CISO Shares Strategies For Surviving The Inevitability Of Attacks
Loop in application, network teams to help spot threats and attacks before they do harm
NEW YORK, N.Y. -- Interop New York 2013 -- Chief information security officer Jay Leek says today's reality that you can't stop all cyberattacks means security teams must double down on smarter detection of threats and attacks rather than the traditional approach of mainly trying to prevent them.
|Click here for more articles from Dark Reading.|
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- Top Big Data Security Tips and Ultimate Protection for Enterprise Data
- Smarter Process: Five Ways to Make Your Day-to-Day Operations Better, Faster and More Measurable
Leek, who is the CISO at financial services and asset management firm Blackstone, says the more you know about your attackers and their M.O., the better chance you have in thwarting any real damage. That entails three main mindset and strategic shifts that security pros need to make, he says, to handle threats and attacks today: better visibility into threats and attacks, better intelligence about them, and a planned response rather than merely reacting to the latest threat, vulnerability, or incident.
"The reality is that bad guys have much more time on their hands than we do," says Leek, who gave a presentation from the CISO's perspective here at Interop yesterday. "If you're focused on prevention and not much on detection, you are flying blind sometimes because you don't necessarily know where you're headed."
Blackstone is adopting what John Pironti, president of IP Architects, says is a prime example of a risk-based model for security -- one where security pros serve as advisers to the business on the real risks facing their firms, rather than as the naysayers they sometimes appear to the business side.
"Security is the output" of what the business' risk profile defines, Pironti says.
Meanwhile, Leek estimates that most organizations spend about 70 percent of their capital, resources, and processes on prevention, but that model is no longer viable in today's threat landscape. "Our programs, generally speaking, largely reflect the vendor landscape" of mainly prevention-based tools, he says. "Why is this? Because it's sexier to sell prevention," he says.
Security teams need to change up their strategy, he says.
1. Better visibility into attacks. That means investing more in watching what's happening not just on the network, but in the applications as well, Leek says. "You also need visibility into what's happening at the host," he says.
Leek has done this by working with other groups outside of the security team: He has been reaching out to Blackstone's application developers and network teams to assist, he says. "It's not just within the security organization. It's amazing how much your application developers and network guys see."
Leek says this cross-team collaboration can pay off quickly: A network alert from its IT team's SolarWinds product discovered a 2-megabit-per-second connection from Shanghai to Bangkok, he says. "Why the hell did that happen?" he says. "Having this kind of visibility and collaboration" can thwart damage from attacks, he says.
"You can train application people to watch" for threats as well, he says. "I don't have enough people, and I can't find ones to hire, so I'm trying to figure out how to scale my organization outside the traditional security team," he says.
2. Get more in-depth threat and attack intelligence. Leek says security teams need to gather more useful intelligence. "It's very important that we understand what's happening in our own environment and in the world around us," he says.
At the heart of this more drilled-down approach to threats and attacks is the goal of identifying the type of attacker targeting your organization, he says. "It's very important to understand who the adversary is because this changes the way we respond," Leek says. "You respond differently if you know it's a targeted attack," for example, and not a random one.
If you spot an attack group known for targeting your industry, then that likely means it's going after your intellectual property, according to Leak, so you can lock down accordingly. "Attribution is key," he says.
If you know who's targeting you, you can respond more intelligently and efficiently, he says. If it's just a random cybercrime attack aimed at stealing financial credentials or other information, you can take the infected machine offline and reimage it. "But if the targeted user is an executive [in the company] and the attack is cyberespionage, maybe you don't want to take that machine offline or reimage it right away" so you can track the attacker's movements and glean more intel, he says.
That's how better intelligence can shape your response, he says.
Blackstone also now is patching only for actively exploited vulnerabilities rather than each and every vulnerability out there, Leak says. With some 5,000 new bugs per year exposed, there's no way to keep up, he says. "You're just chasing a number, and you never get to zero," he says.
[Companies need to focus on, not just fixing known vulnerabilities, but closing potential attack vectors. See Securing More Vulnerabilities By Patching Less .]
"It used to be a knee-jerk that 'this is high risk.' Now we know there's exploit code [out there] and the adversary is using it," and we patch for it, Leek says.
3. Shift from react to respond. "Response is planned," Blackstone's Leek says.
A member of his team recently wrote an application that automates the integration of alerts for response and forensics, Leek says. It basically reports on an alert generated by, say, its FireEye system, where that suspicious traffic got through, and which indicators of compromises it includes.
"This is an example of allowing us to automate a lot of processes we have put in place," Leek says. "We're planning for [attacks] to happen. We know it's going to happen."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.