Threat Intelligence
Commentary
3/17/2017 12:30 PM
Mike Convertino

Embrace the Machine & Other Goals for CISOs

Here are five ways we can become more effective for our organizations.

Depending on how you look at it, the past year was either tough for security professionals or it showed the world how complex and interesting this field really is. After all, we're not working to identify some deterministic software bug — we're combatting real adversaries who are constantly testing our defenses.

Like many of you, I spend a lot of time talking to customers, partners, and other security professionals, and there is clearly a lot we can do to become more effective for our organizations. Here is my take on what the security community should resolve to accomplish or overcome as we move forward.

1. Embrace the machine.
We have access to programmable technology today that interoperates with other systems and is capable of massive correlations across data from many sources: logins, proximity card data, Web behaviors, locations. We have agents on users' machines that log process execution. And we have rich, well-curated sources of threat information from third-party vendors and other experts.

The ability to correlate all of that information almost instantaneously means that today's expert systems do the work analysts used to do by hand, only much faster. Machines can compute those correlations in near-real time, assemble a picture of what happened, and prioritize events for an analyst to review.

Taking it a step further, some correlations are now strong enough that the machine can classify the activity as malicious on its own. The challenge is to let go and allow the machine to loop back into firewalls, endpoint security, and applications and actively mitigate the threat. In practice that means starting with mitigations that are reversible and well understood, such as blocking an indicator or isolating a host, and keeping a human approval step for anything broader, because a false positive acted on at machine speed is damage at machine speed.

Embracing automation in this way can reduce response times from months to milliseconds, yield logs that are relevant to the decisions being made, and expose APIs through which the larger systems can be driven by those decisions.
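The correlate-then-mitigate loop described above, as an added example that is not part of the original article: a small Python engine that scores constructed badge-reader, VPN and endpoint-agent events against a constructed intel feed, ranks the findings for an analyst, and hands the high-confidence ones to an automation layer as concrete actions. The rules, point weights, 30-minute window, 80-point automation threshold, the assumption that site HQ is in the US, and the sample events themselves are all illustrative choices, not anything the article specifies.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). IPs are from the RFC 5737
# documentation ranges; the encoded PowerShell argument is a placeholder.
EVENTS = [
    {"ts": "2017-03-01T09:00:00", "src": "badge", "user": "alice", "site": "HQ"},
    {"ts": "2017-03-01T09:04:00", "src": "vpn", "user": "alice",
     "ip": "203.0.113.45", "geo": "RU"},
    {"ts": "2017-03-01T09:06:00", "src": "endpoint", "user": "alice",
     "host": "WS-ALICE", "parent": "WINWORD.EXE", "proc": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2017-03-01T09:10:00", "src": "vpn", "user": "bob",
     "ip": "198.51.100.7", "geo": "US"},
]

# Constructed threat-intel feed: indicator -> vendor confidence 0..1.
INTEL = {"203.0.113.45": 0.9, "198.51.100.7": 0.4}

HQ_GEO = "US"                    # assumption: badge site "HQ" is in the US
WINDOW = timedelta(minutes=30)   # how close in time events must be to correlate
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
AUTO_THRESHOLD = 80              # score at or above which the machine acts alone


def _t(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, intel):
    """Score events per user and return alerts, highest score first."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=_t)
        badges = [e for e in evs if e["src"] == "badge"]
        user_alerts = []
        for e in evs:
            score, reasons = 0, []
            if e["src"] == "vpn":
                # Rule 1: VPN login from abroad while the badge reader says the user is at HQ.
                for b in badges:
                    if abs(_t(e) - _t(b)) <= WINDOW and e["geo"] != HQ_GEO:
                        score += 50
                        reasons.append(f"badged in at {b['site']} but VPN from {e['geo']}")
                # Rule 2: source IP known to the intel feed, weighted by its confidence.
                if e["ip"] in intel:
                    score += int(intel[e["ip"]] * 50)
                    reasons.append("source IP in threat intel")
            elif e["src"] == "endpoint":
                # Rule 3: an Office application spawning encoded PowerShell.
                if e["parent"].lower() in OFFICE_APPS and " -enc " in f" {e['cmdline']} ":
                    score += 70
                    reasons.append(f"{e['parent']} spawned encoded PowerShell")
            if score:
                user_alerts.append({"user": user, "event": e, "score": score, "reasons": reasons})
        # Rule 4: several independent findings on one user inside WINDOW reinforce each other.
        if len(user_alerts) > 1:
            first, last = _t(user_alerts[0]["event"]), _t(user_alerts[-1]["event"])
            if last - first <= WINDOW:
                for a in user_alerts:
                    a["score"] = min(100, a["score"] + 10)
                    a["reasons"].append("multiple findings for the same user")
        alerts.extend(user_alerts)
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


def decide_actions(alerts, threshold=AUTO_THRESHOLD):
    """Split alerts into automated mitigations and an analyst queue."""
    actions, queue = [], []
    for a in alerts:
        e = a["event"]
        if a["score"] < threshold:
            queue.append(a)
        elif e["src"] == "vpn":
            actions.append({"action": "firewall_block", "target": e["ip"]})
        elif e["src"] == "endpoint":
            actions.append({"action": "isolate_host", "target": e["host"]})
    return actions, queue


if __name__ == "__main__":
    found = correlate(EVENTS, INTEL)
    acts, pending = decide_actions(found)
    for a in found:
        print(a["score"], a["user"], "; ".join(a["reasons"]))
    print("automated:", acts)
    print("for analyst:", [(a["user"], a["score"]) for a in pending])
```

On the constructed input, the VPN login that contradicts the badge reader and comes from a known-bad address scores 100 and becomes a firewall block, the Office-spawned encoded PowerShell scores 80 and isolates the workstation, and the low-confidence hit on the second user is left in the analyst queue. Both automated actions are reversible, which is what makes it safe to let the machine take them without a human in the loop.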

2. Consume farm-to-table security data.
CISOs need to understand the difference between primary data (the raw events an endpoint, device or application writes itself) and secondary data (the summaries, alerts and reports derived from them), and get as close to the source as possible when automating systems. The closer our data points are to the user, the less risk we run of modeling on something that has already been filtered or interpreted.

The key is to capture and forward logs at the moment of creation so that, unless the event logging system itself is compromised, you get the unfiltered truth. If you go back to a machine after an attacker has cleaned up the toolset and deleted the log, the tracks may already be covered.

To this end, you have to constantly evaluate log sources: how quickly an event is logged and forwarded, what the source actually is, whether a second source corroborates it, and which fields serve as the correlation points that give a true picture of what is happening on each machine on the network.
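An added example, not from the article, of evaluating log sources the way this section describes. It takes constructed records as a collector would receive them, with the source's own timestamp, the collector's receive timestamp, the source's sequence number and a key identifying the real-world event, and reports per source the worst ingest latency, any gaps in the sequence (an event lost or deleted before it was forwarded), and how many of its events another source corroborates. It also stores the records in a hash-chained append-only log; that chain is one way, assumed here rather than prescribed by the article, to make later deletion or editing at the collector detectable. The hostnames, sequence numbers and messages are all constructed.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime

# Constructed records (not real logs). 'created' is the source's own timestamp,
# 'received' is when the collector got it, 'seq' is the source's monotonic
# sequence number, and 'key' identifies the real-world event so the same event
# reported by two sources can be matched. Sequence 3 from the agent is absent
# on purpose, as if it had been deleted before it was forwarded.
RECORDS = [
    {"source": "ws-alice/agent", "seq": 1, "created": "2017-03-01T09:06:00",
     "received": "2017-03-01T09:06:02", "key": "proc:WS-ALICE:powershell.exe",
     "msg": "winword.exe spawned powershell.exe -enc ..."},
    {"source": "ws-alice/agent", "seq": 2, "created": "2017-03-01T09:06:05",
     "received": "2017-03-01T09:06:07", "key": "conn:WS-ALICE>203.0.113.45:443",
     "msg": "outbound connection"},
    {"source": "fw-edge/flow", "seq": 17, "created": "2017-03-01T09:06:05",
     "received": "2017-03-01T09:06:06", "key": "conn:WS-ALICE>203.0.113.45:443",
     "msg": "allow tcp"},
    {"source": "ws-alice/agent", "seq": 4, "created": "2017-03-01T09:07:30",
     "received": "2017-03-01T09:07:32", "key": "proc:WS-ALICE:wevtutil.exe",
     "msg": "wevtutil cl Security"},
    {"source": "dc01/security", "seq": 9001, "created": "2017-03-01T09:06:10",
     "received": "2017-03-01T09:21:10", "key": "logon:alice@DC01",
     "msg": "4624 logon alice"},
]


def _secs(created, received):
    return (datetime.fromisoformat(received) - datetime.fromisoformat(created)).total_seconds()


def evaluate_sources(records):
    """Per source: worst ingest latency, missing sequence numbers, and how many
    of its events were also reported by a different source."""
    by_src = defaultdict(list)
    seen_by = defaultdict(set)
    for r in records:
        by_src[r["source"]].append(r)
        seen_by[r["key"]].add(r["source"])
    report = {}
    for src, recs in by_src.items():
        seqs = sorted(r["seq"] for r in recs)
        missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
        report[src] = {
            "max_latency_s": max(_secs(r["created"], r["received"]) for r in recs),
            "missing_seq": missing,
            "corroborated": sum(1 for r in recs if len(seen_by[r["key"]]) > 1),
            "total": len(recs),
        }
    return report


def build_chain(records):
    """Append-only store: each entry's hash covers the previous hash and its own body,
    so removing or editing an earlier entry breaks every link after it."""
    entries, prev = [], "0" * 64
    for r in records:
        body = json.dumps(r, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        entries.append({"prev": prev, "body": body, "hash": digest})
        prev = digest
    return entries


def verify_chain(entries):
    """Return (True, None) if intact, else (False, index of the first bad link)."""
    prev = "0" * 64
    for i, e in enumerate(entries):
        expected = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
        if e["prev"] != prev or e["hash"] != expected:
            return False, i
        prev = e["hash"]
    return True, None


if __name__ == "__main__":
    for src, stats in evaluate_sources(RECORDS).items():
        print(src, stats)
    chain = build_chain(RECORDS)
    print("intact:", verify_chain(chain))
    print("after deleting entry 2:", verify_chain(chain[:2] + chain[3:]))
```

On the constructed input the report shows the endpoint agent forwarding within two seconds but with sequence number 3 missing, the domain controller's security log arriving fifteen minutes late because it is pulled on a schedule rather than streamed, and the outbound connection corroborated by both the agent and the firewall. Deleting or editing any stored entry makes verify_chain report the index where the chain first breaks.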

3. Give back to the community.
On both a human and a machine level, getting better at security is an iterative process. When an intrusion analyst identifies something, engineering should encode that knowledge in the correlation engine. Over time this lets you automate what the analyst does, in a continuous cycle between the analyst, engineering and the network's defenses that makes every piece more effective.

Now it's time to share what you’ve learned. Ideally, that information should go to a major threat intel vendor to be correlated with other data so the broader security community can benefit as well.

4. Let analysts analyze.
Information security pros and analysts are expensive. If machines can suppress the bulk of the routine noise, that frees those people to add value elsewhere and rewards the C-suite for the investments they've made in security.

And believe it or not, this is also a retention mechanism. Why? Because now only the really hard problems are turned over to analysts, which makes them happy. This is ultimately why many of us go into the security industry in the first place. We're dealing with human adversaries who are actively and continually adjusting their software and tactics to get into your network. It's a battle of wits and knowledge. That part of the job is much more compelling than poring over extensive activity logs.

5. Prove your value — and the value of future investments.
CISOs are great at a lot of things, but demonstrating our value isn't always one of them. For many years, security was neglected. Only in the last decade has it come into its own, and only in the last couple of years has it really entered the broader public consciousness. Now we need to take another step toward connecting the dots between risk and value.

When we hear that competitors, customers, or peers have experienced breaches, we should alert management. If a company similar to yours lost customer data or intellectual property, or was hacked because of software you have in common, brief management on that too. Build a case study or a presentation to demonstrate how your architecture can (or did) prevent a similar attack.

Ditto when things happen in your own network. When your defenses detect a ransomware attack, it demonstrates the value of management-approved investments. The endpoint security software you bought detected the attack within 100 milliseconds. Your correlation engine pushed the fix back into the email filtering system. The backup system just paid for itself because you were able to recover the lost work and the copy was only three hours old. The system worked. You won.

And if you didn't win, what mitigations could have prevented the loss? Management should know that too, so they have a clear understanding of where to invest next.

Commit to Making It Happen
So what's the point of all this? First, the time gap has to close. Taking 200 days to detect an intrusion isn't acceptable when it's possible to detect many threats in 150 milliseconds and fan out a protection to every machine in the enterprise in another 150 milliseconds.

And second, organizations can only achieve that level of effectiveness when the CISO and upper management commit to embracing automation. Yes, it takes engineering, technical knowledge, and the right gear. But in the end, it's the commitment by the organization that makes it all work.

Mike Convertino has nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide ...