Cloud

11/14/2019 02:00 PM
Paul Shomo
Commentary

5 Cybersecurity CISO Priorities for the Future

Seven chief information security officers share their pain points and two-year spending plans.

Many chief information security officers view their responsibilities through the National Institute of Standards and Technology's (NIST) model of Identify, Protect, Detect, Respond, and Recover. There's been a focus on detecting and responding to endpoint threats over the past few years, yet new priorities are arising: migration to the cloud, new heterogeneous devices, and custom applications, all of which have greatly expanded attack surfaces.

I recently spoke with seven CISOs. Many are from the Fortune 500, and several are influential in the startup community, advising for YL Ventures. What follows is a recap of their top five concerns and two-year spending priorities:

1. Identity Management in a Multicloud World
The old pattern of breaching a network's perimeter technologies and slowly moving laterally across systems matters less today, thanks to the cloud. With stolen credentials, a device is often one hop from accessing the crown jewels of privileged data in the cloud. Microsoft Corporation CISO Bret Arsenault strikes at the heart of the matter. Today, he says, "hackers don't break in, they log in." In line with that thinking, Microsoft's security organization believes that "identity is our new perimeter."

What makes managing identity complex is that it spans many personas. As Juniper Networks CISO Sherry Ryan explains: Security teams must "know who is accessing your network, whether it be a customer accessing your portals, or a partner, a supplier, or your own employees."

Cloud apps often require authenticating with single sign-on and Microsoft Active Directory. Yet most CISOs in this discussion say they also attempt to reduce the "blast radius" with additional identity and authorization silos. They're still working out architectural best practices but are investing in passwordless, biometric, and behavior-based authentication.

To that end, identity and access management (IAM) is a product category CISOs continue to purchase despite the challenges involving the multiple vendors needed to cover employees, the supply chain, and customer identities. Piecemeal IAM adoption is now easier, yet some of the CISOs believe that a one-size-fits-all solution doesn't yet exist.

2. Protecting Assets with Encryption and Zero Trust
The cloud transformation is enabling CISOs to ditch on-premises legacy systems. Many are enthusiastic about building cloud security right from day one, and zero trust is a big part of this. Zero trust limits role-based access by default. It ensures users are who they say they are, and that their devices meet reasonable security standards before connecting.

Besides locking down configurations, CISOs are building zero trust with multiple technologies. They mention leveraging things such as multifactor authentication (MFA), mobile device management (MDM), and vulnerability management. But ensuring that data is only seen by trusted users is an ongoing issue.
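The zero-trust posture described above boils down to a default-deny access decision that combines identity verification, device posture, and role. The following is an added illustration, not code from the article or from any of the CISOs' organizations; the checks (MFA, MDM enrollment and compliance, open critical vulnerabilities, role-to-resource mapping) and the sample request values are assumptions constructed for the example.

```python
"""Zero trust access decision: default deny, with identity and device checks.

Added example, not from the article or any vendor's product. The checks and
the sample requests below are constructed to illustrate the idea.
"""
from dataclasses import dataclass

# Resources each role may reach; anything not listed is denied by default.
# (Constructed roles and resource names.)
ROLE_ACCESS = {
    "engineer": {"source-repo", "ci-logs"},
    "finance": {"ledger"},
}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    mfa_passed: bool          # identity strongly verified (MFA)
    device_managed: bool      # device enrolled in MDM
    device_compliant: bool    # MDM reports disk encryption, screen lock, etc.
    critical_vulns: int       # open critical findings from vulnerability management


def decide(req: Request, max_critical_vulns: int = 0) -> tuple:
    """Return (allow, reason). Every check must pass; the first failure is reported."""
    if not req.mfa_passed:
        return False, "identity not verified with MFA"
    if not req.device_managed:
        return False, "device not enrolled in MDM"
    if not req.device_compliant:
        return False, "device fails MDM compliance policy"
    if req.critical_vulns > max_critical_vulns:
        return False, f"device has {req.critical_vulns} unpatched critical vulnerabilities"
    if req.resource not in ROLE_ACCESS.get(req.role, set()):
        return False, f"role '{req.role}' is not granted '{req.resource}'"
    return True, "all identity and device checks passed"


if __name__ == "__main__":
    # Constructed sample requests: one that passes, one from an unmanaged device,
    # and one from a role that the resource was never granted to.
    samples = [
        Request("alice", "engineer", "source-repo", True, True, True, 0),
        Request("bob", "engineer", "source-repo", True, False, True, 0),
        Request("carol", "engineer", "ledger", True, True, True, 0),
    ]
    for s in samples:
        allow, reason = decide(s)
        print(f"{s.user:6} -> {'ALLOW' if allow else 'DENY '} ({reason})")
```

The order of the checks matters for what the user sees: identity is established before device posture is consulted, and role is evaluated last, so a denial never reveals which resources a role would have unlocked had the device been compliant.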

At the same time, as the industry finally confronts the dynamic nature of data, encryption is being deployed by many of these CISOs. "It's really a hard problem to get to the point where you're identifying every communication trying to access a piece of data," observes F5 Networks CISO Mary Gardner, noting how valuable information is copied, moved, and accessed by numerous applications and people. Granular controls and encryption must protect data across its life cycle, she says.

Markel Corporation CISO Patti Titus explains the complexity in this context: "As an organization, we have to determine when to encrypt, obfuscate data" and ensure "encryption in transit and at rest." And then there's "the challenge of encrypting data that has to be usable for the data scientist."

3. The Rise of DevSecOps
Even the most analog company is developing software to run its business. This includes customer web portals, mobile apps, and APIs exposed to customers, partners, and hackers alike. Organizations are increasingly automating manual activities and relying on analytics and artificial intelligence. Educating software developers in better practices is key, and a strategic initiative is securing applications with DevSecOps.

Many CISOs are also "moving left" and purchasing static analysis tools that operate on code and flag issues before runtime. In keeping with a common theme, the CISOs prefer seamless approaches that are easy on humans. This means integrating DevSecOps technologies into the daily routine of developers. "Continuous integration is where we've spent a lot of time and focus so that developers are securing their own code, they're testing their own code," says Fannie Mae CISO Chris Porter.
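To make concrete what a static analysis tool does when it "operates on code and flags issues before runtime," here is a deliberately small checker, added for this article and not a tool any of the quoted CISOs use. It walks a Python module's syntax tree and reports call patterns that commonly become runtime vulnerabilities, then exits non-zero so a continuous integration job fails on findings. The flagged patterns and the sample source it scans are constructed for the example.

```python
"""Minimal static analysis check that runs before code executes.

Added example, not a tool the article or its CISOs describe. It walks a
Python module's syntax tree and flags call patterns that commonly turn into
runtime vulnerabilities; the sample source below is constructed.
"""
import ast

# Call patterns to flag: qualified name as written in source -> finding text
RISKY_CALLS = {
    "eval": "eval() on untrusted input allows arbitrary code execution",
    "exec": "exec() on untrusted input allows arbitrary code execution",
    "pickle.loads": "unpickling untrusted data allows arbitrary code execution",
    "yaml.load": "yaml.load without SafeLoader can instantiate arbitrary objects",
}


def _call_name(node: ast.Call) -> str:
    """Render the callee as 'name' or 'module.attr' when it is a simple dotted path."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""  # callee is an expression (e.g. f()()), not a dotted name


def analyze(source: str, filename: str = "<input>") -> list:
    """Return findings as dicts with line, pattern and message, ordered by line."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in RISKY_CALLS:
            findings.append({"line": node.lineno, "pattern": name,
                             "message": RISKY_CALLS[name]})
        # subprocess.* with shell=True routes the command through a shell,
        # so any attacker-influenced argument becomes command injection.
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append({"line": node.lineno,
                                     "pattern": name + "(shell=True)",
                                     "message": "shell=True passes the command "
                                                "through a shell; prefer an argument list"})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample module with three issues, one per line 4-6.
SAMPLE_SOURCE = '''\
import subprocess, pickle

def handler(payload, cmd):
    data = pickle.loads(payload)
    subprocess.run(cmd, shell=True)
    return eval(data["expr"])
'''

if __name__ == "__main__":
    results = analyze(SAMPLE_SOURCE, "sample.py")
    for f in results:
        print(f"sample.py:{f['line']}: {f['pattern']}: {f['message']}")
    # Non-zero exit fails the CI job so the findings block the merge.
    raise SystemExit(1 if results else 0)
```

Wiring the exit code into the pipeline is what turns a scanner into the "seamless" developer experience the CISOs describe: the finding appears on the pull request, in the developer's own workflow, rather than in a separate security report weeks later.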

While they are further along with static analysis tools, many of the CISOs in the discussion also express a desire for dynamic analysis. Dynamic tools operate during runtime, monitor applications, and log information for incident response.

4. Responding to "Alert Fatigue"
A CISO's operation involves spotting security breaches through the noise of false positives and low-priority alerts. It's an endless challenge. Antivirus, firewalls, and other security technologies often produce millions of daily events.

To move beyond manual processes, almost every CISO interviewed for this article bought security orchestration, automation, and response (SOAR) products. They are generally happy with them. Some want more help getting started. Many feel SOAR performs only as well as the quantity and quality of alerts fed into it.

CISOs are also on the lookout for new approaches to alert fatigue but find the number of technologies coming out each year "overwhelming." These security leaders are hopeful that the new tech they deploy will increase coverage yet are skeptical of the efficacy of more alerts.

"Our philosophy has been to flip the model," explains Blue Cross Blue Shield CISO Yaron Levi. "We are actually looking at alert fatigue from a threat modeling and risk management perspective. [We] model vectors for that potentially harmful attack and then develop our defenses."

Levi is employing attack emulation as a new approach to alert fatigue. The starting point is emulating attacks from recent industry breaches safely within Blue Cross Blue Shield's network. This verifies whether common real-world attacks are even seen, after which these alerts receive the top priority for building response plans and automation.
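The emulation-driven triage Levi describes can be expressed as a small scoring routine. The following is an added example, not Blue Cross Blue Shield's data or the output of any particular emulation product: the technique names, the prevalence weights, and the three observed outcomes (alerted, logged but not alerted, invisible) are constructed assumptions.

```python
"""Triage attack-emulation results into detection work.

Added example; the emulation outcomes and technique names below are
constructed, not Blue Cross Blue Shield's data or any tool's output.
"""
from collections import defaultdict

# Outcome of each safely emulated technique, as observed in the SOC tooling:
#   "alerted"   - an alert fired
#   "logged"    - telemetry captured it but no alert fired
#   "invisible" - no log or alert at all
# 'prevalence' is a constructed relative weight for how often the technique
# appeared in the recent breach reports the team tracks (higher = more common).
EMULATION_RESULTS = [
    {"technique": "phishing attachment opened", "prevalence": 9, "outcome": "alerted"},
    {"technique": "credential dumping from memory", "prevalence": 8, "outcome": "logged"},
    {"technique": "remote service lateral movement", "prevalence": 7, "outcome": "invisible"},
    {"technique": "scheduled task persistence", "prevalence": 5, "outcome": "alerted"},
    {"technique": "data staged in cloud storage", "prevalence": 6, "outcome": "invisible"},
]

# Where each outcome sends the work: alerts that fire get playbooks and
# automation first, logged-only techniques need a rule, invisible ones need
# telemetry before any alerting can be tuned.
NEXT_STEP = {
    "alerted": "build response playbook and automation",
    "logged": "write a detection rule on existing telemetry",
    "invisible": "close the telemetry gap before anything else",
}


def triage(results):
    """Group results by outcome, most prevalent first, and attach the next step."""
    buckets = defaultdict(list)
    for r in results:
        if r["outcome"] not in NEXT_STEP:
            raise ValueError(f"unknown outcome {r['outcome']!r}")
        buckets[r["outcome"]].append(r)
    plan = {}
    for outcome in NEXT_STEP:  # keep a stable order; skip empty buckets
        items = sorted(buckets.get(outcome, []), key=lambda r: r["prevalence"], reverse=True)
        if items:
            plan[outcome] = {"next_step": NEXT_STEP[outcome],
                             "techniques": [r["technique"] for r in items]}
    return plan


def coverage(results):
    """Prevalence-weighted share of emulated techniques that produced an alert."""
    total = sum(r["prevalence"] for r in results)
    seen = sum(r["prevalence"] for r in results if r["outcome"] == "alerted")
    return round(seen / total, 2) if total else 0.0


if __name__ == "__main__":
    print(f"alert coverage (prevalence-weighted): {coverage(EMULATION_RESULTS):.0%}")
    for outcome, entry in triage(EMULATION_RESULTS).items():
        print(f"\n[{outcome}] {entry['next_step']}")
        for t in entry["techniques"]:
            print(f"  - {t}")
```

Weighting coverage by prevalence rather than counting techniques equally is what keeps the result tied to risk: an alert that fires for a rare technique should not mask silence on the one attackers actually use most.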

5. Educating Employees to Think Like a CISO
Noting that security focuses on people, processes, and technology, LogMeIn CISO Gerald Beuchelt strongly believes that it really has to be in that order. "We have to get people on board with what security needs to do.... No security team can grow big enough to protect such a complex and large organization by itself."

Many of these CISOs agree that it's important to take advantage of Cyber Awareness Month using educational tools such as games, humor, and shorter training sessions to motivate their user base.


Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ...