Cloud
11/14/2019 02:00 PM
Paul Shomo
Commentary
5 Cybersecurity CISO Priorities for the Future

Seven chief information security officers share their pain points and two-year spending plans.

Many chief information security officers view their responsibilities through the National Institute of Standards and Technology's (NIST) model of Identify, Protect, Detect, Respond, and Recover. There's been a focus on detecting and responding to endpoint threats over the past few years, yet new priorities are arising: migration to the cloud, new heterogeneous devices, and custom applications, all of which have greatly expanded attack surfaces.

I recently spoke with seven CISOs. Many are from the Fortune 500, and several are influential in the startup community, advising for YL Ventures. What follows is a recap of their top five concerns and two-year spending priorities:

1. Identity Management in a Multicloud World
The old pattern of breaching a network's perimeter technologies and then slowly working laterally across systems gets less emphasis now that so much runs in the cloud. With stolen credentials, a device is often one hop from accessing the crown jewels of privileged data in the cloud. Microsoft Corporation CISO Bret Arsenault strikes at the heart of the matter. Today, he says, "hackers don't break in, they log in." In line with that thinking, Microsoft's security organization believes that "identity is our new perimeter."

What makes managing identity complex is that it spans many personas. As Juniper Networks CISO Sherry Ryan explains: Security teams must "know who is accessing your network, whether it be a customer accessing your portals, or a partner, a supplier, or your own employees."

Cloud apps often require authenticating with single sign-on and Microsoft Active Directory. Yet most CISOs in this discussion say they also attempt to reduce the "blast radius" with additional identity and authorization silos. They're still working out architectural best practices but are investing in password-less, biometric, and behavioral-based authentication.

To that end, identity and access management (IAM) is a product category CISOs continue to purchase despite the challenges involving the multiple vendors needed to cover employees, the supply chain, and customer identities. Piecemeal IAM adoption is now easier, yet some of the CISOs believe that a one-size-fits-all solution doesn't yet exist.

2. Protecting Assets with Encryption and Zero Trust
The cloud transformation is enabling CISOs to ditch on-premises legacy systems. Many are enthusiastic about building cloud security right from day one, and zero trust is a big part of this. Zero trust limits role-based access by default. It ensures users are who they say they are, and that their devices meet reasonable security standards before connecting.

Besides locking down configurations, CISOs are building zero trust with multiple technologies. They mention leveraging things such as multifactor authentication (MFA), mobile device management (MDM), and vulnerability management. But ensuring that data is only seen by trusted users is an ongoing issue.
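The pieces listed above (identity proven with MFA, device posture from MDM and vulnerability management, and role-based access that is denied by default) combine into a single access decision. The following is an added example written for this commentary, not code from Microsoft or any of the CISOs quoted; the resource names, role map and posture fields are hypothetical, and the 30-day patch threshold is an assumed policy value.

```python
"""Added example: a minimal zero-trust access decision.

A request carries who the user is (and how they authenticated), what device
they are on, and which resource they want. Access is denied by default and
granted only when every signal passes. Everything below is constructed for
illustration: resource names, roles and posture fields are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical role-to-resource map: what each role may reach by default.
ROLE_PERMISSIONS = {
    "engineer": {"source-repo", "ci-logs"},
    "finance": {"ledger-db"},
    "data-scientist": {"analytics-lake"},
}

# Assumed device standard, in the spirit of MDM and vulnerability-management
# checks: enrolled, disk-encrypted, patched recently, no known critical issues.
MAX_PATCH_AGE_DAYS = 30


@dataclass
class User:
    name: str
    role: str
    mfa_verified: bool


@dataclass
class Device:
    mdm_enrolled: bool
    disk_encrypted: bool
    days_since_patch: int
    known_critical_vulns: int = 0


def evaluate_access(user: User, device: Device, resource: str) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Any failed check denies; reasons lists every failure."""
    reasons: List[str] = []
    # Identity: the user must have proven who they are with MFA.
    if not user.mfa_verified:
        reasons.append("mfa-not-verified")
    # Device posture: managed, encrypted, patched, free of known critical vulns.
    if not device.mdm_enrolled:
        reasons.append("device-not-enrolled")
    if not device.disk_encrypted:
        reasons.append("disk-not-encrypted")
    if device.days_since_patch > MAX_PATCH_AGE_DAYS:
        reasons.append("device-unpatched")
    if device.known_critical_vulns > 0:
        reasons.append("device-has-critical-vulns")
    # Authorization: role-based, and anything not listed is denied.
    if resource not in ROLE_PERMISSIONS.get(user.role, set()):
        reasons.append("role-not-permitted")
    return (not reasons, reasons)


if __name__ == "__main__":
    alice = User("alice", "engineer", mfa_verified=True)
    laptop = Device(mdm_enrolled=True, disk_encrypted=True, days_since_patch=5)
    print(evaluate_access(alice, laptop, "source-repo"))  # (True, [])
    print(evaluate_access(alice, laptop, "ledger-db"))    # (False, ['role-not-permitted'])
```

Returning every failed check rather than stopping at the first one matters in practice: the reasons are what the help desk and the user see, and they tell you which control (MFA enrollment, patching, role assignment) is generating the most friction.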

At the same time, as the industry finally confronts the dynamic nature of data, encryption is being deployed by many of these CISOs. "It's really a hard problem to get to the point where you're identifying every communication trying to access a piece of data," observes F5 Networks CISO Mary Gardner, noting how valuable information is copied, moved, and accessed by numerous applications and people. Granular controls and encryption must protect data across its life cycle, she says.

Markel Corporation CISO Patti Titus explains the complexity in this context: "As an organization, we have to determine when to encrypt, obfuscate data" and ensure "encryption in transit and at rest." And then there's "the challenge of encrypting data that has to be usable for the data scientist."
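One concrete way to "obfuscate data" so that it stays usable for a data scientist is keyed pseudonymization: direct identifiers are replaced with HMAC tokens under a key that only the data owner holds, so analysts can still count, group and join on a customer without ever seeing the raw value. The example below is added for this commentary and is not Markel's or any vendor's code; the records and the key are constructed, and in a real deployment the key would come from a KMS or HSM rather than a literal.

```python
"""Added example: keyed pseudonymization for an analytics copy of a dataset.

Sensitive fields are replaced with HMAC-SHA256 tokens. The same input under
the same key always yields the same token, so the analytics copy supports
grouping and joins, while the token cannot be reversed or recomputed without
the key. Records and key below are constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed key; in practice this is fetched from a KMS/HSM, never hardcoded.
TOKEN_KEY = b"constructed-example-key-do-not-reuse"

# Fields treated as direct identifiers in this constructed schema.
SENSITIVE_FIELDS = {"email", "ssn"}


def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Deterministic, keyed, one-way token for a single field value."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records: List[Dict[str, str]], key: bytes = TOKEN_KEY) -> List[Dict[str, str]]:
    """Return a copy of the records with every sensitive field tokenized."""
    out = []
    for rec in records:
        clean = {}
        for field, value in rec.items():
            clean[field] = tokenize(value, key) if field in SENSITIVE_FIELDS else value
        out.append(clean)
    return out


def count_by_customer(records: List[Dict[str, str]]) -> Dict[str, int]:
    """An analyst's query that works identically on raw and pseudonymized data."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec["email"]] = counts.get(rec["email"], 0) + 1
    return counts


# Constructed input records.
RAW = [
    {"email": "ana@example.com", "ssn": "123-45-6789", "amount": "120"},
    {"email": "ana@example.com", "ssn": "123-45-6789", "amount": "80"},
    {"email": "bo@example.com", "ssn": "987-65-4321", "amount": "15"},
]

if __name__ == "__main__":
    safe = pseudonymize(RAW)
    for rec in safe:
        print(rec)
    print(count_by_customer(safe))
```

Two properties are worth checking before handing such a copy to an analytics team: tokens for the same customer must match across rows (so the data remains useful), and a different key must produce different tokens (so a copy made for one environment cannot be linked to another). A keyed HMAC gives both; an unkeyed hash would give the first but not the second, and would let anyone with a list of candidate emails recompute the tokens.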

3. The Rise of DevSecOps
Even the most analog company is developing software to run its business. This includes customer web portals, mobile apps, and APIs exposed to customers, partners, and hackers alike. Organizations are increasingly automating manual activities and relying on analytics and artificial intelligence. Educating software developers in better practices is key, and a strategic initiative is securing applications with DevSecOps.

Many CISOs are also "moving left" and purchasing static analysis tools that operate on code and flag issues before runtime. In keeping with a common theme, the CISOs prefer seamless approaches that are easy on humans. This means integrating DevSecOps technologies into the daily routine of developers. "Continuous integration is where we've spent a lot of time and focus so that developers are securing their own code, they're testing their own code," says Fannie Mae CISO Chris Porter.
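To make the "static analysis before runtime, inside continuous integration" idea concrete, here is a small checker added for this commentary. It is not any product's engine and not code from Fannie Mae; it parses Python source and flags three defect classes (eval/exec calls, subprocess calls with shell=True, and string literals assigned to secret-looking names), then returns the exit status a CI step or pre-commit hook would use. The sample source it scans is constructed.

```python
"""Added example: a "shift left" static check over Python source.

Runs before any code executes, so it fits a CI job or pre-commit hook. The
rules and the sample source are constructed; a real tool has far more rules,
but the shape (parse, walk the AST, collect findings, fail the build) is the
same.
"""
import ast
import re
from typing import List, Tuple

SECRET_NAME = re.compile(r"(password|passwd|secret|api_key|token)", re.IGNORECASE)
DANGEROUS_CALLS = {"eval", "exec"}

Finding = Tuple[int, str]  # (line number, message)


class _Checker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        # eval()/exec() on attacker-influenced input is a classic injection sink.
        if isinstance(node.func, ast.Name) and node.func.id in DANGEROUS_CALLS:
            self.findings.append((node.lineno, f"use of {node.func.id}()"))
        # subprocess.<anything>(..., shell=True) hands arguments to a shell.
        if (isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "subprocess"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, "subprocess call with shell=True"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # A string literal stored under a secret-looking name is a hardcoded credential.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    self.findings.append((node.lineno, f"hardcoded secret in '{target.id}'"))
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse the source and return findings sorted by line (SyntaxError propagates)."""
    checker = _Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)


def ci_gate(source: str) -> int:
    """Exit status for a pipeline step: 0 when clean, 1 when anything was flagged."""
    findings = scan_source(source)
    for line, msg in findings:
        print(f"line {line}: {msg}")
    return 1 if findings else 0


# Constructed sample with one instance of each defect class.
SAMPLE = '''\
import subprocess
API_KEY = "sk-constructed-example"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE))
```

The point the CISOs make about being "easy on humans" shows up in the design: the check runs on every commit with no developer action, reports the line number and the reason, and fails the build only on a finding, so a clean change never costs the developer anything.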

While further along with static analysis tools, many of the CISOs in the discussion also indicate a desire for dynamic analysis. Dynamic tools operate during runtime, monitor applications, and log information for incident response.

4. Responding to "Alert Fatigue"
A CISO's operation involves spotting security breaches through the noise of false positives and low-priority alerts. It's an endless challenge. Antivirus, firewalls, and other security technologies often produce millions of daily events.

To move beyond manual processes, almost every CISO interviewed for this article bought security orchestration, automation, and response (SOAR) products. They are generally happy with them. Some want more help getting started. Many feel SOAR performs only as well as the quantity and quality of alerts fed into it.

CISOs are also on the lookout for new approaches to alert fatigue but find the number of technologies coming out each year "overwhelming." These security leaders are hopeful that the new tech they deploy will increase coverage yet are skeptical of the efficacy of more alerts.

"Our philosophy has been to flip the model," explains Blue Cross Blue Shield CISO Yaron Levi. "We are actually looking at alert fatigue from a threat modeling and risk management perspective. [We] model vectors for that potentially harmful attack and then develop our defenses."

Levi is employing attack emulation as a new approach to alert fatigue. The starting point is emulating attacks from recent industry breaches safely within Blue Cross Blue Shield's network. This verifies whether common real-world attacks are even seen, after which these alerts receive the top priority for building response plans and automation.
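The "flip the model" approach has two mechanical parts a SOC can script: rank the alert stream by the modeled attack vector each signature belongs to (with unmodeled noise last), and, after an emulation run, list the modeled vectors that produced no expected alert at all, since those are the detection gaps to fix before building automation on top. The example below is added for this commentary; it is not Blue Cross Blue Shield's tooling or data, and the vector names, alert lines and emulation record are all constructed.

```python
"""Added example: prioritizing alerts by modeled attack vector and reporting
detection coverage after an emulation run.

MODELED_VECTORS lists the threat-modeled vectors highest-risk first, each with
the alert signatures a defender expects to fire when it occurs. Alert lines
and the emulation record are constructed, not real product output.
"""
from collections import Counter
from typing import Dict, List, Tuple

MODELED_VECTORS: Dict[str, set] = {
    "credential-phishing-then-cloud-login": {"impossible-travel", "new-mfa-device"},
    "ransomware-lateral-movement": {"smb-mass-write", "lsass-access"},
    "public-web-app-exploit": {"waf-sqli", "webshell-drop"},
}

# Constructed SIEM alert lines: "<timestamp> <signature> <host-or-user>"
ALERT_LINES = """\
2019-11-14T09:00:01 av-pup-detected host-17
2019-11-14T09:00:02 av-pup-detected host-17
2019-11-14T09:00:02 av-pup-detected host-18
2019-11-14T09:05:00 impossible-travel user-ana
2019-11-14T09:06:30 smb-mass-write host-42
2019-11-14T09:06:31 smb-mass-write host-42
2019-11-14T09:10:00 av-pup-detected host-19
"""

# Constructed record of which modeled vectors today's emulation exercised.
EMULATED_TODAY = {
    "credential-phishing-then-cloud-login": True,
    "ransomware-lateral-movement": True,
    "public-web-app-exploit": True,
}


def parse_alerts(text: str) -> List[Tuple[str, str, str]]:
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, sig, subject = line.split()
            rows.append((ts, sig, subject))
    return rows


def dedupe(alerts: List[Tuple[str, str, str]]) -> Counter:
    """Collapse repeats into one signature with a count: the first step against fatigue."""
    return Counter(sig for _, sig, _ in alerts)


def prioritize(sig_counts: Counter) -> List[Tuple[str, str, int]]:
    """Rank signatures by the risk order of their modeled vector; unmodeled ones go last."""
    sig_to_vector = {sig: vec for vec, sigs in MODELED_VECTORS.items() for sig in sigs}
    vector_rank = {vec: i for i, vec in enumerate(MODELED_VECTORS)}
    ranked = [(sig_to_vector.get(sig, "unmodeled"), sig, n) for sig, n in sig_counts.items()]
    ranked.sort(key=lambda r: (vector_rank.get(r[0], len(vector_rank)), r[1]))
    return ranked


def coverage_gaps(emulated: Dict[str, bool], sig_counts: Counter) -> List[str]:
    """Vectors that were emulated but produced none of their expected alerts."""
    gaps = []
    for vec, ran in emulated.items():
        if ran and not any(sig_counts.get(s, 0) for s in MODELED_VECTORS[vec]):
            gaps.append(vec)
    return gaps


if __name__ == "__main__":
    counts = dedupe(parse_alerts(ALERT_LINES))
    for vec, sig, n in prioritize(counts):
        print(f"{vec:40} {sig:20} x{n}")
    print("detection gaps:", coverage_gaps(EMULATED_TODAY, counts))
```

Run on the constructed input, the four antivirus "potentially unwanted program" alerts that dominate the raw stream drop to the bottom of the list, the two modeled vectors that were seen come first, and the web-application vector is reported as a gap because the emulation exercised it and nothing fired. That gap list, not the raw alert volume, is what drives the next round of detection engineering and SOAR playbooks.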

5. Educating Employees to Think Like a CISO
Noting that security focuses on people, processes, and technology, LogMeIn CISO Gerald Beuchelt strongly believes that it really has to be in that order. "We have to get people on board with what security needs to do.... No security team can grow big enough to protect such a complex and large organization by itself."

Many of these CISOs agree that it's important to take advantage of Cyber Awareness Month using educational tools such as games, humor, and shorter training sessions to motivate their user base.


Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ...