
Cloud

11/14/2019 02:00 PM
Paul Shomo
Commentary

5 Cybersecurity CISO Priorities for the Future

Seven chief information security officers share their pain points and two-year spending plans.

Many chief information security officers view their responsibilities through the National Institute of Standards and Technology's (NIST) model of Identify, Protect, Detect, Respond, and Recover. There's been a focus on detecting and responding to endpoint threats over the past few years, yet new priorities are arising: migration to the cloud, new heterogeneous devices, and custom applications, all of which have greatly expanded attack surfaces.

I recently spoke with seven CISOs. Many are from the Fortune 500, and several are influential in the startup community, advising for YL Ventures. What follows is a recap of their top five concerns and two-year spending priorities:

1. Identity Management in a Multicloud World
The old approach of breaching a network's perimeter technologies and slowly hacking laterally across systems is less of an emphasis thanks to the cloud. With stolen credentials, a device is often one hop from accessing the crown jewels of privileged data in the cloud. Microsoft Corporation CISO Bret Arsenault strikes at the heart of the matter. Today, he says, "hackers don't break in, they log in." In line with that thinking, Microsoft's security organization believes that "identity is our new perimeter."

What makes managing identity complex is that it spans many personas. As Juniper Networks CISO Sherry Ryan explains: Security teams must "know who is accessing your network, whether it be a customer accessing your portals, or a partner, a supplier, or your own employees."

Cloud apps often require authenticating with single sign-on and Microsoft Active Directory. Yet most CISOs in this discussion say they also attempt to reduce the "blast radius" with additional identity and authorization silos. They're still working out architectural best practices but are investing in passwordless, biometric, and behavioral-based authentication.

To that end, identity and access management (IAM) is a product category CISOs continue to purchase despite the challenges involving the multiple vendors needed to cover employees, the supply chain, and customer identities. Piecemeal IAM adoption is now easier, yet some of the CISOs believe that a one-size-fits-all solution doesn't yet exist.

2. Protecting Assets with Encryption and Zero Trust
The cloud transformation is enabling CISOs to ditch on-premises legacy systems. Many are enthusiastic about building cloud security right from day one, and zero trust is a big part of this. Zero trust limits role-based access by default. It ensures users are who they say they are, and that their devices meet reasonable security standards before connecting.

Besides locking down configurations, CISOs are building zero trust with multiple technologies. They mention leveraging things such as multifactor authentication (MFA), mobile device management (MDM), and vulnerability management. But ensuring that data is only seen by trusted users is an ongoing issue.

At the same time, as the industry finally confronts the dynamic nature of data, encryption is being deployed by many of these CISOs. "It's really a hard problem to get to the point where you're identifying every communication trying to access a piece of data," observes F5 Networks CISO Mary Gardner, noting how valuable information is copied, moved, and accessed by numerous applications and people. Granular controls and encryption must protect data across its life cycle, she says.

Markel Corporation CISO Patti Titus explains the complexity in this context: "As an organization, we have to determine when to encrypt, obfuscate data" and ensure "encryption in transit and at rest." And then there's "the challenge of encrypting data that has to be usable for the data scientist."

3. The Rise of DevSecOps
Even the most analog company is developing software to run its business. This includes customer web portals, mobile apps, and APIs exposed to customers, partners, and hackers alike. Organizations are increasingly automating manual activities and relying on analytics and artificial intelligence. Educating software developers in better practices is key, and a strategic initiative is securing applications with DevSecOps.

Many CISOs are also "moving left" and purchasing static analysis tools that operate on code and flag issues before runtime. In keeping with a common theme, the CISOs prefer seamless approaches that are easy on humans. This means integrating DevSecOps technologies into the daily routine of developers. "Continuous integration is where we've spent a lot of time and focus so that developers are securing their own code, they're testing their own code," says Fannie Mae CISO Chris Porter.

While further along with static analysis tools, many of the CISOs in the discussion also indicate a desire for dynamic analysis. Dynamic tools operate during runtime, monitor applications, and log information for incident response.

4. Responding to "Alert Fatigue"
A CISO's operation involves spotting security breaches through the noise of false positives and low-priority alerts. It's an endless challenge. Antivirus, firewalls, and other security technologies often produce millions of daily events.

To move beyond manual processes, almost every CISO interviewed for this article bought security orchestration, automation, and response (SOAR) products. They are generally happy with them. Some want more help getting started. Many feel SOAR performs only as well as the quantity and quality of alerts fed into it.

CISOs are also on the lookout for new approaches to alert fatigue but find the number of technologies coming out each year "overwhelming." These security leaders are hopeful that the new tech they deploy will increase coverage yet are skeptical of the efficacy of more alerts.

"Our philosophy has been to flip the model," explains Blue Cross Blue Shield CISO Yaron Levi. "We are actually looking at alert fatigue from a threat modeling and risk management perspective. [We] model vectors for that potentially harmful attack and then develop our defenses."

Levi is employing attack emulation as a new approach to alert fatigue. The starting point is safely emulating attacks from recent industry breaches within Blue Cross Blue Shield's network. This verifies whether common real-world attacks are even detected, after which those alerts receive the top priority for building response plans and automation.

5. Educating Employees to Think Like a CISO
Noting that security focuses on people, processes, and technology, LogMeIn CISO Gerald Beuchelt strongly believes that it really has to be in that order. "We have to get people on board with what security needs to do.... No security team can grow big enough to protect such a complex and large organization by itself."

Many of these CISOs agree that it's important to take advantage of Cyber Awareness Month using educational tools such as games, humor, and shorter training sessions to motivate their user base.


Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ...