Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/17/2017
12:30 PM
Mike Convertino
Mike Convertino
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Embrace the Machine & Other Goals for CISOs

Here are five ways we can become more effective for our organizations.

Depending on how you look at it, the past year was either tough for security professionals or it showed the world how complex and interesting this field really is. After all, we're not working to identify some deterministic software bug — we're combatting real adversaries who are constantly testing our defenses.

Like many of you, I spend a lot of time talking to customers, partners, and other security professionals, and there is clearly a lot we can do to become more effective for our organizations. Here is my take on what the security community should resolve to accomplish or overcome as we move forward.

1. Embrace the machine.
We have access to programmable technology today that is compatible with other systems, and capable of massive correlations using data from many sources — logins, proximity card data, Web behaviors, locations. We have agents on users' machines that log information about process execution. And we have rich, intelligent sources of threat information from third-party vendors and other experts.

The ability to almost instantaneously correlate all that information means that today's expert systems are doing things humans used to do but doing it much faster. Machines can calculate those correlations in near-real time, build information about what happened, and prioritize events for an analyst to review.

Taking it a step further, today we see machines good enough at making correlations that they instantly know the identified activity is malicious. The challenge is to let go and allow the machine itself to loop back into firewalls, endpoint security, and applications, and actively mitigate the threat.

Embracing AI in this way can reduce response times from months to milliseconds, produce logs that are more relevant, and create APIs that respond to inputs from the bigger systems.

2. Consume farm-to-table security data.
CISOs need to understand the difference between primary data and secondary data, and get as close to the source as possible when automating systems. The closer our data points are to the user, the less risk we run of bad modeling.

The key is to capture logs at the time of creation so, unless the event logging system itself is compromised, you’re going to get unfiltered truth. If you go back to a machine after a bad guy has cleaned up his toolset and deleted the log, the tracks may be covered.

To this end, you have to constantly evaluate log sources to see how quickly the data is logged, what the source is, whether there is redundancy — and identify the correlation points that enable a true picture of what’s happening with each machine on the network.

3. Give back to the community.
On both a human and machine level, getting better at security is an iterative process. When an intrusion analyst identifies something, engineering should imbue that knowledge into the correlation engine. Eventually, this process will allow you to automate what the analyst does in a virtual movement between the machine, engineering and the network’s defenses — making every piece more effective.

Now it's time to share what you’ve learned. Ideally, that information should go to a major threat intel vendor to be correlated with other data so the broader security community can benefit as well.

4. Let analysts analyze.
Information security pros and analysts are expensive, and if there's a host of things that machines can suppress, this frees those human resources to add value elsewhere and reward the C-suite for the investments they've made in security.

And believe it or not, this is also a retention mechanism. Why? Because now only the really hard problems are turned over to analysts, which makes them happy. This is ultimately why many of us go into the security industry in the first place. We're dealing with human adversaries who are actively and continually adjusting their software and tactics to get into your network. It's a battle of wits and knowledge. That part of the job is much more compelling than poring over extensive activity logs.

5. Prove your value — and the value of future investments.
CISOs are great at a lot of things, but demonstrating our value isn't always one of them. For many years, security was neglected. Only in the last decade has it come into its own, and only in the last couple of years has it really entered the broader public consciousness. Now we need to take another step toward connecting the dots between risk and value.

When we hear that competitors, customers, or peers have experienced breaches, we should alert management. If a company similar to yours lost customer data or intellectual property, or was hacked because of software you have in common, brief management on that too. Build a case study or a presentation to demonstrate how your architecture can (or did) prevent a similar attack.

Ditto when things happen in your own network. When your defenses detect a ransomware attack, it demonstrates the value of management-approved investments. The endpoint security software you bought detected the attack within 100 milliseconds. Your AI correlation engines booted the fix back into the email filtering system. The backup system just paid for itself because you were able to recover the lost work and the copy was only three hours old. The system worked. You won.

And if you didn't win, what mitigations could have prevented the loss? Management should know that too, so they have a clear understanding of where to invest next.

Commit to Making It Happen
So what’s the point of all this? First, you need time to close the gap. Going 200 days until detection of an intrusion isn't acceptable when it’s possible to detect many threats in 150 milliseconds and fan out a protection to every machine in the enterprise in another 150 milliseconds.

And second, organizations can only achieve that level of effectiveness when the CISO and upper management commit to embracing automation. Yes, it takes engineering, technical knowledge, and the right gear. But in the end, it's the commitment by the organization that makes it all work.

Related Content:

Mike Convertino is the chief security officer at Arceo.ai, a leading data analytics company using AI to dynamically assess risk for the cyber insurance industry. He is an experienced executive, leading both information security and product development at multiple leading ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32693
PUBLISHED: 2021-06-17
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the fir...
CVE-2021-32424
PUBLISHED: 2021-06-17
In TrendNet TW100-S4W1CA 2.3.32, due to a lack of proper session controls, a threat actor could make unauthorized changes to an affected router via a specially crafted web page. If an authenticated user were to interact with a malicious web page it could allow for a complete takeover of the router.
CVE-2021-32426
PUBLISHED: 2021-06-17
In TrendNet TW100-S4W1CA 2.3.32, it is possible to inject arbitrary JavaScript into the router's web interface via the "echo" command.
CVE-2021-32694
PUBLISHED: 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.15.1, a malicious application on the same device is possible to crash the Nextcloud Android Client due to an uncaught exception. The vulnerability is patched in version 3.15.1.
CVE-2021-32695
PUBLISHED: 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user-interaction as a victim had to initiate the sharing flow and choose t...