Dark Reading
Vulnerabilities / Threats
7/18/2018 02:30 PM
Joel Fulton
Commentary
Make Security Boring Again

In the public sector and feeling overwhelmed? Focus on the basics, as mind numbing as that may sound.

Cybersecurity is a fast-moving target, particularly in the public sector. With constantly changing mandates and compliance requirements, it is hard to keep up. Since the Office of Personnel Management compromise in 2015, government security leaders have been in overdrive trying to strengthen their organizations' security measures to stave off the next major breach. This focus on cybersecurity in the public sector has also made the "government needs to be more like industry" cry louder than ever. Unfortunately, it is also more wrong than ever.

I know this because I routinely hear from and ask questions of security leaders from both commercial and public sector organizations, and the top problems are categorically identical: talent recruitment and retention, skills gaps, budget challenges, and a constant stream of new threats for which to look out.

The hard truth is that despite 30-day cyber sprints, a promising Continuous Diagnostics and Mitigation (CDM) program, the latest technology, and every other "best practices" box checked off, we are playing catch-up with our adversaries. And we will continue down that path until we change tack.

What is the solution I offer to end your adversarial woes? First, discard that question. Your route to success: Go back to basics and roll up your sleeves.

You Can't Protect What You Can't See
Past midnight, a beat cop comes upon a chief information security officer (CISO) on his hands and knees under a bright street lamp. The CISO is searching the road for dropped keys. After 30 fruitless minutes of assisting with the search, the impatient officer asks, "Where did you lose them?"

"Over there," the CISO says, pointing at a darkened alley, "but the light's much better here."

I won't win any plaudits for this pearl of wisdom: You cannot secure that which you cannot see. Nor for this: What you need to secure may not be where you're looking. Before you nod in obvious agreement, check in with your security operations centers. Do they lack visibility across the IT, network, cloud, and security infrastructure stacks? To paraphrase Donald Rumsfeld, how would they know their unknown unknowns?

"But," you answer, "I have visibility and monitoring tools… a dozen of them!" Do those tools give you a holistic view of your infrastructure? Have you evaluated both gaps and overlaps or duplicates? Is your infrastructure complete but fragmented?

By the time you piece together that puzzle, has your environment changed? In my experience, dealing with a tangled mess of wires in a data center is more appealing than facing the answer to those questions. I've been there.

Identity Matters
How do you begin to sort out your data? The most critical step is a thorough risk assessment of your own practices, built on the boring but right questions. For starters:

  • Where is your data?
  • Who and what have access to that data?
  • How complete is your inventory?
  • How thorough is your configuration management database (CMDB)? How up to date is it?
  • Are you seeing what is necessary or simply what is convenient?
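One way to start answering the inventory questions above, and the gaps-and-overlaps question from the previous section, as an added example that is not part of the original article: a short Python script that reconciles a CMDB export against the host lists each monitoring tool reports. The CMDB contents, the three tool names (scanner, EDR, log collector) and every hostname are constructed for illustration.

```python
"""Reconcile a CMDB export against what the monitoring tools actually see.

Added example, not from the original article. All input data is constructed:
a toy CMDB export and the host lists three hypothetical tools report
(a vulnerability scanner, an EDR console and a log collector).
"""
from dataclasses import dataclass, field


@dataclass
class Reconciliation:
    unknown: set = field(default_factory=set)          # seen by a tool, absent from the CMDB
    stale: set = field(default_factory=set)            # in the CMDB, seen by no tool
    coverage_gaps: dict = field(default_factory=dict)  # host -> required tools that do not see it
    single_source: set = field(default_factory=set)    # seen by exactly one tool, so unconfirmed
    aliases: dict = field(default_factory=dict)        # host -> distinct spellings the tools used


def normalize(name: str) -> str:
    """Collapse the spellings different tools use for one host: case, a
    trailing dot, and the domain suffix (WEB01 / web01.corp.example.gov. -> web01)."""
    return name.strip().rstrip(".").lower().split(".")[0]


def reconcile(cmdb: dict, sightings: dict, required_tools) -> Reconciliation:
    """cmdb: hostname -> attributes. sightings: tool name -> set of hostnames that
    tool reported. required_tools: tools expected to cover every CMDB host."""
    required_tools = set(required_tools)
    known = {normalize(h) for h in cmdb}
    seen_by: dict = {}    # normalized host -> tools that reported it
    spellings: dict = {}  # normalized host -> raw names seen
    for tool, hosts in sightings.items():
        for raw in hosts:
            host = normalize(raw)
            seen_by.setdefault(host, set()).add(tool)
            spellings.setdefault(host, set()).add(raw)
    observed = set(seen_by)

    result = Reconciliation()
    result.unknown = observed - known
    result.stale = known - observed
    for host in known & observed:
        missing = required_tools - seen_by[host]
        if missing:
            result.coverage_gaps[host] = sorted(missing)
    result.single_source = {h for h in observed if len(seen_by[h]) == 1}
    result.aliases = {h: sorted(s) for h, s in spellings.items() if len(s) > 1}
    return result


# Constructed sample data. The scanner reports short upper-case names, the log
# collector sometimes appends a trailing dot, and "legacy-fax" was decommissioned
# without anyone removing it from the CMDB.
CMDB = {
    "web01.corp.example.gov": {"owner": "web-team", "env": "prod"},
    "db01.corp.example.gov": {"owner": "dba", "env": "prod"},
    "legacy-fax.corp.example.gov": {"owner": "unknown", "env": "prod"},
}
SIGHTINGS = {
    "scanner": {"WEB01", "DB01", "JUMP-BOX-7"},
    "edr": {"web01.corp.example.gov", "printer-3f"},
    "logs": {"web01.corp.example.gov.", "db01.corp.example.gov", "jump-box-7.corp.example.gov"},
}
REQUIRED = {"scanner", "edr", "logs"}


def report(r: Reconciliation) -> list:
    """Render the findings as the questions the article asks, one line each."""
    lines = [
        f"Not in the CMDB but seen by a tool (where is your data?): {sorted(r.unknown)}",
        f"In the CMDB but seen by no tool (how up to date is it?): {sorted(r.stale)}",
        f"Seen by only one tool (convenient, not confirmed): {sorted(r.single_source)}",
    ]
    for host, missing in sorted(r.coverage_gaps.items()):
        lines.append(f"Coverage gap: {host} is not reported by {missing}")
    for host, names in sorted(r.aliases.items()):
        lines.append(f"Duplicate spellings for {host}: {names}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(reconcile(CMDB, SIGHTINGS, REQUIRED))))
```

Run as-is, the output lists hosts the tools see that the CMDB does not, CMDB entries no tool sees, CMDB hosts a required tool fails to cover, hosts seen by only one tool, and hosts reported under several spellings. The normalization step is what makes the comparison honest: without it, `WEB01` and `web01.corp.example.gov.` count as two assets, and the CMDB looks both stale and incomplete at the same time.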

Also, determine what success looks like for your agency. Is it improving the way you collect and use data to guard against inbound risks? What level of breach or compromise are you comfortable with? This last question is one I find most people hesitant to address, but it is perhaps the most significant.

This work is tedious. It looks less like vendor dinners or rolling out a new tool and more like listening to your team, comparing notes with other CISOs, and reading, learning, doing. But I promise it will be worth the work, and even more, now is the best time to be conducting this effort. Your success is in the excellent delivery of monotonous tasks.

Artificial Intelligence and Machine Learning Can Help
Once your agency has determined its goals and figured out what you can see and need to protect, it is time to put your talent into action, define your tactics, and finally line up supporting technology.

Remember that CMDB? Now that the grunt work is complete, your confidence in it should be higher than ever, and well placed. The second law of thermodynamics assures us that, left alone, systems tend toward disorder, and a large expenditure of energy is needed to halt and reverse that degradation. That brute force and total commitment to the fundamentals will buy you the breathing room to deploy scripting and automation to hold the new line.

Now you have a path to those shiny artificial intelligence (AI) and machine learning (ML) tools you've been eyeing. When they are properly deployed, relying on the solid foundation established by your earlier diligence, you may find those tools will even help alleviate the stress on your overworked security team. A refreshed and re-engaged security team focusing on higher-order questions and problems is a game changer you'll not soon forget.

But AI and ML are only as good as the data you can provide. That's why the tedious stuff is imperative — so the fun stuff can be even more fun.

Act Now 
I know there are a lot of people in both the public and private sectors who will read this and say "Obviously." But I also know there are more who will get nervous thinking about how much mind-numbing work I just prescribed. I would remind both of the truism: Well done is better than well said.

Because again: I've been there. In fact, I'm still there, because the nature of security is never-ending and there is always more to be done.


Joel Fulton, Ph.D., is Chief Information Security Officer for Splunk, leading the Splunk Global Security teams, where he also supports product development as well as customer and partner relationships. Prior to joining Splunk, Joel held security leadership positions at ... View Full Bio