Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/18/2018
02:30 PM
Joel Fulton
Joel Fulton
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Make Security Boring Again

In the public sector and feeling overwhelmed? Focus on the basics, as mind numbing as that may sound.

Cybersecurity is a fast-moving target, particularly in the public sector. With constantly changing mandates and compliance requirements, it is hard to keep up. Since the Office of Personnel Management compromise in 2015, government security leaders have been in overdrive trying to strengthen their organizations' security measures to stave off the next major breach. This focus on cybersecurity in the public sector has also made the "government needs to be more like industry" cry louder than ever. Unfortunately, it is also more wrong than ever.

I know this because I routinely hear from and ask questions of security leaders from both commercial and public sector organizations, and the top problems are categorically identical: talent recruitment and retention, skills gaps, budget challenges, and a constant stream of new threats for which to look out.

The hard truth is, despite 30-day cyber sprints, creating a promising Continuous Diagnostics and Mitigation Program, acquiring the latest tech and checking off every other "best practices" box, we are playing catch-up with our adversaries. And we will continue down that path until we change tack.

What is the solution I offer to end your adversarial woes? First, discard that question. Your route to success: Go back to basics and roll up your sleeves.

You Can't Protect What You Can't See
Past midnight, a beat cop comes upon a chief information security officer (CISO) on his hands and knees under a bright street lamp. The CISO is searching the road for dropped keys. After 30 fruitless minutes of assisting with the search, the impatient officer asks, "Where did you lose them?"

"Over there," the CISO says, pointing at a darkened alley, "but the light's much better here."

I won't win any plaudits for this pearl of wisdom: You cannot secure that which you cannot see. Nor for this: What you need to secure may not be where you're looking. Before you nod in obvious agreement, check in with your security operations centers. Do they lack visibility across the IT, network, cloud, and security infrastructure stacks? To paraphrase Donald Rumsfeld, how would they know their unknown unknowns?

"But," you answer, "I have visibility and monitoring tools… a dozen of them!" Do those tools give you a holistic view of your infrastructure? Have you evaluated both gaps and overlaps or duplicates? Is your infrastructure complete but fragmented?

By the time you piece together that puzzle, has your environment changed? In my experience, dealing with a tangled mess of wires in a data center is more appealing than facing the answer to those questions. I've been there.

Identity Matters
How do you begin to sort out your data? The most critical step is starting with a thorough risk assessment of your practices by asking the boring but right questions. For starters:

  • Where is your data?
  • Who and what have access to that data?
  • How complete is your inventory?
  • How thorough is your configuration management database (CMDB)? How up to date is it?
  • Are you seeing what is necessary or simply what is convenient?

Also, determine what success looks like for your agency. Is it enhancing the way you collect and use data to guard against inbound risks? What level of breach or compromise are you comfortable with? This last question is one I find most people hesitant to address but perhaps is the most significant.

This work is tedious. It looks less like vendor dinners or rolling out a new tool and more like listening to your team, comparing notes with other CISOs, and reading, learning, doing. But I promise it will be worth the work, and even more, now is the best time to be conducting this effort. Your success is in the excellent delivery of monotonous tasks.

Artificial Intelligence and Machine Learning Can Help
Once your agency has determined its goals and figured out what you can see and need to protect, it is time to put your talent into action, define your tactics, and finally line up supporting technology.

Remember that CMDB? Now that the grunt work is complete, your confidence in it should be higher than ever and well placed. The law of entropy assures us that the universe tends toward chaos. A massive expenditure of energy is needed to halt and reverse that natural degradation. That brute force and total commitment to the rudiments and fundamentals will buy you breathing room to deploy scripting and automation to hold the new line.

Now you have a path to those shiny artificial intelligence (AI) and machine learning (ML) tools you've been eyeing. When they are properly deployed, relying on the solid foundation established by your earlier diligence, you may find those tools will even help alleviate the stress on your overworked security team. A refreshed and re-engaged security team focusing on higher-order questions and problems is a game changer you'll not soon forget.

But AI and ML are only as good as the data you can provide. That's why the tedious stuff is imperative — so the fun stuff can be even more fun.

Act Now 
I know there are a lot of people in both the public and private sectors who will read this and say "Obviously." But I also know there are more who will get nervous thinking about how much mind-numbing work I just prescribed. I would remind both of the truism: Well done is better than well said.

Because again: I've been there. In fact, I'm still there, because the nature of security is never-ending and there is always more to be done.

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Joel Fulton, Ph.D., is Chief Information Security Officer for Splunk, leading the Splunk Global Security teams, where he also supports product development as well as customer and partner relationships. Prior to joining Splunk, Joel held security leadership positions at ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19040
PUBLISHED: 2019-11-17
KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.
CVE-2019-19041
PUBLISHED: 2019-11-17
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by th...
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.