Organizations are facing an ever-evolving threat landscape these days. As the news has shown us, threats like Meltdown and Spectre show up on short notice, then impact the hardware and software in use every day from user endpoints to server racks.
Companies are looking for ways to be prepared for these seemingly inevitable events. This security expert roundtable discusses the key security trends they’re following, how to mitigate threats, and what successful companies do to avoid security issues. Assessing security risks is just the beginning of a journey to being prepared to deal with an attack on your company’s infrastructure in some shape or form.
The advice is varied, yet there are some crossover areas; ultimately each System Admin, IT Pro, CISO, and CIO must adopt an approach that works for their organization.
What works for one organization may not be the best solution for another; however, the ideas shared in this conversation could help spark the concepts that you adopt within your business to address the challenges you face each day.
How much time do enterprises have between learning about an emerging threat and rolling out an enterprise-wide solution to deal with it?
Tom Patterson, Chief Trust Officer at Unisys: The approach for security really needs to evolve. Just like the threats can evolve but also their own enterprises need to evolve. Long gone are the days when the CISO just had to worry about the data center and some employees on laptops.
Now the CISO is charged with securing an enterprise that is in the public cloud, that is mobile, that has Internet of Things, and has industrial control systems. The new paradigm of enterprise sprawl has caused an evolution, so if you still think about it as ‘I hear about a threat and I better respond’ you’re never ever going to catch up.
At Unisys, we like to work on a mindset evolution from security to resilience. The goal is to stay up and operational, and to not be taken down; to continue operations; to manage attacks as incidents that are manageable and then move on.
Richard Henderson, a Global Security Strategist for Absolute: Most mature organizations have a relatively evolved patching strategy when it comes to devices. Sometimes when something breaks they do have to kick things into high gear and push those patches out sooner than they would like.
They obviously have to take into account the impact that patches are going to have on internally developed applications, business intelligence applications, the custom applications they run in their enterprise and that is often a trade-off. They have to decide "Can I wait a week while we deploy this patch into our test environments to make sure it is not going to throw a wrench into the gears of our critical internal applications? Or is something actively being exploited out there right now and we have to get these deployed to our end points?"
What are the best steps for preventing an impact within a company from these external threats?
Randy Battat, the founder and CEO of security company PreVeil: Encryption has been around for a long time but it hasn’t been all that easy to use. So, if you can use the best in encryption so that you don’t have to be perfect on responding to the threats you are really protecting at a totally different level.
At the same time make it super easy to use so your users will actually use it. Then it becomes less about reaction and a little bit about being proactive and making it so that even if a threat does slip in you are still protected.
Jack Miller, the Chief Security Officer from SlashNext: Personally, I went through an evolution on this. Originally it didn’t make sense to me: Why do I want my system to alert you and have you pick up the phone and call one of my people, and not send the alert directly to my people? Over the years I actually cancelled a few contracts with some Managed Security Service Providers (MSSPs) because what happens is you never hear from them.
By having some internal resources that allow you to have oversight over the MSSP, to be able to log in and look at what they’re looking at, you can quickly validate that they’re actually doing their job and what you’re paying them for.
You’re all technology and security industry veterans. What are the best steps you can take to react to a threat?
Matthew Gardiner, cybersecurity strategist at Mimecast: While you cannot necessarily specify every step when you have a threat, you don’t want to over-specify, because some threats are very trivial and you shouldn’t spend a lot of time worrying about them, and other threats end up being much less trivial and you should spend a lot of time dealing with them.
When these things happen, make sure that you actually do follow these steps and that you have an after action report. It is not going to go perfectly, but if you can tune your system after an event does happen, then the next time you’ll be even better prepared.
Patterson, talking about the practice of microsegmentation, wherein IT pros segment their network, users, and data so that there is a smaller overall attack surface: The whole concept of living within microsegments is that it changes the risk factor from what is the worst thing that could happen to a manageable incident, as opposed to a takedown of the company. That one change means you can budget better, you can provide more predictable results to your organization, and you can breathe a little bit easier when you see the next malware wave.
How do you sort through the overwhelming number of cybersecurity related products and services that are currently available? What do you look for in a product?
Henderson: You need to have the ability to rapidly query the status of all these end points and roll that into a dashboard of some sort or have that information funnel into another tool that you use to get an idea of the status of all of your devices as a whole and then be able to drill down to specific devices.
Battat: One, do users like it and will users use it? It is one thing to lock everything down but you know users are going to find a way to get done what they want to get done. Ease of use is fundamental.
Two, I think the basics of the security paradigm ought to make sense. It can’t be so complicated that I as an IT Manager can’t understand the basics. If I can understand the simple concept that the bad guys can’t steal what they can’t see because it is encrypted, I think that also has to make sense. If it gets too complicated, too convoluted and you can’t understand it, then maybe it is not all that great.
What do you see successful companies doing in assessing security risks? What would you copy if you had to?
Miller: There is an opportunity here for both MSSPs and for Value Added Resellers (VARs) and consulting companies to really establish themselves as a trusted partner and as an expert that can go out and evaluate these different types of things and then bring the information back to you, [because] you are never going to be able to have the amount of staff internally to be able to kick the tires on all these things.
Gardiner: [Successful companies] build in the reality that they are already breached in some way or will be soon and so they never rely on a single point of failure. They plan for disasters related to a cyber impact and they have alternative systems and ways of running their business when their primary system is not available.
Backing up is a normal part of their routine, and a threat is not an emergency anymore but just part of daily life. These companies make basic battles their routine operations and save their energy for the really bad ones that might happen.