Are our investments in ‘information security’ aligned with today’s reality? It seems that every day there is a new security incident making headlines. Dictionary.com has nominated the word ‘exposure’ as word of the year. The word exposure has been popularised by events such as Ebola but, more relevant to us in the world of ‘infosec’, by data breaches and other related security incidents.
So with all this popularisation and awareness being generated, why are businesses still struggling to prevent, or even detect, a security incident until well after the fact? For me the answer is a complete misalignment in how security is viewed. Certainly it is an admirable goal to avoid being breached or falling victim to a security incident; however, the reality is that this is an unrealistic goal, as we can see from the frequency, diversity and apparent ease of the breaches occurring.
Where do we start?
There are many areas that we could focus on within the discipline of ‘infosec’, but the area that I would like to focus on is incident response (IR). Often I’m asked ‘we haven’t had a security incident, so why do we need to invest more?’ In my opinion this is the wrong question. Why? Very few organisations are actually looking for indicators of compromise, or for evidence that an incident has even taken place, so of course many incidents are taking place without them knowing.
An analogy would be the iceberg, with most of the danger lurking below the water, invisible to all but the most prudent individual.
Few adversaries want to draw attention to themselves, unless it directly assists their cause. An example of this would be hacktivists rendering a very public website unavailable via a DDoS attack, as this will draw more publicity to their cause. So it is unrealistic to expect out-of-the-box consoles of the security products you’ve purchased to light up telling you that some foreign state or cyber-criminal has just stolen your customer database or most sensitive trade secrets.
Supporting this view is the huge uptick in focus on, and investment in, threat intelligence and incident response technologies and services by organisations that wish to have this level of insight. I would argue, though, that we need to push a little further and even change some of our language, so as to recalibrate our thinking and the way we view infosec in a rapidly evolving and hyper-connected world.
Incident discovery, not response
Discovery to me implies a level of proactiveness: continually ‘hunting’ for indicators that a security incident has taken place or is about to. Response, on the other hand, implies a passive nature, where organisations are waiting for an event that may or may not take place. The reality, though, is that events are taking place every day, and even if it’s not a 100Gbps DDoS attack, there are many events that, when connected together, certainly constitute an incident. Perhaps a minor incident, perhaps not; the point is that unless organisations are prepared to ‘hunt’ for these events, and understand where to look and what to look for, only the biggest of security incidents will be detected, and often only when it’s too late.
‘Wisdom and hindsight are great bedfellows’ is one of my favourite sayings, and if we look at some of the biggest data breaches in history and what is known publicly about them, it is clear that there were a number of indicators and tell-tale signs that something wasn’t right.
So where do we start?
Data points that hint at indicators of compromise (IOCs) are everywhere, and not ‘just’ in the log files of your firewall, antivirus management platform and so on.
I recommend that customers adopt a five-step plan, and those of you who are seasoned security professionals will notice that none of this is revolutionary; it is based on good risk management practices.
Step 1: Know how your business makes money, serves its customers and constituents, and delivers its services, and how your information systems support this.
Step 2: Where does the data reside, and who and what accesses this data? Are there multiple feeds that, when integrated, create a higher degree of sensitivity and importance of information?
Step 3: What does good look like? This is easier said than done; however, it is necessary to know what ‘normal’ looks like for your organisation. This gives you a baseline from which you can operate. This is where some impressive analytical tools, and dare I say it, even big data, play a significant part in all of this.
Step 4: Define the top 3-5 ‘use cases’ in which an adversary could seriously disrupt your business. An example could be obtaining trade secrets or customer records. So the use case would first establish where the data resides, who has access to it, what technology is being used, how an adversary could conceivably access and obtain this information (exfiltration), and where you would look to know that this has occurred.
Step 5: Establish a workflow, aided by the necessary tools, that will allow you to quickly cycle through the previously defined threat use cases so as to identify any anomalies (IOCs). Establishing these workflows and making them part of standard operating procedures (SOPs) will not only provide a deeper understanding of your business, its areas of importance, and how technology supports the business, but will also give you a baseline from which current and future security investments can be assessed.
</gre_replace>
<gr_insert after="19" cat="add_content" lang="python" orig="These five steps">
To make Steps 3 to 5 concrete, here is an added illustration (not the author's tooling and not any vendor product) of a baseline-and-hunt workflow in Python. Everything in it is constructed for the example: the data point is a web-proxy log with one line per request (date, user, destination host, bytes sent); the threat use case is a bulk copy of customer records to an external host; the internal domain suffix, user names, hosts and volumes are all invented. Step 3 builds a per-user baseline of daily outbound bytes over a quiet window, and Step 5 cycles through the use case for a later day, flagging egress volumes far above that baseline, accounts with no baseline at all, and external destinations never seen during the baseline.

```python
"""Baseline-and-hunt walkthrough for the five-step plan (added example, not
the article's own tooling). All names, hosts, dates and volumes are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_SUFFIX = ".internal.example"   # constructed; hosts here are not egress

# Constructed proxy log: five baseline days plus one hunt day (2014-11-10).
# Format per line: <date> <user> <destination host> <bytes sent>
SAMPLE_LOG = """\
2014-11-03 alice crm.internal.example 120000
2014-11-03 alice mail.example.net 4000
2014-11-03 bob mail.example.net 50000
2014-11-04 alice mail.example.net 5200
2014-11-04 bob mail.example.net 52000
2014-11-05 alice mail.example.net 4600
2014-11-05 bob mail.example.net 48000
2014-11-06 alice mail.example.net 5000
2014-11-06 bob mail.example.net 51000
2014-11-07 alice mail.example.net 4800
2014-11-07 bob mail.example.net 49000
2014-11-10 alice mail.example.net 4500
2014-11-10 alice share.cloud-drive.example 900000000
2014-11-10 bob mail.example.net 53000
2014-11-10 mallory share.cloud-drive.example 250000000
"""
BASELINE_DATES = {"2014-11-03", "2014-11-04", "2014-11-05", "2014-11-06", "2014-11-07"}
HUNT_DATE = "2014-11-10"


def parse_log(text):
    """Turn raw log lines into (date, user, host, bytes) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue                      # never let one bad line abort the hunt
        date, user, host, sent = parts
        records.append((date, user, host, int(sent)))
    return records


def is_external(host):
    return not host.endswith(INTERNAL_SUFFIX)


def daily_external_bytes(records):
    """(user, date) -> total bytes sent to external hosts that day."""
    totals = defaultdict(int)
    for date, user, host, sent in records:
        if is_external(host):
            totals[(user, date)] += sent
    return totals


def build_baseline(records, baseline_dates):
    """Step 3: what 'normal' egress looks like per user, plus the set of known external hosts."""
    per_user = defaultdict(list)
    for (user, date), sent in daily_external_bytes(records).items():
        if date in baseline_dates:
            per_user[user].append(sent)
    baseline = {}
    for user, values in per_user.items():
        # Floor the spread so a perfectly flat history cannot make every
        # later deviation look infinite (5% of the mean, or 1 byte at least).
        spread = max(pstdev(values), 0.05 * mean(values), 1.0)
        baseline[user] = (mean(values), spread)
    known_hosts = {h for d, _, h, _ in records if d in baseline_dates and is_external(h)}
    return baseline, known_hosts


def hunt(records, baseline, known_hosts, hunt_date, sigma=3.0):
    """Step 5: run the exfiltration use case over one day; returns (user, reason, detail)."""
    findings = set()
    for (user, date), sent in daily_external_bytes(records).items():
        if date != hunt_date:
            continue
        if user not in baseline:
            findings.add((user, "no baseline", f"{sent} bytes"))   # unknown account egressing
        else:
            avg, spread = baseline[user]
            if (sent - avg) / spread >= sigma:
                findings.add((user, "egress volume", f"{sent} bytes"))
    for date, user, host, sent in records:
        if date == hunt_date and is_external(host) and host not in known_hosts:
            findings.add((user, "new destination", host))
    return sorted(findings)


def run_hunt():
    records = parse_log(SAMPLE_LOG)
    baseline, known_hosts = build_baseline(records, BASELINE_DATES)
    return hunt(records, baseline, known_hosts, HUNT_DATE)


if __name__ == "__main__":
    for user, reason, detail in run_hunt():
        print(f"{HUNT_DATE} {user:8} {reason:16} {detail}")
```

In this constructed run, bob's slightly busier day stays within his baseline and produces nothing, while alice's sudden 900 MB upload, the never-before-seen sharing host, and an account with no history at all each surface as a finding. The point is less the arithmetic than the shape of the workflow: decide where to look (egress), what to look for (volume, new destinations, unknown accounts), and make running it a routine SOP rather than something done only after the breach is in the headlines.
<test>
records = parse_log(SAMPLE_LOG)
assert len(records) == 15
baseline, known_hosts = build_baseline(records, BASELINE_DATES)
assert baseline["alice"][0] == 4720
assert baseline["bob"] == (50000, 2500)
assert "mallory" not in baseline
assert known_hosts == {"mail.example.net"}
findings = hunt(records, baseline, known_hosts, HUNT_DATE)
assert [f[:2] for f in findings] == [
    ("alice", "egress volume"),
    ("alice", "new destination"),
    ("mallory", "new destination"),
    ("mallory", "no baseline"),
]
assert "bob" not in {f[0] for f in findings}
assert run_hunt() == findings
assert parse_log("garbage line\n2014-11-10 eve mail.example.net notanumber\n") == []
</test>
</gr_insert>
<gr_replace lines="21" cat="clarify" orig="The questions are often">
The questions I often ask executives, to help them get a sense of where their infosec programme stands, are:
These five steps serve as the foundation of proactive information security and embody many of the principles that good infosec practitioners have been advocating for years.
The litmus test
The questions are often asked of executives to help them get a sense where their infosec programme is at are:
1. Do you know what good looks like within your environment?
2. The bad guys are already stealing your information: how would you know, where would you look, and what would you look for?
3. How do you know that your security investments last year improved your security posture? You spent $2 million on security and you achieved what? The business is growing, new programmes are happening, you want more money, but can you demonstrate that your investments are helping the business achieve its security objectives (think back to the use cases previously defined)?
Simplify, focus, control
Rapid innovation, explosive growth, and a world that is changing faster and faster every day make a tough job even tougher for today’s infosec professional. It’s not easy, and that’s why they call it work; however, with a battle plan that allows you to strip away the unnecessary clutter, you are freer to focus on what is important to you and the business, and in turn gain a degree (perhaps only a sense) of control.