Cisco Live: Attackers have gotten professional about security – so why aren’t more businesses doing the same?

CSOs that take a reactive approach to security are setting themselves up to fail in the face of attacks from an increasingly agile and professional cybercrime industry, warned speakers at a packed Security Innovation Day that helped to kick off the Cisco Live! 2017 conference in Melbourne.

Although nation-state attacks and ‘script kiddies’ were still happening online, Cisco Systems vice president and CSO Steve Martino warned a standing room-only crowd that the biggest threat facing today’s businesses was the increasing professionalism of profit-minded hacking businesses that were pulling out all the stops to keep the money flowing.

“These guys are making millions of dollars pretty much taking people’s data away,” said Earl Carter, a threat researcher within Cisco’s Talos threat-intelligence unit, said. Figures from the company’s recently released 2017 Annual Cybersecurity Report indicated that spam volumes had surged in 2016, to account for 65 percent of all email.

Whereas Talos was historically seeing 7 percent to 8 percent of spam emails carrying malicious attachments, that percentage had surged to nearly 75 percent last year as hackers increasingly experimented with new ransomware strains, malicious emails, new file types and various ransom amounts to see which tactics produced the biggest return.

“In the past,” Carter said, “criminals knew that if they stole credit cards, they didn’t know how long it was going to last. But now everyone has data now. And whether it’s a home system with your family pictures on it, or a work system with work files and documents on it, now the user sets the price on the data.”

By keeping a finger on the pulse of malware distribution, the Talos team works to feed current threat alerts across Cisco’s product range. Through broad sharing of new threat information, Carter said, teams at Cisco and other companies had precipitated a game of cat and mouse that had seen more than a few malicious attackers give up because it was becoming too hard.

“These guys are totally in it for the money,” Carter said, highlighting the recent decision by the authors of TeslaCrypt ransomware to shut it down and release its master keys after security researchers outpaced them.

“They don’t really care about being precise,” he continued. “They care about volume. They seem to have big development teams and they are constantly finding ways to get around protections on the network. And we are trying to constantly finding ways to identify that and get that out into our security products.”

The push to build increasingly responsive security defences was a key theme through the Security Innovation Day, part of Cisco’s push to strengthen its security credentials for thousands of people gathered in Melbourne for the tech giant’s annual update on its enterprise solutions. A range of Cisco technical experts highlighted recent advances such as Cisco Umbrella, while Alastair MacGibbon, special adviser to the prime minister on cyber security, joined several government security experts to discuss the impact of policy changes within the Australian context.

CSOs are increasingly helping executives understand the implications of these and other changes. If attackers are increasingly focused on making money, after all, their victims are increasingly focused on keeping it – and that, said several users in a panel session, remained a key driver as CSOs continued to try new ways of engaging with once-disinterested CEOs and boards.

Executives’ growing understanding of the risks from cybersecurity attacks had driven them to lean more and more on their security heads. This had positioned CSOs as “trusted advisors”, said one panel participant, whose security team had recognised early on that it needed to make security everyone’s business.

“We’re not a large team, and it’s a large corporate organisation, so we tend to embed wherever we can,” she explained, noting the creation of a ‘security council’ uniting staff across various business areas.

“We have people throughout the organisation as well as events where people can learn, then go out and promote security. That has been very important for us as a security-focused organisation.”

Executive buy-in was only one hurdle to the growing focus on security. Recent efforts to reinvent security operations at Deakin University had grown out of the realisation that security had been regularly handballed by other parts of the organisation.

This had, executive director for ICT Infrastructure Services Craig Warren said, made it hard to drive a coherent security policy and drove the team to rationalise both its heterogeneous security infrastructure and the responsibility lines across the organisation.

“There is a theme in the industry that security is everyone’s problem,” he said, “but when you create a security team everyone turns around to that team and says ‘security is your problem’. So we had to almost defocus the work of the security team and make sure that we really engaged with other teams. We had to go through the whole engineering of a new structure to make sure we got it right.”

Such structural changes were highlighting the real extent of the challenges that CSOs face in building a security culture. Yet recent increased scrutiny on the potentially catastrophic consequences of a data breach – such as the $US350m ($A456m) devaluation of Yahoo by new acquirer Verizon after Yahoo’s massive data breaches – had opened up new opportunities for CSOs to be heard, noted Jennifer Walbank, director of information technology with The College of Law.

“The saddest thing in Australia is that there is very little IT representation on governance boards,” Walbank said. “There is finance, and HR, but not IT.”

That had changed recently, however: these days, company directors’ “entire focus is security and liability of the board, and personal liability of the board,” she continued. “There still is a bit of a struggle in the companies when you do put the systems in. But you’ve never had a better time to put a paper in front of the board. You have to be honest and have their support.”

Warren had seen a similar change in attitudes after board members’ growing awareness of their obligations made them more receptive to security conversations. Clear guidance about current security risks – such as a four-stage risk level indicator – made it easier to tie investments to outcomes – and this, Warren said, had set the stage for a far stronger security practice across the university.

“We accompanied that with a program in one hand, and with the cash bucket in the other,” he said. “This let us say ‘if you spend this much, this is what we’ll get rid of in terms of risk’. That was highly successful – so much so that I now get invited back for frequent visits on how we’re going.”