Scott Brandt, CIO & Director of IT, Texas Office of the Secretary of State
As threats to information resources evolve, so must the cyber security community’s defense tactics. Gone are the days of implementing technology solutions solely on the network perimeter to thwart attackers. Information security defenses must include technology to detect and respond to malicious activity throughout the technology environment. Security organizations must partner with business area leaders, provide a robust security awareness program, and maintain a talented information security staff to effectively protect an organization.
Recent security incidents and data breaches have increased the visibility of information security, not only within organizations but also with partners, customers and the general public. Recent high-profile data breaches have elevated information security to a board room discussion item. A survey of 200 corporate directors conducted jointly by NYSE Governance Services and Veracode earlier this year found that 80 percent of board members say that cyber security is discussed at most or all board meetings. Information security organizations should take advantage of this to partner with business area leaders within the organization to understand the information and processes important to business operations as well as the associated risks. By developing a relationship with business area leaders and working together to identify and mitigate security risks, the information security organization becomes a partner in delivering service to customers. Risk management considerations can be discussed and addressed throughout the lifecycle of business initiatives rather than as a final “gate” to get past during implementation.
While perimeter defenses remain important, defenders must assume that malicious actors may already have a presence inside their corporate network. Threats have evolved to include advanced actors such as cyber criminals and nation-state-sponsored espionage. Attackers are becoming more advanced and persistent. The continuing rise of phishing attacks, “drive-by” web attacks, “watering hole” attacks and the modification of malware code to defeat signature-based defenses requires defenders to focus more attention and resources on detecting and responding to threats inside their established defensive perimeter.
The 2015 Data Breach Investigations Report from Verizon estimates that 70 percent to 90 percent of malware samples are unique to a particular organization. This doesn’t mean the malware has unique functionality, but rather that the malware code has been adjusted to have a different hash value or signature to avoid detection. Bad actors have learned that it is frequently easier to trick users (employees of your organization or partner organizations) into executing malicious code than to attack computer systems and applications directly.
If attackers can make minor changes to their code to avoid antivirus and other signature-based technologies, tricking a user into executing malicious code may give attackers a foothold inside the network perimeter. Likewise, malicious actors may be able to trick an unsuspecting user into providing credentials to access an application or system. It is essential to have a security awareness program that educates workers. Employees must understand that in many cases they are the first line of defense.
To be effective, the information security organization should not only educate users regarding good security practices in the workplace, they should also work to provide additional value to the users and promote an “always aware” attitude. Security organizations should go the extra mile to provide useful information regarding how employees can stay safe at home and on their personal mobile devices. By adding value for users, the security organization fosters a positive relationship rather than being viewed as either an impediment blocking the employees from what they want to accomplish or as a “big brother” always watching over their shoulder waiting to correct or admonish them. Users should feel comfortable reporting suspicious items to the information security organization.
One of the key takeaways from the M-Trends 2015: A View from the Front Lines report by Mandiant is that: “Advanced threat actors continue to evolve their tools and tactics to reduce the forensic footprint of their actions and evade detection. Establishing a baseline of normal activity in an environment, and proactively hunting for deviations from this baseline, are essential to stay a step ahead of intruder’s efforts.” Mandiant also notes that the median amount of time that threat groups were present in a victim’s network before detection is 205 days.
The organization must have skilled information security staff who not only partner with business areas and users to mitigate risks, but who can also regularly and effectively monitor the technology environment, recognize anomalies and respond to threats. As attackers become more sophisticated, security organizations are challenged to keep pace. While a malicious actor can concentrate on developing the specific expertise needed to execute an attack, the defenders must possess the knowledge to combat many different attack vectors. Security staff must constantly be aware of new vulnerabilities and exploits. While the “bad guys” need but a few successful attacks, the defenders are expected to be successful 100 percent of the time.
Security staff should not only receive regular training, but also practice their skills. This may involve white-hat hacking of their own systems or the use of a cyber range. On a cyber range, security professionals can gain real-world experience attacking or defending systems dedicated to the exercise. Participants are free to fully engage in this isolated environment without fear of impacting the real world. It is an excellent opportunity to experiment with security techniques, to make mistakes and to gain valuable experience.
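The Mandiant advice quoted above, build a baseline of normal activity and then hunt for deviations from it, is concrete enough to show in code. The following is an added example, not code from the article or from Mandiant: it reads a constructed set of authentication log lines (the log format, the user and host names, and the thresholds are all assumptions made for this illustration), builds a per-user profile of hosts used, hours of day seen and daily failed-logon counts from a baseline window, and then reports logons in a review window that fall outside that profile.

```python
"""Baseline-and-hunt over constructed authentication log lines.

Added example, not code from the original article. The log format, user and
host names, and thresholds below are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline window: three days of "normal" logons.
# Assumed format: "<ISO timestamp> LOGON user=<name> src=<host> result=<ok|fail>"
BASELINE_LOG = """\
2015-09-01T08:05:12 LOGON user=alice src=ws-101 result=ok
2015-09-01T09:10:00 LOGON user=bob src=ws-202 result=ok
2015-09-01T02:00:03 LOGON user=svc-backup src=srv-db1 result=ok
2015-09-02T08:15:00 LOGON user=alice src=ws-101 result=fail
2015-09-02T08:15:20 LOGON user=alice src=ws-101 result=ok
2015-09-02T13:02:11 LOGON user=bob src=ws-202 result=ok
2015-09-02T02:00:01 LOGON user=svc-backup src=srv-db1 result=ok
2015-09-03T09:00:00 LOGON user=alice src=ws-101 result=ok
2015-09-03T17:45:00 LOGON user=alice src=ws-101 result=ok
2015-09-03T02:00:02 LOGON user=svc-backup src=srv-db1 result=ok
"""

# Constructed review window: the day being hunted.
REVIEW_LOG = """\
2015-09-04T08:02:00 LOGON user=alice src=ws-101 result=ok
2015-09-04T03:12:00 LOGON user=bob src=ws-202 result=ok
2015-09-04T09:20:00 LOGON user=bob src=ws-319 result=ok
2015-09-04T02:00:09 LOGON user=svc-backup src=ws-202 result=ok
2015-09-04T14:00:00 LOGON user=contractor7 src=ws-101 result=ok
2015-09-04T08:30:00 LOGON user=alice src=ws-101 result=fail
2015-09-04T08:30:02 LOGON user=alice src=ws-101 result=fail
2015-09-04T08:30:04 LOGON user=alice src=ws-101 result=fail
2015-09-04T08:30:06 LOGON user=alice src=ws-101 result=fail
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1] != "LOGON":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            fields = dict(p.split("=", 1) for p in parts[2:])
            events.append({"ts": ts, "user": fields["user"], "src": fields["src"],
                           "result": fields["result"], "raw": line})
        except (ValueError, KeyError):
            continue
    return events


def build_baseline(events):
    """Per-user profile: hosts used, hours of day seen, and failed logons per day."""
    days = {e["ts"].date() for e in events}
    profile = {}
    for e in events:
        p = profile.setdefault(e["user"], {"hosts": set(), "hours": set(),
                                            "fails": {d: 0 for d in days}})
        p["hosts"].add(e["src"])
        p["hours"].add(e["ts"].hour)
        if e["result"] == "fail":
            p["fails"][e["ts"].date()] += 1
    return profile


def hunt(baseline, events, z=3.0, min_fails=3):
    """Flag deviations from the baseline: unknown user, new host, off-hours logon,
    and a daily failure count above mean + z*stdev (never below min_fails)."""
    findings = []
    review_fails = defaultdict(lambda: defaultdict(int))
    for e in events:
        p = baseline.get(e["user"])
        if p is None:
            findings.append((e["user"], "unknown-user", e["raw"]))
            continue
        if e["src"] not in p["hosts"]:
            findings.append((e["user"], "new-host", e["raw"]))
        if e["ts"].hour not in p["hours"]:
            findings.append((e["user"], "off-hours", e["raw"]))
        if e["result"] == "fail":
            review_fails[e["user"]][e["ts"].date()] += 1
    for user, per_day in review_fails.items():
        hist = list(baseline[user]["fails"].values())
        threshold = max(mean(hist) + z * pstdev(hist), min_fails)
        for day, n in per_day.items():
            if n > threshold:
                findings.append((user, "failure-spike",
                                 f"{n} failed logons on {day} (threshold {threshold:.1f})"))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for user, kind, detail in hunt(base, parse_log(REVIEW_LOG)):
        print(f"[{kind:<13}] {user:<11} {detail}")
```

Run against the constructed data, the review window yields five findings: a workstation user logging on at 03:12, the same user from a host never seen before, a service account logging on from a workstation rather than its server, a user absent from the baseline entirely, and a burst of failed logons that exceeds the user's historical rate. Hunting the baseline window against itself produces nothing, which is the property to check whenever the profile or thresholds are changed: a baseline that flags its own normal activity will bury real deviations in noise.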
Organizations with more limited information security resources may consider using a managed security services provider to supplement internal resources. A managed provider can provide expertise in a broad range of areas by leveraging the demands of multiple customers to maintain a larger pool of expert resources. The managed service provider can also compile threat intelligence from a much broader pool of potential targets due to monitoring multiple clients. An organization employing a managed provider benefits from the knowledge and experience the provider obtains when working with their other customers.
As cyber threats evolve, cyber security professionals must focus not only on perimeter defenses and breach prevention, but also on internal monitoring and incident response to address the increased threat from inside the private network. The information security organization must build relationships with the organization’s business leaders and users to work effectively to address security risks that pose a threat to the data and business operations of the organization.