• Clinton Smith

With the increased demand on remote working and connectivity due to the coronavirus, the role of an internal security operations team is becoming increasingly challenging. Teleworking and the volume of data, number of systems, complexity of networks and sophistication and capability of the adversary have increased faster than our capacity to respond.

With many organisations being forced to bench any contract staff, security operations teams are often overloaded, under resourced, and jumping from crisis to crisis. Articles and presentations have started to capture this concerning trend.

Each day can seem like walking through the egg room scene in Alien. Any moment, the next face-hugging threat can burst forth and attack.

The tricky challenge is to balance the need to apply business context to security events and controls whilst leveraging external capacity and skills, introducing automation for efficiency and reducing monotony for internal teams through outsourcing repetitive or generic activities.

Here are some suggestions to consider when filtering and prioritising security issues as they arise:

  • What is the potential real business risk or consequence? and who (and how many) will be impacted. This requires an understanding of not just the number of Customers in a given system but also the type of service and business conducted (e.g. Private banking)

  • How long has the security issue / vulnerability / event / threat been present, and has the impact grown, stayed the same or decreased? A new, fast growing threat may need to be addressed more quickly due to the lack of established controls and potential for evolution.

  • What is the point of decision / action and when must it be made? (and by whom) This is especially important to know. Some decisions can and should be made long in advance of an incident. Asking each system / service / information owner to agree on the conditions for 1) Declaring a security incident (e.g. compromise of a single account vs website defacement), and 2) Conditions requiring immediate quarantine or shutdown.

  • Are we equipped (Capacity, Skills, Tools, Services, Organisational Mandate) to address the issue? No orchestral conductor would perform without a good understanding of the music he is making, the capability of his musicians and the instruments they have, so too is the need for security teams to have a plan, access to (and competence with) the right tools and external services.

  • Are there larger controls that we can or should leverage (e.g. DR, BCP, etc)? Sometimes response is much larger than just the security component and will require organisational coordination (e.g. HR, Legal, PR, Contact Centres etc).

  • If we have high volume and low impacts for a particular event (e.g. Phishing) - can we create playbooks or leverage automation (Response and Recovery)?

  • If we have low volume and high impacts for a particular event (e.g. DDoS) - can we leverage defensive (Preventative) controls?

  • Have we considered long running or concurrent incidents? e.g. having shifts or delegated working groups?

As an important side note, the issue of mental health and PTSD is serious and affects many people. If you or someone you know needs support take a look at Beyond Blue.

If you would like to talk to us about services to reduce your stress and effort in managing cybersecurity - get in touch.

Author: Clinton Smith

  • Clinton Smith

According to feedback from many of my industry peers and clients, the business community has been steadily moving away from a focus of acquiring new security products, towards security services.

This is perhaps not surprising given the looming global shortage of cyber security expertise, but brings with it some important questions. In this article, I look at the problem and propose some potential answers.

Some security capabilities seem out of reach

1) Does this mean that businesses should focus on educated security service procurement?

Yes. I find it heartbreaking to talk to clients that have been sold 'comprehensive' solutions by less than scrupulous vendors and service providers. Clients often know that they need to do something, but are not 100% sure of what that is. They then engage a specialist who (rather than taking the time to understand their business) sells them their highest margin product or service.

Here are a few tips and suggestions for the non-security business when having such discussions:

  • Do you have some reference clients and can we talk to them about your service?

  • How does your product / service help us i) reduce the likelihood or ii) impact of a security issue?

  • Is your product / service certified, comply with any standard or will it help us to demonstrate compliance? (e.g. PCI DSS, CPS 234, Privacy Act)

  • What specific security issue (Threat, Vulnerability, etc) does this product or service address and how do we know that it is the most important to invest in?

  • You have told us that your product/service will reduce our risk. What specific measures or reporting will you put in place to demonstrate this ongoing?

The consultant advises her client on security measures

2) What are we doing to help businesses make informed investment and procurement decisions?

The short answer is "Not Enough". So what could we do? Standardise cybersecurity products and services, simplify language (ideally bringing it back to a discussion about business risk) and invest in education and training.

Other alternatives (just as in other industries such as Building, Engineering and Manufacturing) organisations can use specialists as advocates, arbitrators and advisors.

Here are a few tips to help make informed decisions on procuring security services:

  • Get references - and check them.

  • Check for qualifications and certifications such as CREST and ISO 27001.

  • Ask for samples of reports or deliverables.

  • Ask for demo's and walkthroughs.

  • Consult with industry analysts Gartner or Forrester.

  • Phone a friend - talk to industry colleagues about their experiences.

The CISO surveys just the surface of their issues

3) Even though security hardware and software continue to evolve, why is the problem space still so large and seemingly insurmountable?

Every business (budget, culture, imperative, obligations, capability, location, information, technology) is unique, not every threat and vulnerability are relevant, nor a one-size fits all for security controls.

The security gap is based on where a business is at (initial state) where it wants to be (target state) and its appetite and capacity for change (and ability to sustain the change).

There are many options for Technology based controls for security but few that take into consideration the People and Process (or service). In addition, the evolution of defensive security measures still lags behind offensive ones.

In the same way that knowing that a system is missing patches and may be vulnerable to certain attacks, simply patching may not be as straightforward. As platforms and applications form only part of the full ecosystem and the role of the defender in cybersecurity must also consider the potential (negative) impacts of applying any security controls.

Cybersecurity, often like driving at night on a dark road

4) Why do security vendors still use scare tactics to promote their wares?

The short answer is that fear (and the organisational requirement to reduce/avoid risk) still motivates many organisation to invest in security. The problem with this is that the threat landscape is a moving target and often based on what is happening locally and globally.

The more difficult answer is that security vendors and service providers struggle to properly articulate the positive value (what will the security control actually enable). To provide this requires a lot more business context and requires a deeper understanding of the objectives, the environment, constraints and dependencies.

Here are a few tips to put security products and services in context:

  • Rather than focus on risk mitigation alone, consider what additional benefits may be able to be achieved. e.g. While SSL Encryption helps to avoid compromise of the communications between a web browser and a web server, it also helps to show a customer that they are talking to the website that they expect to be (i.e. helps to build online trust).

  • Work out where the control fits in the scheme of things. Preparation, Prevention, Detection, Response or Recovery. Usually security controls can help to address the Likelihood or Consequence of Loss or Harm from a given threat.

  • Determine how you (or the provider on your behalf) will demonstrate (and track) the value and performance of the security control ongoing. If not properly maintained, it is common for the value of a security control to degrade over time.

  • Weigh the cost of the service against the potential value, loss or downsides. If the cost is higher than the expected annual (or likely) loss or impact (or if there are better, cheaper controls) some services may not be so cost effective or justifiable.

You must be "this" tall to operate the firewall

5) What is the minimum / baseline knowledge required to safely interact with technology?

This is a tricky question as it depends on a number of factors but one thing is clear that basic security awareness is a key requirement for a modern business. Minimum security knowledge should ideally include:

  • Keeping systems up to date and patched

  • Basic antivirus and security software

  • Safe web browsing and email habits and be wary of downloads and attachments

  • Limit sharing of personal information and consider using temporary email services (to help avoid spam and other scams)

  • Limit the use of untrusted WiFi networks (and consider using a VPN)

  • Maintain awareness of online threats and scams

Here are additional some tips and thoughts from Kaspersky

AI delivers the first CISO on a chip

6) What are some of the big problems security professionals are trying to solve?

Here are a few of the big problems (not exhaustive)

  • Application Security and security within the software development lifecycle.

  • Patching of IoT devices (especially those that are a] numerous, b] geographically dispersed, c] lacking vendor support)

  • Supply chain security

  • The shortage of cybersecurity expertise

  • Workforce resilience and education

It is clear from the list above that AI and automation will be central to security long into the future, however the next question is where / when will the collaboration between security and AI become more commonplace and less product centric?

In summary, security is not really something you can buy off a shelf. As a risk management discipline it is an ecosystem that involves People, Process and Technology.

If you would like to talk to us about improving your overall resilience to cyber attack (and not just products and technology) - get in touch.

Author: Clinton Smith

  • Clinton Smith

Whilst a lot of security investment is often focused on Prevention, how do we take the fight to our opponent, the attacker? Short of Hacking Back, we can do a lot of proactive things that make a big impact on security.

The threat hunter prepares for another day

In this article I will touch on some of the activities you can take to be prepared and proactive. These include:

  1. Red Teaming and Purple Teaming

  2. Customisation and contextualisation of security - threat mapping

  3. Secure application development and vulnerability management

  4. Active threat hunting

Let's expand on one of the items above, threat hunting.

What is threat hunting?

Threat Hunting is a form of active defence that seeks to minimise the amount of time that an attacker can spend in your environment before being found. In contrast to traditional preventative controls such as firewalls and antivirus products, Threat Hunting is the process of actively searching for and detecting threats which currently exist within the network and may be actively evading existing security capabilities and solutions.

Who can / should hunt?

Anyone can hunt. Whether hunting submarines, wild animals or truffles, success is usually based on a number of considerations:

  1. Knowing the terrain (i.e. the business and technology environment)

  2. Understanding the target / threat (who / what is the adversary)

  3. Looking for spoor and other signs (e.g. indicators of compromise )

  4. Knowing what to do when you find your adversary (e.g. security incident response & digital forensics)

  5. Understanding when the process is complete and environment is rendered safe once again (who can declare network, data or system integrity)

The question of whether you Should hunt will usually come down to availability of appropriately skilled resources.

Cybersecurity recruitment may soon turn to alternative skills

What threats should be hunted?

In order to understand what threats should be hunted, the threat hunters must understand credible threats and threat actors, critical business objectives and assets and the existing security and other controls in place.

The valiant threat hunter succumbs to an advanced persistent threat

Even if the organisation is not an obvious target, it may be a critical part of a supply chain for others. So in considering threats TO the organisation, consideration should also be given to threats FROM the organisation.

It should be noted that threats can, and do evolve. One basic malware infection can become a network compromise, a ransom attack and ultimately a data breach.

As compromises often remain undetected for many months, consideration should also be given to the frequency of hunting activities.

How does threat hunting work?

One of my past articles outlines some of the processes involved. A high level overview of the process is below.

Threat Hunting Process

Do I need a dedicated threat hunting capability?

The question as to whether a dedicated threat hunting capability should be in place usually comes down to capability, capacity and cost.

The threat hunters prepare for a nation state threat actor

Maintaining the skills and tools to perform threat hunting effectively without impacting security operations typically requires a very large security team. With overwhelmingly strong industry competition, attracting and retaining security talent has become increasingly challenging.

Having a wide variety of options to choose from, security practitioners are being constantly tempted to take on more lucrative and sexier roles.

This represents both a risk and an opportunity. For organisations with mature security capability, backfill and training of less experienced talent, and up-skilling internal key resources can provide a more interesting and dynamic role for the experienced security expert.

This does however come at a cost and many organisations still either:

  1. do not understand (or see the immediate value) in threat hunting

  2. do not understand (or cannot adequately quantify) the risks that threat hunting helps to mitigate

  3. have other, more immediate operational security imperatives and are still operating in a reactive mode

  4. leverage external services to obtain threat hunting on a periodic basis

If you would like to discuss how we can assist you to hunt threats within your environment get in touch.

Author: Clinton Smith

Sales:          sales@esecure.com.au
Careers:      jobs@esecure.com.au

LinkedIn Logo
Facebook Logo
Twitter Logo
GlobalMark Seal
CREST Australia and New Zealand Logo

e-Secure Pty. Ltd.

ABN 48 086 248 419

Copyright 2020 e-Secure Pty. Ltd. All rights reserved