Clinton Smith

According to feedback from many of my industry peers and clients, the business community has been steadily moving away from a focus on acquiring new security products and towards buying security services.

This is perhaps not surprising given the looming global shortage of cyber security expertise, but it brings with it some important questions. In this article, I look at the problem and propose some potential answers.

Some security capabilities seem out of reach

1) Does this mean that businesses should focus on educated security service procurement?

Yes. I find it heartbreaking to talk to clients that have been sold 'comprehensive' solutions by less than scrupulous vendors and service providers. Clients often know that they need to do something, but are not 100% sure what that is. They then engage a specialist who, rather than taking the time to understand their business, sells them their highest-margin product or service.

Here are a few tips and suggestions for the non-security business when having such discussions:

  • Do you have some reference clients and can we talk to them about your service?

  • How does your product / service help us to reduce i) the likelihood or ii) the impact of a security issue?

  • Is your product / service certified against or compliant with any standard, or will it help us to demonstrate compliance (e.g. PCI DSS, CPS 234, the Privacy Act)?

  • What specific security issue (threat, vulnerability, etc.) does this product or service address, and how do we know that it is the most important one for us to invest in?

  • You have told us that your product / service will reduce our risk. What specific measures or reporting will you put in place to demonstrate this on an ongoing basis?

The consultant advises her client on security measures

2) What are we doing to help businesses make informed investment and procurement decisions?

The short answer is "Not Enough". So what could we do? Standardise cybersecurity products and services, simplify language (ideally bringing it back to a discussion about business risk) and invest in education and training.

Alternatively, just as in other industries such as building, engineering and manufacturing, organisations can engage independent specialists to act as advocates, arbitrators and advisors during procurement.

Here are a few tips to help make informed decisions on procuring security services:

  • Get references - and check them.

  • Check for qualifications and certifications such as CREST (for penetration testing and incident response providers) and ISO 27001. Note that an ISO 27001 certificate attests to the provider's own information security management system, not to the quality of the specific service they will deliver to you.

  • Ask for samples of reports or deliverables.

  • Ask for demos and walkthroughs.

  • Consult industry analysts such as Gartner or Forrester.

  • Phone a friend - talk to industry colleagues about their experiences.

The CISO surveys just the surface of their issues

3) Even though security hardware and software continue to evolve, why is the problem space still so large and seemingly insurmountable?

Every business is unique (in its budget, culture, imperatives, obligations, capability, location, information and technology); not every threat or vulnerability is relevant to it, and there is no one-size-fits-all set of security controls.

The security gap is defined by where a business is now (initial state), where it wants to be (target state), and its appetite and capacity for change (including its ability to sustain that change).

There are many options for technology-based controls, but few that take the People and Process (or service) elements into consideration. In addition, the evolution of defensive security measures still lags behind that of offensive ones.

Knowing that a system is missing patches and may be vulnerable to certain attacks is one thing; actually applying the patches may not be straightforward. Platforms and applications form only part of the full ecosystem, and the defender must also consider the potential (negative) impacts of applying any security control, for example a patch or hardening change that breaks a dependent business application.

Cybersecurity, often like driving at night on a dark road

4) Why do security vendors still use scare tactics to promote their wares?

The short answer is that fear (and the organisational requirement to reduce or avoid risk) still motivates many organisations to invest in security. The problem with this is that the threat landscape is a moving target, and fear tends to be driven by whatever is in the news locally or globally at the time rather than by the organisation's own exposure.

The more difficult answer is that security vendors and service providers struggle to properly articulate the positive value of a control (what it will actually enable). Providing this requires a lot more business context and a deeper understanding of the objectives, the environment, constraints and dependencies.

Here are a few tips to put security products and services in context:

  • Rather than focusing on risk mitigation alone, consider what additional benefits may be achieved. e.g. TLS (formerly SSL) encryption helps to avoid compromise of the communications between a web browser and a web server, and the server certificate that comes with it lets the browser verify that the customer is talking to the website they expect (i.e. it helps to build online trust).

  • Work out where the control fits in the scheme of things. Preparation, Prevention, Detection, Response or Recovery. Usually security controls can help to address the Likelihood or Consequence of Loss or Harm from a given threat.

  • Determine how you (or the provider on your behalf) will demonstrate (and track) the value and performance of the security control on an ongoing basis. If not properly maintained, the value of a security control commonly degrades over time: detection rules and signatures go stale, exceptions accumulate, and the environment the control was designed for changes around it.

  • Weigh the cost of the service against the potential value, loss or downsides. If the cost is higher than the expected annual (or likely) loss or impact (or if there are better, cheaper controls) some services may not be so cost effective or justifiable.

You must be "this" tall to operate the firewall

5) What is the minimum / baseline knowledge required to safely interact with technology?

This is a tricky question as it depends on a number of factors, but one thing is clear: basic security awareness is a key requirement for a modern business. Minimum security knowledge should ideally include:

  • Keeping systems up to date and patched

  • Running basic antivirus / endpoint security software

  • Safe web browsing and email habits, including being wary of downloads and attachments

  • Using strong, unique passwords (and multi-factor authentication where it is available)

  • Limiting the sharing of personal information, and considering temporary email addresses for one-off sign-ups (to help avoid spam and other scams)

  • Limiting the use of untrusted WiFi networks (and considering a VPN when they must be used)

  • Maintaining awareness of current online threats and scams

Here are some additional tips and thoughts from Kaspersky.

AI delivers the first CISO on a chip

6) What are some of the big problems security professionals are trying to solve?

Here are a few of the big problems (not exhaustive)

  • Application Security and security within the software development lifecycle.

  • Patching of IoT devices (especially those that are a) numerous, b) geographically dispersed, or c) lacking vendor support)

  • Supply chain security

  • The shortage of cybersecurity expertise

  • Workforce resilience and education

Given the scale of these problems and the shortage of people available to work on them, AI and automation will be central to security long into the future. The next question is where and when the collaboration between security practitioners and AI will become more commonplace and less product-centric.

In summary, security is not really something you can buy off the shelf. As a risk management discipline it is an ecosystem that involves People, Process and Technology.

If you would like to talk to us about improving your overall resilience to cyber attack (and not just products and technology) - get in touch.

Author: Clinton Smith


Whilst a lot of security investment is focused on prevention, how do we take the fight to our opponent, the attacker? Short of hacking back, there are many proactive things we can do that have a big impact on security.

The threat hunter prepares for another day

In this article I will touch on some of the activities you can take to be prepared and proactive. These include:

  1. Red Teaming and Purple Teaming

  2. Customisation and contextualisation of security - threat mapping

  3. Secure application development and vulnerability management

  4. Active threat hunting

Let's expand on one of the items above, threat hunting.

What is threat hunting?

Threat Hunting is a form of active defence that seeks to minimise the amount of time an attacker can spend in your environment before being found. In contrast to traditional preventative controls such as firewalls and antivirus products, Threat Hunting is the process of actively searching for, and detecting, threats that currently exist within the network and may be evading existing security capabilities and solutions. It typically starts from a hypothesis about how an attacker would operate in your environment, rather than waiting for an alert.

Who can / should hunt?

Anyone can hunt. Whether hunting submarines, wild animals or truffles, success is usually based on a number of considerations:

  1. Knowing the terrain (i.e. the business and technology environment)

  2. Understanding the target / threat (who / what is the adversary)

  3. Looking for spoor and other signs (e.g. indicators of compromise, and the attacker behaviours that produce them)

  4. Knowing what to do when you find your adversary (e.g. security incident response & digital forensics)

  5. Understanding when the process is complete and environment is rendered safe once again (who can declare network, data or system integrity)

The question of whether you should hunt will usually come down to the availability of appropriately skilled resources.

Cybersecurity recruitment may soon turn to alternative skills

What threats should be hunted?

In order to understand what threats should be hunted, the threat hunters must understand credible threats and threat actors, critical business objectives and assets and the existing security and other controls in place.

The valiant threat hunter succumbs to an advanced persistent threat

Even if the organisation is not an obvious target, it may be a critical part of a supply chain for others. So in considering threats TO the organisation, consideration should also be given to threats FROM the organisation.

It should be noted that threats can, and do evolve. One basic malware infection can become a network compromise, a ransom attack and ultimately a data breach.

As compromises often remain undetected for many months (the attacker's "dwell time"), consideration should also be given to the frequency of hunting activities.

How does threat hunting work?

One of my past articles outlines some of the processes involved. A high level overview of the process is below.

Threat Hunting Process
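As an added illustration of the hunting process (not from the original article, and not e-Secure's own tooling), the following Python script walks through the steps above on constructed data: it learns the terrain by building a baseline of which parent/child process pairs are normal across a small fleet, then hunts a later window for two things, pairs that never appeared in the baseline (or appeared on too few hosts), and a hypothesis-driven pattern of an Office application spawning a command interpreter with an encoded command line. Every log line is made up for this example, the process names and the "known bad" pattern are assumptions, and the recommended actions are placeholders for your own incident response playbook.

```python
"""Toy threat hunt: baseline normal process lineage, then hunt for outliers
and for a hypothesised attacker behaviour. All events are constructed."""
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style), one per line:
# timestamp|host|parent_image|image|command_line
BASELINE_LOG = """\
2019-05-01T08:02:11|ws01|explorer.exe|outlook.exe|outlook.exe
2019-05-01T08:05:40|ws01|explorer.exe|winword.exe|winword.exe /n
2019-05-01T09:12:03|ws02|explorer.exe|outlook.exe|outlook.exe
2019-05-01T09:15:22|ws02|explorer.exe|chrome.exe|chrome.exe
2019-05-01T10:30:00|ws03|explorer.exe|winword.exe|winword.exe /n
2019-05-01T11:00:00|ws03|services.exe|svchost.exe|svchost.exe -k netsvcs
2019-05-02T08:01:00|ws01|services.exe|svchost.exe|svchost.exe -k netsvcs
2019-05-02T08:03:00|ws02|explorer.exe|winword.exe|winword.exe /n
2019-05-02T14:20:00|ws04|explorer.exe|cmd.exe|cmd.exe /c ipconfig
"""

HUNT_LOG = """\
2019-05-10T09:01:00|ws01|explorer.exe|outlook.exe|outlook.exe
2019-05-10T09:03:12|ws01|outlook.exe|winword.exe|winword.exe /n invoice.doc
2019-05-10T09:03:40|ws01|winword.exe|powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgA
2019-05-10T09:30:00|ws02|explorer.exe|chrome.exe|chrome.exe
2019-05-10T10:00:00|ws05|services.exe|svchost.exe|svchost.exe -k netsvcs
2019-05-10T10:05:00|ws02|explorer.exe|cmd.exe|cmd.exe /c ipconfig
"""

# Hypothesis (assumed for the example): Office apps should not spawn shells.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -en, -enc ...); -ep and -exec are other switches and must not match.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\b")


def parse_events(text):
    """Parse the pipe-delimited constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmd = line.split("|", 4)
        events.append({"ts": ts, "host": host, "parent": parent.lower(),
                       "image": image.lower(), "cmd": cmd})
    return events


def build_baseline(events):
    """Know the terrain: map each (parent, child) pair to the hosts it ran on."""
    pairs = defaultdict(set)
    for e in events:
        pairs[(e["parent"], e["image"])].add(e["host"])
    return pairs


def triage_action(reasons):
    """Know what to do when you find something (placeholder playbook steps)."""
    if len(reasons) >= 2:
        return "isolate host, capture volatile and disk evidence, open an incident"
    return "triage with the system owner and confirm the business context"


def hunt(baseline, events, min_hosts=1):
    """Look for spoor: flag lineage absent from (or rare in) the baseline and
    any event matching the Office-spawns-shell hypothesis."""
    findings = []
    for e in events:
        reasons = []
        seen_on = baseline.get((e["parent"], e["image"]), set())
        if len(seen_on) < min_hosts:
            reasons.append("parent/child pair seen on %d baseline host(s), threshold %d"
                           % (len(seen_on), min_hosts))
        if e["parent"] in OFFICE_APPS and e["image"] in SHELLS:
            reasons.append("office application spawned a command interpreter")
        if e["image"] == "powershell.exe" and ENCODED_FLAG.search(e["cmd"]):
            reasons.append("powershell launched with an encoded command")
        if reasons:
            findings.append(dict(e, reasons=reasons, action=triage_action(reasons)))
    return findings


def run_hunt(min_hosts=1):
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return hunt(baseline, parse_events(HUNT_LOG), min_hosts=min_hosts)


if __name__ == "__main__":
    for f in run_hunt():
        print("%s %s %s -> %s" % (f["ts"], f["host"], f["parent"], f["image"]))
        for r in f["reasons"]:
            print("    reason: " + r)
        print("    action: " + f["action"])
```

With the default threshold the hunt returns two leads on ws01: Outlook launching Word (new lineage, plausibly just a user opening an attachment, so it goes to the owner for context) and Word launching an encoded PowerShell command, which matches the hypothesis on three counts and is escalated. Raising `min_hosts` to 2 also surfaces lineage that only one baseline host ever exhibited (Chrome and cmd.exe here), which is the long-tail "stacking" a hunter uses when the baseline itself may already contain an intruder.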

Do I need a dedicated threat hunting capability?

The question as to whether a dedicated threat hunting capability should be in place usually comes down to capability, capacity and cost.

The threat hunters prepare for a nation state threat actor

Maintaining the skills and tools to perform threat hunting effectively, without drawing resources away from day-to-day security operations, typically requires a larger security team than most organisations have. With overwhelmingly strong industry competition, attracting and retaining security talent has become increasingly challenging.

With a wide variety of options to choose from, security practitioners are constantly tempted to take on more lucrative and more glamorous roles.

This represents both a risk and an opportunity. For organisations with mature security capability, backfilling with less experienced talent and up-skilling key internal staff can free the experienced security expert for a more interesting and dynamic role, such as hunting.

This does however come at a cost, and many organisations still either:

  1. do not understand (or see the immediate value in) threat hunting

  2. do not understand (or cannot adequately quantify) the risks that threat hunting helps to mitigate

  3. have other, more immediate operational security imperatives and are still operating in a reactive mode, or

  4. rely on external services to obtain threat hunting on a periodic basis rather than building the capability in-house

If you would like to discuss how we can assist you to hunt threats within your environment get in touch.

Author: Clinton Smith


Accidents happen, but accidents in managing security can have serious and unexpected consequences.

This article discusses what should be basic measures for most organisations, yet still some lag way behind (aka the slow moving gazelles - a much loved staple of the carnivores).

The security manager taking a casual dip

During a discussion some time ago about SCUBA diving, I enquired:

why do divers carry knives? - Is it to defend against an attack by something scary?

The somewhat unsettling (joke) answer was:

no, it is to cut or disable other divers

(implying that this would result in someone else being attacked by something scary)

This illustrates common principles (and beliefs) of:

  1. Safety in numbers (perhaps I can use my fellow divers as human shields)

  2. Survival of the fittest (perhaps I can swim faster than my fellow divers)

  3. Being prepared to acknowledge and address the risks of the environment (perhaps I want to go diving in a swimming pool instead)

(The real [and far more politically correct] answer was to cut free from entanglements such as ropes / weed etc)

So what happens when all positions on the food chain are at risk, and the predators are automated (mass scanning tools and worms, or, if you prefer, the Terminator)?

A few things are likely to occur:

  1. If an attacker is motivated and capable of exploiting a weakness that you have, and they have opportunity to do so, chances are they will.

  2. If you are uninformed, unaware or rely on belief, but make no attempt to ensure your assets are protected - chances are you will become a target.

  3. If you have a large, complex and vulnerable attack surface (e.g. your network, your data, your people, your supply chain, your systems) and are less vigilant than an attacker - chances are you will be attacked.

In much the same way as an injured tuna swimming among a school of sharks is likely to become lunch, vulnerable systems exposed to the public Internet are routinely found by automated scanning and attacked.

The critical factors involved (as above) are that there is a threat, a vulnerability, and a foreseeable (and probable) consequence.

The view from the well prepared security operation centre

So what can we do to avoid security mishaps (credit to Sun Tzu)?

  • Know yourself - establish security situational awareness, and be aware of your assets

  • Know the enemy - understand the realistic threats and attacks you may be exposed to

  • In time of peace, prepare for war (response) - don't rely on prevention alone

In addition, (to those of us without large armies and the backing of a nation state)

  • Prioritise - address the most important concerns on the basis of risk

  • Baseline - understand what normal looks like, so abnormal can be detected

Expanding on these concepts, effective management of security is typically based on some simple principles:

  1. Understand your critical business processes (and objectives)

  2. Understand the systems and information that supports these critical business processes

  3. Understand relevant threats and risks to these systems and information

  4. Understand your internal and external obligations (e.g. compliance)

  5. Empower business stakeholders to make informed risk decisions around security

  6. Adopt security strategies based on the cyber kill chain and your risk appetite

  7. Maintain a flexible and adaptive security incident response plan that has playbooks for key / common incidents.

In order to implement security controls where they are needed most, you need to know what asset(s) you are protecting, the threats and risks you consider credible, where these assets are, and what other controls you have in place.

Not all risk assessments are boring.

In the physical world, these are reasonably simple things. As an example, one of your family may ride (the process) a bicycle (the asset) to work:

  • you are concerned about safety of the rider - so you obtain a helmet and a light.

  • you are concerned about theft of the bike - so you obtain a chain and padlock.

  • you are concerned with equipment failure - so you obtain a spare tube and pump.

Whilst your loved one could break the road rules (external compliance) - you educate, inform and empower her, trusting that she will make good and informed decisions (e.g. to wear a helmet, and obey traffic signals).

Key takeaways are to seek to fully understand the interactions between your attackers, your defences and your assets (mapped, for example, against the cyber kill chain), establish controls based on your risk appetite, prioritise those controls, and have a flexible incident response process.

If you would like to better understand your security exposures and gaps or confirm whether your defences are resilient to attack - contact us

Author: Clinton Smith

Sales: sales@esecure.com.au
Careers: jobs@esecure.com.au


e-Secure Pty. Ltd.

ABN 48 086 248 419

Copyright 2019 e-Secure Pty. Ltd. All rights reserved