Author Archives: Wayne Anderson

Securing the Unsecured: State of Cybersecurity 2019 – Part II

Recently the Straight Talk Insights team at HCL Technologies invited a social panel to discuss a critical question at the center of today’s digital transitions: How do companies target investments and change the culture to avoid being the next victim of a cyberattack?

In Part I of the series, we explored IT security trends for 2019 and ways companies can protect themselves from IoT device vulnerability. Today, we’re continuing the discussion by exploring the threat of cryptocrime, the nature of cybersecurity threats in the near future, and the steps that small- and medium-sized businesses can take to protect themselves.

Q3: How great is the threat to companies of “crypto crime”?

The thing about ransomware is that it’s no longer the province of specific groups. At the RSA Conference this year, McAfee’s own Raj Samani shared the advent of the franchise model in crypto crime. As a result, we are seeing greater reach, but less unique systems applying ransomware. Still, we see the enterprises failing in the same ways year after year and falling victim to these families of ransomware at scale.

As you seek to conquer incident response as an effective plank of mitigating the effect of phishing and initial ransomware infections—I’d ask, how does your incident response change in the cloud? Do you have incident response resources and provisions for SaaS vs. IaaS? How do you get the logs and resources that you need from cloud providers to effectively investigate and ensure you have identified all affected nodes, or the initial attack vector? The time to figure out that question isn’t during time-compressed investigation stages when everyone is under stress from an active threat.

With the recent third anniversary of No More Ransom, security leaders like Raj Samani and the companies that make up partnerships like that of the No More Ransom website can help offer basic protection for some forms of ransomware. In this joint project with Europol and AWS, it’s been an amazing journey to watch and even invest in helping protect businesses against ransomware.

Q4: How can small businesses with limited resources protect the privacy of their customers?

The dwell time of threats in small and medium businesses is 45 to 800 days, with the averages moving more towards the latter. Cloud based information security SaaS (Software as a Service) is helping to level the playing field. To make continued progress, venture capital backing small firms, and the public buying from these companies, need to assert an expectation of security as part of doing business.

Many restaurants and retail establishments are still small businesses today, run by families and individuals. In many of these stores, there is a certain level of distrust of cloud and connected platforms, versus point-of-sales systems they can put their hands on and feel like they have control over. How do we gain the trust and their attention to of these small stakeholders, help them either more strongly secure things in-house or make the move to cloud security services? We can’t just have an answer that demands $4,000 or $40,000 to make the fix. Instead we have to find every possible opportunity to go serverless and make more and more walled garden capability for things like point of sale, or small engineering platform.

When it comes to small businesses interconnecting systems and moving into cloud services for consumers, these small companies holding identities is a challenge from a trust perspective. Forums and programs like the OpenID technologies providing standards and enabling identity without spreading the authorization infrastructure unnecessarily has been instrumental in constraining the size of this problem.

Security spans everything. There are basic exercises that you can do as business customers to check your readiness. I am a huge fan of SOAPA from ESG as a method of mapping what assets you have at different levels of the organization. Ask yourself a basic question -can you keep control integrity when you go from one “tower” —like on-premise—of connected capability to mapping the other silos or major cloud environments of your hybrid company? I’d also add it costs nothing to follow some of your favorite security personalities. I follow people like Cisco’s Wendy Nather and Kate Moussouris, the CEO of Luta Security who is helping even small companies understand the market of bug bounties and vulnerability disclosure.

Here, too, public policy potentially has a natural role. Government requires health training, for example in a restaurant, but not information security necessarily at small- and medium-sized business. Actually, the natural consequences and motivations of insurance companies can be an ally here, requiring training in basic computer hygiene, security, and privacy as part of issuing liability policies for businesses.

Q5: What are some new cybersecurity threats that we can expect to see in the next year?

I expect to see the rise of more significant exploitation of the “seams” in cloud integrations. The recent CapitalOne breach was relatively benign in the scheme of things. The actor was a braggart hacktivist, but the media coverage emphasized the weakness of cloud integrations to many who might have more capability. We’ve seen spikes in discussion in the dark web around this, so the profile of the cloud vulnerability is higher, and now we will have to see how the cat-and-mouse game between offense and defense proceeds.

I think it’s worth adding, the next threat isn’t as much the challenge to me, as the enterprise reaching the next run of maturity in the digital environment. Asset management, vulnerability reduction, and preparing the protection of cloud operations and visibility are all critical disciplines for the enterprise, no matter what the threat is.

Protect your devices. Protect your cloud—not in silos, but with an integrated strategy. Demand from your vendors the ability to integrate to maintain a cohesive threat picture which you can use to easily react.

To read Part I of this two-part series, click here.

 

The post Securing the Unsecured: State of Cybersecurity 2019 – Part II appeared first on McAfee Blogs.

Securing the Unsecured: State of Cybersecurity 2019 – Part I

Recently the Straight Talk Insights team at HCL Technologies invited a social panel to discuss a critical question at the center of today’s digital transitions: How do companies target investments and change the culture to avoid being the next victim of a cyberattack?

Alongside some fantastic leaders and technology strategists from HCL, Oracle, Clarify360, Duo Security, and TCDI, we explored the challenges of today’s hyper-connected and stretched security team.

Today, businesses operate in a world where over the last few years, more than 85% of business leaders surveyed by Dell and Dimensional Research say they believe security teams can better enable digital transformation initiatives if they are included early. Moreover, 90% say they can better enable the business if given more resources. Yet most of these same leaders assert that security is being brought in too late to enable digital transformation initiatives! These digital transformation trends—cloud, data, analytics, devices—are critical to the next generation of customer and employee experiences, and for the clear majority of companies, the transition of value chains is already in progress!

We collate the insights from the course of the discussion …

Q1: What are some of the IT security trends for 2019? Are there particular cybersecurity challenges related to digital trends?

Digital isn’t one trend—it’s many. Plus, we can’t stop running the business today. This forces a split of the skill investment that is available to companies, which MSSPs and system integrators can cover part of. The biggest challenge is information security extension in a multi-cloud world. All large enterprise is multi-cloud and hybrid. Yet few security operations teams are prepared for that.

Part of solving that challenge is bringing nascent ways of identifying anomalies and gaining scale—for example, through graph theory technology, critical to find the little traces that represent defensive capability. Machine learning will be throughout the information security technology stack soon. This shift must happen, as the challenge is more than new environments. The log volumes in cloud are material—and you pay for them, by the way—the formats are different, the collections are different, and the visibility is fragmented.

The harder thing here is that information security teams must adjust to ALL of this at ONCE. Great, you have AWS Cloud Trail. Let me ask you a question: Which of your security stack can see that AND is tuned for it AND can unify the risk identified there with on-premise derived visibility? And if you can answer that in a positive way, what about when I ask the same thing for Azure? Are you starting to think about the shift to resilience, or are you still thinking about defense and control exclusively?

I’d ask though, as your team is investing in cloud, are they investing in the understanding and readiness to protect data science? Are you preparing the project cycle for your security team to now be iterative as well to even deliver these services? Identity and access management is part of the solution as a critical foundation. Effective governance and strategy can help you figure out which platforms have security relevant data. While it’s easy to say “see and save everything,” you quickly find out how expensive that is, and how much trash is in there. At that point, you can start thinking about automation.

Focusing on data storage and data in motion has led us to consider more zero-trust to cut down on the amount of interstitial security complexity. To realize that vision, tokenization and indexing and many other technologies must continue to expand. We face an odd duality between the confidentiality and accessibility of making data useful in digital employee experience and customer experience.

It’s about more than adding automation to conquer the complexity. The automation must have intelligence, and it must operate in a way that is more than “I bought tech with buzzwords.” So many platforms and products say they do these things—but as you buy and implement, you need to focus on how, and how hard they are to build and link together. Plus, how are you going to maintain them? Be careful as we adjust to keep the pace of digital transformation that we aren’t trading one problem for another.

Finally, I’d note that at every level of the information security organization—not jus the CISO—the people need to have a sense of purpose. What value do you add as a security professional to the customer experience? Why do you exist? We need to remember that, as customer journeys are the way that digital transformation shows up. We have to think end-to-end.

Q2: What can companies do to protect themselves against vulnerabilities created by IoT devices?

Start with procurement. Look, I’d love to tell you that IoT security is a software problem, but that’s only part of it. It really starts with buying technology that is well-designed, and both the customer and the upstream vendor must enforce Secure Development Life Cycle (SDLC) internally.

To a certain degree, we need to see IoT as completely untrusted. Google’s BeyondCorp is a good goal for an entire org’s high-level vision of zero trust. Data introspection and device behaviors then need to have high inspection rather than assumptions of performance. We are advantaged in that we now live in a society full of tools where the reality is that encryption overhead is almost negligible with RISC based enhancements to network interface level assets. The organization can think differently about data protection in that kind of world with (relatively) cheap encryption cost to latency and performance.

When I think about IoT security, I continue to go back to an example that really made an impression on me a couple years back: If the team at IKEA can sell an IoT lightbar for cheap that has basic randomization, locked services, and minimal platform build … I have to think that certainly we can do better in health technology, industrial control systems, and manufacturing technologies.

When it comes to governance, IoT has the potential to turn asset management issues up to “11” on the 10-point scale of concern. How do you define an authorized device? Authorize an untrusted device to send data into the system? What do you recognize as a managed device? How will your organization make conditional access decisions to use, aggregate, and modify data? “Enterprise Architecture” (EA) needs to be part of the plan for effective governance. In some ways, as an industry, EA got swept up with the boom and bust of specific analyst models of architecture not proving out value cases at a lot of organizations. In today’s iterative digital world, architecture and simplicity have to be part of the IoT project Minimum Viable Product in order to realize the scale needed later.

We can’t manage IoT like laptops—these devices have fewer capabilities. Instead we need more affirmative approaches that integrate the components of the ecosystem in a predictable and defined way, like trusted cloud. The default expectation for a device intended to be used in a reduced management environment should have heavy encryption, PKI validation, and locked down application-controlled execution built into them out of the box.

When you take a step back and look at the problem as societal instead of the microcosm of a specific company’s product or implementation, public policy must enter into the intersection of law and devices at scale. We have to solve difficult questions like the role of liability and commercial incentives to build and deploy device platforms in a responsible way. As one example, when machine learning-led IoT decisions create a catastrophe, who is responsible? The owning company? The software vendor? The system integrator? All the above? In critical spaces like utilities and healthcare, we need the focus of meeting some level of criteria for devices to have minimum reasonable security.

Even at this scale, this, too could be a great place for graph theory and machine learning-led approaches to secure societal level device challenges like elections. It’s easily expressed as math—easily identified for loci and baseline deviations. We need investment, however, from government or non-traditional sources as the state/local government and education sectors have very long buying cycles, and the available budget for this problem hasn’t yet justified the extended R&D costs of these kinds of technological changes.

Even while these public policy shifts are emerging, the greater propensity of localized privacy law has created operational hurdles for enterprise. As a microcosm, introduction of privacy safeguards in the India data localization law represents many different interests trying to be balanced in one approach. This has created a higher cost for external multinationals as they create duplicative storage and has even slowed digital transformation and created a drag on growth for India based consulting and business process outsourcing economic engines. You could make the same analysis for CCPA or GDPR, but these same measures have helped privacy, potentially, for citizens.

To help companies navigate these challenges, we are seeing organizations like ENISA, and the NCSC Secure Authority providing advisory guidance. This leads to the definition of a state of reasonable practice. When we add that kind of practical dimension to ISO standards like the 27000 series, and the Top 20 from the Center for Internet Security, and others, we help organizations navigate what the basics look like for practical security applicability in IoT and security generally.

In Part II of this series, we’ll explore the threat of cryptocrime, the nature of cybersecurity threats in the near future, and the steps that small- and medium-sized businesses can take to protect themselves.

The post Securing the Unsecured: State of Cybersecurity 2019 – Part I appeared first on McAfee Blogs.

Getting Started with Cloud Governance

Governing cloud security and privacy in the enterprise is hard, but it’s also critical: As recently noted in a blog by Cloud Transformation Specialist Brooke Noelke, security and complexity remain the two most significant obstacles to achieving enterprise cloud goals. Accelerating cloud purchases and tying them together without critical governance has resulted in many of today’s enterprise security executives losing sleep, as minimally secured cloud provider estates run production workloads, and organizations only begin to tackle outstanding SaaS (Software as a Service) footprints.

For security professionals and leaders, the on-premise (or co-location) data center seems simple by comparison: Want to protect applications in the data center? By virtue of the fact that it has a network connection in the data center, there are certain boundaries and processes that already apply. Business unit leaders aren’t exactly standing by with a credit card, trying to load tens of thousands of dollars of 4U Servers, storage racks, and a couple of SAN heads and then trying to expense it. In other words, for a workload in the data center, certain procurement controls must be completed, an IT review established, and implementation steps forced before the servers “light up”—and networking gates must be established for connectivity and publishing.

When it comes to the cloud, however, we’re being asked to fulfill new roles, while continuing to serve as protector of all the organization’s infrastructure, both new and existing. Be the rule setter. Contribute to development practice. Be the enforcer. And do all of this while at the same time making sure all the other projects you already had planned for the next 18 months get accomplished, as well …

Without appropriate controls and expectation-setting, development teams could use a credit card and publish a pre-built workload—from registration to world-accessibility—in hours! Sadly, that’s the reality at many organizations today, in a world where as much as 11% of a company’s published sensitive data is likely to be present in custom/engineered cloud applications.

Simplify Governance – Be Transparent

One of the biggest challenges for today’s businesses is understanding what the “sanctioned” path to cloud looks like: Who do they reach out to? Why should they engage the security team and other IT partners when the software vendor is willing to take credit cards directly? At many of today’s enterprises, “Security Awareness” initiatives mean some emails and a couple training sessions a year on “building block” security measures, with a particular focus on detecting phishing emails. While these measures have their place, security teams should also establish regular partnership meetings at the business unit level to “advertise” available services to “accelerate” capabilities into the cloud.

However, instead of communicating what the business will receive or explaining the steps the security team requires in order to complete the process, the emphasis should be on what departments receive by engaging the security team early: Faster funding and procurement approvals. Proactive scheduling of scarce resources for application review. Accelerated provisioning. And ultimately, faster spend and change times, with less risk and hopefully with minimal schedule impact.

The security team also needs to help the business understand that, while they may not see it reflected in direct line items today, there is a cost per application that they are generating for existing/legacy applications. If the perception is that today’s applications are “free,” but the team needs a line item to be created in new projects for cloud security deployments, it encourages people to exit the process or to avoid things that add to the price—or, at least, to fight an internal battle to push back on each line-item add. Our job is to help the organization understand that today’s security spend is around 7% of infrastructure or application spend, and to set the expectation that whatever the next-generation project budget is, an associated investment should be expected—in both technology and people—to secure the platform.

Establish a Goal and Discuss It

Does your business understand what the “goal line” looks like when it comes to putting something into the cloud? Would they know where to go to find the diagram(s) or list(s) that define that? What level of cloud competency and security understanding does someone in the business need in order to consume what your team has published?

If the answer to one or more of these questions is a shrug—or demands a master’s level understanding of technical knowledge—how can we as the leaders of the security space expect the business to readily partner with us in a process they don’t understand?

Published policy with accompanying detailed standards is a start. But the security team has an opportunity to go a step further with very basic conceptual “block” diagrams, which set “minimum viable protection” that the business’ “minimum viable product” must have to go into security.

The easiest way to do this is to take a minimum control set, and then create a few versions of the diagram—in other words, one for the smallest footprint and one or more at larger scale—to explain to the organization how the requirements “flex” according to the size and traffic volume of what has been deployed.

Cloud Governance is Possible

Governance is the initial building block for cloud security. Being successful in protecting cloud applications requires effective technical controls, like MVISION Cloud’s product risk assessment and protection for enterprise data through unified policy. For the organization to mature and further reduce risk, governance must become as much about consulting with businesses regarding cloud consumption as it has been historically about risk meetings and change reviews. With a few simple adjustments and intentional internal marketing investments, your team can start the journey.

The post Getting Started with Cloud Governance appeared first on McAfee Blogs.