Category Archives: INDUSTRY INSIGHTS

Handling a crisis when you aren’t under attack

With global attacks dominating headlines, cybersecurity is a top priority, meaning the role of the CISO is expanding. CISOs need to expand their leadership role and actively engage in risk management. Traditionally, the

The post Handling a crisis when you aren’t under attack appeared first on The Cyber Security Place.

Two incident response phases most organizations get wrong

It’s important to remember: Incident response isn’t a thing, it’s a process. There is a baseline for incident response — six phases familiar to anyone who has spent time around a

The post Two incident response phases most organizations get wrong appeared first on The Cyber Security Place.

Securing Your Organization’s Human Layer

In my time in the trenches, and in my previous role as a Gartner research analyst and industry advisor, I spent a LOT of time helping organizations across the world

The post Securing Your Organization’s Human Layer appeared first on The Cyber Security Place.

How to Safeguard Your Business Against Cyber Crime

Cyber crime is one of the biggest threats facing UK businesses today, costing around £30 billion a year. As a result, it’s something businesses need to start taking seriously! The

The post How to Safeguard Your Business Against Cyber Crime appeared first on The Cyber Security Place.

Large scale data breaches provide drive for DevSecOps investments

Breaches related to open source components have grown 50 percent since 2017, and an eye-opening 121 percent since 2014, according to a new survey from open source governance and DevSecOps

The post Large scale data breaches provide drive for DevSecOps investments appeared first on The Cyber Security Place.

SecurityWeek RSS Feed: Why Mass Transit Could Be the Next Big Target for Cyber Attacks—and What to do About it

The constantly evolving tools and methods of cyber attackers have resulted in specific industries becoming the unfortunate subjects of sudden upswings in incident volume and severity. In recent years, for example, we’ve seen waves of ransomware attacks in healthcare and large-scale customer data breaches in technology. So, this trend begs the question, who’s next? Which unlucky industry will be the latest target caught in the crosshairs of cyber attackers?


What is cyber security? How to build a cyber security strategy

Organizations face many threats to their information systems and data. Understanding all the basic elements of cyber security is the first step to meeting those threats. Cyber security is the practice

The post What is cyber security? How to build a cyber security strategy appeared first on The Cyber Security Place.

Cyber-security only a top priority for one in ten businesses

Lack of attention persists despite numbers showing a strong increase in the number of cyber-attacks. Just ten per cent of UK businesses see cyber-security as the biggest challenge to their economic success.

The post Cyber-security only a top priority for one in ten businesses appeared first on The Cyber Security Place.

How the human factor puts your company at risk

Positive Technologies has released a new report with statistics on the success rates of social engineering attacks, based on the 10 largest and most illustrative pentesting projects performed for clients

The post How the human factor puts your company at risk appeared first on The Cyber Security Place.

Cybersecurity: How Do You Build a Transformational Dynamic?

At the end of a keynote speech I gave at the excellent CIO WaterCooler LIVE! Event in London on 28th September 2017 on security organization, governance and creating the dynamics

The post Cybersecurity: How Do You Build a Transformational Dynamic? appeared first on The Cyber Security Place.

Mitigating Digital Risk from the Android PC in Your Pocket

Security Teams Must Prioritize Risk Mitigation Against Android Malware

Few of us could have imagined that a device that allows us to talk to anyone from anywhere at any time would morph, in just a few years, into many users’ computing device of choice. The latest numbers from StatCounter reveal that mobile devices are outpacing desktops and are the preferred method for accessing the Internet. The most popular operating system worldwide? Android.

Threat actors watch these trends too. They’re opportunistic and will focus their efforts where they believe their success rate will be the highest. So naturally, many are targeting Android devices and taking advantage of malware to launch attacks. 

As an open-source tool, Android provides the benefits of collaborative applications (apps) and innovation; however, its accessibility inherently exposes it to exploitation by malicious actors. In the past year, while some users fell victim to targeted social engineering campaigns that infect their devices, most malware was embedded in malicious apps users inadvertently downloaded from official and unofficial sources. With the greatest number of users, Android’s official app store Google Play has been the largest single source of infection. However, most of the sources of infection were other third-party stores. 

Users are duped by apps that pose as legitimate resources or services, or that are advertised fraudulently by displaying branding associated with credible organizations. Apps have been found that impersonate Uber, any number of financial institutions, gaming apps and, perhaps most galling, security apps. Mobile malware is generally delivered and deployed via a multi-step process requiring some user interaction. This presents threat actors with many opportunities to infiltrate a device. For example, once installed, many malicious apps ask users to approve unnecessary privileges, such as device administrator access, in order to execute their processes. Overlays (phishing screens superimposed on a legitimate app) are also used to prompt users to provide sensitive information, such as credentials or financial data.

So, what’s the ultimate endgame for cyber criminals? The most prevalent objective is espionage – gathering information through profiling device data or recording phone calls and messages. Mobile banking malware, such as Marcher and BankBot, uses sophisticated techniques to harvest user banking data, including overlays specific to target banks, and intercepts SMS messages to obtain multi-factor authentication codes. Recently, mobile devices have also been targeted for cryptocurrency mining. While less powerful than desktops and servers used for this purpose, more Android devices exist, and they are often less protected and, thus, more easily accessible. You can expect this objective to continue to grow as smartphones become more powerful.

Security teams must now prioritize risk mitigation against Android mobile device malware. But after surveying more than 3,600 security professionals across 26 countries, the Cisco 2018 Security Capabilities Benchmark Study found that mobile devices are the most challenging area to defend. Implementing the following 10 practices will help:

1. Use the official Google Play store and only download Play Protect-verified apps and those from legitimate companies. 

2. Only enable limited permissions for downloaded apps. 

3. For business devices, use mobile device management solutions to give IT security staff control to set access permissions and restrictions.

4. Do not root business devices; rooting grants unrestricted access to the Android operating system, and preventing it keeps unauthorized parties from obtaining administrator privileges.

5. Deploy endpoint antivirus solutions on individual devices. 

6. Ensure that mobile device operating systems are up to date.

7. Use runtime application self-protection (RASP) to prevent overlay attacks by detecting and blocking malicious activity in real time. 

8. For BYOD enterprises, establish user policies that forbid connection of employee-controlled devices to corporate infrastructure. 

9. Educate employees on threats associated with SMS phishing and mobile device browsing. 

10. Monitor mobile applications, not just third-party apps but internal company mobile apps that may have been modified by a third party. 
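As an added illustration of practices 1, 4 and 6 above (example code written for this page, not from the article or Digital Shadows), the following Python script parses the text output of a few `adb shell` commands and flags an out-of-date security patch level, root indicators, and third-party packages that need review. The adb commands, the candidate su binary locations, the 90-day patch threshold and the embedded device outputs are all assumptions or constructed samples so the script runs offline.

```python
import datetime as dt
import re
import shutil
import subprocess

# Practice 6: a security patch level older than this is treated as out of date (threshold is an assumption).
MAX_PATCH_AGE_DAYS = 90

# Constructed sample output in the format `adb shell getprop` prints, standing in for a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2018-03-05]
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
"""
# Constructed sample output of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = """\
package:com.example.bank
package:com.example.flashlight.free
"""
# Constructed sample output of listing common su binary locations; non-empty means a rooted device.
SAMPLE_SU_LISTING = "/system/xbin/su\n"

_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn getprop's '[key]: [value]' lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_age_days(props, today_iso):
    """Days between the device's security patch level and today_iso (YYYY-MM-DD); None if not reported."""
    raw = props.get("ro.build.version.security_patch")
    if not raw:
        return None
    return (dt.date.fromisoformat(today_iso) - dt.date.fromisoformat(raw)).days


def is_rooted(props, su_listing):
    """Practice 4: an su binary, a test-keys build or a debuggable build all count as rooted/untrusted."""
    su_found = any(p.strip().endswith("/su") for p in su_listing.splitlines())
    return (
        su_found
        or "test-keys" in props.get("ro.build.tags", "")
        or props.get("ro.debuggable") == "1"
    )


def third_party_packages(text):
    """Practices 1 and 10: packages outside the system image, from `pm list packages -3`."""
    return [line[len("package:"):] for line in text.splitlines() if line.startswith("package:")]


def assess(getprop_text, pkg_text, su_listing, today_iso):
    """Return (check, passed, detail) tuples for the patch-level, root and third-party-app checks."""
    props = parse_getprop(getprop_text)
    findings = []
    age = patch_age_days(props, today_iso)
    if age is None:
        findings.append(("patch_level", False, "security patch level not reported"))
    else:
        findings.append(("patch_level", age <= MAX_PATCH_AGE_DAYS, f"patch level is {age} days old"))
    rooted = is_rooted(props, su_listing)
    findings.append(("not_rooted", not rooted,
                     "su binary or test build detected" if rooted else "no root indicators"))
    pkgs = third_party_packages(pkg_text)
    findings.append(("third_party_apps", True,
                     f"{len(pkgs)} third-party packages to review: {', '.join(pkgs)}"))
    return findings


def collect_live():
    """Gather the same three outputs from a connected device (assumes adb is on PATH and authorized)."""
    def sh(cmd):
        return subprocess.run(["adb", "shell", cmd], capture_output=True, text=True).stdout
    su_cmd = "ls /system/xbin/su /system/bin/su /sbin/su /su/bin/su 2>/dev/null"
    return sh("getprop"), sh("pm list packages -3"), sh(su_cmd)


if __name__ == "__main__":
    inputs = collect_live() if shutil.which("adb") else (SAMPLE_GETPROP, SAMPLE_THIRD_PARTY, SAMPLE_SU_LISTING)
    for check, ok, detail in assess(*inputs, dt.date.today().isoformat()):
        print(f"{'PASS' if ok else 'FAIL'} {check}: {detail}")
```

Without adb installed the script evaluates the constructed sample, which fails the patch-level and root checks; with a device attached it evaluates that device instead.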

Android devices, and smartphones in general, will continue to be attractive targets for cybercriminals, particularly as these devices become more powerful, offer longer battery life and plug into keyboards and other peripherals to easily serve as a user’s computer. But with a multilayered approach to security that includes best practices and a defense-in-depth strategy, security teams can overcome many of the challenges they face when mitigating risk from the PC we carry in our pockets.

Alastair Paterson is CEO and Co-Founder of Digital Shadows. Alastair has worked for over a decade advising secure government and FTSE 100 clients on large-scale data analytics for risk and intelligence. Before founding Digital Shadows in 2011, Alastair was International Propositions Manager at BAE Systems Detica working with clients in the Gulf, Europe and Australasia. He holds a first class MEng in Computer Science from the University of Bristol.

Half of Cyber-Pros Believe They’re Losing the Fight

Half of cyber-pros believe they’re losing the war against the bad guys: 46% of those surveyed by security giant McAfee believe that in the next year they will either struggle

The post Half of Cyber-Pros Believe They’re Losing the Fight appeared first on The Cyber Security Place.

The best cybersecurity analysts should play the part of detective

Today’s cybersecurity analysts need to be part detective, following their gut wherever it takes them and thinking like the attackers themselves. With an ever-growing threat from cyber attacks, we now live

The post The best cybersecurity analysts should play the part of detective appeared first on The Cyber Security Place.

SecurityWeek RSS Feed: In Modern Data Centers Security Must Take Center Stage

Securing the Modern Data Center

As Your Organization Modernizes the Data Center and Shifts to Cloud-based Environments, You Must Rethink Your Approach to Security

Data centers are changing rapidly and how we protect them must as well. Auto manufacturers must allow an expansive ecosystem of partners access to proprietary designs and confidential data to ensure the latest makes and models land in dealerships as promised while protecting their competitive edge. Hospitals need to provide nurses, physicians, administrators, and patients with varying levels of access to information while keeping in mind regulatory and compliance issues. Financial institutions engaged in high-frequency trading need highly-available and highly-secure environments for compute-intensive workloads. State and local governments are now expected to provide all stakeholders – residents, law enforcement, social services, public works, etc. – with access to the information they need, and only what they need, when and where they need it. 

The technology advances behind these scenarios – virtualization, cloud, and software defined networking – are changing the scope and function of the modern data center. Data and workloads are constantly moving across multi-cloud and physical data centers, and security policies must adjust in lock-step. DevOps teams are rolling out new applications and services quickly. And there is a huge influx of data from big data analytics.

As your organization modernizes the data center and shifts to cloud-based environments, you must rethink your approach to security, increasing visibility and control without compromising agility and performance. To do this you need to consider the three pillars of security in the modern data center: visibility, segmentation, and threat defense.

1. Visibility. The biggest concern when migrating to multi-cloud data centers is that the connectivity and security of existing workloads remain intact. Achieving consistent workload protection starts with visibility into existing workloads and application behavior, as well as who the users are, where they are connecting from, and what hosts and application resources they are accessing. When you have a clear view and can understand the interdependencies at play, you can define policies, appropriate levels of segmentation, and other defenses to create a security architecture. Considering the number of workflows typically present in any data center, you can imagine the magnitude of the challenge and may be tempted to bypass this step, but it is critical to ensure workloads go undisrupted.

On an ongoing basis, complete visibility can reveal performance bottlenecks and help you improve capacity planning. It makes it easier to detect malicious activity and accelerate incident response and investigations. This helps you determine if and to what extent critical systems were breached and what information was stolen. 

2. Segmentation. Employees, contractors, business partners, and customers are interacting with resources in the data center in an ever-expanding way. This boosts the value of the data center, but also increases the attack surface, providing more opportunities for attackers. Recognizing that these different users only need access to a subset of resources to get their jobs done, segmentation allows you to plan for those requirements and reduce the attack surface. With permission-level access, consistent security policy enforcement, application whitelisting, and microsegmentation, resources are locked down, but those who need specific resources can still reach them safely. When an attack happens, segmentation prevents attackers from moving laterally within data centers and contains malicious activity. It’s an effective way to slow down the hacker and give security teams time to identify the problem, limit the exposure, and respond to the attack.

Segmentation is also a valuable tool to improve your overall approach to security. For servers on delayed patch cycles, segmentation can reduce the potential for vulnerability exploitation until you can qualify and deploy a patch into production. For legacy systems, segmentation is critical to protect resources that don’t receive maintenance releases or patch updates. In sectors with requirements such as the Payment Card Industry Data Security Standard (PCI DSS) and regulations like the General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA), segmentation can help to reduce the number of systems that require controls, as well as the scope of an audit.

3. Threat Defense. To protect the modern data center, security policies must dynamically change to help enable real-time policy enforcement and security orchestration that follows the workload everywhere. To do this you need to build security into your data center infrastructure from the beginning. 

In multi-tenant environments, such as a public cloud, the possibility of a malicious customer attempting to compromise another customer’s server to steal proprietary information or tamper with records always exists. This requires understanding the security controls of your cloud providers and ensuring they address your requirements. You can supplement those controls by deploying threat sensors across north-south and east-west traffic flows in private cloud and physical data centers to quickly detect, block, and respond to attacks before hackers can steal data or disrupt operations. And while an array of devices and mobile and web applications enable more users to access resources anytime and anywhere, they create another avenue for exploitation. You can minimize business disruption and the impact of a breach by deploying comprehensive, integrated security solutions and policies that work together in an automated process. This streamlines threat protection, detection, and mitigation. Evolving toward incident readiness and response further mitigates your cyber risk when a breach happens.

As you modernize your data center, security must take center stage so you can keep your data, applications, users, and processes secure without any disruption to the business. Visibility, segmentation, and threat defense are foundational elements to any security strategy allowing you to reduce risk while creating new opportunities to deliver value to your customers, partners, and the organization.

Ashley Arbuckle, Cisco’s VP of Security Services, is responsible for the oversight and global delivery of the Cisco portfolio of Advisory, Implementation, and Managed Services, bringing a pragmatic approach to helping Cisco’s clients solve their most complex security challenges. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.



Why Multi-cloud Security Requires Rethinking Network Defense

The Need to Rethink Security For Our Cloud Applications Has Become Urgent

Companies are utilizing the public cloud as their primary route to market for creating and delivering innovative applications. Striving to gain a competitive advantage, organizations of all sizes and in all vertical sectors now routinely tap into infrastructure as a service, or IaaS, and platform as a service, or PaaS, to become faster and more agile at improving services through applications.

Along the way, companies are working with multiple cloud providers to create innovative new apps with much more speed and agility. This approach is opening up unprecedented paths to engage with remote workers, suppliers, partners and customers. Organizations that are good at this are first to market with useful new tools, supply chain breakthroughs and customer engagement innovations. 

There’s no question that IaaS, PaaS and their corollary, DevOps, together have enabled businesses to leapfrog traditional IT processes. We are undergoing a digital transformation of profound scope – and things are just getting started. Companies are beginning to leverage the benefits of being able to innovate with unprecedented agility and scalability; however, to take this revolution to the next level, we must take a fresh approach to how we’re securing our business networks.

Limits to legacy defense

Simply put, clunky security approaches, pieced together from multiple vendors, result in a fragmented security environment where IT teams must manually correlate data to implement actionable security protections. This level of human intervention increases the likelihood for human error, leaving organizations exposed to threats and data breaches. What’s more, security tools that are not built for the cloud significantly limit the agility of development teams. 

Cloud collaboration, fueled by an array of dynamic and continually advancing platforms, is complex; and this complexity has introduced myriad new layers of attack vectors. We’ve seen how one small oversight, such as forgetting to change the default credentials when booting up a new cloud-based workload, can leave an organization’s data exposed or allow attackers to leverage resources to mine cryptocurrency. 

Clearly the need to rethink security for our cloud apps has become urgent. What’s really needed is an approach that minimizes data loss and downtime, while also contributing to faster application development, thus allowing the business to experience robust growth. It should be possible to keep companies free to mix and match cloud services, and to innovate seamlessly on the fly, while also reducing the attack surface that is readily accessible to malicious parties.

Frictionless security

The good news is that the cybersecurity community recognizes this new exposure, and industry leaders are innovating, as well, applying their expertise to prevent successful cyberattacks. It is, indeed, possible to keep companies free to mix and match multiple cloud providers, and to innovate seamlessly on the fly, while also reducing opportunities for attack. Ideally, cloud security should speed application development and business growth, while preventing data loss and business downtime.

This requires three key capabilities: advanced application and data breach prevention, consistent protection across locations and clouds, and frictionless deployment and management. Security delivered through private cloud, public cloud and SaaS security capabilities can work together to eliminate the wide range of cloud risks that can cause breaches. 

When you think about it, a different approach to cloud security is inevitable. There’s every reason to drive toward wider use of enterprise-class cloud security capabilities integrated into the cloud app development lifecycle. It’s vital to make cloud security frictionless – for both the development teams and the security teams. This is a linchpin to fulfilling the potential of cloud-centric commerce. We must move toward frictionless security systems, designed to be just as fast and agile as the cloud-based business operations they protect.

Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.

Why People Should Learn About Cybersecurity In 2018

You might think of cybersecurity as a specialized, niche career – not a skill that the average person should learn about. But that’s not the case. In an age where we manage more

The post Why People Should Learn About Cybersecurity In 2018 appeared first on The Cyber Security Place.

SecurityWeek RSS Feed: Risky Business: The Fifth Element

Last month, I talked about the elegant beauty in offloading parts of your risk portfolio in four distinct ways.

The logic is to streamline the company’s mitigation efforts and allow you to focus more time and investment where it matters most—on the unique risks inherent to the business.

But there is a fifth element, and it is going to be in your future. While security-as-a-service for functions like WAF and DDoS protection is well-established, it is just the beginning of a new industry that is emerging around consumption-based security models.

To a certain extent, security in the future is going to be Uberized, and for some situations, you may be able to get rid of your car entirely. No insurance. No maintenance. No hassles with parking. And you won’t even have to wash it or vacuum crumbs out of the seat cracks. 

That is to say, you won’t hire a company just for DDoS and WAF. You’ll hire a company for IDaaS, IPS, encryption/decryption, SSL orchestration, and governance, risk and compliance (GRC).

And over time, you’ll dial in your use of these services. Spin them up when they’re needed most. Ratchet them back when they’re not in demand. Pay only for what you use. This is a strategic way to contain costs as you may only fully use your GRC service when it’s time for an audit, enabling the company to increase its capacity without having a consulting service on site. 

All of this will dramatically change how CISOs function and how their teams are structured. Instead of hiring dozens of people to build and maintain multiple systems, CISOs will shift to focus on the data that powers the business and how it flows through and interacts with these outsourced relationships. 

And yes, I am going so far as to say this shift is inevitable, because it’s being driven by some pretty clear economic pressures:

Talent scarcity 

It’s well-known that there are a lot of open job reqs in cybersecurity. I mean a lot—more than a million today. And according to the Center for Cyber Safety and Education’s 2017 Global Information Security Workforce Study, there may be as many as 1.8 million open jobs in the field by 2022.

In this market, finding the right person can take months. You either have to poach them from another company or develop them yourself. Development means trial by fire. I don’t know about you, but I don’t want trial by fire. And if you do steal a great hire from another company, the cost-benefit analysis is such that you’re basically being driven to a vendor anyway, simply because the salary pressure makes it more cost-effective. 

There are also specific areas of risk that require hard-to-find skills, which only exacerbates this phenomenon. Try to hire a great DDoS or application security specialist and you’ll see what I mean. It’s no coincidence that the jobs with the highest degree of talent scarcity are the first ones being outsourced.

The reality of the situation is those specialists increasingly work for … guess who? Security-as-a-service companies. They’re the only ones that can afford that level of talent, and having that talent is their core differentiator. 

Economies of scale

Most CISOs will never be able to address all of a company’s risk anyway. They’ll never have enough resources to truly cover all of them. 

So take the example of application security, one of those unique skillsets that’s so difficult and expensive to hire for. In this environment, outsourcing application security scanning to a vendor just makes too much sense. 

Why? Because of economies of scale. With its crack team of top-tier analysts, the Sec-aaS vendor can provide a complete assessment of the company’s risk footprint in a few weeks. 

If a company were to hire those skills in-house, they would make a similar or even larger investment and still wouldn’t have that kind of scale. Your in-house expert, as brilliant as they may be, would not be able to provide an understanding of the entire footprint along with the details of what needs to be done within a few weeks. The scale is just too big. 

Taking this to the next level, outsourced vendors are also finding ways to automate these processes, creating platforms that apply the experience of their entire team of experts for the customer’s benefit. 

This means they can deliver analysis much more quickly, so you can begin mitigations much more quickly, so your window of exposure is much smaller, and so the risk mitigation is ultimately far more effective.

Companies can expect similar benefits across Sec-aaS categories. If you outsource WAF, you’re no longer focused on implementing that control mechanism. With the right DDoS vendor, your traffic is getting scrubbed all the time. The customer no longer needs to be concerned with those controls. 

Like today’s cloud and SaaS platforms, these are cost-effective models. But the benefits of using a security-as-a-service vendor are not only transferring the risk and saving money. Instead of somebody who’s concentrating on learning DDoS, you can hire people who understand the company, its industry and its own unique characteristics. You can give them the time to become true business partners, working directly with business groups to understand the company’s assets and align security to the business.

CISOs, for their part, should shift focus to understanding their own data flows and managing their consumption-based security services with pinpoint precision, solving the challenges for their own company that have not already been solved elsewhere.

Ultimately this movement is going to transform the security industry. Over the next few years, we’ll see a world of security that will be more cost-effective and more focused on user experience. The business will have security ingrained within it, rather than wrapped around it. And removing that friction will allow the business to accelerate. 

As for trying to solve DDoS? Application security? Firewalls? Don’t try to solve it yourself. Go ahead and let the fifth element of Sec-aaS providers commoditize where they can. We’ll all be better off.

Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of Information Security at social media provider Demand Media, where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.


Why Does Data Exfiltration Remain an Almost Unsolvable Challenge?

From hacked IoT devices to corporate infrastructures hijacked for crypto-mining to automated ransomware, novel and sophisticated cyber-attacks are notoriously hard to catch. It is no wonder that defending against these silent and never-seen-before threats dominates our security agendas. But while we grapple with the challenge of detecting the unknown, data exfiltration - an old and very well-known risk - doesn’t command nearly the same amount of attention. Yet data exfiltration happens, and it happens by the gigabyte.

As attackers improve their methods of purloining the sensitive data we trust our organizations to keep safe, one critical question remains: why does data exfiltration present the security community with such a formidable challenge?

Gigawatts and Flux Capacitors. Let’s go Back in Time.

All data exfiltration attacks share one common trait: the early warning signs of anomalous activity on the network were present, but traditional security tools failed to catch them. Regardless of the level of subtlety or the number of devices involved, perimeter tools missed the window of opportunity between initial compromise and the unauthorized data transfer, allowing hundreds of gigabytes of data to be exfiltrated from the organization.

The Sony hack of 2014 brought the world to a startling halt when it was revealed that attackers had spent over a year leaking 100 terabytes of data from the network. The next year brought us the Panama Papers, where allegedly 2.6 terabytes of data were leaked, causing reputational damage to some of the world’s most recognizable public figures. And in 2016, allegedly 80 gigabytes of data escaped from the Democratic National Committee’s network, launching two years of skepticism and distrust around the US elections. Each of these cases of sizeable data exfiltration remained undetected for months, or even years – only to be discovered when the data had already long been lost.

When we look at this cycle of stealthy and silent data breaches, we have to ask ourselves: how can such tremendous amounts of data leave our corporate networks without raising any alarms?

Modern Networks: Living Organisms

The challenge in identifying indicators of data exfiltration lies partly in the structure of today’s networks. As our businesses continue to innovate, we open the door to increased digital complexity and vulnerability – from BYOD to third-party supply chains, organizations significantly amplify their cyber risk profile in the name of optimal efficiency.

Against this backdrop, our security teams are hard-pressed to identify the subtle telling signs of a data exfiltration attempt in the hope of stopping it in its tracks. To add to the complexity, they need to find the proverbial needle in an ever-growing haystack of hundreds of thousands of devices on their network that they did not build, install, or even know existed.

Networks today are much like living organisms: they grow, they shrink, and they evolve at a rapid rate. If we think about a network as a massive data set that changes hundreds, if not thousands, of times per second, then we have to realize that no security team will ever be able to keep up with which actions are authorized versus which actions are indicative of data exfiltration.

The Old Approach Needs Victims Before it Can Offer Solutions

Compounding the challenge of today’s labyrinthine networks, stretched security teams are permanently on the back foot, fighting back-to-back battles against the latest form of unpredictable threat. So how can security teams cut through the noise and discern the subtle differences between legitimate activity and criminal data exfiltration campaigns?

Five years ago, we relied on historical intelligence to define tomorrow’s attack. But the never-ending cycle of data breaches has taught us that these approaches were just as insufficient then as they are now. Identifying data exfiltration should be low-hanging fruit for security teams, but to pick it we need to rely on technologies that make no assumptions about what ‘malicious’ activity looks like.

Organizations are increasingly turning to AI technology for the answer: systems capable of identifying subtle deviations from normal network activity. By learning the nuances of day-to-day network activity, self-learning technology correlates seemingly irrelevant pieces of information into a comprehensive picture of what is happening within our network borders. Consequently, it can spot the subtle indicators of exfiltration as it’s happening, giving security teams valuable time to mitigate the crisis before it becomes a headline.

To break the cycle of high-profile data breaches, we must embrace AI technologies that evolve with our organizations, strengthen their defenses over time, and identify data exfiltration tactics before our sensitive information is long past the network perimeter. And as we face a global cyber skills shortage, it is now more imperative than ever that we work in tandem with technology capable of doing the heavy lifting for us. Attackers seeking to leak our most sensitive data are evolving to keep up with our defenses – are we evolving too?
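The baseline-then-deviation approach the article describes, reduced to its simplest form as an added example (illustrative code written for this page, not Darktrace’s or any vendor’s product): per-host daily egress volume is learned over a training window, and a later day is scored by how far it departs from that baseline and whether it introduces destinations never seen before. The flow records, host names and IP addresses are constructed for the example; the z-score threshold and the 10% spread floor are assumed tuning values.

```python
"""Per-host egress baseline and deviation scoring over daily flow summaries.

Added example, not code from the original article or from any vendor.
Flow records are constructed: (day, src_host, dst_ip, bytes_out).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries (hypothetical hosts and addresses). Days 1-6 are
# ordinary traffic; on day 7 ws-17 pushes 4 GB to an address never seen before.
SAMPLE_FLOWS = [
    (1, "ws-17", "203.0.113.10", 180_000_000),
    (1, "ws-17", "198.51.100.7", 20_000_000),
    (1, "db-02", "203.0.113.10", 50_000_000),
    (2, "ws-17", "203.0.113.10", 210_000_000),
    (2, "db-02", "203.0.113.10", 55_000_000),
    (3, "ws-17", "203.0.113.10", 190_000_000),
    (3, "ws-17", "198.51.100.7", 25_000_000),
    (3, "db-02", "203.0.113.10", 48_000_000),
    (4, "ws-17", "203.0.113.10", 205_000_000),
    (4, "db-02", "203.0.113.10", 52_000_000),
    (5, "ws-17", "203.0.113.10", 195_000_000),
    (5, "db-02", "203.0.113.10", 49_000_000),
    (6, "ws-17", "203.0.113.10", 200_000_000),
    (6, "ws-17", "198.51.100.7", 22_000_000),
    (6, "db-02", "203.0.113.10", 51_000_000),
    (7, "ws-17", "203.0.113.10", 198_000_000),
    (7, "ws-17", "192.0.2.44", 4_000_000_000),
    (7, "db-02", "203.0.113.10", 53_000_000),
]


def daily_totals(flows):
    """Sum bytes_out per (host, day) and collect the destinations used that day."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for day, host, dst, nbytes in flows:
        totals[(host, day)] += nbytes
        dests[(host, day)].add(dst)
    return totals, dests


def build_baseline(flows, train_days, spread_floor=0.10):
    """Learn, per host, the mean and spread of daily egress and the set of
    destinations seen during the training window.

    spread_floor (assumed tuning value) keeps sigma at no less than 10% of the
    mean, so a host with a nearly flat history still needs a materially larger
    day to score high rather than a trivially noisier one."""
    totals, dests = daily_totals(f for f in flows if f[0] in train_days)
    series = defaultdict(list)
    known = defaultdict(set)
    for (host, day), nbytes in totals.items():
        series[host].append(nbytes)
        known[host] |= dests[(host, day)]
    baseline = {}
    for host, daily in series.items():
        mu = mean(daily)
        sigma = max(pstdev(daily), spread_floor * mu)
        baseline[host] = {"mean": mu, "sigma": sigma, "known_dsts": known[host]}
    return baseline


def score_day(flows, baseline, day, z_threshold=3.0):
    """Score one day's egress per host against the baseline.

    Returns one alert per host whose volume sits z_threshold standard deviations
    or more above its mean (assumed threshold), annotated with any destinations
    not seen during training. Hosts with no baseline are reported separately so
    an unknown asset is never silently scored as normal."""
    totals, dests = daily_totals(f for f in flows if f[0] == day)
    alerts = []
    for (host, _), nbytes in sorted(totals.items()):
        if host not in baseline:
            alerts.append({"host": host, "day": day, "reason": "no_baseline",
                           "bytes": nbytes})
            continue
        b = baseline[host]
        z = (nbytes - b["mean"]) / b["sigma"]
        if z >= z_threshold:
            new_dsts = sorted(dests[(host, day)] - b["known_dsts"])
            alerts.append({"host": host, "day": day, "reason": "volume_spike",
                           "bytes": nbytes, "z": round(z, 1),
                           "new_destinations": new_dsts})
    return alerts


if __name__ == "__main__":
    base = build_baseline(SAMPLE_FLOWS, train_days=range(1, 7))
    for alert in score_day(SAMPLE_FLOWS, base, day=7):
        print(alert)
```

Run stand-alone, it reports the day-7 spike for ws-17 together with the previously unseen destination, and nothing for db-02. The spread floor matters: a host whose daily volume barely varies would otherwise produce a huge z-score for a modest bump. A new destination on its own is a weak signal and is attached here only as context to a volume alert; a production system would also keep per-destination and per-protocol baselines and look at timing (off-hours bursts), which this example leaves out.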

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. With over 10 years of experience in cyber defense, Fier has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Fier is a highly-skilled technical officer, and a specialist in cyber operations across both offensive and defensive arenas.

Insurance and Corporate Vigilance Against Cyber Breaches: 5 Steps to Take in the Absence of Cross-Industry Protocols

Despite the lack of bright-line procedures, there are five risk reduction measures a company may consider implementing to reduce its potential exposure to cyber breaches, strengthen its security protocols, and

The post Insurance and Corporate Vigilance Against Cyber Breaches: 5 Steps to Take in the Absence of Cross-Industry Protocols appeared first on The Cyber Security Place.

Pwner of a Lonely Heart: The Sad Reality of Romance Scams

Valentine’s Day is a special holiday, but for victims of romance scams it is a tragic reminder, not only of love lost, but financial loss as well. According to the FBI Internet Crime Complaint Center (IC3), romance scams accounted for $230 million in losses in 2016.

Men and women may jokingly refer to their significant other as their “partner in crime,” but when it comes to romance scams, this joke can become a sad reality. In addition to financial losses, scammers may convince their victims to become money mules or shipping mules, directly implicating them in illegal behavior.

Recently, Agari researchers identified a woman in Los Angeles that has sent nearly half a million dollars to a scammer that she has never even met. Even worse, this woman knowingly cashes bad checks and fake money orders on his behalf. The FBI has warned her to stop, yet it is unlikely she will do so.

The victims of romance scams are typically women in their 40s to 50s, usually divorced or widowed and looking for a new relationship. They are targeted by scam artists on dating web sites, who have the ability to refine their searches for women that fit their target demographics. 

The scam artists create profiles of charming and successful men to engage these lonesome women. Dating sites frequently ask what women are looking for in a partner, so it is easy for the scammer to say exactly what they need to seem like “Mr. Right.”

Once these scammers engage with their victims, there is an inevitable variety of excuses why they can’t meet: claims of overseas military service or mission trips are common, and help to further cement the supposed righteousness of the scammer. After a few months of correspondence, the scammer will claim a supposed tragedy (a lost paycheck or medical fees are common) and request a small loan. The typical loss in these scams is $14,000, not to mention the considerable psychological damage: victims of romance scams frequently withdraw from their social circles, embarrassed by the stigma.

Even worse, as in the case of our anonymous victim, some of these scams can continue for years, with frequent requests for financial support. Once trust is established, these scammers may also begin to use their victims as “mules” to cash fake checks, make deposits, accept shipment of stolen goods, and more. In the case of our anonymous victim, her family has pleaded with her to stop sending her suitor more money, and the FBI has warned her that her behavior is illegal; and yet she persists.

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist and entrepreneur, studying phishing, crimeware and mobile security. Prior to Agari, Jakobsson spearheaded research in malware, authentication, fraud, user interfaces and security technologies for Qualcomm. He also co-founded three digital startups – ZapFraud, RavenWhite and FatSkunk. Jakobsson has held key roles as Principal Scientist at PayPal, Xerox PARC and RSA Security. He holds more than 100 patents and is a visiting research fellow of the Anti-Phishing Working Group (APWG). He holds a Ph.D. in computer science from the University of California, San Diego and master’s degrees from both the University of California, San Diego and Lund University in Sweden.

Security Practitioners: 10 Signs You Need to be More Direct

Conflict isn’t Pleasant, But Sometimes it Can be Healthy and Necessary When Done Properly and Respectfully

Living and working in different cultures gives you a broader perspective across a variety of different areas than you might have attained otherwise. It is one of the things I am most grateful for professionally and has taught me to appreciate that each culture has its own advantages and disadvantages. There is one particular aspect of some cultures that I think we in security can learn a lot from.

Which cultural aspect am I referring to?  Directness. Those of you who know me know that I am very direct and that I am a big proponent of directness.  Directness is something that some cultures do better than others.  So how can we as security practitioners identify areas in which directness can help us improve? I present: 10 signs you need to be more direct.

1. Bad ideas hang around: I remember watching the Challenger explosion on television. After the investigation, groupthink was found to be one of the reasons that the launch was allowed to go ahead, despite known risks. People were simply afraid to state their concerns directly. While the stakes are certainly lower in your security organization, the principle holds true. If people are afraid to be direct, it often results in bad ideas hanging around far longer than they need to. Whereas in a direct culture, a bad idea can be considered and politely dismissed in a relatively short amount of time, in an indirect culture, it may linger far longer than it should. That results in valuable resources being spent on activities that don’t provide much value.

2. Good ideas don’t come forward:  In a similar manner, if people are afraid to be direct, it often keeps them from suggesting new ideas.  Perhaps the solution to that big problem you’ve been worried about is found in the thoughts of one of your team members.  But if it stays there, it doesn’t do you any good.

3. The team has no idea where it stands:  Security teams need to know that the work they’re doing adds value to the organization, improves its security posture, and helps mitigate risk.  In order to gauge where they stand, the security team needs to know what success in each of those areas means.  The only way I know of to communicate what success means is to do so directly.  That enables the team to make progress more effectively.

4. Strategic direction and goals are unclear:  Building on number 3, communicating strategic direction and goals clearly and directly helps the team understand where the organization is going and what success means.  Not surprisingly, that clarity will assist the security team in maturing far more quickly and efficiently.

5. Everything is above average - always:  I always love it when I hear people tell me that everyone on their team is exceptional/above average/a star.  Or that the intelligence they mine from their data is world class.  Or that their processes are the most refined and mature in the industry.  I hear this almost universally.  Unfortunately, statistically, this is simply impossible.  Everyone knows that organizations have different strengths and weaknesses.  Try being honest.  I think you’ll find that people will appreciate your candor and will respect you and your organization more for it.

6. Vendors are in the dark:  Is a vendor meeting your expectations?  Or, perhaps they are falling short of expectations?  Are they trying to sell you something that you aren’t going to buy?  Or perhaps they could benefit from some honest, constructive criticism?  Did the initial phone call or meeting with the vendor reveal that we don’t have a great fit here?  Then tell the vendor what you think.  Directly.  As someone who transitioned to the vendor side, I can tell you that trying to guess where you stand isn’t much fun at all.  If we don’t have a match here, let me know, and let us both move on to other things.

7. You don’t reply to email more often than you do: Did someone ask you a tough question by email? Did a vendor follow up to check on things? Did someone ask you to do something that doesn’t make a lot of sense to you? Reply. It could very well be that you indicate in your reply that a face-to-face discussion needs to happen around this matter. Or, perhaps the answer is simply no. But at least do the person the decency of replying directly.

8. Executives get things sugar-coated:  It’s tempting to sugar-coat issues, challenges, shortcomings, and/or bad news to executives to avoid “burdening” them and to make ourselves look better in the short-term.  But most executives I have met want to know about risks to the business, including information security related risks.  Granted, you need to communicate clearly and concisely, and you need to have a plan for action.  But, assuming you have all those things in place, it’s best to be direct.  Sugar-coating things can make things easier for you in the near-term.  But in the long-term, cracks in the foundation will show.  And in the event of a serious security incident, past attempts to sugar-coat known risks will not go over too well.

9. You avoid conflict at all costs:  Conflict isn’t very pleasant, but sometimes it can be healthy and necessary when done properly and respectfully.  Maybe you disagree with someone’s approach.  Maybe you know that a given project will not benefit the organization.  Maybe you feel that a certain problem is at risk of remaining unsolved.  In these cases and others, it’s quite possible that there will be others that don’t see it the way you do.  But if you challenge them or they challenge you, it’s okay to be direct and have a bit of a respectful conflict.  That’s really the only way that both sides can be heard and understood.  Shying away from conflict accomplishes nothing other than to ensure that no one’s ideas get communicated.  Over time, it also teaches people that their concerns will not be dealt with and will instead be left to die on the vine of indirectness.

10. The story keeps changing:  The sad result of indirectness and conflict avoidance is that the story keeps changing.  Life in the security organization becomes a moving target where no one is really certain what they should be focused on or what will add the most value.  Obviously, this is not a great situation for the organization to be in and doesn’t help its security posture.  Directness is the only cure for this as far as I can tell.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA and also serves as Security Advisor to ExtraHop. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.