A CISO or security leader, the custodian of data security in an enterprise, is perhaps the most challenged C-suite executive today. On one hand, the board expects the company to comply with numerous regulatory frameworks and to keep its data from being breached; on the other hand, the attack surface keeps widening. The CISO has to look at all of it, the who, what, when, where and why, to run an organisation-wide security strategy.
Michael Adler, Vice President of Product & Engineering for the NetWitness Suite at RSA, firmly believes in a layered security approach. In an exclusive conversation with DynamicCISO.com, Mike suggests combining multiple security controls at different layers to protect the crown jewels and data across the enterprise.
Below are the excerpts:
DCISO: Let’s first talk about some of the new attack vectors that are surfacing (different from the old ones), and what security professionals need to do to mitigate the threat emerging from those.
Mike Adler (MA): As the world becomes continuously more complex, the expansion of attack surface is a natural outcome. It is now about the ‘Defence in Layers/Defence in Depth’ approach and understanding where the core risks lie in an enterprise. Creating a pragmatic security strategy includes having a ‘layered-defence’ and strong detection technologies.
I strongly suggest that organisations focus on a couple of areas to address the menace created by the growing threat surface:
You need to have strong protection techniques to take out the noise and do the basic hygiene. You also need to have strong detection technologies to detect the anomalies (undetected by the first layer of defence) and be proactive in addressing potential risks.
To put it in perspective, we all use door locks and still put in trip wires and security cameras. Why? Because many a time door locks aren’t able to dissuade the intruder, and cameras are needed to catch them. Detection technologies perform a similar function. If, by any chance, the intruders (hackers) breach the first layer of defence, they can still be observed, detected and remediated.
In the case of the increasing attack surface – zero-days, application vulnerabilities – the complexity has filtered down all the way to the users. Most users are signing into more than 12 applications on a daily basis. These apps are a combination of in-house, commercial, and SaaS-based apps not running on premise. Now think about the attack surface that one has to deal with.
CISOs have to not only secure applications and users but also manage the identities in their orgs. The complexities are also increasing because of the changing behaviour of users and attackers.
DCISO: You spoke about ‘defence in layers’. Can you explain how that unfolds?
MA: A security strategy actually begins with building a visibility framework across the layers of our defence. The visibility should cover everything – from logging into edge devices to the proxies, firewalls, endpoints and network packets traveling on an enterprise network. If you have a clear visibility across all of these, you will be able to understand the behavioural pattern and detect anomalies taking place.
As a security analyst, you need to look at users and identities on one hand and endpoints and edge devices on the other and then try to establish what are these two doing in concert. By doing so, one is able to track every element, join the dots together and paint a scenario. That’s what we know as a ‘defence in layers’ approach.
DCISO: How can security practitioners detect the anomalies in the network by analysing behavioural patterns and packet movement?
MA: It’s not a secret sauce, but normally there are behavioural patterns that users generally follow. E.g. a user, after a few initial browsing activities like responding to mails and visiting some favourite sites, logs into the enterprise application(s). This is the typical user behaviour. Security administrators should monitor it by looking at the content and network flow to understand and establish patterns. The user could be using any medium – a laptop, mobile, or a virtual machine – but it’s important for the admins to figure out whether the pattern is usual or it contains abnormalities. Equally vital for an administrator is to observe the traffic pattern on the network. For example, it’s important to notice what the typical file size is that any user sends to a server, and if a change is noticed, that calls for an alert. Suppose someone logged into salesforce.com and downloaded a large file, which is not normal: what is that for? Another example is if someone starts making a lot of changes to files. These are some of the characteristics of abnormal user behaviour on the network, which define behavioural patterns.
DCISO: Give us a real-world example of any such pattern studied where the customer was alarmed.
MA: Last year the deadly Struts attack engulfed the corporates. One of the large financial sector companies that we work with was suspected of having suffered a similar attack. We started highlighting to them very abnormal behaviour originating from one of their critical servers. It turned out to be true that the server was infected and was being used to infect other servers in the organisation. The verification came after our team noticed anomalous network traffic originating from the infected server. Within 6 hours of the incident, we had the signatures in our platform to tell the customer how the attackers were discovering the Struts versions in their organisation. In response, the infected server was shut down quickly, thus saving the rest of the infrastructure from getting infected. All this happened due to closely monitoring the network patterns.
DCISO: Visibility into the networks and endpoints was easy when the enterprises had limited exposure to technology. Today, the exposure is limitless. How can CISOs manage the visibility in an expanded enterprise?
MA: I am a firm believer that no one technology can safeguard the data and crown jewels. That’s why CISOs should know the relevance of the ‘Defence in Depth’ concept. For example, when mobile devices come into your network, do you segment them into certain areas? When identified portable devices come into your network, what’s your approach?
It all starts with an intelligent infrastructure followed by a systematic approach to gathering data from the key intersections. A robust security strategy is one which consists of an intelligent infrastructure and a layered visibility and detection approach to get insights from each element of the data collection. There is a need for creating a solid security stack across the board, and CISOs should not be afraid of adopting a layered approach – each layer filled in with an appropriate piece of technology helping the overall security structure. I again reiterate that there is no single solution in the market that can fulfil all your needs. You need pieces of strong protection and detection technologies besides having a strong, intelligent infrastructure.
DCISO: Where does the RSA NetWitness platform fit in this layered defence?
MA: NetWitness purely fits into the detection layer. For infrastructure, we partner with other group companies of Dell Technologies like VMware. We are not trying to replicate things that some of our partners already have in the protection layer. NetWitness is the leader in the detect and respond area.
One of the biggest things that happened to the NetWitness suite and the detection layer recently was the acquisition of Fortscale – a pioneering innovator in the machine learning-based user and entity behaviour analytics space. This will give us the ability to take the user behaviour gleaned from all the data that organisations are already collecting, such as identity logs, Windows logs, and firewall logs, and make the user profiles ready for behavioural analysis.
We have also introduced an orchestration feature, which is really a key piece for SOCs to respond quickly to alerts through an automated detection mechanism. This not only helps in trimming down the time taken by analysts to detect anomalies and take corrective action quickly but also gives them the ability to handle more alerts on a given day and accelerate the response.
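The behavioural baselining Mike describes above (a user's typical download size, usual working hours, and sudden bursts of file changes) can be reduced to a small detector. The script below is an added example for this page; it is not code from the interview or from RSA NetWitness. The log format, user names, applications, byte counts and thresholds are all constructed for illustration, and the robust statistics (median and median absolute deviation) are the editor's choice, not a method the interviewee names.

```python
"""Baseline-and-deviation detection over constructed access logs.

Each line is "<ISO timestamp> <user> <app> <method> <bytes>". The BASELINE
period is treated as known-good history; NEW_LOGS is the window being judged.
"""
from collections import defaultdict, deque
from datetime import datetime
import statistics

# Constructed sample data (not real traffic).
BASELINE_LOGS = """\
2018-05-01T09:02:11 alice salesforce.com GET 120000
2018-05-01T10:15:40 alice salesforce.com GET 98000
2018-05-02T09:05:02 alice salesforce.com GET 135000
2018-05-02T11:42:19 alice salesforce.com GET 110000
2018-05-03T09:00:55 alice salesforce.com GET 127000
2018-05-01T09:30:00 bob fileshare.corp GET 2000
2018-05-01T14:10:12 bob fileshare.corp GET 3000
2018-05-02T09:31:44 bob fileshare.corp GET 2500
2018-05-03T09:29:03 bob fileshare.corp GET 2800
""".splitlines()

NEW_LOGS = """\
2018-05-04T09:01:10 alice salesforce.com GET 125000
2018-05-04T03:12:45 alice salesforce.com GET 50000000
2018-05-04T09:20:00 bob fileshare.corp GET 4000
""".splitlines() + [
    # carol rewrites 25 files in under a minute: the "lots of changes" case
    f"2018-05-04T02:00:{s:02d} carol fileshare.corp PUT 4096" for s in range(0, 50, 2)
]


def parse(line):
    ts, user, app, method, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "app": app,
            "method": method, "bytes": int(nbytes)}


def build_baseline(lines):
    """Per-user profile from the known-good period: median and MAD of
    download sizes, plus the span of hours in which the user was active."""
    sizes, hours = defaultdict(list), defaultdict(set)
    for ev in map(parse, lines):
        hours[ev["user"]].add(ev["ts"].hour)
        if ev["method"] == "GET":
            sizes[ev["user"]].append(ev["bytes"])
    baseline = {}
    for user, vals in sizes.items():
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals)  # robust to one-off spikes
        baseline[user] = {"median": med, "mad": mad,
                          "hours": (min(hours[user]), max(hours[user]))}
    return baseline


def detect_anomalies(baseline, lines, k=10, ratio_floor=5):
    """Flag downloads far above the user's own norm, and activity outside
    the user's usual hours (with one hour of slack either side)."""
    alerts = []
    for ev in map(parse, lines):
        prof = baseline.get(ev["user"])
        if prof is None:
            continue  # new identity with no history: route to enrichment, not this detector
        lo, hi = prof["hours"]
        if not (lo - 1 <= ev["ts"].hour <= hi + 1):
            alerts.append((ev["user"], ev["ts"], f"off-hours activity at {ev['ts'].hour:02d}h"))
        if ev["method"] == "GET":
            # MAD can be tiny for a very regular user; the ratio floor keeps
            # ordinary day-to-day variation from tripping the size rule.
            threshold = max(prof["median"] + k * prof["mad"], ratio_floor * prof["median"])
            if ev["bytes"] > threshold:
                alerts.append((ev["user"], ev["ts"],
                               f"download {ev['bytes']} B exceeds {int(threshold)} B"))
    return alerts


def detect_write_bursts(lines, window_s=300, threshold=20):
    """Sliding-window count of write operations per user; returns the peak
    count for every user who reached the threshold inside the window."""
    recent, flagged = defaultdict(deque), {}
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        if ev["method"] not in ("PUT", "POST", "DELETE"):
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["user"]] = max(flagged.get(ev["user"], 0), len(q))
    return flagged


if __name__ == "__main__":
    profile = build_baseline(BASELINE_LOGS)
    for alert in detect_anomalies(profile, NEW_LOGS):
        print("ALERT", *alert)
    for user, count in detect_write_bursts(NEW_LOGS).items():
        print(f"ALERT {user} made {count} file changes inside the window")
```

Run as-is, the script raises two alerts for alice (a 3 a.m. session and a 50 MB download against a baseline of roughly 120 KB) and one write-burst alert for carol, while bob's slightly larger-than-usual 4 KB download stays quiet. The baseline is deliberately per user: a 50 MB pull is routine for some roles and alarming for others, which is exactly why a global threshold does not work for this kind of detection.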