Defenders Shall Exploit the Advantage of Knowing the Context

Although digital autonomy comes with a set of drawbacks from data security point of view, the latter isn’t any deterrent for businesses to take those risks and fuel the business growth. It’s the job of the security teams to secure the environment and enable businesses to take the risks.

Grant Geyer, Senior VP, Products, RSA (the Security Division of Dell Technologies), spoke to Rahul Neel Mani, Editor, dynamicCISO during the RSA Conference APJ. His key advises to the CISOs were:

Always quantify the risk and assign a value to an asset

Classify data assets into critical and non-critical and then assign appropriate controls

Establish a context and take advantage of it

 Below are the excerpts of the detailed interview:   

DCISO: How do you think the industry and businesses have evolved on their agendas and approach towards “cybersecurity” and “risk management”?

Grant Geyer (GG): If I wind the clock back for a moment, the job of CISO – a decade and a half ago – was to put controls in place for protecting the environment. S/he was mostly involved in taking binary decisions on what people should or shouldn’t do. It worked during those days. There were tall walls around the enterprise.

In the world that we live today, those walls have withered away to make way for workforce productivity. Staffers log into systems from anywhere. They access third-party, SaaS-based apps not within an enterprise firewall. This heterogeneous environment (or the digital autonomy) has caused a fundamental shift in CISO’s role – from putting controls to a being a trusted business advisor. A CISO is that function who’d educate business on risks associated with business decisions. Alternatively, the businesses also need to work on the executive team’s risk tolerance for ‘good-risk’ or ‘bad-risk’. So, in the world prior to digital, it was about ‘high-risk’ or ‘low-risk’, which has now changed to, which risks would a business want to accept.

Despite the disliking of security teams the business will implement new applications, 3rd-party cloud-based solutions etc. If a CISO can help protect this expanding surface, s/he is a “Hero.” If not, then “Zero.”

Squarely, it’s a CISO’s or a CRO’s job to help business understand the risks and in that light, the companies with foresightedness have a greater degree of keenness to look at cybersecurity and risk management as important goals. It’s important to have a ‘risk-orientation” in the digital world than to keep focusing on making binary decisions of ‘yes’ or ‘no’.

DCISO: Grant, it is getting difficult for the CISO/CIO or a CRO to define the risk in a moving, agile enterprise where things change every day. Who should be termed ‘responsible’ in case the risk isn’t protected?

GG: One of my biggest observations here is on the ways in which security teams communicate. More often than not, they will talk about:

Attack type

Attributions of an attacker

Methods used to get into the environment

Number of records stolen

By and large, these are technical details of the incident occurred. They are mostly oblivious (or unable to) spell out the business impact.

On the other hand, if you talk to a general consul about the legal risks they talk the language of ‘dollars and cents’, which means they can tell you about documents being stolen, potential customers impacted etc.

One of the areas that’s going to be increasingly crucial to equalise the dialogue is the concept of “Cyber Risk Quantification.” CISOs must provide a value to every asset, whether it’s a public cloud infrastructure, a 3rd party risk associated with your core assets or anything similar. Businesses have to build models around quantification. For example, one could say that ‘a single credit card breach takes 400-hours of business time to detect and respond’. Even though these are hypothetical values, they help you quantify risk. Also, this helps you decide where your $ for controls should be placed.

If this process is followed scientifically, you will be able to give answers to questions such as:

Am I investing in the right places?

What is the effectiveness of controls put in place?

How do I change the controls to align with the changing risk landscape?

DCISO: Even matured companies, which do due diligence and have a methodical approach to cyber risk quantification, are breached. SingHealth data breach is a classic case. How do we tackle those instances?

GG: We have to admit that Internet is fundamentally a broken place. It doesn’t stop cyber-attacks from occurring. Technology infrastructures, however intelligent, are porous in nature. There are so many loopholes that hackers can exploit. It will be foolish to claim that one can protect the environment completely.

The answer (to the current set of problems) lies in classifying the assets into critical and non-so-critical and then put appropriate controls required. This can at least protect your crown jewels, which, if breached, can cause colossal damage. Even then if an attacker gets around, it’s easy to spot and mitigate the risk. After the detection, it’s about how responsive your cyber breach program is to respond to the incident.

Some of the organisations, that I work with, even do ‘table top’ exercises. What is a table top exercise? E.g. in case ‘Company A’ got breached in a certain situation, how would ‘Company B’ would have reacted or tackled in the same situation. These diligent procedures work well. Because of the ubiquitous nature of data, elimination of risk is an incredibly expensive procedure. Therefore, the need of the hour is to have a mechanism in place where, instead of stopping the incident to occur, the security teams should aim at detection and response.

DCISO: One of your recent blogs says keeping the bad guys out is the responsibility of SOC (Security Operations Center) and letting the good guys in is the job of IAM (Identity & Access Management). Aren’t they the two sides of the same coin tied together with ‘identity’? Tell us how RSA’s acquisition of Fortscale help bridge the gap between SOC and IAM?  

GG: It always surprises me why, in an enterprise, the security analysts, SOC and IAM teams aren’t always connected! A recent study suggests that in 81% of breaches reported, at some point, involved takeover of credentials or privileged access. That means 81% of breaches have identity at the core. In the context of pervasive visibility, we need to consider visibility of the user as the core to mitigate risks. SOCs, as they look at cloud, endpoints, IoT devices and other things, they also need to understand user behaviour. If they find users doing something above baseline, an alert should surface. Similarly, the IAM team, while authenticating users, besides looking for password and authentication, should also look at patterns like usage of machines, locations, browsers, time of logging and so on. These data sets enable security teams to segregate data into ‘normal’ and ‘aberration’. If it’s an aberration, maybe you perform a step of authentication.

At RSA, our view is that these are two sides of the coin. If the SOC sees a suspicious user, it should inform the IAM team to establish user identity. By doing so, the systems should work effectively together and the teams will also work in tandem. RSA’s acquisition of Fortscale is a step towards bridging this gap. The decision to acquire Fortscale was to not only make the SOC smarter but also to take advantage of Fortscale technology to monitor user behaviour.

DCISO: Do you think any average-sized organisation can today afford to have separate SOC and IAM infrastructure, and teams?

GG: It’s unfortunately the nature of the problem. The level of complexity is so deep and vast. Let’s draw an analogy from the airline industry. Why do they have separate teams to fly the machine, service it and another one to look after the passengers? Won’t it be prudent to have one team doing all jobs? But it’s not true. You need specialists to perform a particular job. The same holds true for security. It is wrong to see the security practitioners as one job and security market as one market. In reality, because of porous environments, there are different specialised techniques and people required to perform different jobs i.e. protecting identities, detecting frauds, managing risks, monitoring controls etc.

DCISO: In the end, I would like to ask about the advantage provided by technology from preventing businesses falling prey to the new, lethal attacks that are emerging in digital economy.

 GG: The broader concept in which we can find answer to this question is ‘asymmetric nature of cybersecurity’. Countries, companies and cities – all – want to ride the digital wave. The more interdependent these entities are, the more opportunities it creates for the bad guys to take advantage. There are nation-state sponsored actors, fraudsters who don’t have the same economic or military might but cyber gives that asymmetric opportunity for them to level the playing field. That’s where the problem lies. The technologies used by good guys are also available to the bad guys. The asymmetric advantage of the attackers is that they need to be right only once while the defenders need to be right always. On the other hand, the only asymmetric advantage that the defenders have is the ‘context’. Today, it would be daunting (if not impossible) to defend an entire digital surface of any organisation. But if you can identify the key areas that provide the real opportunity for disruption, and have key tenets of data governance in place, you can get that asymmetric advantage. That’s where technology can help CISOs achieve – the ability to establish the context.

Leave a Comment

Your email address will not be published.

You may also like