Wednesday, 9 September 2015

Are You Hiding Behind a Security Technology Comfort Blanket?

Guest Blogger: Stuart Peck,
Pre Sales Manager at ZeroDayLab
Having recently moved into a Pre-Sales Manager role, my perspective on information security has changed tremendously over the last 18 months; quite something after more than 10 years in this industry.
The threat landscape is ever changing. The growing sophistication of cyber criminals and state-sponsored actors, who use covert tactics and tools to evade detection, is attested by daily press reports of yet another breach at a well-known brand; just take Carphone Warehouse or Ashley Madison. One thing, though, has not changed over the last 10 years: the reliance on technology to fix a problem that is very human. I think the following quote sums this up quite well:
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand technology.” Bruce Schneier.
I’m not suggesting that technology doesn’t solve problems created by current threats, just that there is still a focus on finding the silver bullet in a technology solution. Unfortunately that does not exist (yet, at least). Take spear phishing as an example: IT security departments deploy anti-spam, URL filtering, web proxies and advanced detection technologies, yet find they are still battling a problem that in essence targets human behaviour and psychology.
When a highly targeted campaign of just 10 emails yields a 90% chance that at least one person will click on a link or open a weaponised document, this is not a problem that technology in isolation can fix. That statistic is even more potent when you understand how easy these attacks are to craft and deploy. Why would a threat actor waste hundreds of man-hours building a targeted campaign when they could apply to a job opening on an organisation’s website with a well-written email and a weaponised CV attached? The recipient in HR is expected to open CVs as part of their job, so opening that attachment is the normal workflow rather than a lapse, and it quickly gets the attacker a foothold on the target company’s network.
The popular solution is to deploy the latest shiny toy that counters “today’s latest threats” and report back to the board that the residual risk has been treated. High fives all round, right? No; it’s the technology comfort blanket effect.
In theory the risk has been addressed, but only until cyber criminals devise another tactic to bypass the controls. It does not address the core risk of spear phishing: humans opening well-crafted weaponised emails. Your technology comfort blanket may give a warm feeling that the business is defended, but it cannot account for human error, lack of awareness of the security policy, or changing threats.
A human problem created by humans, underpinned by technology.
Let’s consider the Target breach, in which over 40 million credit card details were harvested and stolen by cyber criminals. Target had deployed FireEye (in monitor mode), which detected the malware used to compromise the POS systems. However, Target’s US-based security analysts ignored the alerts, raised not only by FireEye but also by Target’s own security operations team in Bangalore. The technology actually did its job, but it was let down by the lack of a robust incident response process, allowing the malware to keep running without intervention.
I see this countless times: companies invest in technology to provide alerts and management reports on threats, which either don’t get actioned in time or end up in someone’s drawer. It’s technology comfort blanket effect #2: reliance on technology with no human interpretation of the data, no notification and no action to manage the security event. That human step is even more critical than the information being generated in the first place.
So how do we put down the comfort blanket?
Technology has become the core focus of information security strategy, whether driven by analysts such as Gartner or Forrester or by highly effective vendor marketing. The reality is that the changing environment demands that technology sit within a wider strategy in which actionable threat intelligence, business philosophy, governance, people, process and technology are closely aligned.
1) Generate Actionable Threat Intelligence
Understanding threats, and especially adversaries, is a great place to start; I’m not talking about scenarios on a risk register, I’m talking about real threats identified through proactive intelligence.
Knowing an attacker’s capability, intent and techniques, as established through intelligence, should drive decisions about where controls across governance, process and technology can be tightened in anticipation of attack.
2) Continuous education top-down, bottom-up, fed by actual threat intelligence.
With the increasing number of attacks targeting employees and executives, security awareness training shouldn’t be a once-a-year, tick-box exercise. Create a network of human sensors through a programme of continuous education, driven by governance and fed by intelligence.
This makes humans more of a failsafe in the kill chain, so that attacks which get past protective controls are less likely to be executed. As I always mention in security awareness training sessions, if you don’t click on the link or open the attachment, the attack won’t work.
3) Create a strategy that focuses on reducing the time from detection to responding to security incidents.
The key here is implementing processes and procedures that ensure the information generated by detection and monitoring technology is actioned quickly. Technology, people and process should work in harmony so that the right information reaches the right recipient, who can then respond appropriately to deal with the attack.
The quickest way to reduce detection-to-response time is to test the organisation’s incident response policy regularly through red-teaming exercises, to confirm that the company has the capability to protect, prevent, discover, detect and respond to each scenario. Measure the elapsed time from the first detectable event to containment in each exercise; that figure, tracked over time, is the real indicator of whether the process is improving.
If this is implemented correctly, the business should not need to ask whether it is protected from the breaches it is reading about in the news; it will already know, and it won’t be hiding behind that comfort blanket!
