Thursday 3 September 2015

Ah! I See That You Have a Machine That Goes 'Ping'

Guest Blogger: Nick Prescot
Senior Information Security Manager at ZeroDayLab

Many of us have seen the scene from Monty Python where a group of surgeons have lots of kit ready to deliver a baby; the administrator comes in and all the machines are going 'ping', the umbilical cord is severed with a meat cleaver, and the machines that go ping have done absolutely nothing.  And this is what happens a lot of the time when a hacker gets into a system: it has bypassed all the machines that are supposed to go ping, but they didn't.

As much as I love technology, and I do have a fair amount of gadgets and 'Gucci kit', I do wonder about the over-reliance on technology within the information security sector. Yes, information security is a technical domain and the profession we practise is not about analysing works of art, where subjective matters and opinions count, but there is a certain tendency to solve a problem with a new machine that has a slightly different ping, rather than understanding the architecture of the networks that we process data on. One of many great quotes from Bruce Schneier recently is this:
'If you think that technology can solve your security problems, then you don't understand the problems, and you don't understand the technology' 
We all know that Bruce likes to make hard-hitting statements and this one got me thinking...this is one of those quotes that looks great on a PowerPoint slide, but how does one educate the listener as to why it's important?  It's not the kind of quote that vendors are going to like, because they want you to buy the technology on the basis that it will solve the problem. It's not the machine that goes ping that solves the problem; it's when it goes ping, what that ping actually means...and when the ping goes off, what happens next?
As with many things in life, the devil is in the detail. The detail here is understanding the security problems, and technology has never been able to judge risk in the same way that a human does; we are not filling our SOCs with Cyberdyne Systems T-101 robots that think for themselves and provide a secure network.  It's a case of what the risk appetite for your data is.  For example, if you are just reposting news stories to a selected audience and you are not taking anyone's login details or payment details, you don't need a military-grade firewall.  Then again, if you are processing financial data you need to take it more seriously. 
Every company has a different security posture, and one of the biggest challenges is to gauge what the level of risk appetite is and what controls you are looking to put in to mitigate the risk.  This does seem simplistic, but the reality is a lot harder: try getting your management team to understand the level of cyber-risk when there is little data to support it and you don't know who's attacking you and why. 
This is where the realm of threat intelligence comes into play, but a lot of the time it's just pinging alerts at you.  If you turn on a threat intelligence tool in a corporate or enterprise environment, it's not long before the number of alerts becomes quite numerous and onerous.  It's a machine that goes ping, and there are a lot of pings to deal with. 
So, how do you solve a problem like Maria? I mean this whole information security thing, when all these machines are going ping, the technology is overwhelming and the hackers are getting into all these websites.  Well, the key thing is not to put another box in your data centre that sends out lots of alerts and tells you that user A is being infected by malware, while nothing much is done about it because they are out of the office, working from home, or in the middle of a sales deal and you can't bring in the laptop...then spend hours looking at the malware before giving it back to the person. 
There needs to be a blend of understanding what the risk appetite is in terms of how much time, energy and effort is spent investing in security...i.e. the strategy.  Once that is ascertained, you need to appoint someone to be in charge of infosec (yes, that's people like me who have the job title of information security manager) and then develop and deliver the operational parameters: what kit is used, which policies and procedures are enforced, and how the information gathered is reported to the auditors/management etc. so that they know what their ROI is.  ROI in this case is not the profit from putting in these systems but the number of times that you haven't been hacked...yes, the machines that go ping will tell you that when they are set up properly, but their output needs to be articulated in the right format and made meaningful. 
That said, this is a lot easier said than done....
More about me

'Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab Ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab.  Nick aims to assist companies who are looking to improve their cyber resilience and posture in the ever-ongoing battle against emerging and continuing cyber threats.  By taking a detailed and holistic view of clients' policy and governance infrastructure, entwined with incorporating information assets within corporate risk registers, Nick is able to provide a clear strategy to clients so that their infosec operations and processes are aligned to industry practice.
Nick is also a seasoned incident response manager, and when there is a security and/or availability incident, Nick is able to ensure that the incident is remediated as soon as possible and to deploy the specialist response assets that can remediate the incident. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.'
