Technology CISOs: It's time to get back to security basics

01:35, 11 June 2021. Source: techrepublic.com


The cyber threat landscape has become more dangerous over the past year and the C-suite is paying greater attention—but all the tools in the world won't help until organizations home in on good cyber hygiene. That was one of the messages from CISOs who participated in a virtual think tank webinar hosted by ReliaQuest Wednesday.


"The fundamentals of being good at cyber hygiene is the most neglected" aspect of cybersecurity, said Chris Hatter, CISO of Nielsen. "If you're not good at the very basics and making sure you understand the basics on your network—like patching and remote monitoring—you're not set up for success."


Dave Summit, who recently stepped down as the CISO of Moffitt Cancer Research Institute, agreed, saying that "the fundamentals are key to a successful program. If you don't have the fundamentals down … you're missing everything else."


Another neglected area is dealing with legacy systems not getting replaced fast enough, added Summit, who is now a fellow at the think tank Institute for Critical Infrastructure Technology. "We have security company after security company coming out of the woodwork and everyone seems to offer the right solution for all your problems and we all know that's not the case."

Alert fatigue is another issue, Summit said. "We haven't gotten to a good place of understanding what events mean and how to properly filter them to know what they mean to your organization. That's a big one that takes cyber down quickly."


Moderator Jon Oltsik, senior principal analyst at ESG, said he would add training to the list of most neglected areas. Additionally, "in terms of risk, how do you improve or work on maximizing risk identification and really understanding cyber risk as it relates to mission-critical applications?" Oltsik said.

Not only have cyber threats grown more sophisticated, but the number of malicious actors has grown—they are more persistent and better able to communicate and collaborate with each other, said Oltsik.

"They communicate better than they do on the provider side," Oltsik said. "Pandemic-influenced remote workers have increased and the cybersecurity skills shortage" are other factors.

"It's not getting any better and the skills shortage is often misinterpreted as we don't have enough people, but we also don't have the right skills," Oltsik said.

Other pain points for CISOs are that the security tech stack has grown complex and they have to keep up with innovation, changing technologies and different vendor landscapes, he said.


When it comes to cybersecurity decision-making, today there is a lot more involvement from boards—and a lot more being asked of security teams, said Joe Partlow, CTO of ReliaQuest.

Defining risk

The ability to understand risk is one of the skillsets Summit said he believes is lacking now. For quite a while, cybersecurity was more focused on day-to-day technical operations and now it has moved into the managerial space, he said.

"Risk management is very much a team sport—you really can't do this in a vacuum," agreed Hatter. Sometimes business units don't feel that any of their data is private or sensitive, and organizations need to have a process for defining risk "in ways that make sense to a particular business unit," he said. When risk is clearly defined, IT can get into deeper metrics to find out what systems are vulnerable and mitigate any that have been compromised, Hatter said.

The goal of cybersecurity used to be protecting data and people's privacy, Summit said. There has been a major shift in that thinking.

"It's one thing to lose a patient's data, which is extremely important to protect, but when you start interrupting" people's ability to travel or the food supply chain, "you have a whole different level of problems … It's not just about protecting data but your operations. That's where major changes are starting to occur."


Summit added that he has long said if companies were making cybersecurity a high priority long before now, "we wouldn't be in this position" and facing government scrutiny.

The cybersecurity field is "incredibly dynamic," Hatter said, and CISOs don't have the luxury of planning out three to five years. "We want to create and deploy a strategy that's sound and solid. But market forces demand we recalibrate what we do, and COVID-19 was a great example of that." CISOs now have to have as resilient a strategy as possible but be prepared to make changes.

Managed security service providers can help, Summit said, but CISOs are still feeling overwhelmed. "I feel we've been inundated with attacks, and everyone's taking notice and asking questions, and security teams are overloaded with alert fatigue from tools," he said. "Now, people are asking the right questions, [but] that takes away time from addressing problems."

Making threat detection more efficient

ESG research has shown that 88% of enterprises are going to invest more in threat detection this year, Oltsik said. He asked the panelists what can be done to make threat detection more efficient.

Improving threat protection is not isolated to making sure you have the best technologies, Hatter said. "You need to have an organizational commitment to a level of standardization in IT that sets you up for success, and visibility to detect problems."


Without a commitment to standards, IT and security professionals will be in "a constant state of running after unmanaged assets," he said.

Summit said he believes the industry is going to see greater separation of cyber teams from IT and that "it's long overdue." The reason is the majority of cybersecurity problems are about misconfigurations and improper use of assets, he said.

"To me, that's the priority of IT. If you're doing the fundamentals correctly … you're lowering your risk level already. Then cyber teams can be focused on something different than looking for misconfigurations." They can spend their time looking at what's coming into the environment and being exfiltrated out and focus on what the real threats are, he said.

Tools, tools and more tools

Partlow said ReliaQuest sees an average of 30 to 40 tools in an enterprise, "and more often than not, that's just adding to the confusion and noise." Many are also not used to their full ability, he said.

"The number one thing that makes threat detection hard is not having visibility into the full [network] environment," he said. "You can't secure what you can't see." The best way to improve threat detection is to get that visibility and reduce the noise, Partlow said.

Hatter said he thinks vendors need to reconsider their pricing models "to give us more support and create more sophisticated rule sets. That's a pain point for me and other CISOs I've talked to."

Because IT teams already have alert fatigue, Summit suggested they speak to their MSSPs before they invest in more tools. "If you have a managed partner, take advantage of their experience. They're working for a wide range of clients and have a lot of valuable information that can help you decide what to look at."


He also made a plug for utilizing organizations like ISAC. "I can't stress enough how important they were to us" when he was at Moffitt, because of the ability to share information and learn the pros and cons of different toolsets.

"We learned a lot and that's how we selected a lot of our tools. I never recommend any team be isolated. Use a wide range of people out there."
