We all make mistakes, and even in the era of digital transformation, business and finance grudgingly accept that reality. When it comes to information security, however, the preference is to minimise mistakes, because the repercussions can range from fines and revenue loss to the loss of the right to do business at all.
FutureCFO spoke to Daniel Chu, director of Systems Engineering at ExtraHop Networks, for his take on the three most common security mistakes CIOs make. Not that we are squarely looking for weaknesses on the part of the CIO when it comes to securing the enterprise. After all, everybody makes mistakes.
Security automation strategy mistakes
According to Proofpoint's 2020 State of the Phish report, 88% of organisations worldwide experienced spear-phishing attempts in 2019, and 86% were on the receiving end of Business Email Compromise (BEC) attacks that year. In its Q3 2020 report, Risk Based Security said data breaches had exposed 36 billion records in 2020 to date.
During a CXOCIETY-organised masterclass on AIOps, Bright Zheng, Watson AIOps technical leader for ASEAN at IBM, said that it is impossible these days to identify all the security attacks coming into an organisation without the assistance of automation.
ExtraHop's Chu said that understanding security automation requires understanding the challenges we face. He pointed to three worrying trends: security operations centres (SOCs) face increasingly sophisticated attackers; SOCs are still viewed as cost centres, which can mean lean teams staff them; and the security skills shortage is real today.
"IT teams are asked to do more with less. When faced with the inevitable breach, the question becomes how long it takes to respond to a breach. The FireEye Mandiant M-Trends 2020 report revealed that in Asia-Pacific and Japan, IT teams within the region can take about 94 days to identify and remove a breach. This means that there is a significant amount of time between when someone gets compromised and when the breach is discovered," he said.
He added that businesses that have been breached start to consider implementing security automation. It helps IT teams respond programmatically, support formal investigations and identify insider threats faster.
He made it clear, however, that security automation is a force multiplier and not a replacement.
Thinking that security automation can replace employees is the first of the mistakes a CIO can make when designing a security strategy.
The second mistake is that many CIOs have an incorrect perception of what automation can do: a process can only be automated once it is already in place and working.
“There have been numerous promises being made about the opportunities that security automation brings but businesses need to understand that people are part of the process.”
The third mistake is not understanding your audience. When it comes to security automation, you are only as good as your telemetry and visibility, so security teams need to know where their telemetry comes from.
"With modern SOCs today, we have to remind our customers to not just focus on their Security Information and Event Management (SIEM) but also on where the system is being accessed, and to make sure that the network has good coverage," he added.
For Chu, the network is a rich source of data, since all traffic traverses it. He added that smart devices and legacy systems do not necessarily have logging agents installed. "Combining logging-agent pipelines and network data gives IT teams more holistic visibility. This will help set up a lot of the automated tests when adopting a security automation strategy," he said.
Network security in the cloud
An IDC survey of 300 CISOs found that security misconfiguration (67%), lack of adequate visibility into access settings and activities (64%) and identity and access management (IAM) permission errors (61%) were their top concerns associated with cloud production environments.
Chu said that while cloud providers have tools and platforms to help secure their environments, those security measures are proprietary to each provider. The challenge for business comes when dealing with multiple vendors and technologies.
"There is a lack of a single unified way to manage them."
"While all cloud providers have a shared responsibility model in place, where customers can leverage the security offered by cloud providers, the customers need to safeguard their data by implementing the right configurations in the cloud," he cautioned.
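The three survey concerns above (misconfiguration, poor visibility into access settings, IAM permission errors) are the kind of thing that can be checked mechanically once the policies are exported as documents. The following is an added example, not code from ExtraHop or from any cloud provider: a small lint over IAM-style policy JSON that flags wildcard actions and resources and public principals, with a constructed public bucket policy beside its corrected form. The policy documents, bucket name and account ID are made up for illustration; the field names follow the AWS policy grammar.

```python
"""Lint IAM and resource-policy documents for common cloud misconfigurations:
wildcard permissions and public access.  Added example with constructed
policies; bucket names and account IDs are assumptions, not real resources."""

# --- Constructed policy documents (not from any real account) ---------------
OVER_PRIVILEGED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ReadReports", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-reports/*"},
    ],
}
PUBLIC_BUCKET_POLICY = {  # the weak setting: anyone on the internet can read
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}],
}
HARDENED_BUCKET_POLICY = {  # the corrected setting: one named role, read only
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-reader"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """'Principal': '*' or {'AWS': '*'} grants to anyone, including anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def lint_policy(policy: dict) -> list:
    """Return one human-readable finding per risky Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow can over-grant
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call (full admin)")
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append(f"{sid}: service-wide wildcard action {action}")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' applies the grant to every resource")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything except the listed items")
        if _principal_is_public(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(f"{sid}: Principal '*' with no Condition makes this publicly accessible")
    return findings


if __name__ == "__main__":
    for name, doc in [("role", OVER_PRIVILEGED_ROLE_POLICY),
                      ("public bucket", PUBLIC_BUCKET_POLICY),
                      ("hardened bucket", HARDENED_BUCKET_POLICY)]:
        print(name, "->", lint_policy(doc) or ["no findings"])
```

A lint like this runs the same way against every account regardless of which console the policy was written in, which is one practical answer to the "no single unified way to manage them" complaint: export the configuration, check it with your own rules, and feed the findings into the same ticket queue as any other alert.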
Advice to CIOs: change your mindset or else
Chu said a post-compromise mindset is about managing risks and talking about them in the context of resiliency.
“Resilience is about ensuring you have the right technologies in place to catch suspicious events, you have the process measures to react quickly to events, and also your security team is well-equipped to investigate effectively and provide more knowledge for the future, so we can prevent it from happening again.”
Chu is adamant that accepting that an organisation has been breached does not mean the CIO has failed at his or her job.
“IT leaders need to educate everyone within the organisation that it is about being ready and having the right plans and technology in place to respond to these attacks. It is not just about checking the box with automation, but really having that mindset of putting that investment into the people and process to be a force multiplier, and not necessarily just check a box and saying hey, we can reduce X amount of headcount by automating this type of workflow,” he concluded.
How to stay resilient in 2021
Chu acknowledges that technology will play an important role in securing mission-critical workloads and applications.
Having the right data set is important when investigating a security breach. It is one thing to detect something and another to investigate it and determine whether it is a true or false positive.
The other critical component is the speed at which businesses can react to such a breach. Does the organisation have specific workflows and guided decision trees to help IT teams understand what is going on and react quickly when a breach occurs?
“There is a substantial amount of tribal knowledge within the organisation that is not captured properly. Some people can see something because they have been around for a longer time and know that something is happening. This might be difficult to spot by someone who is just a new employee and might not have the right context.”
“The whole premise of this security automation is to take a lot of that tribal knowledge and automate it into a nice playbook, so that you can adequately catch and detect, respond to it quickly and investigate it against valid data, and follow up with documentation so we have these lessons moving forward,” he concluded.
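Two of Chu's points above, combining agent logs with network data for visibility and writing tribal knowledge down as a playbook, come together in a triage routine. The block below is an added example, not ExtraHop's product or code: it joins constructed agent log lines with constructed flow records, encodes the "someone who has been around knows that" context (the nightly backup target, approved egress ports, business hours) as data, and walks a scored decision tree that hands an analyst a verdict plus the evidence behind it. Hostnames, addresses, weights and thresholds are all assumptions for illustration.

```python
"""Alert-triage playbook that joins log-agent telemetry with network flow
records and walks a documented decision tree.  Added example with
constructed data; hosts, IPs, weights and thresholds are assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field

# --- Constructed sample telemetry (not from any real environment) ----------
AUTH_LOG_LINES = [  # what a logging agent ships from hosts that have one
    "2021-01-12T02:58:10Z host=fin-app-01 src=10.0.5.77 user=svc_backup event=login result=success",
    "2021-01-12T03:02:41Z host=fin-app-01 src=10.0.5.77 user=svc_backup event=sudo cmd=tar",
    "2021-01-12T09:15:00Z host=hr-web-02 src=10.0.6.12 user=alice event=login result=success",
]
FLOW_RECORDS = [  # what the network sees, including hosts with no agent at all
    {"ts": "2021-01-12T03:05:00Z", "src": "10.0.5.77", "dst": "203.0.113.10", "dport": 443, "bytes": 2_400_000_000},
    {"ts": "2021-01-12T09:20:00Z", "src": "10.0.6.12", "dst": "10.0.1.5", "dport": 443, "bytes": 12_000},
    {"ts": "2021-01-12T11:00:00Z", "src": "10.0.6.12", "dst": "203.0.113.20", "dport": 443, "bytes": 30_000},
    {"ts": "2021-01-12T03:20:00Z", "src": "10.0.9.4", "dst": "198.51.100.7", "dport": 4444, "bytes": 3_100},
]

# --- Tribal knowledge written down as data instead of living in one head ---
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # explicit, not is_private (TEST-NET counts as private)
APPROVED_EGRESS_PORTS = {80, 443}
EXPECTED_EGRESS = {"svc_backup": {"203.0.113.10"}}  # the nightly backup target
HIGH_VOLUME_BYTES = 1_000_000_000


@dataclass
class Triage:
    src: str
    score: int = 0
    evidence: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.score >= 4:
            return "escalate"
        if self.score >= 1:
            return "monitor"
        return "close"


def parse_log_line(line: str) -> dict:
    """'2021-...Z host=x src=y ...' -> {'ts': ..., 'host': 'x', 'src': 'y', ...}"""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = ts
    return fields


def triage(src: str, log_lines=AUTH_LOG_LINES, flows=FLOW_RECORDS) -> Triage:
    """Score one source address using both data sets; return verdict plus evidence."""
    t = Triage(src)
    host_logs = [e for e in map(parse_log_line, log_lines) if e.get("src") == src]
    users_seen = {e["user"] for e in host_logs if "user" in e}
    expected_dsts = set().union(*(EXPECTED_EGRESS.get(u, set()) for u in users_seen))

    if not host_logs:  # legacy or smart device: the network is the only telemetry
        t.score += 1
        t.evidence.append("no agent logs for this source; network data is the only telemetry")

    for f in (f for f in flows if f["src"] == src):
        if ipaddress.ip_address(f["dst"]) in INTERNAL_NET:
            continue  # rule 1: internal-to-internal traffic is out of scope here
        if f["dst"] in expected_dsts:
            t.evidence.append(f"{f['dst']}:{f['dport']} is expected egress for {sorted(users_seen)}")
            continue  # rule 2: a known job stays benign even when large and at night
        hour = int(f["ts"][11:13])
        checks = [  # (fired?, weight, why) for rules 3-6
            (f["dport"] not in APPROVED_EGRESS_PORTS, 3, f"egress on unapproved port {f['dport']}"),
            (True, 2, f"external destination {f['dst']} is not expected for the users seen here"),
            (f["bytes"] > HIGH_VOLUME_BYTES, 2, f"{f['bytes']} bytes outbound in one flow"),
            (hour >= 22 or hour < 6, 1, f"activity at {hour:02d}:00 UTC, outside business hours"),
        ]
        for fired, weight, why in checks:
            if fired:
                t.score += weight
                t.evidence.append(why)
    return t


if __name__ == "__main__":
    for src in ("10.0.5.77", "10.0.6.12", "10.0.9.4"):
        r = triage(src)
        print(src, r.verdict, r.score, r.evidence)
```

The point of the scoring is not the numbers but that each rule carries its own explanation, so the output is a documented case rather than a bare alert: the backup host's 2.4 GB at 03:05 closes because the playbook knows about the job, while the agentless device on 10.0.9.4 escalates on network evidence alone. A human still decides what to do with "escalate"; the automation has only done the joining and the remembering.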
Click on the PodChat player above to listen to the full dialogue with Chu, which covers the following questions:
- First off, in 30-seconds what is ExtraHop?
- What are the top three security automation strategy mistakes that CIOs make?
- How can relying more on automation help minimise the time to remediate incidents?
- Not all networks are created equal. What are the business challenges CIOs worry about when implementing security measures on the cloud?
- Security specialists warn us of expanding attack vectors. Why is it crucial for businesses to detect activity at every stage of the attack lifecycle?
- Every CIO and CISO has pre-conceived ideas of what infosecurity is. Why is it important for CIOs to change their mindsets when it comes to securing automation processes?
- Moving forward, how can businesses stay resilient when encountering potential network security threats?