CISOs have to drop reactive strategies to cyber threats – including chasing alerts – and instead be more proactive if they want to stay ahead of attackers, a Canadian security conference has been told.
“The reactive strategy has failed,” Nik Alleyne, senior manager of cyber security at Forsythe Solutions Group, said Wednesday at the International Cyber Security and Intelligence Conference, held north of Toronto.
Threat hunting, predictive analysis and related techniques are the tools the infosec team needs today to persevere, he said.
“Hopefully you have some type of baseline that guides your decisions,” he said, which allows the team to “figure out what’s different” on the network. That will reduce the time to detection considerably.
While there are a wide variety of attack techniques, they can be winnowed down somewhat by identifying threats targeting your vertical, he said.
Being proactive also means conducting vulnerability assessments and regular penetration tests.
In an interview Alleyne said the proof that reactive strategies have failed is in the headlines so far this year: he cited revelations of the extent of the Yahoo breaches (3 billion records), the Equifax debacle, and the recent so-called Paradise Papers from a Bermuda law firm – although news stories don’t detail how reporters got hold of the documents – as evidence.
“Organizations have to be proactive,” he said in an interview, “both in the way they defend their networks, and more importantly how they detect because obviously prevention mechanisms haven’t done the job we expect them to do.”
Alleyne, who is based in Mississauga, Ont., admitted that small and medium-sized firms may not have the resources to undertake proactive techniques, such as threat hunting. They should consider outsourcing some of their security to managed security providers, he said.
In addition to being proactive, Alleyne said infosec pros also have to conduct a thorough investigation of a breach of security controls when one occurs, which must include lessons learned.
“You want to understand when, where, how and who did it,” he said. “Failure to effectively track an incident’s timeline will significantly impact how you respond” – for example, does a backup restore come from yesterday’s data or further back?
The biggest mistake security teams make, he added, is “probably rushing, because it takes time to understand (the attack). Today I was notified, but what happened before that, what led to the compromise? Once you figure out what led to the compromise you need to figure out what happened after, because the time to detection and time to incident will be different.”
As for the importance of lessons learned, he believes it is obvious: “If you have no lesson learned, how do you prevent it the next time? How do you detect it sooner the next time?”
If, for example, a CEO opens an email with a malicious PDF, the lesson may be that more awareness training is needed (for that official, and possibly for the entire firm). And, he said, if the malware took advantage of a software vulnerability, the lesson is that the patching procedures aren’t good enough. If it took quite a while to deal with the infection, then maybe the incident response team – assuming there is a response team, and perhaps one of the lessons is the need to create one – should stage a table-top exercise to better know what to do next time.
Interestingly, for someone who can list how many threats organizations face and the number of breaches per year, Alleyne believes we are getting better at cyber security.
“I think we are because organizations in general are putting more emphasis on it, governments are putting more emphasis on applying rules and regulations and so on. So overall we’re getting better in terms of the processes. Are we getting better in detection? That is debatable.”
Also at the conference Ulf Mattsson, CTO for security solutions at U.S.-based Atlantic Business Technologies, urged developer teams to move to so-called SecDevOps processes, which include automated reviews of code as it is being written. This is important, he said, because successful attacks on Web applications are a leading cause of breaches.
Done properly, SecDevOps alerts developers to security risks in the middle of their work. Among its advantages is that it doesn’t leave security scanning to the end of development, where it can stall the release of software.
Above all, he stressed the importance of transparent security testing. “You can actually get unbiased security metrics from this (SecDevOps) cycle,” he said, which will show whether the number of vulnerabilities in code is declining over time. It’s a metric that can be shown to a board to demonstrate how security efforts are improving, he added.
The conference was organized by the Ontario College of Management and Technology, which offers diplomas or certificates in a range of studies including cyber security.