As a manufacturer of network and security solutions, Cisco Systems is on the radar of most infosec pros around the world. It’s also in the sights of threat actors after anything from its intellectual property to customer data. So CISO Steve Martino has his hands full.
His team sees 1.2 trillion security events a day on the Cisco network and analyzes 17,000 files daily, he told a Toronto audience Tuesday at a forum hosted by the Information Technology Association of Canada (ITAC). Of those events, 22 are “incidents” — defined as “some security thing that goes wrong” — that have to be investigated.
But Martino said the lessons he’s learned over the years can be applied to any organization.
“You need to align security with your business,” he stressed. It helps that the company’s mission statement is to securely connect everything to make anything possible. “That allows me to have the dialogue with everyone in the business (on) how important security is, how to make that align, how to make those choices.
“It’s about measurement,” he said. “If you don’t measure it you can’t improve it.” So, for example, he realized shortly after becoming CISO that the IT department was tossing away the vulnerability report it delivered daily because delivering new capabilities, not security, was the IT priority. After meeting with the CIO there was an agreement on two metrics: vulnerabilities were prioritized and a time was set on how fast they were to be fixed.
“The key was she was going to hold her vice-presidents and managers accountable for those metrics,” Martino said. “We reduced vulnerabilities by 64 per cent the first year and online closure rates were raised were reduced by 86 per cent.” That improved the overall hygiene of the environment, and it has been maintained. “That’s the kind of balance and approach you need to ensure you’re building things the right way.”
He also advocated constantly testing the effectiveness of security controls through phishing tests, red team exercises and other methods. Cisco does a penetration test of its infrastructure every quarter.
“Some people are horrified if they find something,” Martino said of pen tests. “I celebrate it, because I know there are things I didn’t expect and didn’t plan for. By knowing it you can do something about it.”
He also recommends CISOs build integrated defence tools for more efficiency, and have resources for hunting for things that have gone wrong.
In an interview, Martino said the biggest mistake CISOs make is not understanding their business and what it’s trying to do. “I think we get into a mode of ‘We have to protect’ and lock everything down.” But if you don’t understand the firm “you’re going to bump into people, frustrate the business, overly constrain them.”
The second mistake is looking for “shiny objects [new products] that make everything better.” However, security “is hard work. It’s doing a lot of little things, doing them well, doing them consistently.”
Martino also admitted the biggest mistakes he’s made were in losing perspective in the face of a possible crisis. “It’s easy to over-react … and bring all hands on deck, when it’s not that critical a problem,” he said – and the same goes for under-reacting. “It tires the team, creates animosity between the people you need to partner with.” Over time he’s learned how to differentiate between big and little problems.
“What happens when you over-react is people tune you out.”
As expected, Cisco uses its security products to the max. And because of its size – a billion-dollar corporation that operates in over 170 countries – it can do things like set up a virtual private network in the homes of 26,000 staff that directly connects to the Cisco network.
The BYOD program is straightforward: every device an employee uses to connect to the network must be enrolled, and each device has to meet nine requirements before it can get on the network (including encrypting its data, turning on automatic software updates and having a password or screen lock).
Analyze possible threats
The defence starts with analyzing the possible threats to the company: not how many events there are, but who would want to attack us, what they would want and when (for example, just before quarterly financials are issued an attacker might want financial data to manipulate the stock price). That leads to looking at what type of malware and/or techniques an attacker would use. Having compiled a list of threats, the security team builds its defences, which leads to governance (having the right policies and processes to do what’s needed).
“I don’t believe in generalized [security awareness] training – it has to be very job-specific,” he told the audience. The only exception is training for phishing attacks. Cisco set up a Web site called PhishPond where all staff are phished once a quarter, with staff members able to see their results. If they fail a test phish they get a short online tutorial. A month later there will be another test phish to see if they’ve learned. Through this approach, he said, the click-through rate for test phishes has dropped by over 600 per cent. Finally, he also urged infosec pros to broaden their horizons. “My job at Cisco is to balance risk, not to stop people from doing things … If I don’t understand what the business is trying to do and why they’re trying to do it I can’t help them balance that risk.
“I would tell security people to walk in somebody else’s shoes. Have that industry knowledge. Live in sales for a while, live in marketing for a while before becoming a CISO.” If you can’t do that, surround yourself with people from other departments. “It will give you an understanding of why the sales team wants to do something you think is crazy.”