If you want to get a grip on cyber security for a global, multi-billion dollar organization with thousands of employees, then you can’t be looking up everything you need to know using a series of colonial phone books.
Ask Jim Randall, the global head of cyber security for PwC, what his focus has been since joining the consulting firm from his post as global head of cyber operations at Zurich Insurance Group, and that’s what he’ll tell you. It’s an analogy he uses to describe his unique approach to cyber security, an approach that helps him attain what he says are three critical principles of security: least privilege, visibility, and control.
It all starts with building an enterprise DNS platform, which Randall accomplishes with Toronto-based enterprise software vendor BlueCat Networks.
“A lot of people would scratch their heads and ask why DNS lives in the security portfolio,” he acknowledges. But this isn’t about arguing who gets to control a business process, it’s a strategy to achieve a set of security principles.
“You have to get to one DNS so you can apply it in response, in visibility and control for your estate, for prevention,” he says. “Otherwise you’re failing to use a very fundamental piece of plumbing in another way that can cover your entire estate without another agent, without more SIEM, without more people.”
At its core DNS, or the domain name system, is a networking technical detail often overlooked by leaders operating at the strategic level. DNS identifies the address at which physical assets connect to the network – from smartphones to laptops to IoT devices. It gives the object an identity and provides the pinpoint on the network map that allows it to interact with the rest of the network.
It’s so fundamental to network operation that at many companies, it’s become just one more artifact maintained along with the rest of the legacy infrastructure. But as companies grow in size and scope, keeping up the namespace directory of all the endpoints becomes cumbersome. That’s the situation Randall entered into at PwC, finding local and regional DNS systems, each built for its local territory, rather than one true global directory.
That creates problems in sticking to Randall’s three security principles:
- Least privilege. Not many enterprises can really say they are granting access to individual applications based on identity. A fragmented DNS system makes it too hard to always know the identity of a person or a system as they enter the network.
- Visibility. Having access to all your logs and the configurations of your systems is critical. A country-to-country model is expensive to maintain and does not provide immediate, centralized troubleshooting data and security optics to analysts. Effective IT and effective information security both depend on this visibility.
- Control. You also need control over “phonebook” configurations, and you need to be able to test the control you have over endpoints and users, so you know it can be relied upon as part of a response strategy.
Randall executed a BlueCat implementation at Zurich, a company that’s much smaller than PwC, which is the second-largest professional services firm in the world and one of the top four auditors. Now he’s working to execute a new global DNS framework in his new role, but on a bigger scale.
“You can squeeze more security effectiveness out of traditional infrastructure by turning knobs and dials, you can find and apply new capabilities,” Randall says. “DNS is only ever going to be DNS. But when you wrap it with other capabilities like access enforcement and DNS hygiene and automated response, you get cyber readiness.”
Randall sees advantages to be gained at multiple tiers of security. At detection, he’ll be able to automate the blocking of known bad domains and signatures. At response, he’ll be able to reduce the time to contain and isolate threats with DNS analytics. At remediation, he’ll have new intelligence that will inform how to complement the security strategy with other defenses in the network.
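The three principles listed above and the detection, response and remediation tiers described here can be made concrete with a small resolver-policy simulation over DNS query logs. The following is an added example written for this page; it is not code from the article, from PwC, or from BlueCat, and the log format, the domain names in the block list and the sample log lines are all constructed for illustration. Detection is the policy verdict on each query name, visibility is the per-client and per-user roll-up of blocked lookups that a centralized log makes possible, and control is a self-check that proves the policy fires before an incident responder relies on it.

```python
"""Added example (not from the article, PwC or BlueCat): a DNS response
policy plus log analytics illustrating least privilege, visibility and control.

Assumptions (constructed for this example): query log lines of the form
  <timestamp> client=<ip> user=<id> qname=<domain> qtype=<type> rcode=<code>
and a hypothetical block list of known-bad domains.
"""
import re
from collections import defaultdict

# Constructed block list of known-bad domains (hypothetical names).
BLOCKED_DOMAINS = {"malware-c2.example", "phish-login.example"}

# Constructed log lines; timestamps, users and addresses are made up.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z client=10.1.5.23 user=alice qname=intranet.corp.example qtype=A rcode=NOERROR
2024-01-10T09:00:04Z client=10.1.5.23 user=alice qname=cdn.malware-c2.example qtype=A rcode=NOERROR
2024-01-10T09:00:09Z client=10.2.7.40 user=bob qname=phish-login.example qtype=A rcode=NOERROR
2024-01-10T09:00:12Z client=10.2.7.40 user=bob qname=mail.corp.example qtype=MX rcode=NOERROR
2024-01-10T09:00:15Z client=10.3.9.11 user=carol qname=malware-c2.example qtype=TXT rcode=NOERROR
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
    r"qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) rcode=(?P<rcode>\S+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_blocked(qname, blocklist=BLOCKED_DOMAINS):
    """True if qname equals a blocked domain or is a subdomain of one.
    Case-insensitive; a trailing dot (absolute name) is ignored."""
    labels = qname.rstrip(".").lower().split(".")
    # Test every suffix: cdn.malware-c2.example -> malware-c2.example -> example
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def policy_verdict(qname, blocklist=BLOCKED_DOMAINS):
    """Detection tier: the resolver's policy decision for one query."""
    return "BLOCK" if is_blocked(qname, blocklist) else "ALLOW"


def analyze(log_text, blocklist=BLOCKED_DOMAINS):
    """Visibility/response tier: which clients and identities looked up
    blocked domains, so containment can be scoped from the log alone."""
    hits, skipped = [], 0
    by_client, by_user = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep a count of unparsable lines rather than hiding them
            continue
        if is_blocked(rec["qname"], blocklist):
            hits.append(rec)
            by_client[rec["client"]].add(rec["qname"])
            by_user[rec["user"]].add(rec["qname"])
    return {
        "hits": hits,
        "by_client": {c: sorted(v) for c, v in by_client.items()},
        "by_user": {u: sorted(v) for u, v in by_user.items()},
        "skipped": skipped,
    }


def self_check(blocklist=BLOCKED_DOMAINS):
    """Control tier: prove the policy behaves before relying on it in a
    response playbook. Returns True when every probe gets the expected verdict."""
    probes = {
        "malware-c2.example.": "BLOCK",       # absolute name
        "CDN.Malware-C2.Example": "BLOCK",    # subdomain, mixed case
        "notmalware-c2.example": "ALLOW",     # shares a suffix string but is not a subdomain
        "intranet.corp.example": "ALLOW",
    }
    return all(policy_verdict(q, blocklist) == want for q, want in probes.items())


if __name__ == "__main__":
    print("policy self-check:", "pass" if self_check() else "FAIL")
    report = analyze(SAMPLE_LOG)
    for rec in report["hits"]:
        print(f"{rec['ts']} {rec['client']} ({rec['user']}) -> {rec['qname']} BLOCKED")
    print("clients to isolate:", sorted(report["by_client"]))
    print("unparsed lines:", report["skipped"])
```

The suffix walk in `is_blocked` is the part worth copying: matching on whole labels rather than substrings is what keeps a look-alike such as `notmalware-c2.example` from tripping the policy while `cdn.malware-c2.example` still does, and the `self_check` probes encode exactly that distinction so a change to the block list cannot silently break it.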
To get there, Randall’s getting his DNS migration pilots underway. He’s polishing up his policies for DNS resolution and looking to demonstrate some early value from the analytics available. And he’s working from a familiar playbook.
“This isn’t revolutionary – it is evolutionary. We don’t have to seek out a new way to manage our DNS. Our mission is to learn from the inefficiencies of the legacy model, and to evolve, integrate and optimize how we allow access, monitor and automate for the security principles.”
And it’s a global challenge, not a colonial challenge.