These are my insights from the second day of Canada’s MapleSEC Cybersecurity conference. Jim Love, CIO for IT World Canada
Building resilience was the theme of second day of Canada’s nationwide Cybersecurity event, MapleSEC as we moved from the Day 1 theme of threat awareness to ways in which those threats can be addressed.
Cat Coode from Binary Tattoo was the host for the day. Coode, who was named one of the top 20 Canadian Women in Cybersecurity, kept this content-filled day rolling forward with her energy and her knowledge. If you missed it, you can register and catch the recorded version of the event.
DNS as a Defence
The first day of MapleSEC focused on the weaknesses in DNS and how these are addressed using DNS over HTTPS (DoH). Today, CIRA’s Mark Gaudet returned with a new twist – how CIRA and others are leveraging DNS to provide effective security for home and enterprise users. CIRA’s Canadian Shield (a free product for home users) uses DNS to block threats including phishing and infected sites.
Gaudet also described some of the new areas that CIRA will be announcing over the next month, as they add a threat feed to filter out fake ecommerce sites and other sites that are trying to defraud shoppers.
How to Reduce Threats and Make Your Life Easier
Erin Hutchison, product marketing manager from CIRA, used a literary theme to explore the how training could yield effective employee behaviour. CIRA’s recent cybersecurity survey, (which can be downloaded from the MapleSEC site) found that 95% of respondents felt that training was effective in reducing cybersecurity incidents.
That well established link between training and effective cybersecurity led CIRA to develop its own cybersecurity training for companies. That program now has over 200 customers across Canada. CIRA’s training program is interactive and leverages simulations to keep a high level of engagement with a gamification approach and to measure the effectiveness of the training. In addition to the training course, there is also a great deal of free support material on CIRA’s site including a launch plan and other resources.
Erin also provided some of the links from items she covered in her talk so I could share them in today’s diary.
Flow chart link:
https://www.cira.ca/resources/factsheet/how-phishing-simulations-reduce-cyber-risk
5 steps to launch training guide:
https://www.cira.ca/resources/cybersecurity/5-steps-to-implement-training
Zero Trust
Jonathan Nguyen-Duy, vice president and global field chief information security officer for Fortinet, headed a panel on Zero Trust. As Nguyen-Duy pointed out, “Zero Trust is not new, the concept has been around for over a decade.” But it has come into prominence as an approach because of the heightened cybersecurity threats and the increase in vulnerability created by work from home during the pandemic. Yet despite the amount of attention it has received, Nguyen-Duy pointed out that only 37% of organizations have adapted to it.
The panel discussion focused on Zero tTrust, with a discussion between the moderator, Andrea Knoblauch, technical solutions architect for SoftChoice and Mark Gaudet, business development manager for CIRA. Here are some of the questions and their answers – you can hear the full dialogue on the site.
What is Zero Trust? What all three on the panel could agree on was that Zero Trust is the “term that (we) have the most confusion about.” From that point, each had different nuances to add to a potential definition.
Nguyen-Duy defined Zero Trust as a holistic approach which establishes boundaries for the user and says, “outside these parameters, these are the things you cannot do.” Knoblauch noted that “it’s really about “mitigating risk by really looking at who needs access to what.” Gaudet from CIRA extend that from the point of view of what CIRA was doing with DNS and how access could be restricted to various domains by only allowing permitted domains.
Nguyen-Duy noted that Zero Trust takes time and involves a mix of software, hardware and business process, but asked how big the organization has to be for Zero Trust to make sense as a viable security strategy. The consensus was that it was not the size of the organization that mattered, it was the amount of resourcing that it requires. So even larger organizations like universities, health care and municipalities might desperately need Zero Trust, but may not be able to marshal the resources to do this effectively.
Knoblauch noted that those organizations that had embraced DevOps, regardless of size, may be in a “great position to start looking at Zero Trust.” With larger sized organizations, she noted, “it’s driven primarily by compliance.”
From there the discussion moved on to a lot of different areas. For the full discussion, check it out on the conference site. But the panelists left us with two great insights. First, Gaudet noted that “this is not a single product nor will it apply to everything. Implement it as an incremental thing.” To which Knoblauch added the idea that we should “keep an eye on our architecture. You can leverage Zero Trust on prem or in the cloud”.
Cyber Insurance
Mikel Pearce, a lawyer with Strigberger Brown Armstrong LLP gave a great primer on cyber insurance. Pearce was succinct and direct. Here are some great quotes from his presentation:
“Who needs insurance? Everyone. Nobody is too small.”
“Most insureds don’t have the expertise to handle a breach.”
Who gets hacked? Pearce looked at the numbers and his answer was consistent with that of most security professionals. Over a five-year period? “Everybody.”
Pearce noted that most insurers are losing money in the market as claims far exceed premium revenue. That will ultimately lead to increased premiums, but it is also forcing insurers to work with clients more closely, because those who manage risk and incidents well escape a great deal of the costs. In fact, insurers are now offering “pre-breach consulting” and even offering “breach coaches” that help to guide you. He cited Home Depot as an example of a company that was breached but did everything right in handling the breach and as a result reduced their exposure and ultimate payout dramatically.
If you really want a quick primer on cybersecurity insurance, you might go back and check out the recording of this session.
AI to the Rescue – Self Learning AI: Redefining Enterprise Security
If you are a security professional, you will agree with the fundamental premise of JonNabil Zoldjalali, director of cloud security for DarkTrace. First, according to Zoldjalali, “The new era of cybersecurity has begun. A next generation of attackers are leveraging AI driven attacks.”
Zoldjalali explained how hackers were using AI to read your tweets and using that information to design a tweet that you will click on. That’s just one example of how these AI enabled tools, now widely available, are changing the face of cybersecurity.
Faced with this onslaught, Zoldjalali noted, “the legacy approach just can’t keep up.”
Training and awareness are critical. Zoldjalali likened traditional cyber criminals to magicians. They can fool you with a trick, but “when the trick is understood, it loses its appeal.” AI gives them a constant source of rapid reinvention with more complex attacks. In addition, he noted, “businesses are becoming more complex.”
Our hope lies in adopting “self-learning AI.” In this concept, the “good guy’s” AI looks not for classic signatures, but instead learns your business, its context, and its expected behaviours. Then it watches for inconsistencies.
Given the current resource issues in cybersecurity, the idea of an artificial intelligence that can learn, monitor, and protect is compelling, but it is hard to believe, or at least could prompt some skepticism. Is there a Turing test for cybersecurity AI, where we can judge it following Turing’s maxim that real AI exists when you can’t tell it from a human response? Zoldjalali seemed prepared for this question as he showed a report produced from AI that he says was, to many people “indistinguishable from a report prepared by a human.”
On to Day 3 – Privacy and Governance
It has been an information packed two days. Day 3 is today, Thursday October 7th, and it will wrap up what we have explored and discussed, and take it even one step further into the practical realm of Privacy and Governance. Among our powerhouse slate of speakers is the woman who invented the concept of Privacy by Design, Dr. Ann Cavoukian. She’s just one of the many stars of Canadian cybersecurity who will be with us on Day 3. It’s still not too late to register and to get access to the recorded sessions from Days 1 and 2.
I hope to see you there.
