SAN FRANCISCO – The headlines of online breaches at Canada’s Treasury Board, Ashley Madison, the U.S. Office of Personnel Management, Target, Sony and others give the impression that organizations around the world are sieves.
It doesn’t help that infosec pros know that if an adversary is determined to break into a company, they will.
According to an expert at the SANS Institute, however, all those headlines – and the regular pessimistic surveys from vendors – have created the myth that no one can be kept out. They also obscure a truth: cyber security works for a lot of organizations. If they can’t completely keep the enemy out, they are at least slashing time to detect, which means faster remediation – and lower costs for the enterprise.
John Pescatore, the non-profit security training organization’s director of emerging security, is on a one-man campaign to prove it. He’s created a site called What Works to collect stories of cyber successes.
At this year’s RSA Conference on Wednesday he was back to present more of them. Here are three:
– Bovespa, an electronic trading environment, had a firewall with 40,000 rules and was adding 5,000 a year. It took two administrators two weeks to do a risk evaluation of proposed changes, often ending up saying no.
Tired of this, the IT department found a network policy management tool that gave a quick opinion on change requests, and also evaluated and chopped the rule base. As a result the work of the two admins could be done in two hours. “Essentially the next business [day] they could approve a change for connectivity,” Pescatore said.
In business terms it moved things to market faster. There was no increase in security necessarily, Pescatore admitted, but IT could answer the questions from the business side faster.
– A small company that couldn’t hire more IT people had staff who were being run ragged handling the 800 alerts a day the intrusion detection system (IDS) churned out, even with constant tuning of the appliance. Only two a day were meaningful, but the load was a burden.
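The Bovespa story turns on two jobs a rule-base tool does: spotting rules that can never fire, and giving a fast verdict on a change request. The following is an added example, not Bovespa’s tool or code from the article; it assumes a first-match-wins rule base, IPv4 CIDRs, one inclusive TCP port range per rule, and the actions "allow" and "deny". The rules and the change requests are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Assumptions (not from the article): first-match-wins evaluation, IPv4 only,
# a single inclusive destination port range per rule, actions "allow"/"deny".
@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    ports: tuple    # (low, high) destination port range, inclusive
    action: str     # "allow" or "deny"

def covers(a: Rule, b: Rule) -> bool:
    """True if rule a matches every packet that rule b matches."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def dead_rules(rules):
    """Rules that can never fire because an earlier rule already matches all their traffic.
    Same action as the earlier rule: redundant (safe to drop).  Opposite action: shadowed
    (the rule's intent is silently defeated, which is the case worth a human look)."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                found.append((rule.name, earlier.name, kind))
                break
    return found

def evaluate_change(rules, proposed: Rule):
    """Quick verdict on a change request before it is appended to the rule base."""
    for earlier in rules:
        if covers(earlier, proposed):
            kind = "redundant" if earlier.action == proposed.action else "shadowed"
            return (kind, earlier.name)
    any_source = ip_network(proposed.src).prefixlen == 0
    all_ports = proposed.ports == (1, 65535)
    if proposed.action == "allow" and (any_source or all_ports):
        return ("needs-review", None)   # broad allow: escalate to a human reviewer
    return ("ok", None)

# Constructed sample rule base (not Bovespa's), in the order the firewall evaluates it.
RULES = [
    Rule("R1", "10.0.0.0/8",    "192.168.1.10/32", (443, 443),  "allow"),
    Rule("R2", "10.1.0.0/16",   "192.168.1.0/24",  (1, 65535),  "deny"),
    Rule("R3", "10.1.2.0/24",   "192.168.1.10/32", (443, 443),  "allow"),  # redundant with R1
    Rule("R4", "10.1.5.0/24",   "192.168.1.20/32", (22, 22),    "allow"),  # shadowed by R2
    Rule("R5", "172.16.0.0/12", "192.168.2.0/24",  (80, 80),    "allow"),
]

if __name__ == "__main__":
    for name, by, kind in dead_rules(RULES):
        print(f"{name} is {kind} (covered by {by})")
    request = Rule("CR-1", "10.1.7.0/24", "192.168.1.30/32", (3306, 3306), "allow")
    print("CR-1 verdict:", evaluate_change(RULES, request))
```

A request that is redundant or shadowed can be answered immediately without a risk review, because appending it changes nothing; the broad-allow case is the one that still deserves the two-week look.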
So the company went looking for a better solution. After going through a competitive procurement it found a new IDS that slashed the number of alerts to a total of four or five a day. The number of important alerts didn’t change, but the fewer alarms meant the small IT staff could react more quickly.
“Some of the biggest successes out there are from people who have thrown out their incumbent vendor and tried something new,” Pescatore said.
– A financial services company had trouble vetting over 1,500 vendors and business partners, so it found an IT supplier that rates companies on their security posture the way banks score credit. As a result the customer can add business partners faster.
– As Pescatore arrived at the conference he learned the Australian Signals Directorate (a branch of the defence department) had just released new figures showing its “Catch, Patch, Match” program (application patching, operating system patching and minimizing the number of users with administrative privileges) had mitigated 85 per cent of the malware it faced.
There are two common myths in cyber security, Pescatore told the session. First, that you can’t stop everything. “But some people are stopping things pretty well, or stopping them very quickly if they do get through” – and there are numbers to prove it, he said.
For example, last year in the U.S. an average of 216,000 records were breached. But, he said, take away the millions of records in the huge breaches at OPM and elsewhere, and the implication is that many breaches were small and/or were caught quickly.
The second myth is that you can’t prove security helps the business. The examples above prove the opposite, in that they enable business to work faster.
“We are here to enable business to do business. Stopping breaches doesn’t really matter if what we do interferes with business more than breaches interfere with breaches,” Pescatore said. “Plus, if we can’t convince the organization that what we’re doing helps the bottom line, why should they bother?”
CEOs and boards understand the issue of safety and protecting the customer. “What they need to hear from the security people are examples of how what we’re doing protects the business.”
“There’s a million things we can do in security. What you want to do is find something that can justify why you want to do certain things first” – for example, the SANS top 20 critical controls list or the PCI guidelines, which recommend which controls CISOs should look after first.
Pick a big control that will show a business impact quickly – for example privilege management or whitelisting. Some tools come free, he noted, such as turning on security services from cloud providers, or DNS sinkholing, which he said is essentially a free added layer of phishing and drive-by attack protection.
CISOs should also make sure they’re collecting the right security metrics, Pescatore added, so they can demonstrate value and improvement. The number of malware attacks AV rejected is meaningless unless you can put it into some business context.
“The speed at which you’re closing vulnerabilities, the number of machines we’re re-imaging a month, the time it takes to vet a supplier – these are meaningful metrics: if you can demonstrate improvement, you gain trust, and you can get money to go after more improvement.”
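The three metrics Pescatore names are all simple to compute once the underlying events are recorded with dates. The following is an added example, not from the talk or the SANS What Works site; the findings, re-image dates and vetting records are constructed, and the severity labels and the choice of median over mean are assumptions. Open findings are counted separately so a long-open item cannot disappear inside a closed-only average.

```python
from collections import Counter
from datetime import date
from statistics import median

# Constructed sample data (not from the talk): vulnerability findings as
# (id, severity, opened, closed); closed is None while the finding is still open.
FINDINGS = [
    ("V-1", "critical", date(2016, 1, 4),  date(2016, 1, 6)),
    ("V-2", "critical", date(2016, 1, 11), date(2016, 1, 20)),
    ("V-3", "high",     date(2016, 1, 12), date(2016, 2, 1)),
    ("V-4", "high",     date(2016, 2, 3),  None),
    ("V-5", "medium",   date(2016, 2, 8),  date(2016, 3, 15)),
    ("V-6", "critical", date(2016, 3, 2),  date(2016, 3, 3)),
]
# Dates on which a compromised machine was re-imaged (constructed).
REIMAGES = [date(2016, 1, 5), date(2016, 1, 19), date(2016, 2, 2),
            date(2016, 2, 9), date(2016, 2, 23), date(2016, 3, 14)]
# Supplier vetting requests as (supplier, requested, approved) (constructed).
VETTINGS = [("acme-widgets", date(2016, 1, 4), date(2016, 1, 25)),
            ("northwind",    date(2016, 2, 1), date(2016, 2, 8)),
            ("contoso",      date(2016, 3, 7), date(2016, 3, 10))]

def time_to_close(findings, severity, as_of):
    """Median days from open to close for one severity, with still-open findings
    reported separately (their age as of `as_of`) so they cannot hide in the median."""
    closed = [(c - o).days for _, s, o, c in findings if s == severity and c is not None]
    open_ages = [(as_of - o).days for _, s, o, c in findings if s == severity and c is None]
    return {
        "median_days": median(closed) if closed else None,
        "closed": len(closed),
        "open": len(open_ages),
        "oldest_open_days": max(open_ages, default=0),
    }

def reimages_per_month(events):
    """Machines re-imaged per calendar month, keyed YYYY-MM."""
    return dict(sorted(Counter(d.strftime("%Y-%m") for d in events).items()))

def vetting_days(vettings):
    """Calendar days from request to approval, per supplier."""
    return {name: (done - start).days for name, start, done in vettings}

def improvement_pct(before, after):
    """Percent reduction of a duration or count; positive means better."""
    return round((1 - after / before) * 100, 1)

if __name__ == "__main__":
    print("critical:", time_to_close(FINDINGS, "critical", date(2016, 3, 31)))
    print("high:", time_to_close(FINDINGS, "high", date(2016, 3, 31)))
    print("re-images:", reimages_per_month(REIMAGES))
    days = vetting_days(VETTINGS)
    print("vetting:", days, "improved by",
          improvement_pct(days["acme-widgets"], days["contoso"]), "%")
```

Reporting the change between two periods (the `improvement_pct` call) rather than the raw count is what turns a metric into the business-context figure the article asks for.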