Saturday, March 1, 2014

A Three-Pronged Approach to Protection

In the wake of recent merchant breaches, I have found myself on an increasing number of calls with customers, reporters, and business leaders from various industries. Invariably, the questions asked all boil down to one overarching interrogative: "How do we avoid becoming the next breach victim?" After I attempt to calm nerves and reiterate that there are no silver bullets out there, my answers tend to center around three fundamental areas that I offer up to you for criticism or comment. Here goes...

1.  Be Harder Than The Other Guy.  Folks often ask me whether or not they should put the alarm sign in front of their house when they buy an alarm service.  My answer to them is "yes, absolutely!"  Most burglaries and break-ins are by amateurs looking for easy targets and/or targets of opportunity.  While the alarm sign will alert the 1% who are specifically aiming to break into your house to cut the phone lines, it will also steer the remaining 99% to your neighbor's house if your neighbor doesn't have an alarm sign posted.  No alarm equals an easier target, so becoming a harder target than your neighbor is an attack deterrent.  The same principle applies in cyberspace.  If your protections and controls are perceived to be more durable and more resilient than your competition's, it stands to reason that the bad guys will attempt to acquire data from the weaker target instead of attempting to breach the harder one.  We can see this occurring in a strategic fashion if we step back and observe the class of businesses that hackers are attacking: instead of focusing predominantly on financial institutions and payment processors, we have seen concerted efforts against merchants, contact centers, and other potential third-party "aggregation points" for data.  Even within certain classes of targets, there is value in informing your adversary -- in general (but not opaque) terms -- of the strength of your protections in order to discourage attack.  (Note: Those of you reading this post who have some military experience will recognize this approach from your unconventional warfare training; if you think about it for a bit, you'll see that the same principles apply when facing off against the hacker community :o)  )

2.  Be Best-In-Class At Incident Response.  If you accept the premise that even the most prepared defenses will be breached -- and they will, believe me :) -- then the ability to identify, contain, and eradicate the threat as early as possible becomes critical.  There are statistics out there which state that the average time between infection by a sophisticated attacker and its detection in the network can be measured in months if not years.  Investing in the technologies and the personnel needed to shrink this window is a critical step in breach avoidance.  Note that investing in personnel does not just mean headcount; more importantly, it means training and education to improve general security knowledge, an understanding of the threat, and critical thinking skills.  This training needs to go beyond just those within the security team to all members of the extended incident response team.

3.  Add Threat Intelligence To The Mix.  If this year's RSA Conference is any indication, the importance of understanding one's adversary has come back to the forefront of the security discussion.  This will be considered good news by those who have long stated that we have become so process- and business-focused that we have diluted our understanding of hard-core security.  Still, I wonder how many people understand the difference between threat information and threat intelligence.  True threat intelligence, in order to be useful to the enterprise, requires an understanding of what knowledge is of paramount use (priority intelligence requirements); what the best sources are for obtaining that knowledge (collection management); and what actions need to be taken based upon the information obtained (risk management planning).  In the absence of these key components, threat information becomes yet one more firehose from which the security team must drink whilst attempting not to drown.

While these answers may provide small comfort to organizations looking for quick-fix solutions, they represent the basic building blocks for moving toward a risk-based security program.  Consider using these concepts when discussing security needs with your business leaders.  Enjoy!

1 comment:

  1. Walking the vendor booths on the floor at RSA was a mind-boggling experience in itself to see such a plethora of products & services fixing every type of conceivable security problem. While no silver bullet exists as explained by Kim, I do believe many companies already have many silver bullets at their own disposal, but are not using them. If you take a step back and look at a security program from a strategic perspective, you will see the high risk areas that need to be addressed, but using internal solutions purchased by other people in your company you do not know about. The silver bullet: many of these solutions already exist within an enterprise. When high risk is discussed collectively in an executive setting, other groups may have tools that can help mitigate the identified risk areas without having to select new vendor products. It is very common in large enterprises that nobody has a vendor tool list to see what is available on the "company menu" to reduce risk. Think before you buy the next "shiny object," as your company may already have a solution.