Tightening enterprise cyber security in an age of APTs and cyber espionage is like extensively baby proofing your home or apartment in the hope that your child never gets a scratch; it’s not going to work, and eventually someone is going to get hurt.
On our show “Cyber Espionage, APTs and Enterprises” Wellpoint VP and CISO Roy Mellinger said very simply that the paradigm of enterprise security has shifted. “You’re not going to keep the bad actors out, because they are going to get in; it is how you respond.”
Think of a baby again. As a parent you’re going to want to do all you can to protect your child from any kind of harm. You’ll try and teach your child what to do and not to do, and you’ll throw a lot of money at protective measures. But kids are smart, and if they try hard enough they’ll find an unexpected way to wreak havoc and hurt themselves in the process.
If and when that happens, there are two things you can do: You can rush the baby to the hospital each and every time, wrap the whole house in bubble wrap, sue the makers of your coffee table for building so many sharp corners and keep your baby even more cloistered and protected with the misguided sense that nothing terrible will ever happen again. Or you could brush the kid off, help him understand so that the same mistake doesn’t happen next time and try and do better with the next kid.
Good parenting is not going overboard on the same protective measures that didn’t work the first time around; it’s about responding quickly so that no lasting damage is done, putting the accident in context for the child to understand and making sure you take care of the basics, like having a car seat, child locks, gates in front of the stairs and no dangerous objects lying around.
CISOs could learn a thing or two from mothers and fathers everywhere. Traditional firewalls and malware detection aren’t stopping the genuinely malicious threats from compromising your organization and evading detection when they choose to.
McKesson VP and CISO Michael Wilson calls it “Whack-a-Mole,” with policies and employee education and response plans being implemented across the board, but all of it ultimately resulting in a losing battle where issues keep popping up. Wilson sees a shift in the role of a security executive from a technical background to one of a more strategic, risk management executive with a more holistic scope. This person will have to work in support of the CIO to understand the risks of availability, information theft and system interruptions that a company is truly sweating over.
“The CIO is sitting there going, ‘This seems to be an unchecked issue. I throw money and resources at it and it’s still an issue. In fact it’s more of an issue the next year. What’s enough?’” Wilson said. “The reality in this context is that there might not be enough, so we need to get very focused on the resources that we have and protecting those crown jewels.”
The new idea for the smart CISO is to do what a parent might:
- take care of the fundamentals,
- respond quickly and
- understand the biggest risks.
Mellinger says that all of the successful attacks that could be described as APTs have relied on compromised user credentials, so the basics of hardening your systems and boosting user awareness are the first defensive measure. The second is the need to respond quickly. Mellinger again explains that an APT lingering on your systems for an extended period can amount to astronomical costs, but it is manageable if it is detected in a timely manner.
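Both of Mellinger’s points, that APTs ride on compromised credentials and that cost scales with how long they go unnoticed, come down to spotting misuse of valid accounts early. The following is an added example, not code from the show or from either company: a small detector over constructed authentication events (hypothetical users, countries and timestamps) that flags a success following a burst of failures for the same account and a success from a country that account has never used before.

```python
"""Flag likely credential misuse in a stream of authentication events.

Added illustration; the events below are constructed, not real logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                   # failures that make a following success suspicious
FAIL_WINDOW = timedelta(minutes=10)  # only failures this recent count toward the threshold

# Constructed sample events: (ISO timestamp, user, source country, outcome).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "alice", "US", "success"),
    ("2024-03-01T09:30:00", "bob",   "US", "success"),
    ("2024-03-01T13:02:00", "alice", "US", "success"),
    ("2024-03-01T22:00:00", "bob",   "US", "fail"),
    ("2024-03-01T22:01:00", "bob",   "US", "fail"),
    ("2024-03-01T22:02:00", "bob",   "US", "fail"),
    ("2024-03-01T22:03:00", "bob",   "US", "fail"),
    ("2024-03-01T22:04:00", "bob",   "US", "fail"),
    ("2024-03-01T22:05:00", "bob",   "US", "success"),   # guessed password?
    ("2024-03-02T03:10:00", "alice", "RO", "success"),   # never seen alice from RO
    ("2024-03-02T09:00:00", "carol", "DE", "success"),   # first login only seeds the baseline
]


def parse(events):
    """Convert raw tuples into (datetime, user, country, outcome)."""
    return [(datetime.fromisoformat(ts), user, country, outcome)
            for ts, user, country, outcome in events]


def find_credential_misuse(events):
    """Return findings as (timestamp_iso, user, tag), in chronological order.

    Tags:
      success_after_failures - a success preceded by >= FAIL_THRESHOLD failures
                               for that user inside FAIL_WINDOW
      new_country            - a success from a country not in the user's history
    """
    seen_countries = defaultdict(set)    # user -> countries with a prior success
    recent_fails = defaultdict(deque)    # user -> timestamps of recent failures
    findings = []

    for ts, user, country, outcome in sorted(parse(events)):
        fails = recent_fails[user]
        # Drop failures that fell out of the sliding window.
        while fails and ts - fails[0] > FAIL_WINDOW:
            fails.popleft()

        if outcome == "fail":
            fails.append(ts)
            continue

        # A success ends the burst; judge it against the failures that preceded it.
        if len(fails) >= FAIL_THRESHOLD:
            findings.append((ts.isoformat(), user, "success_after_failures"))
        fails.clear()

        # Only users with an established baseline can deviate from it.
        if seen_countries[user] and country not in seen_countries[user]:
            findings.append((ts.isoformat(), user, "new_country"))
        seen_countries[user].add(country)

    return findings


if __name__ == "__main__":
    for when, who, tag in find_credential_misuse(SAMPLE_EVENTS):
        print(f"{when}  {who:<6}  {tag}")
```

Both rules are deliberately cheap so they can run as events arrive rather than in a weekly batch, which is what keeps the dwell time Mellinger worries about short; the baseline rule needs a history window long enough to cover a user’s normal travel, or it will page on every first trip.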
But most of all, Mellinger says CISOs should be asking, “Who is your primary adversary and who is most likely to attack you from a risk management perspective?” Being able to study their approaches and understand the intelligence that’s available is a more targeted and effective approach to enterprise security.
As with parents and their children, harm and risk can reach anyone, and everyone should be deeply invested in one another’s wellbeing. “We all survive or fail together. This is almost a corporate social awareness issue,” Wilson said. “It doesn’t matter that the threats and targets may be different or that we’re competitors; the issues are the same.”
Hear more from Wilson and Mellinger on our show “Cyber Espionage, APTs and Enterprises.”