IBM Says Know Your Security Posture: The Key To Incident Response is Understanding Your Risks
Earlier this fall, the Internet was brought to its knees by an army of Internet of Things devices. Given this successful attack on core Internet highways, can any stand-alone company expect to protect itself? How can businesses identify, combat and even predict threats? IDN speaks with IBM Security’s Peter Allor to get suggestions, insights -- and hope.
by Vance McCarthy
Earlier this fall, the Internet highway was brought to its knees by an army of Internet of Things devices. It was the largest-scale successful DDoS attack on the core of the Internet ever.
The attack has raised many questions, as it should. IDN is focusing on two:
In light of this attack, what chance does any one single company have to protect itself against a constantly-changing battlefield?
How are CISOs, strapped for budget and skilled personnel, supposed to identify, combat and even predict threats?
IDN spoke with Peter Allor, senior security strategist for IBM Security. For years, Allor has been instrumental in IBM’s strategy and offerings for securing critical infrastructures. Today his portfolio expands to embrace today’s era of digital transformation technologies – including cloud, mobile and IoT devices.
Allor shares great advice for securing today’s digital business. Perhaps even more valuable, he shares problem-solving perspectives, insights -- and even some hope.
#1. Treat Your Security Problem as a Business Problem.
“This is a business problem, not a security issue,” Allor said. “The line of business execs will often know what will hurt a company. What is the risk if I lose this data or this asset? LOB (line of business) execs will know what most importantly needs to be protected – whether it be customer data, employee info, merger and acquisitions plans or ‘secret sauce’ to the company,” he added.
The list of ‘Security To Dos’ starts with business – not IT, Allor insisted. “IT will always need to be involved,” Allor concedes, “but before any CISOs set out a [security] plan on their own, a company should ask and answer the questions that start with ‘Am I strong enough to withstand the loss of x data.’ That will tell you a lot about your current security profile.”
Many of the answers may be unknown, Allor said. But that’s OK. “If you don’t know, then it’s time to find out. And if you are vulnerable, that’s how you start to find and fill your gaps.”
While business leaders at companies spend a lot of time and expense on industry-specific compliance issues, “[they] also need to be more focused on security,” Allor stated. It will pay dividends by helping companies be better prepared, get faster responses, even making sure security protections are kept up-to-date, he added.
There is one other thing IT-centric security projects can learn from the business side. “Prioritize and go from there,” Allor said. “You won’t solve all your problems overnight. You can raise your [security] posture over time.” The important takeaway is to set security priorities based on what’s at risk, not just on the technology, he added.
#2. In this New Normal, Your Organization Needs an Intelligent (Integrated) View of Its Business’ Security Posture.
In part, today’s “new normal” refers to the huge changes in the digital enterprise. It also includes the undeniable fact that corporate assets are under an expanded, ever-present threat of cyberattack.
Knowing your “security posture” starts with a simple step: “Know your network,” Allor told IDN. “The main question you always start with for security is ‘How do I manage my risk?’ To answer that, focus on your network. You need to discover some basic things.”
Among them, Allor lays out these questions:
- What hardware is connected to my network? (desktops, laptops, smartphones, tablets and devices)
- What software runs on my network? (apps, data, IAM, SSO, etc.)
- What are my endpoints? (Is my network on-prem, distributed, tied in with cloud(s), etc.?)
- What data am I running on it? Is it structured, unstructured, etc.?
- Where is the data?
- Who has approved access to your network? What assets do they have access to, or what is the profile of the types of assets they regularly access?
After this baseline assessment of your network, assets and people, there is a second part. Tear down the silos and get a consolidated, understandable view.
“Companies have so many security products, so many vendors and so many [IT] people working on them. But nothing talks to each other. So, companies need to think about an integrated approach and ask, ‘How can we move to get all our [security] tools to work together,’” Allor said. “That is how you change your risk management, and now you know what to update,” he added.
“There is a host of different things we have to look at,” Allor said, and shared a few:
If you build an app that lets customers input their data, you will want IAM [Identity and Access Management] and governance.
If you build an app that touches your backend, anyone who codes can make a mistake in their code.
When you test your apps or data service, you may want to be sure real data is not visible to development engineers.
To catch hidden vulnerabilities, you may want to Red Team test, where you have employees simulate attacks on your network.
“Your network needs an ecosystem to protect at the weakest link,” Allor added. That requires bringing all the silos together – technology, people and processes to work and respond in an integrated fashion.
#3. Lowering Risk Exposure is Easier Than You Might Imagine.
Companies have control over many of the root causes of breaches, Allor said.
It may be hard for companies to believe, but IBM conducted a security study that found misconfigured apps or systems account for 42% of breaches. Another 31% of breaches arose from end-user error, such as clicking on a fishy URL contained in a phishing email. “Even professional developers are at fault, albeit at a much smaller level (6%),” he added.
“Add it all up and the systems you have control over make up some three-fourths of all your threats,” Allor told IDN. That could be scary to many, but Allor counters such a fact should also provide comfort.
“Once I get a strong view of my network, I am in a perfect position to understand and improve my protection systems, and take steps to minimize risk,” he said. “I can prioritize what needs to be upgraded, patch [misconfigured] configurations, change lockdowns, assess identity technologies and policies, and so forth,” Allor added.
In other words: know your vulnerabilities, set your priorities based on real information, and only then make changes and act.
#4. Use a ‘Security Framework’ as a Detailed Road Map: Define Risk, Find Vulnerabilities and Make Fixes.
There are a variety of security frameworks that lay out guidance about how to think about your security landscape. Allor is a big proponent of the NIST frameworks for security and risk management, which address five core functions:
- Identify: Develop an organizational understanding to manage cyber-security risk to systems, assets, data and capabilities; create an understanding of the business context, resources and risks so the organization can focus and prioritize its efforts.
- Protect: Develop and implement safeguards to ensure delivery of infrastructure services and to help limit or contain the impact of a cyber-security event.
- Detect: Develop and implement activities to identify the occurrence of a cyber-security event.
- Respond: Develop and implement activities to act following detection of a cyber-security event, and support the ability to contain the impact of the event.
- Recover: Develop and implement activities to maintain resilience and to restore capabilities or services impaired due to a cyber-security event, and support timely recovery to normal operations.
In fact, IBM has based its security framework on this work.
“For us at IBM, we have a strong guiding principle for security: If you know what is attached to your network, hardware, software, configurations, endpoints and so on, you can then know what you have in greater detail. After that, you can do continuous vulnerability assessments, where you scan your own network,” Allor said.
Just these basic steps offer a huge amount of information and insight about your security profile.
Allor shared some examples.
If you find a piece of network-attached hardware is jail broken, restrict it. You may further want to look for similar hardware (in type or by vendor) and give all those a closer look. “You may not know exactly what’s going on with that device at the moment, but you can restrict it or take it off the network” and do a deep drill down later.
Same thing with software. “Say you find an OS running on your network [either directly on the network or a device connected to it] needs a patch. Patch it,” Allor said. “You don’t need to know the exact nature of the threat before you patch it,” he added. The idea is to: “Make sure your OS is at the safest level you can make it.”
Even short of new software patches, there are security improvements companies can make. “Be sure to take the time to enforce all your configuration settings,” he added.
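As an added illustration (not IBM’s or the article’s own code), the inventory questions from section #2 and the triage rules in this section can be expressed as a small risk-prioritization script: each asset carries the fields the questions ask for, and findings a defender controls (tampered devices, missing patches, configuration drift) are weighted by the sensitivity of the data the asset touches. The asset fields, sensitivity tiers, weights and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sensitivity tiers, ordered by how much losing that data would hurt the business.
SENSITIVITY = {"public": 1, "internal": 2, "employee": 3, "customer": 4, "secret_sauce": 5}

@dataclass
class Asset:
    name: str
    kind: str            # "hardware" or "software" (questions 1 and 2)
    vendor: str          # used to find similar hardware once one device is suspect
    location: str        # on-prem / cloud / mobile (question 3)
    data: str            # most sensitive data tier the asset touches (questions 4 and 5)
    users: int           # number of approved accounts with access (question 6)
    jailbroken: bool = False
    missing_patches: int = 0
    config_drift: int = 0  # settings that differ from the enforced baseline

def risk_score(a: Asset) -> int:
    """Findings the defender controls, weighted by what is at risk, plus access breadth."""
    findings = a.missing_patches + a.config_drift + (5 if a.jailbroken else 0)
    return SENSITIVITY[a.data] * findings + a.users // 50

def triage(inventory):
    """Return (restrict, patch, enforce) work lists, each ordered by descending risk."""
    ordered = sorted(inventory, key=risk_score, reverse=True)
    restrict = [a.name for a in ordered if a.jailbroken]        # take it off the network
    patch = [a.name for a in ordered if a.missing_patches]      # patch without waiting for threat detail
    enforce = [a.name for a in ordered if a.config_drift]       # enforce configuration settings
    return restrict, patch, enforce

def similar_hardware(inventory, suspect: Asset):
    """Same-vendor hardware to give a closer look once one device is found tampered with."""
    return [a.name for a in inventory
            if a.kind == "hardware" and a is not suspect and a.vendor == suspect.vendor]

# Constructed sample inventory; vendor names are placeholders.
INVENTORY = [
    Asset("crm-db", "software", "vendor-a", "cloud", "customer", 300, missing_patches=2, config_drift=1),
    Asset("hr-portal", "software", "vendor-b", "on-prem", "employee", 120, config_drift=3),
    Asset("tablet-17", "hardware", "vendor-c", "mobile", "internal", 1, jailbroken=True),
    Asset("tablet-22", "hardware", "vendor-c", "mobile", "internal", 1),
    Asset("kiosk-01", "hardware", "vendor-d", "on-prem", "public", 0, missing_patches=4),
]

if __name__ == "__main__":
    restrict, patch, enforce = triage(INVENTORY)
    print("restrict:", restrict, "patch:", patch, "enforce:", enforce)
    print("also inspect:", similar_hardware(INVENTORY, INVENTORY[2]))
```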
“Going after the quick-easy or the low hanging fruit and doing that repeatedly, you are basically taking care of 80% of your problems. Now, I can then go after other subsets like mobile and IoT – the next wave crashing,” Allor added.
Allor makes one last point on the importance of a Security Framework. Having a framework keeps you from falling in love with the latest shiny object.
“There’s always the next great thing,” Allor said, “some new threat out there and some new product you have to have to fight it off.”
“Once you learn how to use a security framework, you learn how to better defend. The threats, even the new ones, will roll back,” Allor stated. “What’s important is what do you do as a constant over time? Just know and maintain your network. Do the basics, all that blocking and tackling we talked about. A risk framework approach is important because it lets you know what level you need to be at to protect your network and all that’s on it. The framework is an engagement with Executives, LOB, IT Operations and Security.”
As for future threats, when you know what you need to protect, at the risk of the very business itself, you’ll know what level you need to be at in the future, he added.
#5. Add Automation – Benefit from an Ever-Protecting ‘Security Lifecycle’
“At this stage, you are ready to bring all the pieces together and explore on-going automation to promote an effective security lifecycle,” Allor says.
Bringing together the above steps, here are Allor’s guiding principles for securing the digital enterprise:
- See security from a business perspective.
- Get an intelligent (integrated) view.
- Use a Security Framework to set your road map.
- Define best practices (and identify where new tooling may be required).
After these steps, organizations are then ready to bring in automation – and take an always-on “security lifecycle” approach.
“You can start by automating all the simple stuff, where you can start to do operational configurations or work from products sets that talk to each other. Now your ability to manage your network [and all that is connected to it] is taking care of a large part of your problems,” Allor said.
He adds that automation also implies you know a bit about how your network works to deliver assets or information to privileged users. Ask questions like: Where is my data? Who is using it, and where do they typically access it from? Where are my backups? How do I make sure it’s encrypted for whatever risk posture I need?
Automation does more than simply keep security up-to-date, or make it more efficient for IT. “With automation, you are also taking away the ability for people to create vulnerabilities,” he said.
Allor has some closing thoughts for companies that may feel overwhelmed.
“You are not starting at zero on your security journey. You have a base level, so knowing an inventory of what data you are defending and what you are using in protecting your networks and systems. You just don’t know how that can be valuable to you yet,” Allor said.
Use all that information to determine your risk. Then, ask how to integrate security to reduce your risk – and elevate your capabilities. “Finally, know who you can coordinate an incident response with, from partners and vendors to upstream providers and law enforcement. When something happens, there is a lot of support and expertise to rely on,” he said.
Allor also summarized the successful approach IBM uses to work with customers to secure the enterprise, especially as they move through a digital transformation:
“Our belief at IBM is to put tools in place to help companies become more aware and better see where they are and how to use what they already know to identify, prioritize and tackle the biggest risks,” Allor said.