Cyber threat prevention is ideal, but detection is a must, says Eric Cole, SANS Institute fellow, cyber defence curriculum lead and course author.
“Organisations need to recognise that they are going to be targeted, they are going to be compromised and they are going to be broken into,” he told Computer Weekly.
Cole believes organisations need to put more effort and energy into detecting systems that are already compromised in their network.
He is critical of the IT security industry for its continued focus on threat prevention, and for expressing shock and surprise at high levels of compromise among organisations.
Cole believes that an organisation saying it is never going to get compromised is like someone saying they are never going to get sick.
“But nobody would ever say that; instead we look at ways of minimising the frequency of getting sick and minimising the impact that it will have on our lives when it happens,” he said.
Similarly, organisations should accept that attacks are going to happen and focus instead on minimising the frequency they occur and minimising the impact when they do.
“The aim should be improve the capability to control, contain and manage what is happening in the IT environment in the event of a breach rather than focusing only on prevention.
“Organisations need to recognise that they need to do a better job at detecting and stopping the adversary by focusing first on four core fundamentals of security,” said Cole.
The first step to transforming an organisation’s cyber defence strategy, he said, is to identify all information assets by drawing up an inventory.
“If you do not know what is on your network, you cannot defend it effectively,” said Cole.
Second, organisations need to improve their configuration management capability.
“If you do not know how devices on your network are configured and set up, you cannot know how to protect and secure them,” he said.
Third, organisations need to ensure they have sufficient change control capability to manage change in the IT environment.
And finally, organisations need to do a better job of network segmentation to isolate critical systems to make it difficult for attackers to move laterally in an organisation.
In this way, Cole said organisations can improve their capability to find, catch and control attackers after they have broken in.
“Being able to analyse the traffic within your environment to detect compromised systems is what is really going to make a difference in security,” he said.
Cole believes that organisations should focus on being proactive by setting up an environment that can better manage an attack and recover.
While these things are fundamental to cyber defence, he believes there are several reasons few organisations are doing them well.
The most common reason is that organisations think they already have a foundation in place and that those four elements are already taken care of.
“Most organisations want to talk about putting the latest, greatest technology into their environments because they assume the basics have been taken care of,” said Cole.
The reality is that most organisations’ security programmes have not been built on a solid foundation, he said, which means they now have to go back to do the basics.
However, this in itself raises another barrier to getting the basics done because few information security professionals are willing to admit the proper foundation work was not done in the first place.
“The trick to getting around potential embarrassment and the executive tendency to chase the latest blip on the security radar is to root cause analysis on threats such as the Hearbleed bug,” he said.
Cole believes that by demonstrating that asset inventory, configuration and change management, and network segmentation would contain and control the potential damage of the threat of the day, chief information security officers (CISOs) will get the resources needed to address these basic issues.
Another common barrier to addressing security basics is the fact that there is not a proper conduit to the executive to receive security metrics that are needed to make the right decision.
“Many organisations either do not have a chief security officer (CSO) or the chief security officer is buried several layers under the chief information officer, who is focused on uptime and availability,” said Cole.
Consequently, the messages about the need for foundational security are not getting through to the executive level because there is nobody translating the technical language into business language.
Cole believes that just as the CIO is now able to report directly to the executive team, a similar evolution of the chief information security officer’s role has to take place.
“Business has come to understand how important IT infrastructure is to the organisation, but only now are they beginning to understand that information security is just as important,” he said.
Cole predicts that with natural evolution, the CISO role will become just as important as the CIO role and have direct reporting to the executive team.
“CISOs need to understand both the technical aspects of security as well as the working of the business so they can translate things into language that executives understand,” he said.
This means they will have to create security metrics that can be measured and understood by the business and linked back to familiar concepts such as profit and loss.
“A very valuable tool, for example, is mapping security non-compliance metrics with the number of data breach incidents per department; there is often a direct correlation between the two,” said Cole.
Typically, 70% to 80% of security incidents come from one or two departments, and these are usually the same departments with a high level of non-compliance.
“This type of report enables executives to see the correlation between security and monetary loss, and identify the problem areas that need to be fixed,” said Cole.
The Infosecurity Europe Hall of Fame celebrates the achievements of internationally recognised Information Security practitioners and advocates.
Cole joins previous inductees that include Alan Paller, Eugene Kaspersky, Bruce Schneier and Mikko Hypponen among 25 alumni that have been honoured with the award since 2008.
“I was very happy and pleased by the nomination, but also shocked and surprised,” said Cole. “As with many of us in the industry, we are always working hard to make a difference and provide thought leadership, but seldom look back at what we have accomplished.”
He said it was a humbling experience to be ranked alongside the other alumi, but it had “put a big smile” on his face to go through all the reasons for the nomination.
In addition to his work with the SANS Institute, Cole has worked with the UK Centre for the Protection of National Infrastructure (CPNI) and briefed organisations within the Critical National Infrastructure, National Technical Authority for Information Assurance (CESG), National Counter Terrorism Security Office (NaCTSO) and the Counter Terrorism Security Advisor (CTSA) network.
Cole is an industry-recognised security expert with over 20 years of hands-on experience, a Master’s Degree in computer science from NYIT and a doctorate from Pace University.
He is also the author of several books, including Advanced Persistent Threat, Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat.
Cole is the holder of more than 20 patents and is a researcher, writer, and speaker. He is also a member of the Commission on Cyber Security for the 44th US President and several executive advisory boards.
He is founder of Secure Anchor Consulting in which he provides security services and expert witness work, and has served as CTO of McAfee and Chief Scientist for Lockheed Martin.
More on SANS Institute
- SANS researchers warn RSA attendees about 2014 attack techniques
- SANS Institute praises Pentagon's cyber defence strategy
- 'Heartbleed' OpenSSL vulnerability: A slow-motion train wreck
- Would you recommend SANS Institute security training?
- SANS Institute: top 20 threats
- SANS Institute, MITRE release new top 25 dangerous coding errors list