This year’s Eskenzi PR annual IT Security Analyst & CISO (chief info security officer) Forum was the 8th such event and attracted the security leaders of some of the largest UK organisations. Household names from insurance, banking, accounting, pharmaceuticals and media were all represented, as well as a large service provider and one true 21st century born-in-the-cloud business.
Whilst media outlets are never going to see all issues to do with IT security in the same ways as insurers (“journalists have to act in anomalous ways compared to users in role-based organisations” said one), there was consensus in many areas.
All accepted the reality of bring-your-own-device (BYOD) however it is managed and implemented. Shadow IT was recognised as a widespread issue, but one to be managed not banished. The mood was well summarised by a comment from one CISO – “we have to move from NO to KNOW“; that is, do not block the users from trying to do their jobs, but do make sure you have sufficient insight into their activity. A good analogy offered up by another was of a newly built US university campus that was surrounded by newly laid lawns with no footpaths. Only after a year, when the students had made clear the most trodden routes were hard paths laid. Within reason, IT security can be managed in the same way – to suit users.
There was some disagreement about how news of software vulnerabilities and exploits should be reported in the press; is it better that some high profile cases raise awareness amongst management or does over-reporting lead to complacency? Denial-of-service (DoS) attacks were recognised as a ubiquitous problem; not to be accepted but controlled. Perhaps the greatest consensus was reached about the need to deal with privileged user access. One CISO observed that if the use of privilege internally is well managed it goes a long way towards mitigating external threats as well; hackers invariable seek out privileges to perpetrate their attacks.
The two day event, which as well as CISOs included industry analysts (such as Quocirca) and a host of other IT security professionals was sponsored by a dozen or so IT security vendors. So what message was there for them from the attendees?
Clearly Wallix, a supplier of privileged user management tools would have gone away with a renewed sense of mission to limit the powers of internal users and unwanted visitors. As would Duo Security, whose two-factor authentication, through the use of one time keys on mobile devices, would also help keep unauthorised outsiders at bay.
Of course hackers will do all they can to find weaknesses in your applications and infrastructure; all the more reason to scan software code for vulnerabilities with services from Veracode both before and after deployment. Nevertheless vulnerabilities will always exist, so when a new one is made known, Tenable Security can scan your systems to find where the dodgy components are installed and highlight the riskiest deployments for priority fixing.
Should hackers and/or malware find their way onto the CISOs systems, new technology from Illumio enables the mapping of inter-workload traffic, including between virtual machines running on the same platform. Anomalous traffic can be identified, reported and blocked – it is a common tactic of hackers and malware to ingress one server and attempt to move sideways. Hopefully, such traffic would not include anything related to DoS attacks which could be blocked by services from Verisign or from other such providers that may base their prevention on DoS hardware appliances from Corero.
Enabling users to safely use the web is a key to saying YES and remaining safe. OpenDNS, amongst other things, protects users wherever they are from perilous web sites and other threats. RiskIQ eliminates the unknown greyness that can prevail in such matters by classifying any web resource as either known or rogue. Venafi says its monitoring of the use of and cleansing systems of SSL keys acts like an immune system for the internet. Meanwhile Pulse Secure (a 2014 spinoff from Juniper Networks) combines its mature SSL-VPN technology with network access control (NAC) to provide end point monitoring way out in the cloud. It also has newly acquired technology called Mobile Spaces to enable BYOD through the creation of local mobile containers on Android or iPhone devices.
Impressive claims from all the vendors, however, one CISO was keen to remind suppliers; “do not over-promise and under-deliver“. His peers all nodded in agreement.