Self-hacking key to Daimler’s cyber defence strategy

Vehicle manufacturer Daimler has a team of hackers to test the effectiveness of its cyber defences from the perspective of an outside attacker

Vehicle manufacturer Daimler has a team of hackers to continually test the effectiveness of its cyber defences from the perspective of an outside attacker.

“We found traditional penetration testing did not go far enough to expose vulnerabilities that could be exploited by attackers,” said Lüder Sachse, chief information security officer at Daimler.

“By trying to break in like outsider attackers we can learn more and we are more likely to find any potential vulnerabilities,” he told the Gartner Security and Risk Management Summit 2014 in London.

Sachse said this approach has led to some “tough lessons” about getting the basics done correctly, but has enabled the IT security team to focus on what most needs to be done at any given time.

“We are no longer dealing with things on a theoretical basis, but can focus on eliminating the actual vulnerabilities that our hacking team finds in the context of a real attack,” he said.

Exposing security vulnerabilities

The company’s hacking team has helped expose basic security vulnerabilities that were thought to have been fixed up to 10 years ago.

“For the first time we were able to ask for budget for real threats to specific assets rather than pitch for projects to fix theoretical risks to meet compliance requirements,” said Sachse.

Daimler adopted this approach after the IT security team realised a security compliance checklist provided no guarantee that the company’s critical information was safe.

They also realised it was impossible to ensure 100% protection at all times for the firm’s up to one million live IP addresses, and that application penetration testing did not take the overall IT estate into account.

Faced with the challenge of securing 500 linked sites and more than 274,000 employees at 8,421 locations, Daimler adopted a new model for handling information security in 2012.

“In this new approach we started to attack our own company from outside, regardless of organisational boundaries and geographical regions,” said Sachse.

Another key element of the new model is having information security officers at each of the key locations.

“This means I can act directly into locations, which helps overcome the challenge of implementing changes from a central location,” said Sachse.

“Reporting directly to the CIO also means that I can have those hard discussions when necessary and get quick decisions,” he said.

Security as a shared responsibility

Daimler’s information security group is organised into five departments, each covering a different aspect of information security: threat intelligence; standards and policies; architecture and design; IT service management; and awareness and communication.

“When you have so many people spread across the world, it is important to keep up the community and spread information,” said Sachse. “This includes collecting information on good things that work.”

Using ideas from within the community helps promote acceptance and helps local information security officers build business cases for their managers supported by successes in other regions.

Daimler uses an annual internal security conference, attended by more than 500 members of staff, to further promote understanding of security topics across the group.

“I can definitely recommend this for global companies because you have one point where people come together to discuss issues of mutual interest and maintain an essential security community,” said Sachse.

Sachse has also worked to make security the responsibility of more than just the people in the security team.

“Line functions are continually made aware that they are responsible for implementing the guidance that comes from the security team,” he said.

Sachse said another important principle that Daimler has implemented in security is to do fewer projects, but to do them well and maintain focus so that they are completed and applied throughout the group.

In response to the shift in recent years to predominantly outsider threats, Daimler deals with the remaining insider threat through a strong security culture that makes it risky to steal data.

“Using this approach we have been able to keep technical controls and impact on usability to a minimum while reducing the risk of insider breaches because everyone understands the risk,” said Sachse.

Increasing IT resilience

On the other hand, he said the volume, range and complexity of external threats continues to increase, particularly in the form of hacktivism and cyber espionage over the past three years.

“These threats cannot be underestimated and, with cars increasingly being connected to the internet, we are putting a lot of effort into ensuring our products are not compromised in this way,” he said.

Whereas in the past Daimler security tested each control system in isolation, the hacking team now probes for potential security vulnerabilities in the context of the whole car.

“Total security is not possible, but it is also often unnecessary,” said Sachse. “It is better to improve the resilience of IT systems and reduce the time to discovery of any network intrusions.”

Another element of Daimler’s security model is the recognition that it is necessary to maintain two levels of security: baseline security for all IP addresses and enhanced security for critical data assets.

Using this approach, baseline security is considered good enough when a system can resist an attack over a period of four hours.

“Attackers are unlikely to spend longer on systems that have no critical data,” said Sachse.

For systems that do contain critical data, Daimler requires the much higher resilience level of five days.

Protecting legacy systems typically requires additional firewalling and network segmentation to achieve the required level of protection, as there are often no security updates for such systems.

Although Sachse provides guidance on how regional information security officers can achieve the required levels of resilience, it is up to them to find the best way of meeting these standards.

“In this way, they get dedicated information on the vulnerabilities and risks that apply to their systems to enable them to identify priorities.

“And in turn, this information is fed through to the central IT security team that enables me to identify the group’s vulnerabilities and shape future IT security projects accordingly,” he said.

This community approach also enables the central IT security team to identify good local practices, which can be shared across the group.

Once implemented elsewhere in the group, these best practices are reassessed and modified if necessary to ensure continual improvement across the group.

Reducing security complexity

Sachse is determined to reduce security complexity and has overseen the start of five projects in the company that specifically address this issue in areas such as patch management.

He also places a lot of importance on security awareness training, not only for users, but also for IT professionals.

“In a working environment with high workload and high pressure, people tend to forget things like information security or they choose to do something else less difficult or complicated,” he said.

Sachse emphasised the importance of governance in a global, decentralised environment.

“The stronger the governance, the better,” he said. “Without it, you stand no chance of implementing controls successfully throughout the organisation.”

And finally, Sachse said it is no use identifying threats without having the capacity to address them. For this reason, Daimler has adopted a support model that uses trusted partners to meet demand.

“In this way we address the problems and can keep line managers engaged without sending them into panic mode,” he said.

Sachse believes that only by getting an attacker’s perspective through hands-on security can organisations identify the most important security vulnerabilities and how best to eliminate them.