Who'd want to be a CISO?

Challenging job, but increasingly well paid

Hong Kong Crisis Easing

Capacity improvement measures beginning to have an impact

Security and the Board Need to Speak the Same Language

How Security Leaders speak to thier C-Suite and Board can make all the difference

Australian Cybersecurity Outlook

Aussie healthcare scrambles to catch up

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Just keeping its head above water

New Zealand Healthcare steams forward with minimal security

Cyberespionage, and the Need for Norms

Harvard Political Review (external link)

Turning Cybersecurity into a Strategic Advantage


Most C-suite leaders think about cybersecurity as a way to stop threats. But in today’s intensely competitive digital economy they should be thinking about cybersecurity as a strategic advantage that not only protects business value, but enables new business value.

The prevailing focus on threats to protect business value isn’t surprising. Modern digital businesses go beyond traditional walls and spawn new attack vectors in today’s dynamic threat landscape. Businesses face a cybercrime wave that is increasing in intensity and sophistication. According to a recent article in Forbes, “Corporate and home computers have been hit with an average of 4,000 ransomware attacks every day this year, a 300% increase over 2015,” citing United States Department of Justice sources.

While we must continue to work diligently to protect valuable data and assets, to achieve growth, the biggest opportunity comes when we make cybersecurity a foundational component of our digital strategies. One of the biggest downsides to cybersecurity weakness is how it inhibits innovation. In fact, 71% of respondents in a Cisco survey said cybersecurity risks and threats hinder innovation in their organization.

Organizations that have any doubt about their cybersecurity capabilities delay important digital initiatives and risk falling behind the competition tomorrow.

As Mike Dahn, head of data security and industry relations at Square, Inc., put it in this Cybersecurity as a Growth Advantage report, “I think it’s really important that we stop thinking about security as a defense-centric approach that is sold by fear, uncertainty, and doubt. We need to start thinking of it as an enabler that supports innovation … and helps the business go forward.”

You know your organization is well-positioned to move forward when:
  1. You recognize that cybersecurity concerns can hold back innovation and hinder growth. While cybersecurity concerns can hinder the development of new digital business models and driving innovation, smart organizations realize they must move forward, or be left behind by digital disruptors and other agile competitors.

  2. As a business leader, you are much more engaged in cybersecurity issues than your typical peers. Sixty-six percent of Boards do not believe they are properly secured against cyber-attacks. (Source: Cybersecurity in the Boardroom, Veracode 2015). And, the Board, the CEO, and other key stakeholders likely hold you responsible for cybersecurity issues, even if you don’t hold an IT or technical role. That’s because the success of digital programs that are shaping the future of the business, is predicated upon strong security practices. As business leaders develop digital initiatives they proactively collaborate with IT to ensure that security is included in plans from the earliest stages.

  3. You believe your organization is prepared to address cybersecurity challenges in three key digital capabilities – Big data/analytics, cloud computing, and the Internet of Things (IoT). These capabilities are critical to digital growth strategies that depend on connectivity. The level of confidence you have in incorporating these digital technologies into your business processes and offerings allows you to accelerate innovation and time-to-market and capture a greater share of digital value at stake.
The digital era is here. Those who embrace it will have a competitive edge, but not without a secure foundation that allows innovation with speed and confidence.

Take time during this year’s Cyber Security Awareness Month to evaluate how you can turn cybersecurity into a strategic advantage. If you are not sure where to start, our Security advisors can help. If you are already on your way to a digital transformation, we can help you assess your readiness and work with you to design and implement a secure digitization strategy.



Guest Blog - written by my colleague and good friend, Ashley Arbuckle.  Ashley is Vice President of Cisco Security Services.  This blog is also published here.

Insiders: The often forgotten threat


Insider threats are of particular concern to organisations, as the impact of a rogue insider can be catastrophic to the business. The 2016 Verizon Data Breach Investigations Report showed that 15% of data breaches were a direct result of insider deliberate or malicious behaviour. Given that it is not likely that all insider breaches are discovered and/or reported, this number may well be under represented in Verizon’s statistics. In addition, insiders often have legitimate access to very sensitive information, so it is no wonder that it is difficult to detect these breaches. Regardless, they can negatively impact the business in a big way, and must not be overlooked.

As I speak to a lot of customers about this, I see views of insider threats vary considerably by industry vertical. For example, financial services and gaming companies see financial objectives as the main motivator; manufacturing/high technology/biotech see intellectual property theft as their biggest concern; and personal services store and process large amounts of personally identifiable information, which they must protect from insider theft. The unique challenge faced is that insiders are often more difficult to identify behaving maliciously as they are often misusing their legitimate access for inappropriate objectives such as fraud or data theft.

Strong user access policies are a key building block to a good insider threat management strategy. Regular review of user access rights, along with job rotation, mandatory leave, separation of duties, and prompt removal of access rights for departing employees have been the core of managing insider risk for many years. Once you have these key components in place it's time to go to the next level.

As with everything in security there is no single answer, and frankly you should question anyone that tells you they can fix all of your security problems with one service. To reduce the risk of the insider threat, I would suggest the following strategy:

1. Classify your Sensitive Data.

This is the most critical step and often difficult as this requires the technology team and the business to align in order to classify what data is sensitive and to ensure there is consistency in the classification strategy. Remember to not boil the ocean; this step should focus solely on identifying sensitive data that could effect the business should it be stolen. Carnegie Mellon University has a good example that can be adapted to most organisations.

2. Implement a Protection Plan

a. Instrument the network....
so you can detect atypical accesses to your data. To validate if your instrumentation is setup correctly, you should be able to answer the following questions:

  • Have new users started accessing sensitive data?
  • Have your authorised users accessed more sensitive data than usual?
  • Have your authorised users accessed different groups of sensitive data more than before?
Many fraud management professionals would recognise these questions as lead indicators of possible fraudulent activity, and astute HR professionals would recognise these as possible lead indicators of an employee about to leave the business. Both of these scenarios are very typical lead indicators of insider data loss. You should try to make use of fraud management and HR personnel to assist you in determining what to look for and actions you can/should take when you detect a possible insider incident.

Data flow analytics may also assist from the technical side as well. Cisco Stealthwatch uses NetFlow to build profiles of expected behaviour for every host on the network. When activity falls significantly outside of expected thresholds, an alarm is triggered for suspicious behaviour. Data hording is one typical use case where data flow analytics detects anomalous behaviours. For example, if a user in marketing usually only accesses a few megabytes of network resources a day but suddenly starts collecting gigabytes of proprietary engineering data in a few hours, they could be hoarding data in preparation for exfiltration. Whether the activity is the result of compromised credentials or insider threat activity, the security team is now aware of the suspicious behaviour and can take steps to mitigate it before that data makes it out of the network.

b. Data Loss Prevention software...

or DLP as it is more commonly known, is software that monitors data flows much like an IPS as well as monitoring data usage at the endpoint. Network DLP uses signatures like an IPS, but the signatures are typically keywords in documents or data patterns that can identify sensitive data. Endpoint DLP can be used to control data flow between applications, outside of the network and to physical devices. This becomes especially important if there are concerns about sending data to external data storage systems (Google Drive, Box, SkyDrive etc.) or to USB attached storage. DLP can control access to all of these systems, but it is a matter of policy and vigilance as new capabilities are released at the endpoint.

There is a lot of skill in effectively setting up DLP software and much of the complaints about the lack of effectiveness of DLP comes down to a lack of proper data classification and poor DLP software configuration. There is also an argument that network DLP is losing relevance with the increasing amount of encryption of network traffic. This is certainly true and enterprises need to have SSL interception properly configured to maximise the effectiveness of their DLP investment. Still not all traffic will be able to be decrypted and you must determine whether your risk appetite will allow for users having encrypted communications you cannot monitor. This is not exclusively an IT decision, but one that needs to be decided by a well-briefed executive.

c. Network segmentation....

is unfortunately something that is often not done well until after a security breach. One of the benefits of a properly segmented network is that a malicious insider keeps bumping into network choke points. If these choke points are properly instrumented then alerts flow to warn of potential inappropriate access attempts. This gives the defender more time to detect and respond to an attack before sensitive data leaves the network. For example, if your Security Operations Centre (SOC) observes a user in Finance trying to access an Engineering Intranet server then you should be raising an incident to address why this user is trying to access a server that most likely holds no relevance for their job function.

3. Honeypots

These are one of the more controversial strategies that may not be for everyone. The honeypot should be setup with decoy data and a similar look and feel to the production environment. The decoy data needs to look authentic and the knowledge of the existence of a honeypot needs to controlled on a need to know basis. The great advantage of a honeypot over other technical strategies is that all traffic that goes to the honeypot can be considered malicious and by its very nature as the honeypot has no business relevance. The honeypot is only there to trap those that could be looking for sensitive data inappropriately. I have found it useful in the past to use the same authentication store as the production environment so you can quickly see which user is acting inappropriately, or you may have an external attacker using the legitimate credentials of an insider to hunt for sensitive data. Either way, you need to act quickly and deliberately to head off possible data loss. Like every data loss scenario you need a robust process for managing these incidents types.

4. Use of non-core applications, especially social media applications

There has been an explosion of social media applications in recent years ranging from Skype, WhatsApp, QQ, WeChat, LINE, Viber and many others. Businesses are worried that their staff are using these applications to send sensitive data out of the business. These applications are often used for business purposes and depending on the sensitivity of the data this may be considered inappropriate behaviour. Our favoured strategy is to use some of the recommendations above, classify your data, and instrument the network to look for inappropriate use. But, from the user’s perspective, they are trying to perform their job in the most efficient manner and no one wants to discourage “good behaviour!” If there is a legitimate business use for a social media application, we recommend that a corporate social media application be deployed so staff can be efficient in their job. Security needs to enable users to get their job done and not hold up business progress and increase business complexity. Additionally, users must understand the ramifications of their actions and know what data can be sent externally and what cannot leave the organisation without appropriate protections. Education is the key to achieving an effective balance and reminders, like a “nag screen” that alerts the user that they are accessing sensitive data can reinforce the user’s training. Document watermarks and strongly worded document footers about the document sensitivity can also serve as another valuable reinforcement.

5. Hunt for caches of sensitive data

You need to have the ability to hunt for caches of sensitive data – one phenomena that that our security consultants see time and again is that people have the habit of creating a cache of sensitive data to steal before they send or take it out of the organisation. This is true not just for insiders, but often with external attackers that are preparing to exfiltrate data. Our consultants use endpoint tools to look for caches of documents in user directories, desktop and temp directories as the most common places to find document caches. Often the documents will be compressed into an archive such as a ZIP, RAR or GZ file for quicker data exfiltration and to avoid tripping the DLP keyword filters. Whatever tool you use to hunt for data caches it must be able to return the name and type of documents when it does its scans. You should select a tool that can hunt on the basis of a threshold of data volume and be able to dynamically tune the amount. Some of the more sophisticated DLP solutions can implement this functionality also.
Complexity is the arch nemesis of a good security program

Like every good superhero we have our arch nemesis, and this is often the complexity of our security environment and not the bad guys that are trying to compromise our networks. The 2016 Cisco Annual Security Report recently found the average number of Information Security vendors in enterprises was 46! A shocking number, but one which goes to show that there are a lot of point products in this industry.

One of the constant comments from our customers is “can you make all of these products work together?” We hear you, and recommend that when you are devising your strategy to combat the insider threat that you also consider that the output from these controls is going to have to be acted upon, and you cannot continue to overburden the existing SOC team. We recommend that you review how the insider threat strategy will integrate with your existing threat management process and platform as a key consideration before you get involved in the “speeds and feeds” bake offs with products.

We hope this blog has given you some ideas about key strategies you can deploy to prevent, detect and respond to insider threats. If you would like to learn more about how to get started, Cisco Security Services can work with you to conduct an Intellectual Property Risk Assessment to get a full view of insider threats in your business and can assist with designing a custom strategy to address these threats.

Guest Blog - written by my colleague and good friend, Mark Goudie. Mark is Principal and Director of Security for APJC at Cisco.
 

The 'Senior Cyborgs' are Coming!

Richard Staynings and other panelists at the Louisville Innovation Summit

The Silver Tsunami of Baby Boomers hitting retirement by itself would be enough to worry the most well prepared healthcare system, however in the United States, rising healthcare delivery costs and little to no change in the number of professional caregivers is putting the system under never before seen pressures. Everyone is looking to provide more cost-effective ways to provide care and keep people independent, safe, happy and healthy at home, and that was the focus of a panel discussion at this week's Louisville Innovation Summit.
Senior Cyborgs & the Rise of Digital Health
The session discussed the evolution of disruptive digital health technology, a new force of digital caregivers and the entrepreneurs that are changing the way care is delivered. The audience learned about new technologies to deliver care to the elderly, to monitor and assess their condition, mood and well-being as indicators of onsetting medical conditions, and some of the technologies that will enable the elderly to stay in their homes rather than in much more expensive and often despised elderly residential care.

However with increased adoption of clinical alerting and other medical technologies being sent home with post-acute patients, combined with an ever-increasing number of across-the-shelf health monitoring and tracking systems filling homes, the bigger question, which unfortunately often goes unanswered, is how can this ever growing mass of medical devices be secured. The confidentiality, integrity and availability of medical systems and the protected health information that they produce needs to be secured in the home just as it would in a hospice or hospital. This lack of security confidence has in many cases slowed the adoption of technologies that enable patients to spend their twilight years in the comfort of their own homes. It appears then, that security is the primary key to unlocking the doors to what the elderly are asking for and what Medicare Administrators would prefer to fund.

One other key that appears to be required however, is the need to change healthcare payment models for both private and government funded programs such that providers can get paid for community-based care. The panel agreed that current payment and reimbursement models are hugely out of date and this is one of the reasons why the United States lags the rest of the developed world in its adoption of cheaper and more convenient telehealth and telemedicine.

Other areas of discussion focussed upon the need to improve the interoperability of digital health systems, such that meaningful data and meta-data can be better exchanged between providers with different EMRs, and other clinical information systems. We heard that the industry itself has made some strides towards this, but competitive business practices have failed to break down the proprietary data formats used by different HIT vendors. Government will probably need to take a bigger role in mandating common data formats so that meaningful use can be fully achieved.

Read more at TechRepublic and at grandCARE both of whom also reported on the session.

Taiwan National Day

Richard Staynings
The Author pictured here with Ambassador Zhang Chu Zhang

I was privileged to be invited to celebrate Taiwan National Day this year with an assembly of Ambassadors, Senators, Congressmen, State Representatives, Mayors, retired Generals and other US military personnel who served in the 1950s and 60's protecting the country at the height of the Cold War.

Economic, political and cultural relations with the Republic of China (Taiwan) have never been higher. Great to meet everyone and a very happy Taiwan National Day.