[BreachExchange] What Executives and Board Members Should Demand of Security

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 9 19:58:43 EST 2017


https://www.infosecurity-magazine.com/opinions/executives-board-demand-of-security/

If there were an active intruder in your network, you would likely not know.
Like most organizations, you would be in the dark.

It is entirely possible that months or even years ago, an outsider gained
access to the network and quietly began to explore it and expand their area
of control. Over the first weeks and months, the attacker gained access to
all the servers and began looking for files that might have value.

They may have access to the email server, and it may provide abundant
material suitable for extortion or other purposes. If some of these
confidential emails become public or are provided to competitors, investors
or other interested parties, the damage could be catastrophic.

In this instance, the attacker has not yet done anything with the assets. The
attacker is quietly lingering, waiting for the right time to capitalize on
their position.

Today the vast majority of enterprises have no effective means of detecting
an active attacker on their network. Is someone lurking in your network?
Your company probably has no idea.

Without a doubt, one of the most important new capabilities of enterprise
security should be to detect an attacker early in the process, before theft
or damage can occur. A parallel capability is also quite valuable—the
ability to know whether the network is free from attackers. I call this
security assurance.

With the costs and penalties of a data breach becoming increasingly
expensive, enterprise executives and boards of directors should start
demanding that their security heads provide regular reporting attesting
that the network is safe from internal or external attackers. The question
to ask should be: is there an active attacker currently on our network? The
answer should be definitive and based on full visibility that detects
attacker activity, namely the internal reconnaissance and lateral movement
necessary to carry out an active attack.

Soon, regulatory bodies will start penalizing organizations that have a
data breach if they have not taken available precautions to protect the
data. The General Data Protection Regulation (GDPR) describes the need to
take appropriate steps to protect the data of EU citizens. Future
litigation will likely revolve around this issue.

Did the organization employ the means to find an active attacker? Did they
continually monitor for the presence of an attacker? Did executives and the
board hold the security team accountable for detecting and shutting down
attacks?

The ability to attest to a network being free from attackers should become
a primary measure for security. Today, organizations often report on things
like the number of end-user computers hit with malware that required help
desk support, or the number of vulnerabilities found and addressed in
network defenses. These are all fine, but a more meaningful metric would be
a clear sign that the network is safe from a hidden intruder.

Customers and partners may start asking for this kind of certification.
Large law firms already have to go through significant security reviews
with their biggest clients. Companies that take credit card payments have
to go through PCI reviews. Both types of review processes could greatly
benefit from an attestation that the network is attacker-free, particularly
since the implication is that if there were an attacker they would know
about it and be able to defeat it.

As a first priority, companies need a new level of internal visibility that
can precisely detect active attackers. Most enterprises lack this today,
largely because they have not even considered it. In fact, many don’t even
know about some of the most promising technologies.

At the same time, the procedures and strategies have generally not been
developed to utilize these new tools. It does not mean giving up on
preventative security, but it does mean shifting some budget and resources
to add network attack detection.

By modernizing security, enterprises should gain the ability to defeat
internally- and externally-based attackers. The next priority is to start
offering security assurance reporting to those accountable for the health
and viability of the enterprise. Executives and boards need to ask the
right questions, and security teams need to provide answers.