[BreachExchange] Embrace the Machine & Other Goals for CISOs

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 17 15:48:54 EDT 2017


http://www.darkreading.com/threat-intelligence/embrace-the-machine-and-other-goals-for-cisos/a/d-id/1328433

Depending on how you look at it, the past year was either tough for
security professionals or it showed the world how complex and interesting
this field really is. After all, we're not working to identify some
deterministic software bug — we're combatting real adversaries who are
constantly testing our defenses.

Like many of you, I spend a lot of time talking to customers, partners, and
other security professionals, and there is clearly a lot we can do to
become more effective for our organizations. Here is my take on what the
security community should resolve to accomplish or overcome as we move
forward.

1. Embrace the machine.
We have access today to programmable technology that interoperates with
other systems and can correlate at scale across data from many sources:
logins, proximity card data, Web behaviors, locations. We have agents on
users' machines that log process execution. And we have rich, intelligent
sources of threat information from third-party vendors and other experts.

The ability to correlate all that information almost instantaneously means
that today's expert systems are doing things humans used to do, only much
faster. Machines can compute those correlations in near-real time, assemble
a picture of what happened, and prioritize events for an analyst to review.

Taking it a step further, today we see machines good enough at making
correlations that they can classify the identified activity as malicious on
their own. The challenge is to let go and allow the machine itself to loop
back into firewalls, endpoint security, and applications, and actively
mitigate the threat.

Embracing AI in this way can reduce response times from months to
milliseconds, produce more relevant logs, and provide APIs that respond to
inputs from the larger systems.

2. Consume farm-to-table security data.
CISOs need to understand the difference between primary data and secondary
data, and get as close to the source as possible when automating systems.
The closer our data points are to the user, the less risk we run of bad
modeling.

The key is to capture logs at the moment of creation and ship them off the
host, so that unless the event logging system itself is compromised, you're
going to get the unfiltered truth. If you go back to a machine after a bad
guy has cleaned up his toolset and deleted the log, the tracks may already
be covered.

To this end, you have to constantly evaluate log sources to see how quickly
the data is logged, what the source is, whether there is redundancy — and
identify the correlation points that enable a true picture of what’s
happening with each machine on the network.
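The correlation engine sketched in "Embrace the machine" and the
source-freshness check in "Consume farm-to-table security data" are easier to
reason about with a concrete, if toy, implementation. The following Python is
an added example written for this page; it is not code from the article's
author, from Dark Reading, or from any vendor product. Everything in it is an
assumption: the three sources (badge readers, VPN logins, an EDR agent), the
rule names, the scores and thresholds, the 30-minute presence window, the
five-minute staleness cutoff, and the action names. The sample events are
constructed for the example and are not real telemetry.

```python
"""Toy multi-source correlation engine with source-freshness weighting.

Added example: all rules, weights and sample events are assumptions
constructed for illustration, not telemetry or logic from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    source: str                 # producing system: "badge", "vpn" or "edr"
    user: str
    created_at: datetime        # timestamp stamped by the producing system
    ingested_at: datetime       # when the central collector received it
    host: Optional[str] = None  # endpoint involved, if any
    site: Optional[str] = None  # badge reader site, or "offsite" for a VPN login
    detail: str = ""            # free-text payload (e.g. command line)


@dataclass
class Finding:
    rule: str
    user: str
    host: Optional[str]
    score: int
    notes: List[str]
    action: str = ""


PRESENCE_WINDOW = timedelta(minutes=30)  # assumed: badge and VPN within 30 min
STALE_AFTER = timedelta(minutes=5)       # assumed: later ingest = lower trust


def trust(ev: Event) -> float:
    """Farm-to-table check: weight an event by how close capture was to creation.
    A log collected days after the fact may already have been edited by an
    intruder, so it counts for half."""
    return 0.5 if ev.ingested_at - ev.created_at > STALE_AFTER else 1.0


def impossible_presence(events: List[Event]) -> List[Finding]:
    """Same user badged on site and logged in via VPN from offsite within the window."""
    badges = [e for e in events if e.source == "badge"]
    vpns = [e for e in events if e.source == "vpn" and e.site == "offsite"]
    findings = []
    for b in badges:
        for v in vpns:
            if b.user == v.user and abs(v.created_at - b.created_at) <= PRESENCE_WINDOW:
                w = min(trust(b), trust(v))
                findings.append(Finding("impossible_presence", v.user, v.host, int(60 * w),
                                        [f"badge at {b.site} {b.created_at:%H:%M}, "
                                         f"VPN offsite {v.created_at:%H:%M}"]))
    return findings


def suspicious_process(events: List[Event]) -> List[Finding]:
    """EDR process events whose command line carries encoded PowerShell.
    The ' -enc' substring also matches the long form ' -encodedcommand'."""
    findings = []
    for e in events:
        if e.source != "edr":
            continue
        cmd = e.detail.lower()
        if "powershell" in cmd and " -enc" in cmd:
            w = trust(e)
            notes = [f"encoded PowerShell on {e.host}"]
            if w < 1.0:
                notes.append(f"late log: ingested {e.ingested_at - e.created_at} after creation")
            findings.append(Finding("suspicious_process", e.user, e.host, int(50 * w), notes))
    return findings


def decide_action(score: int) -> str:
    """Assumed policy: only high-confidence findings trigger automated containment."""
    if score >= 80:
        return "isolate_host+revoke_vpn"
    if score >= 50:
        return "queue_for_analyst"
    return "log_only"


def correlate(events: List[Event]) -> List[Finding]:
    """Run the rules, chain related findings, attach actions, and rank for the analyst."""
    findings = impossible_presence(events) + suspicious_process(events)
    # Chaining: a suspicious process on the host of a user already flagged for
    # impossible presence is escalated past the automated-containment threshold.
    flagged = {(f.user, f.host) for f in findings if f.rule == "impossible_presence"}
    for f in findings:
        if f.rule == "suspicious_process" and (f.user, f.host) in flagged:
            f.score += 30
            f.notes.append("host belongs to user with impossible-presence finding")
    for f in findings:
        f.action = decide_action(f.score)
    return sorted(findings, key=lambda f: f.score, reverse=True)


T0 = datetime(2017, 3, 17, 9, 0)


def ts(minutes: int, seconds: int = 0) -> datetime:
    return T0 + timedelta(minutes=minutes, seconds=seconds)


# Constructed sample events (not real data). Hosts, users and IPs are invented.
SAMPLE_EVENTS = [
    Event("badge", "alice", ts(0), ts(0, 2), site="HQ"),
    Event("vpn", "alice", ts(12), ts(12, 1), host="lap-alice", site="offsite", detail="src=203.0.113.45"),
    Event("edr", "alice", ts(15), ts(15, 1), host="lap-alice",
          detail="powershell.exe -nop -w hidden -enc ZQBjAGgAbwA="),
    Event("vpn", "bob", ts(60), ts(60, 1), host="lap-bob", site="offsite", detail="src=198.51.100.7"),
    Event("badge", "carol", ts(-30), ts(-30, 1), site="HQ"),
    Event("vpn", "carol", ts(240), ts(240, 2), host="lap-carol", site="offsite", detail="src=192.0.2.9"),
    # Same indicator as alice's, but the log only reached the collector three days later.
    Event("edr", "dave", ts(20), ts(20) + timedelta(days=3), host="lap-dave",
          detail="powershell.exe -EncodedCommand ZQBjAGgAbwA="),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.score:3d} {f.action:24s} {f.rule:20s} {f.user}@{f.host}: {'; '.join(f.notes)}")
```

Run stand-alone, the engine ranks alice's encoded-PowerShell event highest (80, automated containment) because it chains with her impossible-presence finding, queues the impossible-presence finding itself for an analyst (60), and leaves dave's identical indicator at log-only (25) because the source delivered it three days late, which is exactly the kind of source the "farm-to-table" section says you should re-evaluate. Note that the automated action here is a string, not a call into a firewall or EDR API; in a real deployment the "let go" step in section 1 should be gated the same way, with a confidence threshold and a reversible action, so a false positive costs an isolated laptop rather than an outage.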

3. Give back to the community.
On both a human and a machine level, getting better at security is an
iterative process. When an intrusion analyst identifies something,
engineering should encode that knowledge into the correlation engine.
Eventually, this process lets you automate what the analyst does, in a
feedback loop between the machine, engineering, and the network's defenses,
making every piece more effective.

Now it's time to share what you’ve learned. Ideally, that information
should go to a major threat intel vendor to be correlated with other data
so the broader security community can benefit as well.

4. Let analysts analyze.
Information security pros and analysts are expensive. If there is a host of
things that machines can suppress, that frees those people to add value
elsewhere and shows the C-suite a return on the investments they have made
in security.

And believe it or not, this is also a retention mechanism. Why? Because now
only the really hard problems are turned over to analysts, which makes them
happy. This is ultimately why many of us go into the security industry in
the first place. We're dealing with human adversaries who are actively and
continually adjusting their software and tactics to get into your network.
It's a battle of wits and knowledge. That part of the job is much more
compelling than poring over extensive activity logs.

5. Prove your value — and the value of future investments.
CISOs are great at a lot of things, but demonstrating our value isn't
always one of them. For many years, security was neglected. Only in the
last decade has it come into its own, and only in the last couple of years
has it really entered the broader public consciousness. Now we need to take
another step toward connecting the dots between risk and value.

When we hear that competitors, customers, or peers have experienced
breaches, we should alert management. If a company similar to yours lost
customer data or intellectual property, or was hacked because of software
you have in common, brief management on that too. Build a case study or a
presentation to demonstrate how your architecture can (or did) prevent a
similar attack.

Ditto when things happen in your own network. When your defenses detect a
ransomware attack, it demonstrates the value of management-approved
investments. The endpoint security software you bought detected the attack
within 100 milliseconds. Your AI correlation engines pushed the fix back
into the email filtering system. The backup system just paid for itself
because you were able to recover the lost work and the copy was only three
hours old. The system worked. You won.

And if you didn't win, what mitigations could have prevented the loss?
Management should know that too, so they have a clear understanding of
where to invest next.

Commit to Making It Happen
So what's the point of all this? First, you need to close the time gap.
Going 200 days until detection of an intrusion isn't acceptable when it's
possible to detect many threats in 150 milliseconds and fan out a
protection to every machine in the enterprise in another 150 milliseconds.

And second, organizations can only achieve that level of effectiveness when
the CISO and upper management commit to embracing automation. Yes, it takes
engineering, technical knowledge, and the right gear. But in the end, it's
the commitment by the organization that makes it all work.