Social Network For CISO (Chief Information Security Officers)
It is important to understand the new trends emerging among cyber security experts so that you can properly protect your organization. The following are some key trends you need to be aware of.
1) Data correlation. Before adding more devices to a network, perform data correlation across the existing devices first. Networks are becoming so complex that no single device can give enough insight into what is happening across an organization. To understand both normal and anomalous traffic, data has to be correlated across all critical devices. Each device and server holds a piece of the puzzle, and only by putting the pieces together can an organization understand what is really happening and take appropriate action.
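As an added example (not part of the original article), the Python script below correlates three constructed log sources, a firewall, an IDS and an application authentication log, by source IP inside a ten-minute window. The log formats, hostnames, user names and rule thresholds are assumptions made for illustration, and the IP addresses come from documentation ranges. Individually, a few denied ports, one IDS alert and one successful login are routine noise; seen together for the same source they describe an intrusion in progress.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data). Each format is a simplified
# stand-in for a firewall, IDS and application-auth log; IPs are from
# documentation ranges and hostnames/users are fictional.
FIREWALL_LOG = """\
2024-03-01T09:58:02Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T09:58:03Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
2024-03-01T09:58:04Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445
2024-03-01T09:58:05Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443
2024-03-01T10:01:11Z fw01 ALLOW src=198.51.100.9 dst=10.0.0.5 dport=443
"""
IDS_LOG = """\
2024-03-01T09:59:40Z ids01 alert sig="Web login brute force" src=203.0.113.7 dst=10.0.0.5
"""
AUTH_LOG = """\
2024-03-01T10:01:30Z app01 login_success user=asmith src=198.51.100.9
2024-03-01T10:02:15Z app01 login_success user=jdoe src=203.0.113.7
"""

# Map each source's own event name onto one shared vocabulary so the
# correlation rule does not care which device an event came from.
KIND_MAP = {"DENY": "fw_deny", "ALLOW": "fw_allow",
            "alert": "ids_alert", "login_success": "auth_success"}
WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse_line(line):
    """Turn 'TS HOST TYPE key=value ...' into a normalised event dict."""
    tokens = shlex.split(line)          # shlex keeps quoted values together
    event = {
        "ts": datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ"),
        "host": tokens[1],
        "kind": KIND_MAP.get(tokens[2], tokens[2]),
    }
    for token in tokens[3:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def load_events(*logs):
    """Parse every non-empty line of every log into one event list."""
    return [parse_line(l) for log in logs for l in log.splitlines() if l.strip()]


def correlate(events, window=WINDOW):
    """Emit a composite alert when, for one source IP, a port sweep (>= 3
    distinct denied ports) and an IDS alert precede a successful login
    within `window`. Each piece alone is routine noise."""
    by_src = defaultdict(list)
    for e in events:
        if "src" in e:
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for anchor in evs:
            if anchor["kind"] != "auth_success":
                continue
            recent = [e for e in evs if anchor["ts"] - window <= e["ts"] <= anchor["ts"]]
            swept = sorted({e["dport"] for e in recent if e["kind"] == "fw_deny"})
            ids_hits = [e["sig"] for e in recent if e["kind"] == "ids_alert"]
            if len(swept) >= 3 and ids_hits:
                alerts.append({
                    "src": src,
                    "user": anchor["user"],
                    "swept_ports": swept,
                    "ids_signatures": ids_hits,
                    "login_at": anchor["ts"].isoformat(),
                })
    return alerts


def run_demo():
    """Correlate the three constructed logs; returns the composite alerts."""
    return correlate(load_events(FIREWALL_LOG, IDS_LOG, AUTH_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running it yields exactly one composite alert, for 203.0.113.7 logging in as jdoe after sweeping three ports and triggering the IDS; the second user, whose login was preceded by nothing suspicious, is not flagged. In a real deployment the same join would run in a SIEM over normalised events, but the shape of the rule is the same: anchor on the high-value event and look back across every device for the pieces that explain it.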
2) Threat intelligence analysis. Many products in the security industry are becoming commoditized. Most consoles and network devices work in very similar ways; the key differentiator is having accurate and up-to-date threat data. Organizations cannot fix every risk, so as risks grow, effort has to be focused on the attack vectors actually being used. To mitigate threats you have to adapt to them: a growing theme is that the defense must learn from the offense. Threat must drive the risk calculation so that the vulnerabilities that matter are addressed first. Only with accurate threat data can the real avenues of exploitation be closed.
3) Endpoint security. A cyber security expert needs to protect all facets of the operation. As more devices become portable, the endpoint becomes more critical. In terms of the data it holds, there is little difference between a server and a laptop: the server might have more data, but laptops still carry a significant amount of critical information. The server, however, sits on a well-protected network, while the laptop is usually connected directly to untrusted networks, including wireless. We therefore need to move beyond traditional endpoint protection and focus on controlling, monitoring and protecting the data on the endpoints themselves.
4) Forensics (proactive rather than reactive approach). Attacks are so damaging that once an attacker gets in, it is already too late. In addition, given the volume of email, file, network and database evidence that has to be analysed after the fact, purely reactive forensics is very difficult, if not impossible, for any cyber security expert. More energy and effort therefore needs to go into proactively identifying problems and avenues of compromise before major impact is caused to the organization. With the amount of intellectual property being stolen and the reputational damage that follows, proactive is the only way to go.
The author of 'Linux Forensics', Dr. Phil Polstra, is conducting a hands-on forensics course at SACON.
5) Signature detection (signature-less is the better approach). Signature detection used to work because malicious code did not change and large-scale exploitation took a while to occur. Signature detection is still effective at catching some attacks, but it does not scale to the advanced persistent threat (APT) activity that continues to occur: a repacked sample has a new hash long before a signature for it reaches the sensor. Therefore signature detection must be coupled with behavioral analysis to prevent and detect emerging threats. Since new threats are constantly changing and persistent, only behavior analysis has a chance of dealing with them effectively.
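An added example, not from the original article: the Python below puts a signature check and a behavioural check side by side. The malware sample, its hash feed and the proxy log are constructed for illustration, and the jitter threshold and minimum connection count are assumptions a real deployment would tune. A single appended byte is enough to defeat the hash match, while the same implant's regular beaconing is flagged regardless of what its binary hashes to.

```python
import hashlib
import statistics
from collections import defaultdict
from datetime import datetime

# --- Signature side -------------------------------------------------------
# Constructed stand-in for a malware sample and the hash a feed would publish.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00 fake dropper v1 -- constructed bytes, not real malware"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}
# One appended byte: same behaviour on the host, different hash.
REPACKED_SAMPLE = KNOWN_BAD_SAMPLE + b"\x00"


def signature_match(payload):
    """Classic IOC match: exact SHA-256 in the blocklist."""
    return hashlib.sha256(payload).hexdigest() in KNOWN_BAD_HASHES


# --- Behavioural side -----------------------------------------------------
# Constructed proxy log. 10.0.0.21 beacons to one host about once a minute;
# 10.0.0.33 is a person browsing, with irregular gaps between requests.
PROXY_LOG = """\
2024-03-01T10:00:00Z proxy01 src=10.0.0.21 dst=cdn-update.example.net bytes=412
2024-03-01T10:00:05Z proxy01 src=10.0.0.33 dst=www.example.com bytes=18233
2024-03-01T10:00:09Z proxy01 src=10.0.0.33 dst=www.example.com bytes=9020
2024-03-01T10:01:00Z proxy01 src=10.0.0.21 dst=cdn-update.example.net bytes=415
2024-03-01T10:02:01Z proxy01 src=10.0.0.21 dst=cdn-update.example.net bytes=410
2024-03-01T10:02:59Z proxy01 src=10.0.0.21 dst=cdn-update.example.net bytes=413
2024-03-01T10:03:40Z proxy01 src=10.0.0.33 dst=www.example.com bytes=44120
2024-03-01T10:03:41Z proxy01 src=10.0.0.33 dst=www.example.com bytes=1200
2024-03-01T10:04:00Z proxy01 src=10.0.0.21 dst=cdn-update.example.net bytes=411
2024-03-01T10:05:01Z proxy01 src=10.0.0.21 dst=cdn-update.example.net bytes=414
2024-03-01T10:07:10Z proxy01 src=10.0.0.33 dst=www.example.com bytes=5310
"""


def parse_proxy_log(text):
    """Yield (timestamp, src, dst) for each constructed proxy line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        kv = dict(f.split("=", 1) for f in fields[2:])
        yield datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ"), kv["src"], kv["dst"]


def find_beacons(events, min_connections=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose inter-connection gaps are suspiciously
    regular: coefficient of variation (stdev / mean) below `max_jitter`.
    People and normal software produce bursty, irregular gaps; an implant on
    a sleep timer does not, whatever its binary hashes to. Thresholds are
    assumptions for this example."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv < max_jitter:
            flagged[pair] = {"connections": len(stamps),
                             "mean_gap_s": round(mean, 1),
                             "jitter": round(cv, 3)}
    return flagged


def run_demo():
    """Run both detectors over the constructed inputs."""
    return {
        "signature_hits_original": signature_match(KNOWN_BAD_SAMPLE),
        "signature_hits_repacked": signature_match(REPACKED_SAMPLE),
        "beacons": find_beacons(parse_proxy_log(PROXY_LOG)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The signature catches the original sample and misses the repacked one; the beacon detector flags only the 10.0.0.21 to cdn-update.example.net pair (six connections about sixty seconds apart, jitter around 2%), and leaves the browsing host alone. Real implants add random sleep jitter precisely to defeat this kind of check, which is why behavioural detection is a set of overlapping heuristics rather than a single rule.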
6) End users are the prime target and will remain so. Everyone likes to focus on the technical nature of recent attacks like WannaCry and Petya, but when you perform root cause analysis on most targeted intrusions, the entry point is a user, someone who is not a cyber security expert, clicking on a link they were not supposed to. After that the attack may become very sophisticated and advanced, but the entry point for many attacks is traditional social engineering: spear phishing that tricks the user into performing an action they are not supposed to. You will never get 100% compliance from employees, but organizations need to put energy into awareness because the short- and long-term benefit is real.
7) Data encryption is good but not enough; key management is what matters. Crypto is the solution of choice for many organizations, but they fail to realize that crypto does no good if the keys are not properly managed and protected. Crypto has quickly become painkiller security because organizations focus on the algorithms and not on the keys. The most robust algorithm in the world is worthless without proper management of its keys. A great deal of the data stolen from 'encrypted' databases was recoverable because the keys were stored directly alongside the encrypted data.
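An added example, not from the original article: envelope encryption in Python using only the standard library. The `KeyService` class is a hypothetical stand-in for a KMS or HSM, and `seal`/`open_` form a toy HMAC-SHA256 authenticated cipher used only so the example runs without third-party packages; production code should use AES-GCM or another vetted AEAD. It contrasts the layout the paragraph criticises, the data encryption key (DEK) stored in the same row as the ciphertext, with one where each row's DEK is wrapped under a key encryption key (KEK) that never leaves the key service.

```python
import hashlib
import hmac
import secrets

# Toy AEAD built on HMAC-SHA256 so the example runs on the standard library
# alone: HMAC as a PRF generates a CTR-style keystream, then a second HMAC
# authenticates nonce, associated data and ciphertext (encrypt-then-MAC).
# It stands in for AES-GCM; use a real AEAD from a vetted library in production.
def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream_xor(enc_key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _prf(enc_key, nonce + (i // 32).to_bytes(4, "big"))
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def _tag(mac_key, nonce, aad, ct):
    # Length-prefix the AAD so (aad, ct) boundaries cannot be shifted.
    return _prf(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct)

def seal(key, plaintext, aad=b""):
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + _tag(mac_key, nonce, aad, ct)

def open_(key, blob, aad=b""):
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, aad, ct)):
        raise ValueError("authentication failed")   # tampered, or wrong key
    return _keystream_xor(enc_key, nonce, ct)


# Anti-pattern from the text: the DEK sits in the same row as the
# ciphertext, so a database dump is as good as plaintext.
def store_insecure(plaintext):
    dek = secrets.token_bytes(32)
    return {"ciphertext": seal(dek, plaintext).hex(), "key": dek.hex()}


class KeyService:
    """Hypothetical stand-in for a KMS/HSM. The KEK never leaves this
    object; callers only get wrap/unwrap, bound to a key identifier."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek, key_id):
        return seal(self._kek, dek, aad=key_id.encode())

    def unwrap(self, wrapped, key_id):
        return open_(self._kek, wrapped, aad=key_id.encode())


# Envelope encryption: each record gets its own DEK; the row stores the
# ciphertext plus the DEK wrapped under the KEK held by the key service.
def store_envelope(kms, record_id, plaintext):
    dek = secrets.token_bytes(32)
    return {
        "id": record_id,
        "ciphertext": seal(dek, plaintext, aad=record_id.encode()).hex(),
        "wrapped_dek": kms.wrap(dek, record_id).hex(),
    }

def read_envelope(kms, record):
    dek = kms.unwrap(bytes.fromhex(record["wrapped_dek"]), record["id"])
    return open_(dek, bytes.fromhex(record["ciphertext"]), aad=record["id"].encode())


def recover_from_db_dump(record):
    """What an attacker holding only the database row can decrypt."""
    if "key" in record:                      # insecure layout: key is right there
        return open_(bytes.fromhex(record["key"]), bytes.fromhex(record["ciphertext"]))
    return None                              # wrapped DEK is useless without the KEK


def run_demo(secret=b"4111 1111 1111 1111"):
    kms = KeyService()
    good = store_envelope(kms, "customer/42", secret)
    bad = store_insecure(secret)
    # A modified ciphertext must be rejected, not silently decrypted to garbage.
    tampered = dict(good)
    raw = bytearray(bytes.fromhex(good["ciphertext"]))
    raw[20] ^= 0x01
    tampered["ciphertext"] = raw.hex()
    try:
        read_envelope(kms, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "envelope_roundtrip": read_envelope(kms, good) == secret,
        "dump_leaks_envelope": recover_from_db_dump(good),
        "dump_leaks_insecure": recover_from_db_dump(bad),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(run_demo())
```

With the insecure layout the dump alone yields the card number; with the envelope layout it yields nothing, and the legitimate path still round-trips because the application can ask the key service to unwrap. Binding the record id into the AAD also means a wrapped DEK copied from one row to another fails authentication instead of decrypting the wrong data.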
8) Cloud computing security is still a pain point. Even though there are numerous concerns and security issues with cloud, not even a cyber security expert can argue with free. As companies continue to watch the bottom line, more of them are wondering why they are in the data center business at all. Moving to public and private clouds can lower costs and overhead; however, as with most things, security will not be considered until after there are major problems. Attackers will always focus on high-payoff targets, so as more companies move to the cloud, the attack methods and vectors aimed at it will multiply.
9) Protocols. As the Internet continues to grow and be used for everything, new protocols will keep emerging. The problem is that the traditional model of deploying new protocols no longer works. In the past, a new protocol was developed and took a long time to achieve mainstream usage, which allowed the problems to be worked out and security to be properly implemented. Today a new protocol is adopted so quickly that its problems are only identified after there is widespread use, which quickly leads to widespread attacks.
10) Integrated/embedded devices. Not only is technology being integrated into almost every component, more functionality is being moved down to the hardware level. Beyond the obvious implication of having more targets to go after, embedded devices create a bigger problem for a cyber security expert: it is much harder to patch hardware than software. If software has a problem, you can ship a patch. If hardware has a vulnerability, it takes far longer to fix, and the weakness remains part of the attack surface in the meantime. ATMs and the smart grid are good examples of items 9 and 10 combined.