Strategic Insights: Securing Information in an Unsecure World (Montreal)
A wealth of excellent information on a variety of IT security issues was presented at The IT Media Group (ITMG) Strategic Insights breakfast “Securing Information in an Unsecure World”, held November 20 in Montreal.
The session was hosted by John Pickett, VP, Executive Programs, ITMG, who interviewed guest experts Neils Johnson, Principal Technologist for Symantec, Matt Broda, Technical Fellow – Security with Bell Canada, and Sébastien Lapointe, Information Security Officer, National Bank of Canada.
Attendees included senior IT and security executives from a dozen leading organizations in a variety of industries. Highlight topics include: Security and the business; Shifting security priorities; Instilling a culture of security; Mobility and Cloud; Data classification issues; Business lines bringing in technology; Present and future threats.
IT and security executives interested in attending future IT Media Group events can receive invitations by becoming a VIP subscriber.
Comments in this highlights document have been edited for publication.
Security and the business
Lapointe: There are a lot of people you have to interact with when you are trying to do what you think is the right thing in managing the security risk in your organization. People have different perspectives on how security should be done. The operational people will say “this is the tool we need” because there are certain threats out there. That's fine, but what about the business? Where is the business going and where are the risks in your organization? The basic challenge is to make sure you talk with everybody; find out everybody's concern, especially the business. And speak the business language.
Shifting security priorities
Johnson: In the past we have thought of security in terms of infrastructure, of devices, of hard tangible stuff. We’ve thought of it in terms of firewall and intrusion detection and antivirus and those kinds of things. We still have to do that – we can't take our eye off that ball – but today the priority can no longer be on the infrastructure; it has to be on the information at rest and moving through the infrastructure. I don't care how good your staff is, all data in the clear is vulnerable. So now we have to have an intelligent clarifying conversation around risk tolerance. What can we afford to have exposed; what can we not? The stuff that cannot be exposed has to be encrypted.
Will encryption become a thing of the past? Yes it will, but not today. So we need to be looking down the road and saying where are the bad guys going and what are the preemptive strikes we need to make for tomorrow?
Broda: There are two components to the problem. One is situational awareness, which basically means you know what's going on. And today, arguably, many organizations don't. And the other problem is the community defence. You can no longer afford to go it alone. You need to figure out how to protect whole supply chains and whole verticals and countries, because that's where the game is played today. The attackers are getting stronger because they're motivated by business reasons. So first of all, beef up your situational awareness. Take advantage of all these information sources and understand what is happening in your network. What does it mean? What is happening to your neighbors in the same vertical and potentially other companies that you're working with? That's where the technology comes in. That's a lot of information. You're dealing with overload, and you're still dealing with very few really good security resources and people. So you need to put in some smart technology to collect all this information and then analyze it.
Once you get the situational awareness, you get this really good cyber-threat intelligence on what's happening in your business, and you get it to the level where you can understand who is against you, who your adversaries are, what their modes of operation are, and you're able to anticipate the attacks and redirect your defenses where they are needed. That's when you can get to the point of actually creating smart defence around your organization at many levels. Bell is now putting in place additional defences which we can do upstream in our network, blocking some of the bad stuff at the borders of Canada.
Instilling a culture of security
Lapointe: It's not a one-size-fits-all when you want to train your people. For some people, security is just a compliance thing, and annually they'll say, “I read the documents and did the computer-based training on my Internet”. We have to make sure we get their attention and say to them: in your day-to-day job these are your risks. How are you going about things? Do you realize that this could put the organization at risk, that you could lose your job, that you could affect the company's reputation? You have to adapt your security awareness program to your clientele and make sure you have focused on those that are more at risk. And make sure you listen to them if they have complaints. By listening to them first, you can build credibility, so that they understand that you’re here not just to restrict them and be a watchdog, but to work with them and add value.
Mobility and Cloud
Broda: These days, with BYOD and Cloud, a lot of your data and business activity resides outside of the security perimeter. The kids are playing in the fields outside the castle walls. What do you do to protect them? It's a policy issue because change is what the CISO and the security organization need to be doing. They need to learn how to deal with SLAs, to deal with contracts, relying on other parties to provide them with security benefits without influencing how they are derived technically. Compliance also comes to mind. Compliance is a big issue but still I see a lot of organizations that are looking at compliance in terms of, okay, let's do compliance, let's tick the box, now I'm secure. But there is a flaw in that argument – a step missing. Meeting compliance requirements does not equal being secure. It doesn't equal having a functioning security management system. You ticked the box but you still may have major holes in your security defences. So compliance should follow good security practices, not lead them.
Lapointe: Mobility is at our door and now we have to manage it. We have to have clear policies and communicate to our people what the expectations are. We can’t start wiping out people's data on their personal phone. There are solutions that can manage containers on the devices and obviously we have to get there. We can’t simply lock everything because young people want those nice tools and they want to be efficient in doing their work. So we have to enable them but we also have to put on the right set of controls to make sure we enable the right policies and measures in order to have the appropriate level of risk.
Johnson: In the very near future we see two-factor and three-factor authentication being a bit archaic simply because of where the bad guys are attacking: not just on the device but along the pipes. They will still be part of the process but there are other stronger processes coming down the road. For example, your signature could end up being as good as or better than your user name and password, considering the biometric capabilities on mobile devices these days. Tomorrow there is absolutely going to be the need of integration or inter-connectivity between policy and data classification and authentication/authorization – who gets access to what, and what do they need to happen when they get there? And that's going to be part of the solution when it comes to BYOD.
Data classification issues
Lapointe: It's one thing to classify data but now it’s getting spread all over the place. You don't know where that data actually is and it's hard to tag that classification to the data throughout its whole life cycle. I'm up for a data-centric approach – it's the way to go – but it can be messy when you have all those marketing people spreading it out all over the place.
Johnson: Every time the crown jewels are replicated or duplicated or backed up somewhere you have just doubled or tripled or quadrupled your security requirements. Who cares where it happens to sit, it's still just as important. Do you really think the bad guys care whether they steal the crown jewels from over here or over there? Let's get down to the critical mass as far as what we need and what we don't need. So cleaning up the environment is step one. The second step is doing whatever is necessary to eliminate people from the process. People are probably our biggest enemy. We are collectively inefficient, ineffective, and error-prone. So if we can put tools in place that provide a high level of automation around discovering where that data happens to be resting in its various forms and that makes the heavy lifting of doing data classification very easy, we should implement them.
Lapointe: Ownership of the data is also very important. Classifying that information shouldn't be an IT thing. We can provide the guidelines for classification but the business lines should have ownership of the data and be responsible for it. And if it gets duplicated, the line-of-business owner will have to authorize it and know where it's going.
Business lines bringing in technology
Johnson: When the business wants to implement a Cloud solution, I would sit with the security team and the business unit and I would have a lengthy heart to heart conversation about developing a long list of hard, arduous questions that we are going to ask the Cloud service provider before we put the first thing up there. I want to know about security, about disaster recovery, about business continuity, about compliance. I want to know about the big technical questions. Is our stuff going to be isolated or are you going to co-mingle it with everybody else's data and just put a marker in there? I want a laundry list of questions and I'm going to have the right answers to them before I'm going to choose that Cloud service provider. And I want to make sure that what I'm getting back is in alignment with our internal policies, our internal structure. If there is not some alignment then why bother?
Broda: There’s another step even before that happens, because many organizations are using the Cloud already; they just don't know it. Their employees say, “Hey Joe, can you send me that file?” “Yes I can but it's too big. I'll just put it in Dropbox.” Stuff like that. And there's a whole cottage industry that grew out of that – companies whose sole purpose in life is to help you get the telemetry of who is using what, when and how. So you have to figure out what Cloud assets you currently run and start controlling them. Sometimes the policy is the easier part; the difficult part is figuring out what's actually happening today, because you may already have both feet in the Cloud, you just don't realize it yet.
Present and future threats
Johnson: There are 19 new exploitable vulnerabilities every day, so today it's not only about security technology, but more importantly it's about the intelligence sitting behind that technology. When the vendor says we have this really good stuff, your question to them is, “How does it know what to look for? Tell me about your intelligence systems that are saying, hey, go out and look for this." Today the bad guys are taking their development teams and breaking them up into five subsets. Number one is reconnaissance; they have tools that look for those 19 new vulnerabilities. When they find one they pass that information off to a team that just writes code to do the incursion. Once in, another team does nothing but map the asset. If it's encrypted, they don't go any farther. Once the asset has been mapped, another team prepares that data for exfiltration. The fifth team does the exfiltration, and it comes in one of three flavors: grab it and pull it out like a bull in a china closet; drive a tap into it and bleed it, because it's the gift that keeps on giving; or overwrite it with ones and zeros because the hack was socio-politically motivated. So today it's about technologies understanding what's going on collectively. Tomorrow we see the need for organizations of any size to have developed what we call an information fabric, which says I'm going to take a feed from every piece of my infrastructure, every endpoint, every technology on the information management side, on the security side, on the compliance side. Every piece is going to have to give its portion of this bigger multifaceted story to what is called a central point of truth, and that central point of truth is going to have to run the analytics, the diagnostics, to understand what the attack is actually about.
Broda: From a regulatory perspective, there are some things that are coming up. For instance, if you look at Europe and the US you're seeing more and more service providers getting into the business of identifying customers who have been infected and then helping them remediate. There is more and more focus on providing features that will either anonymize traffic or protect the customer traffic. From the Canadian perspective, we haven't gotten to that point yet. There are both technical and regulatory battles happening right now. There are privacy issues whereby we can act on information only to a certain extent and beyond that we can't really do much. But there is active work happening in Canada from a policy perspective to enable the service providers, for instance, to be in a better position to protect customers, and do things like notify a customer when they have been infected or their PC is part of a bot net, and then have them remediate.
Session Highlights Videos
Preparing for next-generation threats
The malicious forces seeking to break down your information security barriers are well organized and constantly improving their arsenal. It's important to keep one eye on the future and be prepared for it.
Mitigating Risks
Focus is moving from infrastructure protection to information, and data classification.
Post session interviews
Neils Johnson, Principal Technologist, Symantec Corp.
Matt Broda, Technical Fellow - Security, Bell Canada
About CIO Strategic Insights Breakfasts
These sessions, produced by The IT Media Group, follow the form of a talk show in which The IT Media Group's VP of Executive Programs interviews subject-matter expert 'guests'. These highly-intractive sessions also engage attendees through questions and discussion with the panel members. Strategic Insights breakfasts are designed for small groups of IT leaders to gain new perspectives on common issues and to network with peers.
IT executives interested receiving notification of upcoming events produced by The IT Media Group, please complete the VIP membership form, including business email address.