KNOWLEDGESTREAM AT-A-GLANCE
The Future of Cyber Security in Transforming Business
ABSTRACT
The pace of cyber security threats is accelerating faster than most people realize. With the emergence of new technologies and the explosion of endpoints via mobility and IoT, it is almost impossible to stay current. We're assembling an ongoing Discovery Board of industry leaders, including CISOs, compliance officers, consulting practice leaders, and CTOs/CIOs, to explore best practices. A few themes that may be explored include, but are not limited to:
- Architecting for IoT security
- Malware prevention
- Authentication best practices
- Disaster recovery
- IT security roadmapping
- Compliance and risk
- Scenario vetting and planning
- Data governance
- Blockchain
End Date: Dec 14, 2018
CONTRIBUTIONS
ACTIVITY
429 Days
24 Themes
59 Contributors
1300 Posts
1338 Comments
580 Followers
OUTPUTS
11 Slide Decks
3 Videos
THEME #1
People vs. Technology in transforming businesses
THEME #2
Today's Cybersecurity Breaches
THEME #3
Cybersecurity game changers
THEME #4
Should companies invest in blockchain now or wait a few more years? If yes, how? If wait, why?
...efforts to develop and expand BC's application breadth and depth should be going on very actively, minus the hyperbole and sales-speak.
...blockchain is not only a currency, but may become more, for example by bringing more transparency to the supply chain.
THEME #5
Are companies adequately addressing IoT risks?
Every company wants to utilise the latest technologies like IoT but gives security less priority, and because of this they get compromised.
IoT will bring forth millions of connected devices that are typically less rigorously security-hardened and optimised by the vendor, and thus the threat vectors increase.
THEME #6
Security consulting -- Teaching to fish or just driving the boat?
Security is everybody's responsibility - a global truth. Now there are two parts to security:
1. Business security - from CxOs to employees disclosing IP or secrets unintentionally, NDAs, human errors, etc.
2. Tech security - breaches due to technologies, cyber attacks, ransomware, etc.
THEME #7
Meltdown and Spectre -- The biggest impact is to security or to IT?
Drawing so much attention to this draws our attention away from the more immediate operational risks right in front of us, and quite possibly places us at greater risk from things much more readily exploited.
THEME #8
What is the biggest challenge facing CISO's today?
THEME #9
Security Orchestration and AI to address talent shortfalls?
THEME SUMMARY
We're not there yet as a full replacement. AI/ML today is most powerful when it augments and empowers analysts. Risks include talent development and hijacking of automated processes.
- Not all organizations are ready for AI/ML - this is an evolutionary, not revolutionary, technology
- The first AI/ML use cases in security will be to augment and expand the performance of human analysts
- Before pursuing AI/ML organizations need to determine their talent development strategies
- Organizations need to evaluate the risks of automation or hijacking automated processes
THEME #10
How have ransomware attacks changed the risk equation for organizations?
THEME SUMMARY
Organizations, regardless of size and capabilities, must plan to deal with ransomware attacks. Three out of four respondents to our survey think that the risk has increased or is now the highest risk.
- Ransomware forces organizations to deviate from their standard asset-based risk logic
- Ransomware is now blurring the lines between nation-state and criminal motivations
- While the risk appears manageable on paper (patching), the reality for many organizations is that the risk must be balanced with other organizational realities
THEME #11
Cyber incidents in the news - help or hindrance?
THEME SUMMARY
The challenge of communicating incidents to leadership is that they must be communicated positively, and recommendations need to be actionable and realistic.
- Regulations present a new component of consideration
- Balance executive fear, uncertainty, and doubt (FUD) with the need to communicate action positively
- One effective communication strategy: what we can learn from what happened at X company
Learn from others' mistakes
Security organizations can leverage cyber incidents in the media by:
- anticipating cyber incidents
- verifying the efficacy of enterprise practices
- concentrating needs on the worst incidents
THEME #12
Mergers, acquisitions, and divestitures - oh my!
THEME SUMMARY
IT security is becoming a more prevalent risk factor considered in a merger, acquisition, or divestiture. Organizations are using third parties to effectively manage their risk.
- Both organizations need a REALISTIC assessment of their capabilities - sometimes a third party can help
- There will be a surge in activities - regardless of whether the activity is a merger, acquisition, or divestiture (MAD) - in which a third party could provide short-term staffing
- Once organizations know their capabilities, nailing the transition plan is CRITICAL to success
Get your plan right
The most important activity was securing a transition agreement that allows/requires both entities to work closely together for a 3-6 month period post-close.
A good analysis of the apps, infrastructure, and the network is a must before you close the deal. Sometimes you pay more for band-aids than the real remedy.
Third parties can help
I have seen a few uses of a team of digital experts who act as a third party under strict confidentiality requirements. The concept is commonly used in evaluating customer contracts between competing entities without divulging critical information.
The company's IT pros must therefore be brought in to bring their expertise to bear on the discussions of these elements, complemented by a third party to objectively assess the validity and potential impact of the identified and derived risks, to which IT will also contribute.
THEME #13
Hit the bench(mark)
THEME SUMMARY
Benchmarking, like many security activities, is a necessary evil for organizations. Benchmarking, if done properly, explains risk to leadership, identifies best practices, and ensures compliance.
- Compliance with standards (ISO, NIST, GDPR) should be the baseline benchmark
- Corporate boards in particular have an interest in benchmarking to communicate and understand risk
- Instead of benchmarking technologies and documentation, organizations should benchmark their practices
- Benchmarking without acting on the findings, good or bad, is a wasteful exercise
Compliance and Standards - the baseline
Thus my experience with benchmarking is rather mixed: the first did not work due to the rigidity of the artificially established parameters of the OB, and the second one did not work well enough due to the individualized nature of the applied solution.
Standards and compliance, because they cover a broad array of scenarios relative to cybersecurity, provide only directional guidelines and may indeed not appear to be prescriptive enough.
Benchmarking without action is a paperwork exercise
As I keep reading through all of the posts here, one thing that keeps coming back to my mind is that benchmarking among all other criteria (security / compliance audits, etc...) is only useful if one actually makes use of the intelligence that is derived from said benchmarking.
Good benchmarking communicated properly communicates organizational risk
What is "becoming" is the wider acknowledgement of this crucial factor by those in governance positions who finally grasp its true importance (rather than the "techno-druidic" status it once had).
It's not uncommon to hear people talk about culture metrics or benchmarks without first defining what culture even is. The result is imprecision and confusion, and it perpetuates the idea that culture is subjective and fuzzy, an unreliable target of analysis.
Static to Dynamic - Away from benchmarks to best practices
THEME #14
Communicating the value of Security
THEME SUMMARY
Security organizations are moving away from low-value compliance-focused and break/fix operations to helping the business manage cyber threats as part of a broader risk portfolio.
- There is a continuous race between organizations and hackers. One side wants to build up a (fire)wall and the other wants to identify the weak brick
- Security as a bottom-line business value proposition is the key to allowing the business decision-makers and the IT department to work toward a common goal.
One of the most successful ways to get employees engaged in the learning process is to let them know what you are sharing is relevant at work and in their personal lives.
It gives you an opportunity to get more folks engaged (sad but true) and they truly seem to dig in to the information you are sharing.
Once you have that engagement it's key to keep the messages flowing from a 'we are here to help you' perspective - rather than a punitive approach. At the end it's all about engagement -- and increased engagement is a key message for the business.
THEME #15
There is a move among many firms away from AntiVirus to End Point Protection.
THEME SUMMARY
Disparate, unconnected point solutions may be effective individually, but leave much to be desired in terms of cohesiveness of operation and clarity of findings/feedback.
- A "dashboard" through which to display conditions and alerts in a synoptic manner is often desired by those managing this function in order to simplify monitoring and response initiation.
- I think the biggest winners will be those companies with a full line of such products that get integrated into such a platform, whether on-prem or cloud-based. Those that do not will likely be the losers
Sadly, there is no clear definition of what constitutes EP. Is it AV, Anti-Malware, Anti-Ransomware, Firewall, Phishing Protection, Browser Protection, etc... It would be helpful for a standards based organization to cleanly define EP.
Vendors are not willing to reveal how their platform works except to say it is based on Machine Learning or Artificial Intelligence.
NG vendors are famous for making outrageous claims about their product but will not allow independent testing. I personally know researchers who have received legal action from NG vendors because they were exposing flaws. Again, flaws are what we, as security professionals, need to know.
Despite all the statements about the death of AVs, their makers keep selling huge numbers of them and updates to them.
As mentioned in the article, it is difficult to have a 100% solution for everything, and indeed AV firms are changing to adapt to the new scenario.
They are trying to add a new layer of security. The idea is to have a kind of internal machine learning studying users' behaviours detecting anomalies. Someone stated that blockchain could be the future of AV.
THEME #16
As our next theme I would like to speak of a new breed of cybersecurity products that have new, innovative capabilities
THEME SUMMARY
Even if there are vendors on the market doing a great job of advancing their products at warp-speed evolution, your business may be locked in, thus facing vulnerabilities current products don't address
- I’ve seen this play out before when, in emerging markets, many players come to bear followed by mergers, acquisitions, and disruption. Who do you commit to during times like this?
- AI is key for Cyber Security and Hackers. One side implements a smarter and faster AI, then the other side gears up with something better. One to bypass the virtual wall, the other to make it stronger
Are they really "next generation"? These platforms take days if not weeks or months of tuning. It can be a full-time position for someone just to tune the platform. For me, that is not "next generation" it is job creation at a time when the products shoul
The terms are being used interchangeably by marketers. They are not the same function. Cybersecurity vendors are pitching their solutions as "next generation" because they use machine learning. Which, I guess you can argue that is true. But how many are a
Machine Learning cannot determine new threats that it has not seen in its data set. It only knows and understands what is in that data set.
Artificial Intelligence is similar to Machine Learning in that it learns via a data set. The biggest difference is that it can make an assessment of the new malware.
THEME #17
Many firms are turning to Unified Compliance as an approach to optimize their efforts and investment
THEME SUMMARY
A Unified Compliance approach can bring many efficiencies to cybersecurity, but at what cost?
- A unified approach can bring efficiencies by eliminating redundancies and providing an organized approach to ensuring complete coverage of all required scope.
- However, it often leads to adopting a single vendor rather than a best-of-breed set of solutions, which many times leads to an inferior selection of products in one or more areas.
Unifying these functions into a single platform for the sake of efficiency and economy is fine, so long as each function is not compromised by the presence of the others
Correctly performed systems integration and dashboard construction could provide the same service visibility and operations efficiency, though with greater initial effort, across existing platforms.
Such things seem to reflect an attitude on the part of "business" that is an annoyance that we can sublimate through enough tools and layers, and the more automation the better (IOW - cheaper).
The reality of organizational maturity is that the overall mix of capabilities (infrastructure and development) blended with improved operational capacity allows us to begin considering utilizing unification. But there are more pieces to this than simply
THEME #18
Crowdsourced Approaches to Cybersecurity
THEME SUMMARY
Many firms are using a form of crowdsourcing referred to as bug bounty programs as a means of attracting outside talent to help debug their programs before they are released to the market
- with the proper best practices and controls in place, a bug bounty program can produce the desired results
- it takes a lot of pre-planning and oversight and must be run by experienced staff to be successful, and the individuals you engage must have proper background checks
Clear well thought through Rules of Engagement and a controlled environment are key to having a Successful Bug Bounty Program
Good to keep it with a team you can vet since you can involve the internal technology team in the process. This helps eliminate some of the defensiveness that can occur when the outside group starts reporting issues.
It's helpful to provide the external folks visibility into releases and change management so they have a feel for what might have changed since the exercise last occurred.
The independent and unbiased outside views usually lead to identification of design and implementation flaws in the solution that usually get missed internally by resources
Good point on the signal-to-noise ratio of feedback; was concerned about that too. The quality of feedback from crowdsourcing or bug bounties might not be as good as internally vetted efforts, but they also might find things that you otherwise won't find internally, so we need to strike a balance somehow.
Christopher Gebhardt, we funneled all the bug reports through the internal QA resources, and they were then folded into the existing process once validated.
THEME #19
How has the Impact of your adoption and use of Digital technologies impacted your Cybersecurity program?
THEME SUMMARY
The move to digital has made cybersecurity more complex and costly for all firms; however, it has hit the SMB market extremely hard.
- Firms in many cases are leveraging some of the same digital technologies, like AI, in their cybersecurity solutions to increase their capabilities and effectiveness to meet these new challenges
- Firms must be creative in evaluating the various options available to them, from on-premises to CSPs to hybrid, to determine what would be the best way to meet their firm's technological needs
For many of the smaller firms adopting and migrating to cloud is a necessary step to be able to compete and safeguard their operations
Complexities of new digital approaches have prompted many of my SMB clients to adopt cloud based environments. Toolsets available for managing these technologies (Microsoft Azure Suite, AWS, etc) make adopting cloud based technologies the only realistic option unless the SMB is resource rich.
This type of attack wins most of the time against human-based cybersecurity defense, since AI has the ability to learn and re-perform attacks automatically, non-stop, 24/7. There is no other choice than to defend the perimeter using 24/7 tools that also have the ability to learn.
One possible source of relief for firms is to pursue security standardization
What must occur is for companies to adopt a uniform standard for the assessments like the Cloud Security Alliance's CAIQ document.
The CAIQ is 250 questions of cybersecurity. If you were to go through it, it would answer all your questions so why send out a unique document that just asks the same questions (more often than not, poorly!)
THEME #20
Let's keep our great discussion on Digital & Cybersecurity going and change the focus towards skills & competencies
THEME SUMMARY
Cybersecurity demands are changing and growing and a large driver is new digital technologies
- Some cybersecurity products are actually leveraging new digital technologies like Artificial Intelligence in order to make the products more effective and adapt more quickly than humans can
- It's imperative that everyone, from new recruits through career security professionals, be given constant training to keep their skills and knowledge current so that they are effective in meeting new demands
Cybersecurity professionals, from new to mature resources, need a blend of basic to advanced certifications/training to keep current in their field
A blend of technical and soft skills is required for cyber security professionals to be effective
Technical skills: understanding of IoT and cloud security, AI and machine learning, malware protection, open source, application penetration and intrusion detection, DevSecOps, incident response
Personal (soft) skills: attention to detail, excellent communication skills, customer service, collaboration, curiosity and a passion for learning
THEME #21
Lets continue on the theme of digital & cybersecurity and do a deep dive on IoT
THEME SUMMARY
IoT brings with it many great advancements but at the same time it comes with many new cybersecurity threats & vulnerabilities
- One of the big reasons for these threats is a lack of a well thought through Architecture and best practices of how to use and deploy IoT securely
- Additionally as applications of this technology are still being identified we have not thoroughly identified the vulnerabilities that exist with the new uses of IoT
The threat landscape of IoT is growing quickly as we continue to evolve and deploy IoT; unless we make security a top concern, these vulnerabilities will rise exponentially.
I will suggest that the threat landscape has the potential to mushroom exponentially as the IoT adds an unimaginable amount of computing power to the mix, most of which won't be watched regularly by the owners.
And to Marsha Williams' point in her post, the lack of forethought by most of the people adding to this realm is only going to make it more challenging.
What improvements and best practices could we put in place to stem the tide of IoT threat & vulnerability proliferation?
California is leading the US and perhaps the world in IoT security with the passage of SB327. The law calls for any IoT smart device to "protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure."
The main reason is because there is no scalable business model for IoT, especially when applied to huge areas such as smart cities.
If there is no perfect business case in which all companies can work together, it is difficult to establish how different "things" will communicate with each other and what type of information they will exchange, so companies could spend more resources on improving the security aspects.
THEME #22
Let's continue our discussion on Cybersecurity and IoT by focusing on Distributed Denial of Service (DDoS) attacks
THEME SUMMARY
DDoS attacks, although rising in prevalence, impact businesses very differently based on a number of factors
- The importance of the internet and connectivity/availability to one's customers raises the concern about DDoS attacks
- DDoS attacks can also lead to penetration of a firm's security and to access to secure data
DDoS attacks impact different firms at different levels depending on the importance of internet access to the business and revenue of a firm
If you ask some people about the level of concern for DDoS, you hear a VERY wide range of responses, from "existential" to "just a nuisance."
One of the reasons for DDoS attacks is to disrupt services. E.g., if the website of your competitor is down, it is highly likely the traffic will be redirected to yours.
DDoS attacks can have impacts beyond the interruption of connectivity to the internet and to a firm's clients.
For someone like eBay, it is an major threat resulting in crisis handling. Same for Walmart, Amazon, etc. For a car dealership?
A person hacked into a temperature sensor in the fish tank of a casino and laid a trap. When the sensor did a periodic upgrade of its software, he got access into the database of all high net worth customers of the casino
THEME #23
Ransomware attacks have been declining in number but increasing in sophistication. Let's look at how they are changing
THEME SUMMARY
Ransomware has been changing in number of occurrences and level of sophistication
- While we are seeing fewer instances of ransomware, we have seen a morphing of the target toward much larger breaches where the financial impact is orders of magnitude larger.
- Cryptocurrency is one of the areas where we have seen a large uptick in occurrence and sophistication of attacks
- We have also observed that ransomware attacks on individuals have reduced, and users have become more proactive in regularly backing up their files, which has reduced exposure
What changes are we seeing hackers using in approaching Ransomware?
The attacks get more sophisticated, as phishing emails not only get more personalized, but also the attackers use more time to work on the details.
Hackers are using intelligent algorithms. Using Big Data (for example from crawlers systematically analyzing user profiles and creating potential org charts), such apps provide precious information (Smart Data) for attackers
A successful attack requires preparation, preparation, preparation. Furthermore, an efficient hacker organisation, including IT experts, psychologists, linguistic experts, etc.
As Ransomware becomes more sophisticated what new tools, technologies and approaches can we use
Say if blockchain were implemented on hospital patient data: since it has decentralized characteristics, with multiple encrypted copies of the data stored in different locations, it would be hard for ransomware to attack the vectors.
Blockchain information is encrypted on the various servers. So far the technology is not widespread enough that hackers have seriously started to think about how to attack this.
AI can tackle vulnerabilities, e.g. it could stop hackers where firewalls and anti-virus are not successful. Maybe it can't stop every malware, however, after building models of positive and negative behaviors, it helps the security team to detect the bad ones.
THEME #24
We are all facing a huge rise in the use of mobile devices; let's discuss what security measures are being taken for mobile