Addressing cyber-attacks is not just a technology issue. It requires a holistic view from the entire organization, says ISACA's Jeff Spivey, who emphasizes the need for a framework approach to security.
"The concept has always been technology, people and process," says Spivey, ISACA international vice president, in an interview with Information Security Media Group [transcript below]. "Those three need to be looked at in an equal format across the risk spectrum."
To get there, organizations should develop a framework for addressing security holistically, Spivey says.
"How are we approaching it?" he says. "How can we do that on a consistent basis moving forward?"
Those issues are addressed in Responding to Targeted Cyberattacks, a new book published by ISACA and written by information security professionals at Ernst & Young LLP.
Organizations need to understand how information security relates to the business, Spivey says, and come to an agreement on a model that addresses:
- What's important from information security;
- How security supports the business;
- How it provides the reliable IT services across the enterprise to support the organization.
In an interview about this new book, Spivey discusses:
- Why today's attacks are more of a business/people problem than one rooted in technology;
- Advanced defensive measures to improve detection and response;
- The role of awareness programs - and how organizations can improve them.
ISACA International Vice President Spivey, CRISC, CPP, is president of Security Risk Management Inc., a strategic security risk consultancy to global organizations. He is also the strategy advisor for RiskIQ, providing Internet-scale intelligence/visibility services for security and brand risk across the web. He is a member of the U.S. State Department's Overseas Security Advisory Council and serves on the advisory board for the National Center for Judicial Security of the U.S. Department of Justice. Spivey is a founding member of the Cloud Security Alliance and a past president and past chairman of the board for ASIS International. He is chair of ISACA's Relations Board and a member of ISACA's Strategic Advisory Council. He has served as co-chair of ISACA's External Advocacy Committee and as a member of ISACA's Knowledge Management Task Force.
ISACA on Cyber-Attack Response
TOM FIELD: Right from the top, let's talk about this new book released by ISACA. What new information do you have for organizations in this book?
JEFF SPIVEY: ISACA's new book was written by security experts from Ernst & Young, who are people that are helping with the problems at the frontline, at the top of these issues, every day. Much has been discussed about why organizations need to be concerned about these to start off with, and I think that this book offers a practical, multi-phased approach, allowing leaders to focus their resources and placing those in the right place, looking at the detection and response, as opposed to maybe placing too many resources on the prevention side of things, which may not be as realistic as it has been in the past. [It's] important to understand the problem, but also how we attack that.
Traditional Security Approaches Insufficient
FIELD: Given the types of attacks that organizations are seeing today, why aren't traditional security approaches sufficient anymore?
SPIVEY: Attacks change, so part of the root cause of this is that we have technology coming on at light speed - new technology, new ways of doing things. As these continue to grow in speed, frequency and new technology, there are more and more risks evolving from those. The risks that are there, the types of attacks that are exploiting new vulnerabilities in this technology - to be able to understand and have some type of a framework from which to address this is and will be more and more important.
When we look at this, we're looking at the book as somewhat of a framework - a new framework, a new adaptation - of how we approach these problems over a long period of time. Maybe a quick example is regarding mobile: mobile tablets and mobile phones. That's a new vector that maybe didn't exist, at least in the capabilities that it has now, a year or two ago. The changes that have come about because of the technology, in addition to the number of mobile technology that's out there, the companies [are] unsure how they allow bring-your-own-device or provide a device that hence can be connected to the heart of a corporate system. How does that happen? What needs to occur? On the back of that, you've got big data and all of the privacy concerns. You've got all of these new technologies. The book seems to give a good idea of what's coming and some ideas of adaptation.
Today's Attacks a Business Issue
FIELD: One of the things that strikes me about the book is that one of the points is that the new attacks that we're seeing are more of a business-and-people problem, not a technology issue. Could you explain that, please?
SPIVEY: The concept has always been technology, people and process. Those three need to be looked at in an equal format across the risk spectrum. A lot of times technologists will solve the problems with technology. The book addresses the other sectors as well, so it tries to look at it from a more holistic view of understanding that, yes, technology does have new vulnerabilities, but what is our framework? How are we approaching it? How can we do that on a consistent basis moving forward? The book explains some of the caveats that are important regarding the people side.
We get back to the illustration of mobile just a minute ago. A lot of times the mobile-side people are not aware that they may not have as much security in the mobile as they did on their desktop at work, or maybe even their laptop that they're using from home and still getting into a work network. The ability of the ADPs - the advanced distributed threats - the new vector allows for risk vulnerabilities, exploitation of those vulnerabilities in a way that they haven't had before.
For instance, there's malware getting on a mobile phone. Now there's malware that can listen in to the conversations that are going on in the room and can take pictures at any time or all times. There's one malware where it's sending pictures out and creating a 3D image of the room that you're in at the time that you're talking. It has the ability to listen into your phone calls, look at all of your texts, look at all of your e-mails and understand passwords versus credit card numbers that you may be typing into the system. The sophistication is strong, and it's also associated with mobility.
It understands geo, so it understands where your geo is because of the malware. It understands where you are. Are you at the headquarters at the time? Are you associated at all with the headquarters? Are you a vendor that's associated with the headquarters or with a network or with a larger company? The sophistication of what's there continues to be strong and adaptive. Bad guys are a step or two ahead, and the knowledge of the company to understand that and how that affects that particular company, that particular enterprise which could be the government or any organization, is extremely important to understand. That's addressed in the book regarding intelligence and the role that it plays as well.
Training and Awareness
FIELD: One of the book's recommendations is a greater emphasis on training and awareness. It strikes me that these traditionally are weak spots for organizations; they don't train and produce awareness well. How are we going to make it work this time as opposed to all the other times we've tried to do this right?
SPIVEY: The book is good at addressing what the needs in the awareness side are and how dynamic those needs are. The same way that e-learning, if you would, is adapting to providing information at the time that you need information, the book addresses and the industry is addressing an understanding of what we can do from an awareness standpoint.
Let's mention, for instance, the ISACA COBIT 5 framework of building a security culture. The same way that we have a lot of industrial companies that build a safety culture, the ability to build a security culture within the organization is important. I would challenge our past that it has not necessarily been ineffective because it's not good; it's been ineffective because of the lack of focus, resources and/or the lack of understanding.
The opportunity that we have with new technology right now, on the good side of things, is this advancement of technology. It still has its bad sides, but part of the good side of this is the ability for it to help us with awareness from the standpoint of: What are the problems; what are the issues? Allow feedback, not only pushing information. Try to make sure that it's absorbed by the employees and the vendors that touch the organization's system, to understand: What the rules of the road are for this organization; how I deal with that organization; what are the restrictions with passwords; where is the private information; where do I need to make sure that I'm exerting greater emphasis on supporting the rules of the organization around security?
The awareness component is very strong. As we see the increase of cyber-intelligence groups within organizations - either inside of the organization or the outside vendors providing it to organizations - organizations are starting to be more sensitive. They're starting to be more aware of the security issues so that then they can vet those back against their current policies and procedures, and be able to adapt those quickly as the landscapes change and as the threat vectors change.
It is and will become more important, this awareness and timing component, which I suggest is going to move along the same lines as e-learning is for the greater populous. The understanding of snippets of information when you need it, direction of policy when you need it, as opposed to trying to have a once-a-year or twice-a-year program that then may or may not be fully understood at the time, and certainly may be forgotten over time. This is more of a consistent approach to the awareness level.
Four Emerging Capabilities
FIELD: One of the things I admire about the book is it comes down to recommendations for four emerging capabilities that organizations need. Can you talk about these four capabilities and where you believe organizations are going to find them as they develop?
SPIVEY: The four emerging capabilities are important; the ability of having capabilities at all is important. Secondly, make sure that they're maturing in the organization, as the organization is trying to mature, better understand its defenses and how it's managing the security risk.
The first of those is centralized log aggregation and correlation. This is important because many companies have logs, but they may not be put together. They may have silos, as corporations, organizations and enterprises do, and don't talk to each other at all. Even in some cases within the same IT security organization, they may not be brought in to be understood as an aggregate, and, secondly, to understand how one may relate to the other. The assembly of that information from many different silos and the correlation support [is important], so that in the same way that big data is and will be doing more and more, [we're] able to analyze that and look at things maybe in a fresh new way and understand correlations we didn't understand before.
The second is the ability to conduct forensic analysis across the enterprise, the ability to understand what has happened, where it's happened across the enterprise, and understand where information regarding an incident is. Being able to bring that in together across the entire organization is important. [Also it's] the ability to sweep the enterprise for indicators of compromise, the ability in a holistic way to be able to understand indicators that are important; and these are indicators of compromise. It's already happened.
There are different phases of these attacks against an organization. The first phase they may be able to get in and get administrative access. Then they may start to be able to get to another phase, being able to start understanding other people's passwords. Then they may be able to start understanding where the important information is; in the case of other countries, nation-states, or other competitors, being able to get important information, intellectual property. It's being able to understand how - if they're in there - and being able to get an early warning that they're in there, and then being able to do something about it. The indicators of compromise are very important.
The other is the capability to inspect memory and to detect malicious code. All of these are around early warning, understanding that they're already in here; they exist; we've already been compromised. But, possibly, we haven't gone all the way to understanding the jewels, if you would, knowing where the jewels are or starting to siphon off information that they should not be siphoning off.
Evolution of Security Controls
FIELD: A final question for you: It's clear that the attacks and the attackers are evolving. How can organizations ensure that their security controls also evolve at the same pace so we don't find ourselves soon with security approaches that are no longer sufficient?
SPIVEY: It's a great question. I would go ahead and say that in many organizations the controls are not efficient now. They're not effective now. I don't want to put us way behind the eight ball, but the alignment of current controls based on yesterday's model needs to be updated significantly. ... The book addresses this. There are new, fresh looks at how this occurs, but the organization has to understand and, from the top down, be in agreement on the new model: What's important from information security; how it supports the business; how it's aligned to the business and providing the reliable IT services across the business. As we look at the controls that are in place, what are those controls and are they up-to-date based on new policy and procedures? What are the controls that support that as those policy procedures are supporting the business so that there's alignment that's there?
In the past, I would challenge that our controls fully did that. I think that the book illustrates, as well as the emergence, if you would, of this new model dictates, that the controls, one, be reviewed. My suggestion on reviewing would be at least every quarter, if not in a more dynamic way of collaboration of all of these security organizations, to understand that if there's a policy that's not making sense or controls that are not supporting the policies and the procedures, that those immediately could change, that these controls adapt quicker, because we're our own worst enemy in trying to review these on only a periodic basis, which may be every year, which may be every half year. The bad guys aren't looking for those same milestones. The bad guys are changing every day, every week. There are new threat vectors that are coming out. [It's] the ability of understanding: How does that fit with our policy and procedures? From a control standpoint, do our controls let us achieve what we want to achieve and the support of the business? I say the support of the business - the support of the enterprise in the case of government - of what we're supposed to do within our organization.
The controls are very important. Intelligence supports this wholeheartedly ... the ability to have some intelligence in the organization for [whether] we have the right controls in place, are they working and are they providing the information that we need. Getting back to the people process, are the people and the process supporting the controls and the new information coming from the controls? People are using a certain vector; are the controls picking that up? Are we making adaptations to assure that our processes are changing as we're picking up things? This particular threat vector is getting stronger and stronger as we go forward.
I think that the controls are extremely important, but it's a part of that more holistic view of security and how it's supporting the business.