Breach Response: Are We Doing Enough?
Conversation with SANS's John Pescatore and NIST's Ron Ross
One commonality of the rash of recent data breaches, including those victimizing Community Health Systems, Supervalu and UPS Stores, is that the cyberdefenses many organizations had put in place to safeguard their data and systems over the years are no longer effective. The predators have become more sophisticated at the expense of their prey.
"The maturity model for the attackers has moved from Maturity Level 3 to Maturity Level 4 in the attacks, and the defenders need to do the same thing," says John Pescatore, director of emerging security trends at the SANS Institute, in an interview with Information Security Media Group.
Joining Pescatore in the interview is risk management authority Ron Ross, a fellow at the National Institute of Standards and Technology, who says the growing complexity of IT over the past few years makes systems harder to defend.
More sophisticated applications, along with new devices such as smartphones and tablets being incorporated into the information infrastructure, make governments and businesses more productive but also make their systems more complex. "The adversary lives in the cracks of complexity," Ross says, citing the National Security Agency director. "We're using it to the maximum capacity, but it brings in some inherent risks to that complexity, which I don't think we've come to grips with at this point."
Getting Vendors to Secure Wares
In the interview, Pescatore and Ross discuss:
- Why users must demand technology vendors produce more secure wares. "If we don't have this holistic view of the problem," Ross says, "... then we're probably going to continue to see these types of breaches until we reach whatever pain-point is going to be that tipping point where we say, 'Hey,' like the old movie where the guy's yelling out the window, 'I'm mad as hell and I'm not going to take it anymore.'"
- The role that chief information officers - not the chief information security officers - must assume to safeguard IT. "The dirty secret of security is that about 80 percent of what we do is make up for deficiencies in IT operations," Pescatore says. "Wait a minute; why isn't that Windows system configured securely; why isn't the system patched? That isn't security's job; that's IT operations."
- Information sharing, not of cyberthreats, but of approaches to securing IT. Pescatore observes that he hasn't heard of a major breach of a general insurance company in the past five years; that sector is doing something right that others should emulate. "Everybody is hesitant to share the success stories," he says. "We all like to talk about the planes that crash versus the stories of the pilots who landed safely in every storm."
Pescatore and Ross also explain why organizations should implement penetration testing and business continuity planning to improve their responses to data breaches.
Before joining the SANS Institute in January 2013, Pescatore served as a vice president and distinguished analyst at the IT advisory firm Gartner. Prior to Gartner, he was a senior consultant for Entrust Technologies and Trusted Information Systems and a security engineer for the U.S. Secret Service and the National Security Agency.
Ross leads the Federal Information Security Management Act Implementation Project, which includes the development of IT security standards and guidelines for the federal government, contractors and the nation's critical information infrastructure. He is the principal architect of NIST's risk management framework.