CISOs Go From 'No' to 'Know'

This year’s Eskenzi PR annual CISO forum attracted the security leaders of some of the largest UK organizations. Household names from insurance, banking, accounting, pharmaceuticals and media were all represented, as well as a large service provider and one true 21st century, born-in-the-cloud business.

Whilst media outlets are never going to see all issues to do with IT security in the same ways as insurers (“journalists have to act in anomalous ways compared to users in role-based organizations” said one), there was consensus in many areas.

All accepted the reality of BYOD, however it is managed and implemented. Shadow IT was recognized as a widespread issue, but one to be managed not banished. The mood was well summarized by a comment from one CISO – “we have to move from NO to KNOW”; that is, do not block the users from trying to do their jobs, but do make sure you have sufficient insight into their activity.

A good analogy was offered up. Imagine a newly-built US university campus surrounded by newly laid lawns with no footpaths. Only after a year, when students have made clear the most trodden routes, are hard paths laid. Within reason, IT security can be managed in the same way – to suit users.

There was some disagreement about how news of software vulnerabilities and exploits should be reported in the press; is it better that some high profile cases raise awareness amongst management or does over-reporting lead to complacency? Denial-of-service (DoS) attacks were recognized as a ubiquitous problem; not to be accepted but controlled. Perhaps the greatest consensus was reached about the need to deal with privileged user access. One CISO observed that if the use of privilege internally is well managed it goes a long way towards mitigating external threats as well; hackers invariably seek out privileges to perpetrate their attacks.

The two-day event, which as well as CISOs included industry analysts (such as Quocirca) and a host of other IT security professionals, was sponsored by a dozen or so IT security vendors. So what message did attendees have for them?

Wallix, a supplier of privileged user management tools, would have gone away with a renewed sense of mission to limit the powers of internal users and unwanted visitors. As would Duo Security, whose two-factor authentication, through the use of one time keys on mobile devices, also helps keep unauthorized outsiders at bay.

Of course, hackers will do all they can to find weaknesses in your applications and infrastructure; all the more reason to scan software code for vulnerabilities with services from Veracode both before and after deployment. Nevertheless, vulnerabilities will always exist, so when a new one is made known, Tenable Security can scan your systems to find where the dodgy components are installed and highlight the riskiest deployments for priority fixing.

Should hackers and/or malware find their way onto the CISO’s systems, new technology from Illumio enables the mapping of inter-workload traffic, including between virtual machines running on the same platform. Anomalous traffic can be identified, reported and blocked – it is a common tactic of hackers and malware to ingress one server and attempt to move sideways. Hopefully, such traffic would not include anything related to DoS attacks which could be blocked by services from Verisign or from other such providers that may base their prevention on DoS hardware appliances from Corero.

Enabling users to safely use the web is a key to saying YES and remaining safe. OpenDNS, amongst other things, protects users wherever they are from perilous web sites and other threats. RiskIQ eliminates the unknown greyness that can prevail in such matters by classifying any web resource as either known or rogue. Venafi says its monitoring of systems, and cleansing them of SSL keys, acts like an immune system for the internet. Meanwhile Pulse Secure (a 2014 spinoff from Juniper Networks) combines its mature SSL-VPN technology with network access control (NAC) to provide endpoint monitoring way out in the cloud. It also has newly acquired technology called Mobile Spaces to enable BYOD through the creation of local mobile containers on Android or iPhone devices.

Impressive claims from all the vendors. However, one CISO was keen to remind suppliers: “Do not over-promise and under-deliver”. His peers all nodded in agreement.
