Cyber threats are more pervasive than ever, and the worrying news is that breaches, already close to inevitable, will only rise in the future. The nature of breaches is also changing. Coupled with the shortage of skilled cyber security professionals, it is quite likely that the cost of beefing up defenses and dealing with attacks will put a huge dent in corporate IT budgets. This calls for a very different incident response management and risk mitigation strategy. Unfortunately, most organizations still fall into the category of the ‘hunted’ rather than the ‘hunters’: their approach to incident response is still reactive. Rahul Neel Mani, Editor, dynamicCISO, caught up with Peter Tran, GM & Senior Director at RSA Security (Worldwide Advanced Cyber Defense Practice), during the RSA Conference 2017 last month and spoke about various aspects of incident response and how RSA’s ACD can help organizations make sense of their security programs. Here are the excerpts:
DC: What’s the genesis of the Advanced Cyber Defense practice and how has it grown over the years?
PT: Advanced Cyber Defense (ACD) is part of RSA’s broader risk and cyber security practice. ACD was created as a result of RSA’s own public breach in March 2011. At that time, a tremendous amount of effort went into redesigning our own response capability to threats, and that’s what we know as Advanced Cyber Defense. This practice at RSA addresses issues of incident response, cyber threat intelligence, and the design and operation of security environments. This could be anywhere in the world and in any enterprise, from small ones to the largest global ones.
However, this year RSA has expanded the ACD practice, adding five key areas into it. This includes Risk Management, Incident Response, Cyber Defense, Identity Assurance, Threat Detection and Response, and Advanced Cyber Defense. We are now trying to address very advanced issues around security operations, overall breach readiness, incident response discovery and all the other material gaps that an organization isn’t aware of. The new form of ACD also offers a better lifecycle of identity and access control.
DC: Despite having solutions and technologies available, there still are identifiable gaps in enterprises because of which breaches happen. Why is that so?
PT: In the last 10 years, due to changing computing environments and pressures on cost structures, most enterprises have either been planning to move or have already moved from an ageing, on-premise IT infrastructure/datacenter to a cloud- or mobile-based infrastructure. Ironically, most enterprises don’t yet know how to ensure the security of these infrastructures. Especially in the past two years, organizations have realized that IT innovation has been so fast that it has outpaced the security measures to safeguard their cyber assets: smart devices, IP-enabled devices or even unstructured data. Hundreds of traditional applications, including accounting, HR, CRM etc., are no longer sitting on physical IT infrastructure. They are now being consumed as a shared service or in an application-as-a-service model. All the data that these applications generate is also stored in the cloud. More than the gaps, it is about enterprises being unaware of how to monitor and detect the anomalies.
RSA’s new notion of business-driven security is one step that comes closest to overcoming these challenges. Everything, whether it’s tactical or otherwise, is based on the business outcome. With the problem of IT innovation outpacing the security preparedness, that I just described, business-driven security is the only answer. Most cloud environments are realizing these challenges and by 2020 we will see a lot of cloud-based security offerings, cloud-based internal security infrastructure etc. The successful advent of smart cities is one of the many examples that are taking place in the real world where security is not an afterthought but part of the planning.
DC: Through the programs offered under ACD, you seem to be helping organizations go from being the ‘hunted’ to being the ‘hunter’. What steps do you suggest organizations follow to be breach-ready or to have a robust incident response mechanism?
PT: The classification of an incident is whether it is a ‘known incident’, an ‘unknown hunted incident’ or ‘unknown known and unknown’. When we work with an enterprise, the first thing that we look at is the current incident response program. We evaluate it on the basis of eight critical parameters/areas, including its maturity and effectiveness. For example: if a company ‘X’ has 1000 events a month and they could only respond to 25% of those incidents, it will be categorized as an inefficient program and they are clearly not the ones who are hunting. At best they are reacting to the data collected from perimeter security tools and processing it. We work with the organization to realign technology and monitoring in a certain way. We change the process automation of the existing incident response so that they can see the indicators of a potential compromise early on rather than waiting for the actual ‘alert’. This is, in our terminology, called hunting for the incidents. So this is all about redoing the process, realigning the technology and, if required, reinvesting in new technologies to make the organization breach-ready. This helps an organization uncover and retire an incident much quicker.
DC: For the benefit of our readers, tell us about the ACD service portfolio.
PT: At RSA we ensure that organizations know they are spending in the right areas and allocating their prized resources efficiently and effectively. Our ACD portfolio is meant to enable an organization to formulate a security program that is entirely business-driven and meets the risk management objectives of the organization.
Our ACD program has three key constituents:
The key area that we focus on is detection and response. This is where we analyze the behavior and give proactive guidance to the enterprise that there could be a possibility of a compromise or that there are loopholes to be plugged. We have never done all this before at RSA. Our practices earlier were compartmentalized by function. The blend of these functions is something new that we are going to offer in the market in 2017.
DC: Assuming that an organization has turned from being the hunted to being the hunter, how can it put threat intelligence to better use than just using it for regular compliance purposes or routine drills?
PT: Threat intelligence is a very vast field. The first thing that one needs to be careful about is that it has to be well defined. You should know what outcome you are expecting from it, especially in times when most data comes from unknown sources and is classified as unstructured data. The data that you collect from internal systems does tell what’s going on. But the data from outside gives little clue on what might happen to an organization. Even if you pair the two and analyze it appropriately, the freshness of the data lasts only for so long. If you isolate and look at a particular domain/IP that’s identified as rogue and malware is being delivered to it, the data may only last for three days at best. That’s where most enterprises go wrong in their approach. They aren’t ageing their threat intelligence tools and processes. Most of the current threat intelligence tools aren’t sufficient to analyze the data from internal and external sources. The data gets collected and just sits idle. These are the organizations that are prone to being ‘hunted’. On the other hand, the ‘hunter’ will take that data and look at it in real time to take action. It is not highly complicated, but because of the sheer volume of data, most of it becomes stale, and that is where we differentiate between a hunter and a hunted.
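The indicator ageing that Tran describes, as an added example that is not part of the interview and not RSA's own tooling: a small Python script that gives each threat-intelligence indicator a time-to-live (the three-day figure from the answer above is used for both domain and IP indicators), retires indicators past it, and matches only the live ones against proxy log lines. The feed entries, the log lines, the fixed clock and the log field names are all constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Indicator:
    """One entry from a threat-intelligence feed (constructed for this example)."""
    value: str           # domain name or IP address
    kind: str            # "domain" or "ip"
    first_seen: datetime  # when the feed first reported the indicator
    ttl: timedelta        # how long the indicator is considered fresh


# Fixed clock so the example is deterministic.
NOW = datetime(2017, 3, 10, 12, 0, 0)

# Three-day TTL for network indicators, following the "three days at best" figure.
NETWORK_TTL = timedelta(days=3)

# Constructed feed: two fresh indicators, two that have already aged out.
FEED = [
    Indicator("update-cdn.example", "domain", NOW - timedelta(days=1), NETWORK_TTL),  # fresh
    Indicator("mail-relay.example", "domain", NOW - timedelta(days=5), NETWORK_TTL),  # stale
    Indicator("198.51.100.23", "ip", NOW - timedelta(hours=6), NETWORK_TTL),          # fresh
    Indicator("203.0.113.77", "ip", NOW - timedelta(days=10), NETWORK_TTL),           # stale
]

# Constructed proxy log lines in a key=value layout (not real traffic).
LOGS = [
    "2017-03-10T11:58:01Z src=10.0.0.15 dst=198.51.100.23 host=update-cdn.example uri=/a.bin",
    "2017-03-10T11:58:07Z src=10.0.0.22 dst=203.0.113.77 host=mail-relay.example uri=/",
    "2017-03-10T11:59:30Z src=10.0.0.15 dst=192.0.2.10 host=intranet.corp uri=/index.html",
]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+)")


def is_active(ind: Indicator, now: datetime) -> bool:
    """An indicator is usable only until first_seen + ttl; after that it is retired."""
    return now < ind.first_seen + ind.ttl


def active_indicators(feed, now):
    """Map indicator value -> Indicator for every entry still inside its TTL."""
    return {ind.value: ind for ind in feed if is_active(ind, now)}


def retired_indicators(feed, now):
    """Sorted values of the indicators that have aged out and should be dropped."""
    return sorted(ind.value for ind in feed if not is_active(ind, now))


def match_logs(logs, feed, now, enforce_ttl=True):
    """Return (log line, matched indicator value) pairs.

    With enforce_ttl=True only live indicators are consulted (the 'hunter').
    With enforce_ttl=False every indicator ever collected is matched, which is
    the 'data sits idle and goes stale' behaviour: stale entries still fire.
    """
    live = active_indicators(feed, now) if enforce_ttl else {ind.value: ind for ind in feed}
    hits = []
    for line in logs:
        m = LOG_RE.search(line)
        if not m:
            continue  # line does not carry the fields we key on
        for field in ("dst", "host"):
            value = m.group(field)
            if value in live:
                hits.append((line, value))
    return hits


if __name__ == "__main__":
    print("retired:", retired_indicators(FEED, NOW))
    for line, value in match_logs(LOGS, FEED, NOW):
        print("hit on live indicator", value, "->", line)
    print("hits without ageing:", len(match_logs(LOGS, FEED, NOW, enforce_ttl=False)))
```

Run as written, the script retires the two indicators older than three days and reports hits only for the fresh domain and IP in the first log line; with `enforce_ttl=False` the second line also fires on the two stale indicators, which is the noise an un-aged feed produces. In a real deployment the TTL would come from the feed's own last-seen or confidence fields and differ by indicator type (a file hash stays valid far longer than a domain), rather than being the single constant used here.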
DC: With the Industrial Internet or Industrial Control Systems (ICS) now connecting to the public Internet, the threats to critical infrastructure have grown manifold. We have heard of massive breaches in electric grids, power plants, healthcare systems and so on. How does Advanced Cyber Defense help in such scenarios?
PT: When we talk about ICS, there are a few things to keep in mind. Most of these systems are over 50-60 years old. That was a time when infrastructure was designed without the security infrastructure we see today in mind. It was based on monitoring of its availability and integrity. That’s the reason why these older systems are increasingly being attacked and breached. Such incidents have only grown in the past. At RSA, we work closely with many energy providers in the Middle East and Europe. We have found that their IP-enabled systems and IT systems are being overlaid on these age-old ICS because they can’t just rip them out. That’s where the problems of breaches kick in. However, if you look at the renewable, non-conventional energy companies like wind, water and solar, they have modern monitoring systems attached to them and thus are less vulnerable. We are helping the organizations with old ICS infrastructure in designing a comprehensive monitoring system, which takes care of distribution, collection and telemetry, and in moving them to the new monitoring systems. We also advise them on what their operating environment should look like.