
BLACK HAT 2019: CISOS SHIFTING SECURITY STRATEGY FROM MAGIC TO DATA

Cyber Bob, Principal Security Engineer and CTO at Forescout | August 12, 2019

Black Hat is always an interesting event, and this year was no exception. Rumors about bounties for attacking devices were floating around the floor. Presentations showed off everything from phones being compromised to IoT hacks. Needless to say, everyone was keeping vigilant as they walked around the conference.

The talk of the town for CISOs the past couple of years has been machine learning, with hints of talk about artificial intelligence. Vendors presented it like magic that would solve all of our cybersecurity problems. After talking with CISOs at Black Hat this year, I am seeing a trend of rolling back to concrete, verifiable data.

Instead of looking for a black cloud of magic to properly identify bad actors, I was hearing more emphasis put on things like cloud sourcing on repeatable process. Yes, please! This is an awesome trend because it is driving better metrics that result in better data for the security operations center. This means we can have a better process for finding why there was an attack. That process can be logical, process-oriented and repeatable at scale. Security professionals are moving beyond the buzzwords.

Now what does this shift mean for your organization?

One of the best quotes I heard this week was: “The burden of IoT security falls on you. Challenge scale. Challenge the process.” The number of IoT devices is growing rapidly and the number of operating system variants is growing just as quickly. How does the technology you choose today address that change? How does your vendor address and incorporate the hundreds of new devices? And, as CISOs were talking about at Black Hat, what is the data-driven, automated, repeatable process that you can use no matter how many times that same type of IoT, OT, managed or unmanaged asset connects to your network?

This mantra also advances other discussions I had with CxOs in business meetings and while walking around talking with other vendors. They talked about how they are evolving all parts of their security programs to start reporting with more actionable data—not just around IoT. They can then use that data to improve their security processes. For example, in the case of vulnerability assessment, how can they improve the process around verified vulnerabilities? Usually the security organization hands a bunch of vulnerabilities to the data center and endpoint teams and says “fix it.” Rinse and repeat each month. Overworked IT staff have validation and a process to follow, plus the burden to prove that the vulnerabilities are fixed.

CxOs are asking questions like: How can my organization automate patching for identified vulnerabilities? How do you accelerate delivery of the patch and verify deployment before the next scan? How do you apply compensating controls around the device that you cannot patch? Can you take an improved profile or context from an external vendor to provide pre-connect profile information (or even post-connect when talking wireless) to change how you audit an endpoint as it connects back on the network?

So, take some inspiration from the CISOs I talked to this week and ask whether your vendors will SCALE to meet your needs. Ask what data they can help you collect and how that can be useful for your organization. Ask how they can help you automate and improve your processes. An ecosystem of technology, especially in security, is what it will take to move from a crawl to proactively running great security operations. These questions will help CISOs make better decisions beyond the buzzwords and build an effective security operations center.

Security is no longer the organization that has to say “No.” No, you can’t deploy that new business application because it does not meet policy standards. No, you cannot allow that vendor access to our infrastructure to assist with better maintenance of our equipment. These process and data-driven improvements let us have a different type of conversation about saying “YES.”

That shift gets me excited about security becoming truly mainstream in an organization. YES, let me help you deploy that application and do it in such a way that you have better trust with your customers and partners. YES, let’s bring more vendors in to help improve uptime for mission-critical operations. YES, let me show you the great things your teams are doing to not only beat the drum of security, but to protect your corporate brand with these great dashboards on your environment. We will all do better when we work together.
