As enterprise security comes to the forefront of organizational activity, it’s best to understand the size and shape of the threat landscape, and more salient trends affecting the industry.
To get his take on this, and the wide cyber security spectrum, we spoke with expert Kayne McGladrey, Director of Information Security Services for Integral Partners.
McGladrey, whose work focuses on identity and access management, leads a team that assists clients in multiple industries. The focus: insider and outsider threats on non-privileged or privileged credentials. McGladrey said that technology has matured so much, that overall cyber security is not about software installation.
“It surprises customers that (much of security is) not about buying and configuring a piece of software (any longer),” McGladrey said. “Cyber security’s not an ‘install process.’”
Here’s his take on the space as a whole:
CSHub: How would you describe the state of enterprise security and the threat landscape?
McGladrey: I’d say from long view, we’re now past regulatory compliance, panic-driven purchasing, which we saw with the rollout of PCI, HIPAA (etc.). The regulatory process associated with GDPR is less pronounced in the U.S. than other regions. There was a gold rush of solutions in the past five to 10 years. A lot of people bought stuff – they were regulated into buying solutions. Where are we today? Customers are looking at what they have, what they bought, and going: “Does this work? Did we buy this, and does it meet our needs?” They look at it today and might say, “Well, it’s terrible.” So, they throw it out to buy a new one. Financial institutions are in the throes of throwing out their solution. Often, it has nothing to do with the product. The enterprises bought it, didn’t train (employees), didn’t think through the policies and procedures. So, what this has caused in the market is – we’re going through a purchasing cycle again. (It can be a) big distraction. More mature enterprises, on one end of the spectrum, are looking at what they have today, saying, “Where’s the gap associated with this?” This is different from ones bought out of panic. Customers deployed them successfully. Where gaps are coming into play right now (appears to be) industry-specific – (in) application-to-application password management. Pretty much every company has some software that they either bought or wrote themselves, that has some kind of secret in it. (It could be a) password that, invariably, is used for other things. Passwords never change in applications (the app would stop working, change windows, etc.). From a threat-actor perspective: If I can compromise the end-user credential, and have access to whatever the user has access to (it’s a dangerous vector). So, every 30-90 days (we’ll have to change the password) to something no one can remember. App passwords are a gold mine because organizations historically never change app passwords. If you compromised one of those in a lateral movement sniffing attack you can then operate as that application. This leads to situations like the Panama Papers breach where a law firm had its app password for WordPress used for its database. The firm didn’t rotate its passwords on a regular basis. The third party compromised WordPress and got lucky on the database.
CSHub: How do you believe the talent crisis has affected the industry?
McGladrey: There are two points we need to consider. One, we have a wide variety of really good schools, good programs, generating really good candidates. They’re going out, getting into cyber security based on a four-year degree, maybe picking up a certification, and entering the workforce. A lot of modern cyber security is based on aviation for the military. Everything is a checklist, to make sure things are safe. For a tier-one SOC analyst: on their first day on job they’re going to have a checklist. Everyday. It’s boring, mundane. They’re thinking they’ll save the world, for the public good. Instead (higher-ups) try to make you behave like a automaton. Entry-level jobs are so disparate, candidates behave like machines. To solve that: (perhaps) pivot toward AI and machine learning. People are not good at doing checklists. If you miss checking one log file, or miss one red flag, well, a machine’s not going to get bored, a machine doesn’t do that. What people can do then, where the pivot leads, is allow individuals coming out with degrees and certifications to instead focus on higher-value work…
The larger problem: we have great schools, and great people. There’s no nice way to say this: candidates are coming from the same zip codes, with the same life skills, backgrounds and variances. There’s a sameness to individuals coming out of the schools, which is backed up statistically. A Kaspersky study from Dec. ’17 showed that 11% of cyber security jobs are held by women; 89% of them are held by men. So, just looking at the gender binary, it’s so unappealing to women. One half of the potential job candidates are not interested in the work. Here’s a challenge, and the easiest way to look at it: Google a picture of a hacker, or a cyber security employee. It’s a white male in a hoodie, beard optional – in every news outlet. If you’re growing up on the West Side of Chicago, you don’t know anyone who works in cyber security; you don’t know what cyber security practitioners do. All you ever see with the news about hackers is that they just don’t look like you. As children, they don’t (necessarily) know what cyber security people do. There’s a grossly incorrect perception of it (that) isolates the talent pool. We’ve (eliminated) one gender out of the conversation. We’re not encouraging them to explore cyber security careers. It’s a good paying job, in a great community, with peer support. It’s a meritocracy, not about what you look like. It’s based on skill, intuition, resilience, and persisting in going after challenges, those are the desirable attributes.
CSHub: What are some challenges that today’s CISO faces in his/her day-to-day role?
McGladrey: Challenge number one: keeping up with marketing hype – disambiguating it from reality. The reason why: vendors are not a charitable enterprise, they make a profit. In the course of doing that, marketing teams for organizations will produce all kinds of fantastical, sometimes not always technically accurate outputs that CISOs are going to see. A small organization (CISO might be) on the internet looking at the current trends, and bring them back to organizations. Large enterprises: (security professionals may have) lunch with sales people… A giant challenge: It takes a brave CISO to focus on what you’ve got and making it good. Ultimately, (it’s about the) people working in the trenches, (evaluating) other things. Those with vision (know) you cannot spend your way out of a problem. “How can we improve what we’re currently doing?” More effective organizations can enable business without increasing the risk and number of threats.
What’s going in the market, or the Dark Web marketplace? What is actually the current trending business model for threat actors? The ability to actually get factual information about what’s going on in, say, the Dark Web is very hard information to come by.
There are perceived threats and then there are the actual threats, which threat actors prefer you don’t know about. They don’t want you to know they’ve pivoted from ransomware to a coin-mining operation. They’d rather you did not now they’ve changed tools, tactics and techniques (TTT). The reason why – like any business, that’s their crown jewels, how they’re making money. CISOs want to protect their most valuable information, and help respond proactively, rather than reactively. What are good information sources? Who is my trusted partner or partners in this space?
CSHub: What precautions could be taken, in the short term, to intensify network security and perhaps communication with the C-Suite?
McGladrey: It’s hard to make a generic statement, because every situation is different. I’ll give some food for thought: if you’re already doing things, do the next thing. If you’re doing them all, good job!
At a base level: inventory what you’ve got. How are you going to protect your stuff if you don’t know what that stuff is? Second: Have an inventory of what your crown jewels are. What’s the most important data (and) stuff to you? What’s the biggest material opportunity? What is the thing that is going to be the greatest damage to the business if it gets out? It varies widely by industry. Medium-maturity organizations – they could look at security systems; they could check with finance on purchasing (patterns). Check out what the solutions are, and the exercise is to figure out how they apply to your crown jewels. If you’re doing really well, you apply that to the crown jewels.
Most organizations need to figure out where the gaps are. (Compile an) inventory of cyber security solutions. Are you paid up on maintenance? Are you upgrading them? Are you running a recent version? Find out from the vendor – (you might discover it doesn’t) support that version.
Focus on driving as much value on current solutions that you’ve got. Solution that does, say, endpoint protection: Does it do it at privileged layer, or end-user layer? Does it limit what users can do at workstations?
For high-maturity organizations: Go hire a red team and say, “Attack my network for the next six months.” Red teams give organizations actionable intelligence that the threat actors will not give you. The red team will.
Be Sure To Check Out: Balancing Security & Convenience: The Importance Of IAM
By: Dan Gunderman