Cyber security: driving value from investments
Vendors are making great strides for interoperability and cooperation, but it can still be an uphill task to derive value, reports Jason Walsh
21 October 2019
There is a certain truth to the cliche that today every business is a technology business. Of course, tech itself will not be their central focus, but all businesses are reliant on collecting, storing and processing data – and with every passing day more and more are using ICT to connect with customers.
At the same time the threat to data integrity has grown exponentially. Hackers lurking around were long ago replaced by organised criminals exploiting systems and buying and selling credentials on the so-called ‘Dark Web’.
Getting the right technology and personnel is essential to counter the ever-changing threat landscape, but the who, what, where, when, why need to be considered as much as the how.
In other words, the social side of information security.
More than tech
Jason Hart, cybersecurity expert at Thales, said that a focus on technology alone still bedevils the question of information security.
“I go into companies and they have the latest whizzbang technology, but as an organisation the question is ‘what are you trying to protect?’ So, I ask them. They say ‘the business’, ‘the company’. So then I say ‘what in the company?’ and they say the ‘Web server’ or whatever. What I really want them to say is the data.”
Hart, who also founded WhiteHat, one of the world’s first ethical hacking groups, said that businesses need to think about the fact that not only are they responsible for the data they hold, but the data is the business.
“Fundamentally it’s a business issue. The business is the custodian of the data,” he said.
Eddie Doyle, global security strategist at Check Point, makes a similar point.
“It’s not about the technology; it’s about the people. Nobody is trying to brute force a Check Point file or any other provider in the upper quadrant of Gartner.
“They’re taking advantage of human errors: miscommunication, phishing… the real problem lies there. As far as the solution goes, people need to start looking at data differently.
“The problem with PIIs [personally identifying information held on sundry servers] is that I don’t own the info.”
This could be rectified, he said, by the widespread implementation of biometrics, perhaps using blockchain, to give ownership of personal data back to the people from whom it was collected in the first place.
Richard Meeus, at Akamai Technologies, underscored this, saying that even minor breaches – perhaps even especially minor breaches – are costly for the companies targeted.
“The headline grabbing attacks, the huge, successful DDoS attacks, don’t happen that frequently, but small attacks happen all the time – and the actual impact on the business in terms of one user being exploited may not be that much, but when it happens a hundred times or a thousand times it really adds up.”
The cumulative damage, both financially and in terms of reputation, can be enormous, said Meeus.
“Some organisations can put the damage for each individual account takeover at somewhere around $500 dollars. They may have hit 500 users in one particular attack,” he said.
Cash out, reputation saved
Understanding the social causes of breaches does not mean slashing investment in security technology, services or personnel, however; particularly not in today’s risky environment.
The very topicality of security – breaches are never far from the headlines – does at least mean that businesses are aware of the risks, particularly in light of the EU’s general data protection regulation (GDPR).
Brian Honan, chief executive and principal consultant at BH Consulting, said that the good news is that the value of security is increasingly understood and that this can be seen in how the issue has moved up the corporate food chain.
“People are getting better. I often say that having been consulting for 15 years this year, a lot of the conversations in the early years would have been with technical people or the head of IT.
“Nowadays the conversation is more at the c-suite. The CIO is looking after it. Businesses are realising that so much more is reliant on IT and computers than years ago, starting from office admin but going up to logistics, manufacturing and more – and the Internet has become more critical for sales and meeting customer services and delivery,” he said.
In some cases, breaches can be catastrophic and purely IT-based solutions simply are not enough.
“If you take the example of Norsk Hydro, if you have an aluminium smelting plant you have to run it 24/7. If you stop [then] it solidifies and your equipment is scrap metal.
“They had all their processes written down on paper and jumped back to that,” he said.
The point however is not to suggest avoiding technology, just to understand that what is at stake is the viability of crucial business processes.
“The three pillars are CIA: confidentiality, integrity and availability. We need availability to be taken more seriously,” he said.
Karen O’Connor, general manager of ICT services and solutions at managed service provider Datapac, said that today budgets are growing.
“We’re finding that it’s actually becoming a little bit easier, particularly when it comes to security, to get a share of the budget,” she said.
As well it might be. Recent research conducted by Sophos suggests that attacks are rife, with 70% of 3,000 businesses recently surveyed reporting that they had been subject to at least attempted attacks.
“Everybody is getting attacked,” said Peter Craig, security specialist at Sophos.
What is required, he said, is a new way of presenting the case for security.
“It’s sometimes hard to justify the spend to the board [but] security is insurance. It’s insuring you against the threat, so there’s a job out there for us and our partners: we need to show them that there are financial risks for them.”
One issue is that the increasing complexity of cyber security software and hardware – and of software and hardware in general – means that some amount of system integration is required.
This, as anyone who has managed a growing IT system will know, is no easy task.
Craig of Sophos said that playing well with other vendors was essential: Sophos may want to sell a solution the next time a contract is up for renewal, but in the meantime it has to interoperate with its competitors just as it does with its own products.
“Our firewall, encryption, access points, endpoints they all talk to one another. Once the attacker gets in, he can’t move around and get to another machine.
“One example would be, with the big ransomware threat we developed Intercept X. We could have made it [solely] a competitor to other systems, but we developed it to sit on top of everyone’s anti-ransomware and provide AI,” he said.
“What we’ve also done is opened all of the APIs to our Sophos Central product. We’ve always integrated with Splunk and so on, but we allow third party products to work with it,” he said.
Integration also happens at the level of the deployment itself.
“We work very closely with managed service providers and that allows them to integrate everything,” he said.
The managed service providers themselves are there to do precisely this job, of course.
Pat Larkin, chief executive of Ward Solutions, said that alongside having the staff, software and hardware, managed service providers work to ensure that everything plays well together to give total coverage.
“The old model worked on the basis of ‘if I make my network bulletproof no-one will get in’. That was up until five years ago, but the sheer volume of threats put paid to that.”
Today, Ward Solutions has a vendor independent consultancy but as a service provider works with vendors such as IBM, Fortinet, McAfee, Microsoft and Check Point.
It is the job of businesses like his to make sure they all work together, he said.
“There was, at one time, a thought process that we should all have the most heterogenous systems possible. Realistically, that is a procurement nightmare, so being heterogenous for the sake of being heterogenous is not really possible.
“However, different vendors have different strengths: in detection IBM is your best of breed, in firewalls Check Point and Fortinet and so on,” he said.
Colin Reid, commercial director of the Dublin-based Threatscape, said that a new methodology is one way of approaching the issues of interoperability: SOAR, or security orchestration, automation and response.
“A big problem is [that] you have multiple vendors and multiple security solutions, and it sounds like a no-brainer that you need to get them talking to one another, but they don’t always do so. That’s where SOAR comes in,” he said.
SOAR is defined as a stack of software that uses AI and ML to collect data about potential attacks and respond to low level threats without requiring human intervention.
“The whole AI and ML discussions have been going on for the last two to three years. Sure, there’s a lot of snake oil out there, but there is need for it,” he said.
“When you consider that there are two to three million [cyber security job] vacancies [globally] it’s clear there’s absolutely a need for some amount of automation.
“I spoke to one organisation, in movies-on-demand, and they spent about six weeks setting it up and building the workflows. They had a major problem with phishing attacks. I was talking to the CTO and he reckoned it just took one month for the payback on the investment,” said Reid.
The concept of investment comes into everything, but perhaps it, with its implication of a positive financial payback, is the wrong metaphor.
Datapac’s Karen O’Connor said that while security is a cost centre, it should still be understood as contributing to business value.
And, indeed, security is a cost centre – but then again, so are most of the things a business does.
“In the end it does come down to the negative side: you’re looking at the [much greater] cost of not doing it,” she said.