STE WILLIAMS

Whenever executives gather, words like “leadership” and “vision” get thrown around — a lot. Gartner Symposium/ITExpo is no exception, but at a Monday morning conference session in Orlando, Florida, a Gartner analyst added specifics to the high-level vision around security and risk management.

Tom Scholtz, distinguished vice president and analyst at Gartner, began by pointing out how security has become a board-level issue at successful companies. He then spent the next 40 minutes talking about how executives should be turning their vision into something more concrete and how to lead with that solid vision.

He began at the top and worked down through a process that, he said, makes sense in today’s highly dynamic business environment.

Why Are We Here?
Scholtz began with a typical “mission” statement for IT security: “to establish and maintain the organization, its digital platforms, people, partners, services, and things as trusted participants in the digital economy.” Turning this into strategy, he said, begins with understanding the effects of at least three critical drivers: business, technology, and environment.

The next step is to understand where security starts. At least two assessment will be necessary to get an accurate picture of the “now,” he said. For some companies, external vulnerability and technology maturity assessments will do the job. Other companies, though, may need to add regulatory compliance, risk, or other assessments to build the proper foundation for a strategy.

Four additional steps will take a company to a strategy, according to Scholtz: Find the gaps between where you are and where you need to be; prioritize changes and actions based on the specific needs of the organization; gain approval from all stakeholders and the board; and execute on the plan.

Who’s on First?
Those are standard parts of any strategy development, but Scholtz had some specific ideas to deal with the rapidly changing nature of an increasingly digital company.

One of the keys to building a solid leadership vision for security and risk management, Scholtz said, is establishing a solid governance plan. That is, figure out who is responsible for making decisions about data and who is accountable for those decisions. The answer, Scholtz said, should not be the CIO or the CISO. Rather, the business unit that has decided to collect and analyze a particular set of information should be the owner of the data, and it should also be accountable for its security, he said.

“Too many organizations say the CIO or CISO is accountable, but a key characterization of digitalization is that many changes are being driven by the business,” Scholtz said. “We want the business to be innovative, but we also want the business to understand that if something goes wrong, they will be accountable.”

Principle Ingredients
Another key Scholtz stressed was basing decisions on the proper foundation. Too many businesses build implementation plans on processes, he said. A better answer it to base them on principles, and the reason has everything to do with flexibility.

One of the primary principles Scholtz recommended is a shift from protecting infrastructure to protecting business outcomes. A focus on business outcomes, he says, allows for consistency through times of shifting technology. Business outcomes also scale much more successfully than do technology protections, especially if an organization goes through times of rapid growth.

Another principle is that the security group should see themselves as enablers rather than protectors. If the business unit is going to be accountable for its data, then security’s job is to enable the unit to make decisions that keep it secure. In most organizations, that enabling will also involve implementing pieces of security infrastructure, but the key to this principle is the accountability and cooperation of the business unit in security operations.

Enabling is important in a third principle, too: Security should become people-centric. Scholtz mentioned the traditional view of a “dumb” user as the weakest link in a security system and a factor to be minimized as much as possible.

“Increasingly, the ‘dumb users’ aren’t so dumb — they’re the ones driving innovation. We can’t just lock them down,” Scholtz explained.

Instead, he suggested, the current generation of technology-savvy users should be given (and be assumed to have) a certain level of knowledge about their systems and security.

“We must give them the knowledge that corresponds to the level of knowledge required to safely operate an automobile,” Scholtz said, referring to the combination of “book learning” and practical experience that has to be demonstrated before someone is given a driver’s license.

All of the plans and strategies that make up security leadership should be revised every year, rather than the three- to five-year cycle long considered sufficient, he added. And they should be reviewed quarterly to make sure business conditions haven’t left them behind.

The keys to successful security leadership, Scholtz said, is remaining flexible, understanding the importance of context for decisions, and focusing on broad principles rather than prescriptive policies.

Related Content:

• Surviving Alert Fatigue: 7 Tools and Techniques
• How to Think Like a Hacker
• Common Pitfalls of Security Monitoring
• 5 Disruptive Trends Transforming Cybersecurity

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/edge/theedge/turning-vision-to-reality-a-new-road-map-for-security-leadership/b/d-id/1336133?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

It’s an all-too-common problem for today’s security teams: Alerts stream from a range of tools (sometimes misconfigured) and flood operations centers, forcing analysts to analyze and prioritize which ones deserve attention. Suffice to say, major problems arise when critical alerts slip through the cracks and lead to a security incident.

“One of the biggest drivers of alert fatigue is the fact that people are unsure or unconfident about the configuration that they have or the assets they have,” says Dr. Richard Gold, head of security engineering at Digital Shadows. “What happens is you end up with a lot of alerts because people don’t understand the nature of the problem, and they don’t have time to.”

Dr. Anton Chuvakin, head of solution strategy at Chronicle Security, takes it a step further: Many businesses are overwhelmed by alerts because they have never needed to handle them.

“I think a lot of organizations, until very recently, still weren’t truly accepting of the fact they have to detect attacks and respond to incidents,” he explains. Now, those that never had a security operations center or security team are adopting threat detection and are underprepared.

The proliferation of security tools is also contributing to the alert fatigue challenge, Chuvakin notes. “Today we have a dramatically wider scope of where we are looking for threats,” he continues. “We have more stuff to monitor, and that leads alerts to increase as well.” The most obvious risk of alert overload, of course, is companies could miss the most damaging attacks.

Security staff tasked with processing an unmanageable number of alerts will ultimately suffer from burnout and poor morale, security experts agree. What’s more, overwhelmed employees may also be likely to simply shut off their tools.

It isn’t the technology’s fault, notes Chris Morales, head of security analytics at Vectra. “We don’t have a detection problem – we have a prioritization problem,” he explains. Any given person in a commercial security environment is tasked with multiple jobs: parsing data, writing scripts, knowing the ins and outs of cloud – and managing arrange of tech in their environment.

“The amount of data being pushed through corporate networks today is unlike anything we could have imagined 10 years ago,” says Richard Henderson, head of global threat intelligence at LastLine. Organizations are struggling, and the onslaught of alerts is putting them at risk.

Here, security experts share their thoughts on the drivers and effects of alert fatigue, as well as the tools and techniques businesses can use to mitigate the problem. Which strategies have you used to combat alert overload? Which are effective? Feel free to share in the Comments section, below.

(Image: VadimGuzhva – stock.adobe.com)

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/edge/theedge/surviving-security-alert-fatigue-7-tools-and-techniques/b/d-id/1336128?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bug bounty program provider Bugcrowd today added a new service in which selected white-hat hackers help root out an organization’s exposed and vulnerable network devices on the Internet.

The new Attack Surface Management (ASM) service also analyzes the risks these devices pose and provides remediation recommendations for the findings.

Mapping and amassing a full inventory of devices on a network sounds like an obvious practice, but most organizations struggle to get a handle on what’s living on their network — a problem exacerbated by the explosion of mobile and Internet of Things devices in the typical enterprise — and how attackers could abuse them if they’re vulnerable or misconfigured.

Casey Ellis, founder, chairman, and CTO of Bugcrowd, says ASM differs from traditional asset discovery tools in that it focuses on the Internet view of the devices rather than on an internal network view. “We’re at a point right now where pretty much everyone is part of the way in migration to the cloud, which means you can’t really find” everything, he notes. “We’re doing it for them.”

Bugcrowd, which launched in 2012 as a crowdsourcing model for finding vulnerabilities in software, offers bug bounty, vulnerability disclosure programs, and penetration testing. The company relies on vetted independent security researchers to discover security weaknesses.

“This [new ASM offering] doubles down that we’re not just focused on bug bounties and vulnerability disclosure. … There are more things we can do with the crowd. This cements us bringing this crowdsourced security approach” more widely, he notes.

ASM’s rollout comes on the heels of Metasploit creator and renowned security expert HD Moore’s recent rollout of his new IT asset discovery tool, Rumble Network Discovery, which detects an organization’s devices and their status on a network without requiring administrative access to reach them.

While Discovery maps out devices from the inside of an organization’s network, Bugcrowd’s ASM detects asset exposure on the public Internet. “The thing HD is solving first is the idea of an internal view of a corporate network, something [he’s] beginning to address from the inside-out. We’re taking it from the outside-in,” Ellis says.

ASM will essentially provide a benchmark of network assets and can be set to detect devices on a continuous basis, he says. New devices are often placed on the Internet outside the purview of the security team, he notes, and that makes it difficult to keep tabs on them.

Moore, founder and CEO of Critical Research Corp., says Bugcrowd’s new service should augment the bug bounty program as well. “Many bounty programs are limited by unrealistically small scopes because the folks running the program aren’t aware of how much stuff they have exposed to the Internet,” he says. “This should be a good thing for Bugcrowd, as it gives the crowd more things to look at, and great for their customers, as they get visibility into their overall exposure, and not just what they happen to know about.”

Moore notes that there are several other vendors currently monitoring the external attack surface, including Censys.io, Asset Note, Expanse.co, RiskRecon, and BitDiscovery. “In the case of Asset Note, the team started the company as the result of doing bug bounty work and realizing how big the gap was between perceived and actual exposure for most organizations,” he says. “Visibility is a big deal for security and it’s great to see another company making Internet-wide asset discovery part of their platform.”

Profiles and Context
Ellis notes that many organizations today merely consult DNS records for tracking any external weaknesses of their devices. But those lists only contain the systems they know about, he says.

Bugcrowd’s new asset discovery service stops short of exploiting any vulnerable devices it discovers, he says. It’s more about profiling the assets and providing context on how risky it is and what would happen if it were attacked.

ASM’s findings can be used in Bugcrowd’s bug bounty and penetration testing programs for more targeted testing, the company says.

Related Content:

• Crowdsourced vs. Traditional Pen Testing
• Higher Education: 15 Books to Help Cybersecurity Pros Be Better 
• Metasploit Creator HD Moore’s Latest Hack: IT Assets
• 10 Ways to Keep a Rogue RasPi From Wrecking Your Network

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/risk/bugcrowd-enters-the-it-asset-discovery-business/d/d-id/1336135?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

I’ve been fond of the idiom “too many cooks in the kitchen” for quite a while now. The Free Dictionary defines the idiom as “Too many people are trying to control, influence, or work on something, with the quality of the final product suffering as a result.” In some sense, this phrase goes hand in hand with another favorite of mine: “A camel is a horse designed by a committee.”

Those of us who are familiar with these sayings are aware of the lesson they aim to teach us. Sometimes, we need to lead. Other times, we need to follow. And still other times, we need to move out of the way of those already engaged in an activity. Knowing when which type of behavior is required is difficult. Here are five ways they apply to security:

Maturation rate: The goal of any security organization should be to continuously mature. For more mature security organizations, this means keeping pace with changing risks and threats and not being lulled into a sense of complacency. For those organizations that are less mature, it provides an opportunity to take a step back, thoroughly assess gaps in the organization’s security posture, and work to address those gaps. In both of these cases, leadership, informed from a variety of sources, needs to set a strategic direction. Responsibility for implementing the different elements of the strategy needs to be delegated to the management within the security organization, and individual team members need to be given clear direction regarding what to execute, along with the requisite resources.

This may sound straightforward, but, perhaps surprisingly, many organizations struggle with this. Lack of clear direction from leadership creates a cacophony of voices weighing in on and trying to affect strategy and vision. Lack of training, skills, or proficiency within the management ranks causes a failure to properly implement the strategy, leading various individual team members to attempt to take charge from the bottom up. Lack of guidance causes team members to overstep bounds or to perform redundant or overlapping activities. Any or all of these indicate that there are too many cooks in the kitchen, and this has the effect of slowing down the maturation rate.

Policy: Formal security policies are and have always been an important part of a mature security program. While setting and enforcing policies is important, so is drafting them properly. When drafting policies, it’s important to solicit and incorporate feedback from a variety of sources both inside and outside of the organization. Equally as important, however, is maintaining strong leadership throughout this process. While the feedback and guidance we receive from others is valuable, we cannot allow it to drive the process. That will only stall us — preventing us from progressing as we need to. Take input for what it is — data, not leadership.

Process: Setting up practical, efficient, and productive processes is one of the best ways a security organization can mature. As you might expect, this is easier said than done. While attaining the right processes is in itself a process, there are a few tips that can help make the journey smoother. When designing a process, it helps to have in mind the initial conditions, as well as the desired end state. It is also useful to gain executive, management, and stakeholder buy-in. Lastly, industry best practices, third-party guidance, and expert advice can also come in handy. When leveraged properly, all of these inputs can greatly improve processes. On the other hand, when the inputs begin to drive process, rather than the organization’s vision and strategy, the result is rarely the practical, efficient, and productive process we seek.

Technology: As time marches on, technology changes, often for the better. As such, it makes complete sense to consider new and improved technologies as they prove fit for our respective security programs. The trick with technology is to procure it to address process inefficiencies, programmatic gaps, regulatory requirements, and business needs. The chorus of voices suggesting every which technology under the sun can’t be allowed to drown out the matrixed operational needs of the security organization. Giving in to the noise can steer the security team off course and slow or even harm the maturity of the organization. There is a balance here between soliciting feedback around technology and managing technology procurement in line with the organization’s strategic direction.

Business: The job of the security organization is to reduce and mitigate risk in order to facilitate the business operating as securely as possible within the bounds of accepted risk. There will always be business functions that necessitate accepting a certain amount of risk. That being said, there are often creative ways to reduce and mitigate some or all of that risk without adversely affecting the business. The security organization needs to work with the business, but it also needs to be firm. It can’t be the Department of No, but it can’t be a pushover either. Walking this fine line means understanding, listening to input from, and accepting feedback from the business. It does not mean, however, allowing the business to take the wheel and steer security. A good security team helps the business help itself to operate more securely — soliciting input while adhering to its strategy, vision, goals, and priorities.

Related Content:

• 7 Stats That Show What It Takes to Run a Modern SOC
• Taking a Fresh Look at Security Ops: 10 Tips
• Security the Infinite Capacity to Rationalize

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Turning Vision to Reality: A New Road Map for Security Leadership.”

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for … View Full Bio

Article source: https://www.darkreading.com/operations/keeping-too-many-cooks-out-of-the-security-kitchen-/a/d-id/1336101?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security researchers have detected a leak in an Elasticsearch database belonging to Autoclerk, a reservations management system recently acquired by Best Western Hotels and Resorts Group.

The 179GB database was linked to multiple online travel and hospitality platforms. This leak exposed personal data and travel arrangements of thousands of hotel guests and members of the US government, military, and Department of Homeland Security (DHS), vpnMentor reports. A team led by Noam Roten and Ran Locar call it a “massive breach” of government security.

It was difficult to pinpoint the database’s owner due to the sheer amount of data exposed and number of external origin points, the team says in a writeup of their discovery. Autoclerk is a reservations system for hotels, accommodation providers, travel agencies, and other companies. It includes server- and cloud-based property management systems, an online booking engine, central reservations systems, and hotel property management systems. The database vpnMentor discovered was connected to several hotel and travel platforms mostly based in the US.

Much of the data came from these external property management systems, booking engines, and data services in the tourism and hospitality industries including HAPI Cloud, OpenTravel, myHMS, CleanMeNext, and Synxis. They used the database owner’s platform to interact.

This leak compromised travelers all over the world. Autoclerk’s database held hundreds of thousands of booking reservations, which contained data including full names, birth dates, home addresses, phone numbers, dates and costs of travel, and masked credit card details. Guests who had checked into a hotel had the check-in time and room number exposed.

One of the compromised platforms was a contractor for the US government, military, and DHS that manages travel for government and military personnel. The leak exposed personally identifiable information of employees and travel plans, including logs for US army generals going to Moscow, Tel Aviv, and other places, along with email addresses and phone numbers.

Read more details in vpnMentor’s post here.

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/autoclerk-database-spills-179gb-of-customer-us-government-data/d/d-id/1336143?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

NordVPN, a popular consumer VPN provider, has provided details on an intrusion that affected one of its 3,000 servers. According to the company, the March 2018 cyberattack did not expose any user credentials or history to outsiders.

In a NordVPN blog post, blog editor Daniel Markuson wrote that the breach was due to the actions of a third-party provider. He explained that the breach occurred in “…an insecure remote management system account that the datacenter had added without our knowledge. The datacenter deleted the user accounts that the intruder had exploited rather than notify us.” NordVPN has since terminated its contract with the provider.

NordVPN was not alone in being hit by the attack; VPN providers TorGuard and VikingVPN were also affected. All three have said that no user data or credentials were exposed by the events.

For more, read here and here.

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/nordvpn-breached-via-data-center-providers-error/d/d-id/1336144?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Amber Wolff, campaign specialist at McAfee, also contributed to this article.

The 20th century was uniquely fascinated with the idea of artificial intelligence (AI). From friendly and helpful humanoid machines — think Rosie the Robot maid or C-3PO — to monolithic and menacing machines like HAL 9000 and the infrastructure of the Matrix, AI was a standard fixture in science fiction. Today, as we’ve entered the AI era in earnest, it’s become clear that our visions of AI were far more fantasy than prophecy. But what we did get right was AI’s potential to revolutionize the world around us — in the service of both good actors and bad.

Artificial intelligence has revolutionized just about every industry in which it’s been adopted, including healthcare, the stock markets, and, increasingly, cybersecurity, where it’s being used to both supplement human labor and strengthen defenses. Because of recent developments in machine learning, the tedious work that was once done by humans — sifting through seemingly endless amounts of data looking for threat indicators and anomalies — can now be automated. Modern AI’s ability to “understand” threats, risks, and relationships gives it the ability to filter out a substantial amount of the noise burdening cybersecurity departments and surface only the indicators most likely to be legitimate.

The benefits of this are twofold: Threats no longer slip through the cracks because of fatigue or boredom, and cybersecurity professionals are freed to do more mission-critical tasks, such as remediation. AI can also be used to increase visibility across the network. It can scan for phishing by simulating clicks on email links and analyzing word choice and grammar. It can monitor network communications for attempted installation of malware, command and control communications, and the presence of suspicious packets. And it’s helped transform virus detection from a solely signature-based system — which was complicated by issues with reaction time, efficiency, and storage requirements — to the era of behavioral analysis, which can detect signatureless malware, zero-day exploits, and previously unidentified threats.

But while the possibilities with AI seem endless, the idea that they could eliminate the role of humans in cybersecurity departments is about as farfetched as the idea of a phalanx of Baymaxes replacing the country’s doctors. While the end goal of AI is to simulate human functions such as problem-solving, learning, planning, and intuition, there will always be things that AI cannot handle (yet), as well as things AI should not handle. The first category includes things like creativity, which cannot be effectively taught or programmed, and thus will require the guiding hand of a human. Expecting AI to effectively and reliably determine the context of an attack may also be an insurmountable ask, at least in the short term, as is the idea that AI could create new solutions to security problems. In other words, while AI can certainly add speed and accuracy to tasks traditionally handled by humans, it is very poor at expanding the scope of such tasks.

There are also the tasks that humans currently excel at that AI could potentially perform someday. But these tasks are ones that humans will always have a sizable edge in, or are things AI shouldn’t be trusted with. This list includes compliance, independently forming policy, analyzing risks, or responding to cyberattacks. These are areas where we will always need people to serve as a check on AI systems’ judgment, check its work, and help guide its training.

There’s another reason humans will always have a place in the SOC: to stay ahead of cybercriminals who have begun using AI for their own nefarious ends. Unfortunately, any AI technology that can be used to help can also be used to harm, and over time AI will be every bit as big a boon for cybercriminals as it is for legitimate businesses.

Brute-force attacks, once on the wane due to more sophisticated password requirements, have received a giant boost in the form of AI. The technology combines databases of previously leaked passwords with publicly available social media information. So instead of trying to guess every conceivable password starting with, say, 111111, only educated guesses are made, with a startling degree of success.

In a similar way, AI can be used for spearphishing attacks. Right now, spearphishing typically must be done manually, limiting its practicality. But with a combination of data gathering and machine learning technologies, social media and other public sources can be used to “teach” the AI to write in the style of someone the target trusts, making it much more likely that the target will perform an action that allows the attacker to access sensitive data or install malicious software. Because the amount of work required for spearphishing will drop significantly at the same time the potential for payoff skyrockets, we’ll no doubt see many more such attacks.

Perhaps the biggest threat, however, is that hackers will use their AI to turn cybersecurity teams’ AI against them. One way this can be done is by foiling existing machine learning models, a process that’s become known as “adversarial machine learning.” The “learning” part of machine learning refers to the ability of the system to observe patterns in data and make assumptions about what that data means. But by inserting false data into the system, the patterns that algorithms base their decisions on can be disrupted — convincing the target AI that malicious processes are meaningless everyday occurrences, and can be safely disregarded. Some of the processes and signals that bad actors place into AI-based systems have no effect on the system itself — they merely retrain the AI to see these actions as normal. Once that’s accomplished, those exact processes can be used to carry out an attack that has little chance of being caught.

Given all the ways AI can be used against us, it may be tempting for some to want to give up on AI altogether. But regardless of your feelings about it, there’s no going back. As cybercriminals develop more sophisticated and more dangerous ways to utilize AI, it’s become impossible for humans alone to keep up. The only solution, then, is to lean in, working to develop and deploy new advancements in AI before criminals do, while at the same time resisting the urge to become complacent. After all, the idea that there’s no rest for the wicked seems to apply double to cyberattackers, and even today’s most clever advancements are unlikely to stem tomorrow’s threats.

The future of cybersecurity will be fraught with threats we cannot even conceive of today. But with vigilance and hard work, the combination of man and machine can do what neither can do alone — form a complementary team capable of upholding order and fighting the forces of evil.

Maybe our AI isn’t so different from the movies, after all.

Related Content:

• 10 Steps to Assess SOC Maturity in SMBs
• AIOps: The State of Full Packet Capture Enters the Age of Practicality
• Overburdened SOC Analysts Shift Priorities

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Turning Vision to Reality: A New Road Map for Security Leadership.”

Dr. Celeste Fralick has nearly 40 years of data science, statistical, and architectural experience in eight different market segments. Currently, the chief data scientist and senior principal engineer for McAfee, Dr. Fralick has developed many AI models to detect ransomware … View Full Bio

Article source: https://www.darkreading.com/careers-and-people/the-ai-(r)evolution-why-humans-will-always-have-a-place-in-the-soc-/a/d-id/1336102?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple