Showing posts with label Cisco AMP for Endpoints. Show all posts

Tuesday 6 July 2021

Should the CISO Report to the CIO?


The Chief Information Security Officer (CISO) is the organization’s senior executive in charge of the cybersecurity and the information technology risk management posture of the enterprise. He or she is a seasoned executive who must be equally adept at leading the myriad technology functions associated with protecting the enterprise’s information and data from misuse and compromise, as well as at managing the deeper business aspects of the role, such as hiring, developing, and retaining qualified and competent personnel; orchestrating Governance, Risk, and Compliance (GRC) requirements and mandates; incorporating a risk-conscious and security-aware culture in an enterprise; and preparing and defending the budget associated with protecting the enterprise’s computing infrastructure from harm.

In many organizations, and in the U.S. federal government in particular, the CISO reports to the Chief Information Officer (CIO). Much has been written over the years about the feasibility of this organizational construct. Lately, some very progressive organizations in the Fortune 500 and the Global 1000 have elevated the CISO to a reporting relationship under, variously, the Chief Risk Officer, the Chief Security Officer, the Chief Financial Officer, the General Counsel, or even the Chief Executive Officer. Where the CISO belongs organizationally in any enterprise is largely a function of the roles and responsibilities of the CISO and the manner in which those roles and responsibilities cleave into the operations and mission of the enterprise.

The role of the CISO

For the sake of simplicity, the CIO is responsible for the information technology spectrum of “power, ping and pipe,” and the CISO is responsible for the cybersecurity spectrum of “identify, protect, detect, respond, and recover.” The two responsibilities are inter-related, and in most cases are complementary, but the question boils down to which set of responsibilities should have primacy over the other, or are they co-equal? Added to this analysis is the general CIO and information technology emphasis on the “3 Fs” of features, functionality, and fast, which are anathema to cybersecurity in general. A growing consensus among information technology and C-level executives is that the CISO’s priorities should not be subsumed under the CIO’s priorities.

Viewed another way, having the CISO report to the CIO relegates cybersecurity to an IT security, or technology, function. However, if the CISO reports higher up the chain of command and has a seat at the C-level table, then cybersecurity is solidly embedded into the overall risk management of the enterprise.

Perhaps an examination of how the U.S. federal government approaches the organizational situation can provide additional perspective. The Federal Information Security Modernization Act (FISMA) of 2014, which replaced the Federal Information Security Management Act of 2002, is a federal law that requires federal agencies to develop, document, and implement an agency-wide program to provide information security for the information technology and systems that support the agency’s mission. FISMA designates departmental and agency CIOs as the primary officials responsible for their organizations’ IT security. Among the CIOs’ duties under FISMA is designating a senior agency information security officer. Therefore, an act of law determines the organizational placement of the CISO under the CIO in the federal government.

Let’s acknowledge a counterargument right there: if federal law were to unshackle the CISO from the CIO’s chain of command, would information security across the federal government be appreciably improved? Could it possibly be any worse than it is now?


Perhaps Congress concluded that no CISO should be allowed to give his or her unvarnished opinion of the true cybersecurity and risk management posture of the agency’s enterprise as long as the top official responsible for IT does not wish that opinion to be disclosed. Under the current structure, the CIO is free to raid the cybersecurity budget to fund any other priority, or the CIO may feel inclined to overlook a powerful peer’s security deficiencies, or the CIO may disregard security recommendations that interfere with ‘really neat’ functionality. By placing the CIO in a position of superiority over the CISO in federal agencies, the CISO is marching to the CIO’s orders and working off the CIO’s list of priorities, not to mention attempting to receive his or her performance bonus that the CIO must approve. If that’s the situation that FISMA intended, then Congress should simply have given the security job, and the corresponding accountability, to the CIO.

Risk management and the CISO

Back to the commercial world, where there is no legislative mandate, and to the original question about where the CISO should be organizationally positioned. It depends. It depends on many factors, not the least of which is the enterprise’s perspective on risk management. If overall risk management – including financial, programmatic, human, facilities, and information technology – is embedded into the very soul and culture of the organization, with risk appetite and risk tolerance decisions continuously on the radar of the senior executives and the board of directors, then the CISO cannot realistically be buried under the CIO. If, on the other hand, the organization views information technology as its lifeblood and considers the protection of those information technology resources to be the totality of its cybersecurity obligations to its stakeholders, then the CIO should have the CISO within his or her span of control. There is no one-size-fits-all answer, although the prevailing trend is to unshackle the CISO from the CIO.

In the end, it boils down to how an organization approaches its risk management diligence. In most cases where organizations place the CISO in a subordinate role to the CIO, the result is over-leveraging towards cost management as opposed to risk management. In those organizations where the CISO is elevated to a C-level position at least co-equal with the CIO, then risk is more likely to be embedded in the culture of the organization.

Source: cisco.com

Monday 29 March 2021

2021 Security Outcomes Study: Timely Incident Response as a Business Enabler


Cybersecurity has a set of starting signals as well, but they differ in one aspect. In the event of a cybersecurity event, the team responsible for incident response is not the initial actor. Incident response is based on the same readiness as a world-class performer; however, incident responders only start (metaphorically) after the rest of the horses have left the gate. Absent the catalyst, an active responder would be entirely out of place. This makes the cybersecurity professional the second player in a nail-biting competition.

Cybersecurity as a first responder

One could posit that a cybersecurity incident responder is no different than any other first responder, such as a law-enforcement officer, or a firefighter. This is true, but only in a limited sense. As with all things in the virtual realm, the unseen can be much harder to respond to than a physical event. For example, a firefighter has a much easier time locating a fire than a security analyst has of locating the source of a breach. Indicators of compromise can sometimes be quite ephemeral.

Similar to other first responders, a cybersecurity incident responder must be ready at all times to jump into action at the earliest sign of a problem. The key to a successful, versus a failed incident response, is timeliness.

Timely incident response as a business enabler

Cisco’s Security Outcomes Study addresses the topic of timely incident response. In interviews with 4,800 security professionals, timely incident response emerged as a clear gauge not only of security success but also of business enablement. In fact, timely incident response ranked higher than vulnerability remediation deadlines.


The report emphasizes this finding by stating succinctly:

It may seem odd at first to see incident response (IR) listed as a top business enabler. But IR isn’t just about putting out fires and cleaning up the mess. It’s ultimately about handling unexpected events with minimal impact to the business.

If you work in an environment where everything comes to a halt at the announcement of a vulnerability, and the subsequent deployment of the corrective patch, this finding is transformative. It contemplates the idea that disrupting the business operations to apply patches should perhaps take a secondary role to the ability to respond to an active exploit. This is important, as security is often seen as something that hinders the flow of business, rather than an enabling force. However, incident response, and specifically timely incident response, does not just become a new title that can be slapped onto the front door of the Security Operations Center. Incident response is a discipline, with specific phases, and approaches.

The six stages of incident response


In incident response parlance, there are six classic stages: prepare, identify, contain, eradicate, recover, and lessons learned. (It is fair to note that there are variations on this, but the general rules are all aligned along the same track.)

Which phase would you consider the most important? Consolidation to the most important is probably not the point, as that logic creates a whirlpool of conflicting interests that may be distracting towards the full goal. For instance, while preparation is a primary concern, one can never prepare for everything. The identification phase includes scoping, which is often not performed to the fullest extent that it should be, which introduces quite a number of problems, and the intentions are never realized. This becomes an exercise in circular logic, which is merely a time waster.

When you consider why a musical or athletic performance is so transfixing, or why we all stop to watch first responders in action, it may be because we are mesmerized by the effortlessness with which these people carry out their tasks. That is the result of constant training. The most important part of incident response is reducing the dwell time of attackers through early detection, and that, like every other aspect of the kill chain, comes through practice.

Incident response is part of a complete security strategy


Timely incident response as a business enabler is surprising, and even more telling is that, among the respondents of the Security Outcomes Study, incident response also ranked highly on the list of components that contribute to a host of other progressive security initiatives, including:

◉ Overall security program success
◉ Creating a strong security culture
◉ Managing top risks
◉ Regulatory compliance
◉ Security cost-effectiveness

Security, and all of IT, is often considered a cost center, meaning that it does not generate revenue. However, if we look at cybersecurity as a cost-avoidance strategy, timely incident response takes on an entirely new level of importance. One of the best metrics to demonstrate that money is well spent in an organization is the reduction of wasted effort. The Security Outcomes Study indicates that there is a high correlation between a successful security program, measured by minimized wasted effort, and timely incident response.


Security readiness is achieved through planning, practice, and continuous improvement. One of the newest components of a solid security program is incident response. It is important to note that disaster recovery is part of a response effort. However, as threats advance, incident response is rising as a leader towards a more complete security strategy.

Sadly, not all organizations are fully invested in the idea of the value of incident response. Nearly 40% of our interviewees designated that their organization did not embrace the importance of timely incident response. Given the other indicators in the report, we can only hope that this trend diminishes over time.


Incident response is not an easy task to accomplish. Imagine if you were able to reduce incident response time by up to 85% with a coordinated defense to fully expose, contain, and resolve threats and vulnerabilities. Cisco Secure Endpoint simplifies investigation, allowing you to get to the root cause of the incident fast and accelerating remediation.

What’s more, the threat response feature of Cisco SecureX leverages an integrated security architecture that automates integrations across Cisco Security products to simplify threat investigations and responses. This saves you time and effort by speeding up investigations significantly and allowing you to take corrective action immediately.

Source: cisco.com

Saturday 14 March 2020

How to Defend Against Command-and-Control attacks: Don’t let your network turn into a Zombie

Your network is increasingly targeted by cybercriminals. One of the most clever and damaging ways they strike is through command-and-control attacks – a technique often executed over DNS. A command-and-control (also referred to as C&C or C2) server is an endpoint compromised and controlled by an attacker. Devices on your network can be commandeered by a cybercriminal to become a command center or part of a botnet (a term coined by combining the words “robot” and “network”) with the intention of obtaining full network control. Establishing C&C communications via a Trojan horse is an important step for attackers to move laterally inside your network, infecting machines with the intent to exfiltrate data.

Going After the Command-and-Control Servers


What does your new investigation workflow look like? Today we take a closer look at how a C&C server attack can gain a foothold into your network, and how Cisco can identify, detect and block this type of threat using an integrated approach to security.

Imagine a security analyst whose enterprise has invested in network traffic analysis. Let’s call him Sam. He works for a large financial services organization with over 10,000 employees and more than 80,000 user accounts. It’s 6:00 PM on a Friday evening and Sam is getting ready to catch the latest zombie apocalypse movie with his buddies. A notification pops up on his Cisco Umbrella console telling him that Umbrella has blocked malware from communicating with a C&C channel.

Sam investigates this threat using the Cisco Security


Sam is tired. He spends copious amounts of time running down rabbit holes every time his SIEM registers an alert as suspicious. He is ready for a faster, more effective way to block threats and protect his environment. He is excited to see if Cisco Umbrella, a secure internet gateway, will make his life easier. Cisco Umbrella offers both real-time threat intelligence and the capability to mitigate attacks across an organization in a split second. It acts as the first line of defense against internet-borne threats like C&C communications attempting to exfiltrate data. Sam knows a DNS block in Umbrella can simply be a symptom of persistent malware on the endpoints. He investigates further.

Sam identifies the malicious domain that is the epicenter of the C&C activity using Umbrella. Umbrella automatically proxies, decrypts, and inspects all subsequent requests with AMP for Endpoints to make a determination about the threat. Sam can also choose to block newly seen domains outright on the console. While Sam knows that not all newly seen domains are bad, he knows this could be part of an emerging malware campaign or associated with another threat. In this case, Sam sees that Umbrella is working and has successfully blocked the threat.
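The newly-seen-domain check Sam applies above, written out as an added example (this is not Cisco’s or Umbrella’s code): it reads a constructed resolver log in a made-up whitespace-separated format, flags domains absent from a constructed baseline, lists which internal hosts queried them and how often the resolver blocked them, and scores the regularity of one host’s query intervals as a hint of a timed C2 check-in. All domains and IP addresses are constructed placeholders.

```python
"""Triage newly-seen DNS domains (added example with constructed data; not Umbrella's log format)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log: timestamp, client IP, queried name, resolver action.
# ".test" is a reserved placeholder TLD; no real infrastructure is referenced.
SAMPLE_LOG = """\
2020-03-13T17:55:02Z 10.1.4.23 www.example.com allowed
2020-03-13T17:55:09Z 10.1.4.23 mail.example.com allowed
2020-03-13T17:56:40Z 10.1.7.88 cdn.example.net allowed
2020-03-13T17:58:12Z 10.1.4.23 update-svc.example-attacker.test blocked
2020-03-13T17:59:13Z 10.1.4.23 update-svc.example-attacker.test blocked
2020-03-13T18:00:14Z 10.1.4.23 update-svc.example-attacker.test blocked
2020-03-13T18:01:15Z 10.1.4.23 update-svc.example-attacker.test blocked
2020-03-13T18:02:30Z 10.1.9.5 www.example.com allowed
2020-03-13T18:03:05Z 10.1.9.5 update-svc.example-attacker.test blocked
"""
# Constructed baseline: names the organisation resolved during a prior observation window.
BASELINE = {"www.example.com", "mail.example.com", "cdn.example.net"}


@dataclass
class DnsEvent:
    ts: datetime
    client: str
    domain: str
    action: str


def parse_dns_log(text: str) -> list:
    """Parse the constructed whitespace-separated format into DnsEvent records."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, domain, action = line.split()
            events.append(DnsEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                   client, domain.lower().rstrip("."), action))
    return events


def newly_seen_domains(events: list, baseline: set) -> dict:
    """Domains absent from the baseline -> first sighting, querying clients, query/block counts."""
    out = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.domain in baseline:
            continue
        rec = out.setdefault(ev.domain, {"first_seen": ev.ts, "clients": set(),
                                         "queries": 0, "blocked": 0})
        rec["clients"].add(ev.client)
        rec["queries"] += 1
        rec["blocked"] += int(ev.action == "blocked")
    return out


def beacon_regularity(events: list, client: str, domain: str):
    """Coefficient of variation of the gaps between one client's queries for one domain.
    Near 0 means a fixed-interval pattern (a check-in timer); None if fewer than 3 queries."""
    times = sorted(e.ts for e in events if e.client == client and e.domain == domain)
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return None if avg == 0 else pstdev(gaps) / avg


def triage(log_text: str, baseline: set, cv_threshold: float = 0.2) -> list:
    """One finding per (newly seen domain, internal client), so responders know where to look first."""
    events = parse_dns_log(log_text)
    findings = []
    for domain, rec in newly_seen_domains(events, baseline).items():
        for client in sorted(rec["clients"]):
            own = [e for e in events if e.client == client and e.domain == domain]
            cv = beacon_regularity(events, client, domain)
            findings.append({"domain": domain, "client": client, "queries": len(own),
                             "blocked": sum(e.action == "blocked" for e in own),
                             "beacon_cv": cv,
                             "likely_beacon": cv is not None and cv <= cv_threshold})
    return findings
```

On the sample data, `triage(SAMPLE_LOG, BASELINE)` reports the one unseen domain twice: the host that queried it four times at a steady 61-second interval is marked as a likely beacon, while the host with a single query is listed only as a second internal target worth checking.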


Figure1: Identify the C&C Domain in Umbrella

But Sam is curious. He wants to know more. Sam decides to analyze the malicious code and try to identify samples in Threat Grid, Cisco’s dynamic file analysis solution, that referenced this domain. Umbrella Investigate shows him samples in Threat Grid that referenced this domain. He drills down deeper.


Figure 2: Sightings in Threat Grid that referenced this domain

Using the Threat Grid console, Sam quickly realizes the file is malicious. He sees two internal targets that can be potentially compromised with this attack. If successful, this infected server could connect to another server, ready to receive commands and do the botnet owner’s bidding by compromising systems and exfiltrating your data.


Figure 3: The Aha! moment: The Malicious Verdict

Sam is close to the Aha moment! He drills down to understand the behavioral indicators in Threat Grid. He gets every scrap of detail about this threat artifact. And sure enough, there’s our C&C connection. Victory!


Figure 4: Discovery: There’s our C&C connection.

But Sam wants more. Threat Grid also shows him the internal target that might need further analysis. It analyzes the files and suspicious behavior across his environment to deliver context-rich malware analytics and threat intelligence. Now that he is armed with insights into what the file is doing, he is ready to explore how this threat has impacted the network. Sam kick-starts a threat investigation for the observed internal targets in Cisco Threat Response using the Browser Plugin. The Plugin enables Sam to research any observable (e.g. domain, IP address, file hash, URL, etc.) on any HTML-based webpage in Chrome. Interested in what Sam is doing?

Sam now knows which systems inside our network have seen the malicious file. This information is provided by AMP for Endpoints, our cloud-delivered endpoint protection, detection and response solution, which helps you simplify these investigations with broader context from endpoint, web, email, and network data.


Figure 5: The Pivot to Threat Response


Figure 6: Getting the Full Picture – the Relations Graph in Threat Response

Upon investigation, Sam confirms that the malware is already correctly identified and blocked. With Cisco Threat Response, Sam can now achieve faster detections, simpler investigations, and immediate responses.


Figure 7: Malware Identified and Blocked

For all the Sams of the world, this analysis can be at your fingertips too. With Threat Grid, you can easily construct a query using the Orbital Advanced Search feature, a new advanced capability in Cisco AMP for Endpoints, based on the behavior observed when the sample executed. This feature accelerates your hunt for threats and enables you to shrink the lifecycle of an incident, mitigating further damage and cost of the breach to your business.


Figure 8: Orbital Advanced Search Query in Threat Grid

This Orbital query enables you to gain deeper visibility so you may discern whether this is an isolated incident in your network, or there are other devices that may have seen this in your network. Additionally, Threat Grid can shine a light on other techniques like code injection that attackers might be using based on key behavioral indicators of malware. Security teams can save time by quickly prioritizing attacks with the biggest potential impact. In our investigation, we have discovered important details about this attack, as well as the malicious, forged documents that the attackers are using.


Figure 9: Orbital Query, Figure 10: Potential Code Injection Detected

Cisco Advanced Malware Protection (AMP) for Endpoints Prevents Fileless Attacks


AMP for Endpoints’ Exploit Prevention engine prevents all variants of fileless malware without needing any prior knowledge of the attacks. There are thousands of threats attempting to embed malicious code that can take over your workflows. Sam makes sure that the Exploit Prevention engine is enabled in AMP to catch any such activity.

Sounds too good to be true. No way?


Figure 11: File is quarantined

AMP’s Exploit Prevention Engine remaps the runtime environment and its components (such as libraries and DLL entry and exit points) and places a decoy or facade of these resources in their original locations. It then lets only legitimate applications know their newly randomized address spaces. The end result is that legitimate processes continue to run seamlessly without experiencing any performance penalty, but anything else that attempts to execute in memory can’t find its target and therefore cannot execute. Exploit Prevention’s remapping of the runtime environment deterministically protects you against all variants of in-memory attacks, whether they are pre-existing or undiscovered zero-days. With that done, Sam is on his way to the movies.

Cisco’s Security Platform


Can you imagine flying an Airbus A380 without an air traffic controller? Cisco’s vision for a security platform is built from a simple idea: security solutions should act as a team, learning from each other, listening and responding as a coordinated unit. Our platform, Cisco SecureX, connects the breadth of Cisco’s integrated security portfolio and your entire security infrastructure for a consistent experience that unifies visibility, enables automation, and strengthens your security across your network, endpoints, cloud, and applications.

Try AMP for Endpoint


You could test out AMP for Endpoints and decide whether it’s right for you in under an hour. Don’t let C&C servers sit dormant in your environment and turn your computers into someone else’s malicious botnet!

Wednesday 23 May 2018

The Importance of an Information Security Strategy in Mergers and Acquisitions


Organizations have many options when it comes to growing. Many grow by hiring additional staff when it comes time to expand. Others grow through mergers and acquisitions with related companies, or companies that represent an entryway into a desired new vertical or territory. Organizations that engage in M&A should include an information security strategy as part of the process.

Headlines in 2018 include several data breaches where the acquired company led to an incident for the acquirer. A large travel site reported a data breach of information on 880,000 payment cards in March of 2018. The attack was believed to have compromised systems months earlier. The investigation determined that the incident was potentially linked to legacy IT systems from an acquired company. Failure to update or integrate these systems left the parent company potentially vulnerable.

A Baltimore-based apparel manufacturer reported a data breach affecting customers who leverage the company’s sports tracking app. 150 million customer records associated with the app were compromised. The app creator was acquired by the parent company in 2015. Compromised data includes usernames, passwords and email addresses.

Companies with an acquisition strategy need to include information security in the M&A process. Many security tools can be leveraged to provide visibility into an organization’s network, users and information. These visibility tools should be used to determine the accessibility of information to both appropriate personnel and unauthorized parties. Understanding the vulnerabilities, network segmentation, access to assets and information, and asset lifecycle management are important negotiation metrics.

The acquiring company should be able to run visibility or vulnerability assessments of the target company as part of the negotiation. Vulnerability scanners help gather risk data. NetFlow and network traffic metadata tools provide visibility into the scope and nature of an organization’s traffic. This can help an organization identify and inventory assets. Visibility into web traffic, DNS queries, and applications in use all contribute to a view of an organization.

Vulnerable software report from AMP for Endpoints

These tools can help to establish where the target company is in terms of risk mitigation and security posture. They can tell the acquiring company how many man-hours will be needed to get the target company to the appropriate level of risk. An intelligent organization’s leadership understands that security is essential to all parts of the network. Proactive planning for growth and development must also be part of that security strategy.

Incident Response teams often use security tools to provide visibility into an organization following a data breach. These same tools can provide visibility into a target company’s information systems and networks. Use of these tools in advance of an acquisition can provide insight into the projects, security awareness training and even culture change necessary to understand the role of security in modern IT. Implementation of non-disclosure agreements can protect both the acquiring company and the target from leaks due to any gaps in the organization’s security posture.

Legacy systems have led to organizations appearing in the headlines. The brand damage, class action lawsuit payouts, data breach notifications and payment for services such as identity theft are all avoidable. Introducing and executing on a strong information security strategy as part of the M&A process is one way for organizations to minimize risk exposure and to understand the challenges and steps to achieving their desired security posture.

Leaders in organizations are accountable for the risk and exposure of users, information and networks. Visibility into these facets of an organization is key to ongoing security and to informed expansion, including mergers and acquisitions. The call to action for these organizational leaders focuses on that visibility. Research visibility, traffic profiling, application discovery and vulnerability tools. Speak with the organization’s trusted advisors, both internal and external, about the tools available and their recommendations. Regularly speak with the organization’s business leaders about emerging markets and potential mergers. Create and maintain an open dialogue about the potential risks and exposures that come with M&A. Many business leaders understand the importance of security in day-to-day operations. Including potential future business expansion in that conversation will help to craft a strategic information security policy.

Friday 9 February 2018

Better design for simpler, more effective security

Few will contest the notion that security is complex.

Evolving threats. Clever, motivated attackers. And all too often, the vendor-inflicted complexity of managing security from the mismatched consoles of dozens of vendors.

In this case, not only must users jump between consoles, but the actions that become familiar in one console are not at all helpful or relevant in another. Each new console amounts to a new security management process – adding to the overall complexity.