Before launching into their Fireside Chat during the 2016 Chief Information Security Officer Leadership Forum held in Chicago on June 22, Kwong announced that he and Milroy would be talking about what works and what doesn't when it comes to information security.
Regarding insider threats, Kwong noted that there’s no concept of the trusted-actor threat. “We still need to build that, and this needs to be created for each organization based on its assets and risks. However, if you try to address insider threat using your own inside IS, you won’t succeed.”
User behavior analytics can help with insider threats, noted Kwong. These use near-real-time security monitoring built on a baseline of normalcy. “UBA brings in HR data. Combining the real threat that HR sees in the organization with your IS logs provides a lot of valuable data,” said Kwong. “UBA continues where SIEM left off,” he continued. “We felt SIEM would provide us with an additional 'something' beyond log management, but it didn’t quite come through."
“Here’s why you’re going to fail at all of this,” Milroy announced. “SIEM is crap. It’s only as good as what you put into it.” Milroy then explained that his role in this discussion was to present all the negatives, so he continued, “Another way failure happens is that context isn’t added. You don’t customize for your environment. When you fail, keep in mind that you’re going to do so against an advanced adversary. You won’t fail against a teenager with a bitcoin wallet. Baselining takes time, as in weeks and months. If your environment is constantly changing, your baseline is constantly changing.”
“Let’s talk about cloud security risk,” said Kwong. “Our business leaders are always asking us if our websites will be safe in the Cloud. Is the Cloud risky or does it contribute to risk mitigation? In thinking about cloud security, here are some points to consider: Cloud security providers have more money and staff than most companies. They have a vested interest in security as part of their business model. The public cloud is inherently a more secure platform because it was built from scratch and has no legacy technology, which is our biggest vulnerability. Physical location of your data is less important than the means of accessing it. Access control, access control, access control is where it’s at.”
Security in the Internet of Things is another challenge, said Kwong. “Gartner says there will be 26 billion devices by 2020. IoT is more than just the device. It’s the processes that underlie that device,” he emphasized.
Milroy noted how fails occur in IoT, beginning with the ease with which devices can be hacked, data leakage, and little control over patching.
Kwong pointed out that there’s been disappointment with data-loss prevention. “DLP is a process, not a technology. Business partner involvement is key, and it’s necessary to have a plan in place for data exposure. Tying DLP with UBA maximizes return, and context awareness is critical to success.”
Milroy added that DLP is about preventing inadvertent data loss, not theft of data. “This misunderstanding is the biggest fail with DLP.”
Kwong proposed that advanced persistent threats may be more “business as usual” than a game changer. “People don’t give up,” observed Kwong. “It’s only a matter of time until they get into your system. The cat-and-mouse game is trying all your windows, doors, and locks until a vulnerability is found.” The APT process comprises reconnaissance, incursion, discovery, capture, and exfiltration.
Kwong pointed out that the key to addressing APT is being aware of the warning signs—increased log-ins, especially at odd times; widespread, back-door Trojans; large, unexpected flows of data; unexpected data bundles (primed for export); and pass-the-hash attacks.
Defeating APT, said Kwong, involves using behavioral analysis/detection tools, sharing information within the security group, understanding the kill chain, looking for IoC, testing the network, and training people to be APT hunters.
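As an added illustration that is not part of the forum discussion or either speaker's material, the following Python script shows the "baseline of normalcy" idea behind UBA applied to two of the warning signs Kwong lists above: log-ins at odd times and large, unexpected data flows. All log lines are constructed, the record layout (timestamp, user, event, bytes out) and the thresholds are assumptions of this example, and the baseline is built per user, which is what Milroy's point about customizing for your environment means in practice: a 3 a.m. log-in is an anomaly for a day-shift user and routine for a night-shift one.

```python
"""Baseline-driven anomaly flags over constructed log records.

Added example, not from the talk. Record format (an assumption):
    "<ISO timestamp> <user> <LOGIN|TRANSFER> <bytes_out>"
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median


def build_baseline_log():
    """Constructed 'normal' window: 14 days for two users (not real data).
    alice keeps office hours; bob is on a night shift, so 03:00 is normal for him."""
    lines = []
    for day in range(1, 15):
        for hour in (8, 13):
            lines.append(f"2016-06-{day:02d}T{hour:02d}:05:00 alice LOGIN 0")
        lines.append(f"2016-06-{day:02d}T10:30:00 alice TRANSFER {50000 + day * 1000}")
        for hour in (22, 3):
            lines.append(f"2016-06-{day:02d}T{hour:02d}:15:00 bob LOGIN 0")
        lines.append(f"2016-06-{day:02d}T23:40:00 bob TRANSFER {20000 + day * 500}")
    return lines


def parse(line):
    ts, user, event, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "bytes": int(nbytes)}


def build_baseline(lines):
    """Per-user profile: hours at which log-ins occur, mean log-ins per day,
    and the median outbound transfer size. Takes weeks of data to be meaningful."""
    seen = defaultdict(lambda: {"hours": set(),
                                "logins_per_day": defaultdict(int),
                                "transfers": []})
    for rec in map(parse, lines):
        u = seen[rec["user"]]
        if rec["event"] == "LOGIN":
            u["hours"].add(rec["ts"].hour)
            u["logins_per_day"][rec["ts"].date()] += 1
        elif rec["event"] == "TRANSFER":
            u["transfers"].append(rec["bytes"])
    baseline = {}
    for user, u in seen.items():
        baseline[user] = {
            "hours": u["hours"],
            "mean_logins_per_day": mean(u["logins_per_day"].values())
            if u["logins_per_day"] else 0,
            "median_transfer": median(u["transfers"]) if u["transfers"] else 0,
        }
    return baseline


def score_event(baseline, line, volume_factor=5):
    """Return the warning-sign flags a single new record triggers."""
    rec = parse(line)
    profile = baseline.get(rec["user"])
    if profile is None:
        return ["no baseline for user"]          # unknown actor: investigate, not ignore
    flags = []
    if rec["event"] == "LOGIN" and rec["ts"].hour not in profile["hours"]:
        flags.append("login at hour outside baseline")
    if (rec["event"] == "TRANSFER" and profile["median_transfer"]
            and rec["bytes"] > volume_factor * profile["median_transfer"]):
        flags.append("outbound volume above baseline")
    return flags


def daily_login_spikes(baseline, lines, factor=3):
    """Flag (user, day) pairs whose log-in count exceeds factor x the baseline mean.
    A user with no baseline has an expected count of 0, so any log-in is flagged."""
    counts = defaultdict(int)
    for rec in map(parse, lines):
        if rec["event"] == "LOGIN":
            counts[(rec["user"], rec["ts"].date())] += 1
    spikes = {}
    for (user, day), n in counts.items():
        expected = baseline.get(user, {}).get("mean_logins_per_day", 0)
        if n > factor * expected:
            spikes[(user, str(day))] = n
    return spikes


if __name__ == "__main__":
    base = build_baseline(build_baseline_log())
    for line in ("2016-06-20T03:10:00 alice LOGIN 0",
                 "2016-06-20T03:10:00 bob LOGIN 0",
                 "2016-06-20T11:00:00 alice TRANSFER 400000"):
        print(line, "->", score_event(base, line))
```

Note that the transfer check uses a multiple of the median rather than of the mean so that one earlier large transfer does not silently raise the threshold, and that the baseline must be rebuilt as the environment changes, which is exactly the caveat Milroy raises about constantly changing environments.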
At the end of the discussion, Milroy announced the main takeaway: “The biggest fail of all in security is not sufficiently training people.”
ABOUT FRED KWONG:
Dr. Fred Kwong has been in the information technology field for the past 15 years, working in the education, financial, telecommunication, and insurance sectors. Fred currently works at Delta Dental Plan Associates, where he serves as the Chief Information Security Officer. In this role, Fred acts as a thought leader for the Delta Dental member organizations and focuses on driving risk-based security within the organization.
Before joining Delta Dental Plan Associates, Fred’s work included the creation of security and privacy policies, standards, and procedures. He helped build risk-based security programs and has driven security strategy within organizations.
With an extensive background in IT technologies, Fred continues to challenge the status quo by providing guidance in security and network architecture, creating holistic designs that align with today's threat vectors for organizations. Fred has a passion for combining IT skills with organization development values. His broad range of IT skills has allowed him to view IT from many different paradigms and present them to the business partners in an easy-to-understand language.
Fred serves as an adjunct professor at Benedictine University and Roosevelt University, teaching courses in international business, organization behavior, project management, and information systems. He holds a Ph.D. from Benedictine University and earned his master’s degree in business administration from Roosevelt University.
Fred is a Certified Project Management Professional (PMP), a Certified Information Systems Manager (CISM), a Certified Information Systems Auditor (CISA), a Certified Information Systems Security Professional (CISSP), and a PCI Professional (PCIP).
ABOUT DEREK MILROY:
Derek Milroy is a corporate security professional who has been implementing strategy and solutions in various environments, both as an internal employee and as a consultant, for the past ten-plus years. He is currently a Security Architect focusing on ensuring that all solutions provided by his team have the proper process in place and are regularly reviewed and optimized. His main areas of focus include Windows Hardening, Vulnerability Management (including Emerging Threat/Vulnerability Research and Analysis), Log Management/SIEM, and Incident Response. Secondary areas of responsibility include Intrusion Detection and Prevention, Web Application Firewall, File Integrity Monitoring, and Data Loss Prevention. Derek is also a recovering QSA and has experience performing FISMA and ISO assessments.