In a transformation where the digital world is taking over the physical world, almost every entity is going through some degree of digitization. In doing so, companies need to have resilient security measures in place to embrace new technologies that advance their business, without sacrificing the security and credibility of their services. CSO Managing Editor Ryan Francis recently spoke with Anthony Grieco, senior director and trust strategy officer at Cisco’s Security and Trust Organization, about how organizations can securely incorporate new technologies as they embrace digitally enabled business models.
What technologies are being enabled (e.g., IoT, cloud, etc.)?
All technologies are being digitized. It’s bringing profound changes for businesses and countries. Massive quantities of data are being generated at a staggering pace, and an incredible number of devices are being added every day. We’re dealing with more complexity as well. Connected devices are creating 277 times more data than people are creating. There will be tremendous opportunities with this massive digital transformation. There also will be challenges that didn’t exist two decades ago – security being primary.
How should they be correctly integrated?
In this new digital era, data is one of the most critical assets that any organization has, and we need to start thinking of it relative to its importance to our future. As technology connects everything, the amount of data generated is growing exponentially – and it’s only going to increase. With the growth of digitization, professional attackers are also seeing the monetary opportunity to exploit the digital expansion.
As we think about this new world, and the interwoven systems that are being created, a new level of trust is required. We must trust the systems that manage and process the data, the people and partners who access the data, the systems and controls and the fundamental technologies and processes that protect the data. Cybersecurity is essential to digital success. Companies and countries will be enabled by technology, and they’ll need to embed security in everything.
What have been the issues in the past in doing so?
The sophistication of the technology and tactics used by online criminals – and their nonstop attempts to breach network security and steal data – have outstripped the ability of IT and security professionals to address threats. Organizations face the issue of lack of talent, which means that more and more of them need to outsource their security services to managed security providers.
According to Cisco’s 2016 Annual Security Report (ASR), businesses are struggling to keep pace with the rapid advancements of cyber attackers. Only 45 percent of businesses reported that they are confident in their ability to determine the scope of an attack and remediate the damage. In 2014, 64 percent said their security infrastructure was up to date and constantly upgraded; in 2015, that number decreased to 59 percent.
There are several reasons for this problem. First is the increasing complexity of the security landscape – a typical enterprise has 30 to 40 different security vendor products in its network. Second is the changing nature of cyber-attacks. Attacks are being generated not just by individual hackers, but by well-funded organizations (rogue groups as well as government-backed). The commercialization of hacking is resulting in exploits that are more frequent, better financed, more sophisticated and more damaging.
Third is the Internet of Things. While IoT has created a wealth of new opportunities, with more and new device types connecting to the extended network, it’s also given cyber criminals new and unforeseen ways to gain access to systems and information. Lastly, there is a need to protect all aspects of IT - not just addressing how we engineer the network infrastructure, but also being able to monitor, identify, isolate and proactively mitigate threats.
Is it a shadow IT thing?
Shadow IT and technology shifts like mobility and BYOD are the new normal and have resulted in more points of access for malware, resulting in a larger attack surface. Organizations need to view this concept in a much broader sense, including the products and services they are deploying in the market. Once a product or service deploys, it is difficult to know exactly how it is being used – this can create shadow technology and potentially increase threats.
In order to be more effective against the broad range of security threats, the industry must focus on foundational security being present in critical systems. For example, products and services are designed and built with trustworthy technology and processes such as a secure development lifecycle. Secure capabilities are built in so you can verify the integrity of your software and hardware. Policies and processes ensure the value chain ecosystem is secure from design, development, sourcing, build, operation and end of life.
By ensuring that trustworthiness is built into the technology, processes and policies involved in your IT systems, you can reduce risk and the attack surface while enabling more effective overall security.
What are the biggest security threats facing enterprises?
The threat landscape is growing and changing quickly. As businesses transform into digital organizations, the threat landscape can change dramatically. For example, as companies gather, analyze and transmit massive amounts of IoT data, their risk exposure spreads across new devices, sensors, networks and other vectors. The technology is evolving so quickly that these devices can have multiple vulnerabilities. Likewise, the rapid integration of cloud computing and mobile computing solutions creates new challenges as the valuable data and services depend on a broader ecosystem of providers, devices and technology.
Finally, technology use is moving out of the enterprise “back office” and into every aspect of the products and services enterprises offer. This increased dependency creates a larger surface for destructive attacks that look to destroy the enterprise as a primary goal. Enterprises must worry about their resilience in the face of cyber-attack. How quickly can they identify, contain, remediate and return to operations when impacted by an attack?
What is the best way to relieve those threats?
The inevitability of cyber-attacks, coupled with the continuing growth in criminal sophistication, pushes organizations toward cyber resilience. Cyber resilience is the ability to prepare for and adapt to changing threat conditions while withstanding and rapidly recovering from attacks to infrastructure availability. It provides context for implementing a risk-management strategy. Cyber resilience measures can help them powerfully resist, react to, and recover from potentially catastrophic cybersecurity events within a well-defined and well-deployed risk management plan.
What security measures need to be in place to embrace new technologies?
The very networks and technological advances that organizations depend on for their businesses to run efficiently expose them to attacks. That is why organizations are exploring a shift from merely focusing on cybersecurity controls—which protect computers, networks, programs and data—to cyber resilient architectures to protect their organizations and products. If an attack penetrates a cyber-resilient system within an organization, that system is able to continue to conduct mission-critical processing in a manner that preserves the confidentiality, integrity and availability of the data.
In other words, the compromised system will resist failure, and if the attack forces the system to fail, it will fail gracefully. With visibility across the network, the system can sense if it has been compromised and respond quickly. A compromised system that fails can recover to an operational state.
What are the best ways to best protect their assets and remain resilient in any environment?
A complete digital transformation requires a road map – not only of the technical investments that will advance business performance, but of the tools, policies and processes that will protect your investments. These capabilities will not entirely eliminate cyber risk; but they create awareness of the risks and will build a formidable defensive posture to significantly reduce the impact of threats. Cisco recently published a white paper on this topic, titled “Cyber Resilience: Safeguarding the Digital Organization.” In the paper, we outline a multidisciplinary capabilities framework that should serve as the foundation of your cyber resilience program. I highly recommend it to any enterprise.
What should be the process of evaluating cloud apps before they are deployed into an enterprise network?
Information security and access security are the two biggest challenges around cloud services because it is often difficult to know and prevent individual users from enabling them. For this reason, it can be difficult to know how many cloud services your employees are actually using. At Cisco, IT had assumed that there were about a hundred cloud services in use. In fact, an audit revealed several times more than that were actually used by Cisco employees.
To combat this issue, it’s important that one governing body owns and maintains a global policy that outlines the requirements for using any third-party cloud-based service provider. At Cisco, we established a global governance process of cloud service providers, a cross-functional organization made up of IT risk management, global procurement services and infosec. IT teams partner with business stakeholders to find approved cloud service capabilities whenever they are required. Infosec helps protect information and brand by setting data security standards, conducting security risk assessments and establishing remediation plans when necessary. IT ensures architectural alignment exists while global procurement services helps mitigate contractual risk and protects Cisco’s legal interests around terms and conditions and potential future intellectual property rights.
In the Cisco ASR 2017, it states: “In fact, we have identified adware infections in 75 percent of the companies we recently investigated as part of our research into the adware problem.” What are your thoughts on that?
The fact that there is such a high prevalence of infections from adware speaks to potentially larger, more systemic issues. Adware can be introduced by users clicking on links they shouldn’t, installing software from potentially questionable sources or installing browser plugins that contain the adware. All of these behaviors represent points of risk because the line between adware and malware is simply the intent of the software. It’s important we look to minimize the likelihood and risks of these through both technology and training.
What are your thoughts on the level of spam cited in the Cisco report?
Spam is often originated and spread by large, thriving botnets of compromised devices and 8 percent of that spam contains a malicious payload. To that end, we saw an increase in the use of email as an attack vector, most likely playing the numbers game, leveraging social engineering and loading emails with malicious attachments. The use of snowshoe and hailstorm tactics, from a timing and volume perspective, just serves to increase the yield for their efforts. It is advised that security practitioners pay closer attention to the email vector than in years past and take steps to mitigate against email attacks.
In Cisco’s report, more than two-thirds of security professionals perceive their security tools as very effective or extremely effective. In 2016, 35 percent of security professionals said that budget was their biggest obstacle to adopting advanced security processes and technology. What would you say to those security professionals?
Understanding that there will always be budget and talent constraints, businesses must focus on relentless improvement measured via efficacy, cost and well-managed risk. Security must be an organizational priority – with commitments to training, evaluating the effectiveness of cybersecurity investments, and institutionalizing best practices and safeguards to minimize risk against current and emerging threats.
Cybersecurity must be part of everyone’s job. While previously considered to be “something the information security team does,” companies need to focus on making it part of everyone’s job. For example, at Cisco we’ve used several successful education initiatives that have woven cybersecurity into the fabric of our company. Practices such as our Security Ninja Program are helping our employees understand the role they play in the overall security of our products and our customers’ data.