“We need a complete mindset change”
Failure to keep your business assets secure can be extremely costly and embarrassing, not to mention a complete PR disaster.
Ahead of the world’s largest gathering of security professionals, the RSA Conference in San Francisco, Hewlett Packard Enterprise have debuted HPE SecureData for Hadoop and IoT, designed to easily secure sensitive information that is generated and transmitted across IoT environments. The launch is the industry’s first-to-market Apache™ NiFi™ integration with NIST standardised and FIPS compliant format-preserving encryption technology to protect IoT data at rest, in transit and in use.
We recently spoke to HPE’s Chief Cyber & Security Strategist Tim Grieveson to ask him about the new threat from IoT devices and how organisations can bake cyber-resilience into their people, processes and technology.
What’s the security risk from IoT?
As a security professional, I like to think of the internet of things as the internet of theft. As everything becomes connected it’s really good for the consumer, it allows them to gain access to everything everywhere and anywhere. It’s also great for the bad guys though, as it gives them access to those devices and a much better level of attack surface. As we know, Gartner and IDC predict more than 26 billion connected devices by 2020. The challenge most connected devices face is that security is always an afterthought, it’s never baked in and designed into the actual technology. We’re very good at getting things to market faster, quicker and cheaper. But often we forget about building the security in. We need to have a complete mindset change and build security into the design phase of the device.
Customers assume that things are secure. So for example, I use a lot of apps on my cell phone. One of those apps allows me to travel with a well-known airline. I use that to book my travel, manage my tickets and I make the assumption that it’s secure. But is it? Because actually, you’re accessing various different cloud services.
Another example: I once sat on a train where a lady was booking her holiday on her mobile during the journey. There were about 40-50 people on the train. She very kindly told us all when she was going away, she very kindly told us all her credit card details, she very kindly gave us all of her personal information. Being a security person I wrote it all down on a post-it and handed it across the desk to her, at which point the colour drained from her face. She was horrified. So in addition to baking security into devices, I think we also need to get the awareness right.
What issues does IoT throw up for business users accessing corporate networks?
The consumerization of IT or bring-your-own-disaster as I like to call it, absolutely gives access to lots of information that might be very confidential in the business, but the perimeter has dissolved. Historically you could build a big wall around your data and protect it. Now you can access it on your mobile phone or laptop – and not necessarily company provided equipment. So now you have to think more about the data, less about the end-point device. As we in HPE like to say, it’s really about protecting the interactions between the user data and the app.
We’re seeing the bad guys really adopt and build their business on the dark web. Their services have become a commodity.
I think the bad guys are changing their mode of production. They used to be about disruption and creating havoc within a business. They’ve really become professional now, we need to see them as a competitor in the market. They’re maximising profit, minimising risk. They’re building an operations team, they’re building technical development teams making sure the code they develop is top notch and vulnerabilities in their technologies are not exposing them. Security people are great at talking in security babble but the board don’t often understand that. We need to talk about business outcomes. Understanding your adversary makes it easier to defend yourself.
So how do businesses defend themselves as they connect more and more assets?
Businesses should make the assumption that they are about to be, or have already been, hacked. Investing in technologies that allow you to find adversaries faster is key. We know that on average it’s about 143 days that a bad guy is inside the organisation. That’s much better than last year, which was 243 days, but that’s still a long time for them to be digging around before you even know about it. So invest in security intelligence technologies; that could be internal, but also bring external threat analytics in.
If you work to the assumption you’re about to be breached, protect your most critical assets, so encrypt them. Consider putting format-preserving encryption in so you can encrypt the data but still use it in analytical terms. It’s not just about technology, it’s about people, process and technology combined, so invest in all three of those areas.
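To make the format-preserving point concrete, here is an added example that is neither HPE SecureData code nor the NIST FF1 algorithm itself: a Feistel network over decimal digits in the style of NIST SP 800-38G FF1, with HMAC-SHA256 standing in for the AES-based round function so that it runs on the Python standard library alone. The key, tweak and card number are constructed for the demo; a vetted FF1/FF3-1 library belongs in production.

```python
"""Format-preserving encryption of numeric fields (added example).

Not HPE SecureData code and not NIST FF1: an FF1-style Feistel network over
decimal digits whose round function is HMAC-SHA256 instead of AES, so it runs
with the standard library only. Key, tweak and PAN are constructed for the demo.
Use a vetted FF1/FF3-1 implementation in production.
"""
import hashlib
import hmac

ROUNDS = 10  # even, so the two halves come back out in their original order


def _round_fn(key: bytes, tweak: bytes, round_no: int, half: str) -> int:
    """Pseudorandom function for one round; the tweak binds the ciphertext to context."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _split(digits: str):
    """Validate and split into the two (possibly unequal) Feistel halves."""
    if not (digits.isascii() and digits.isdigit() and len(digits) >= 2):
        raise ValueError("need an ASCII decimal string of at least two digits")
    u = len(digits) // 2
    return u, len(digits) - u, digits[:u], digits[u:]


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a digit string to a digit string of the same length."""
    u, v, a, b = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # width of the half being rewritten this round
        c = (int(a) + _round_fn(key, tweak, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards, subtracting instead of adding."""
    u, v, a, b = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_fn(key, tweak, i, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """Encrypt only the middle of a card number: the BIN (first six digits) and the
    last four stay in the clear, so BIN reporting and last-four lookups still work."""
    if not (pan.isascii() and pan.isdigit() and len(pan) >= 12):
        raise ValueError("PAN must be 12 or more digits")
    return pan[:6] + fpe_encrypt(key, b"pan-middle", pan[6:-4]) + pan[-4:]


def unprotect_pan(key: bytes, protected: str) -> str:
    """Reverse protect_pan."""
    return protected[:6] + fpe_decrypt(key, b"pan-middle", protected[6:-4]) + protected[-4:]


# Constructed demo key; a real deployment derives keys from an HSM or key manager.
DEMO_KEY = hashlib.sha256(b"constructed demo key, not for production").digest()

if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number
    ct = fpe_encrypt(DEMO_KEY, b"customer-table", pan)
    print(pan, "->", ct, "->", fpe_decrypt(DEMO_KEY, b"customer-table", ct))
    print("partial:", protect_pan(DEMO_KEY, pan))
```

Because the scheme is deterministic for a given key and tweak, the encrypted column still supports equality joins, group-bys and length or type checks, which is what makes "use in analytical terms" possible. The same property is the main caveat: equal plaintexts are visible as equal ciphertexts, and a field with a small domain (a two-digit code, say) can be enumerated by an attacker who can submit chosen values, so choose tweaks that bind the value to its context and keep the FPE key separate from other keys.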
So working to the assumption every business is about to be hacked, what can they do to plan?
I typically talk to CISOs, CIOs and security professionals and often ask ‘do you have a DR plan?’ They say yes and bring out their disaster recovery strategy, which is usually about getting the business up and running as fast as possible. When you start to talk about cyber resilience they often bring out the same plan – they’re very different things. Cyber resilience is how to survive during the incident – who do you communicate to, what do you say internally and externally, how do you manage that particular breach. Think of them as the fire brigade: you wouldn’t expect them to turn up at the scene then run around screaming ‘there’s a fire’. They practice, they understand what they’re doing, everybody knows their role in that situation before the breach occurs.
Organisations can be pretty poor about communication. It’s better for the CEO to be able to say “we’ve had a breach, we know what’s been stolen, it’s encrypted and we have a cyber resilience plan”. Working with partners and testing your plan really makes it much stronger.
What about the insider threat?
My view is businesses need to go a stage further and bring in predictive analytics. Are you looking at what your internal users are doing? It may or may not be malicious, but with user behavioural analytics you can profile different types of user and then monitor what the norm looks like. That way if something is out of the normal, it will alert you to it quicker. Remember it’s all about reducing the time to find the bad guy.
Another area that’s really interesting is DNS Inspection. It looks at how you can focus on the things that are important, so for example malware. The challenge with it is that it’s ever-evolving. What DNS does is instead of using a rules-based approach, it uses algorithms so it looks for characteristics. We built it internally in Hewlett Packard Enterprise for our own cyber defence centre. We found that if you get a million notifications you can’t possibly look at them all, whereas DNS Inspection allows you to focus on the unknown unknowns and therefore you’re looking at a much smaller set of data.
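The two ideas in this answer, a per-user norm and characteristic-based rather than rule-based inspection of DNS names, combine naturally. The following is an added example and not HPE's DNS Inspection or any product code: it builds a baseline of each user's daily DNS characteristics (query count, how random-looking the host labels are) and flags a day that deviates more than three standard deviations from that user's own history, with no blocklist involved. The log format and all log lines are constructed for the example.

```python
"""Per-user behavioural baseline over DNS query logs (added example).

Not HPE's DNS Inspection or any product code. For each user, the daily
characteristics of the names they resolve (number of queries, mean Shannon
entropy of the host label) are baselined, and a new day is scored against
that user's own mean and standard deviation. Log lines are constructed.
"""
import math
import statistics
from collections import defaultdict


def label_entropy(qname: str) -> float:
    """Shannon entropy (bits per character) of the left-most DNS label.
    Dictionary-word labels score roughly 1.5-3.3 bits; random-looking labels score higher."""
    label = qname.split(".")[0]
    if not label:
        return 0.0
    n = len(label)
    return -sum((label.count(ch) / n) * math.log2(label.count(ch) / n) for ch in set(label))


def day_features(names):
    """Characteristics of one user-day, in a fixed order."""
    return {
        "queries": float(len(names)),
        "mean_entropy": statistics.mean([label_entropy(n) for n in names]),
    }


def parse(lines):
    """Constructed format 'YYYY-MM-DD user qname' -> {(user, date): [qname, ...]}."""
    days = defaultdict(list)
    for line in lines:
        date, user, qname = line.split()
        days[(user, date)].append(qname.lower().rstrip("."))
    return days


def build_baseline(history):
    """Per user and per feature: (mean, population std dev) over the historic days."""
    per_user = defaultdict(list)
    for (user, _date), names in history.items():
        per_user[user].append(day_features(names))
    model = {}
    for user, days in per_user.items():
        model[user] = {}
        for feat in days[0]:
            values = [d[feat] for d in days]
            model[user][feat] = (statistics.mean(values), statistics.pstdev(values))
    return model


def score_day(model, user, names, threshold=3.0):
    """Features of this user-day that sit more than `threshold` sigma from the user's norm.
    An empty list means the day looks normal for that user."""
    if user not in model:
        return [("no_baseline", math.inf)]
    alerts = []
    for feat, value in day_features(names).items():
        mean, sd = model[user][feat]
        if sd == 0.0:
            z = 0.0 if value == mean else math.inf
        else:
            z = abs(value - mean) / sd
        if z > threshold:
            alerts.append((feat, round(z, 1)))
    return alerts


def detect(history_lines, new_lines, threshold=3.0):
    """Baseline on history, then score every user-day present in new_lines."""
    model = build_baseline(parse(history_lines))
    return {user: score_day(model, user, names, threshold)
            for (user, _date), names in parse(new_lines).items()}


# --- Constructed sample data -------------------------------------------------
NORMAL = ["mail.example.com", "intranet.example.com", "sharepoint.example.com",
          "cdn.example.net", "news.example.org", "calendar.example.com", "wiki.example.com"]
# Six constructed random-looking labels (16 distinct characters each, entropy 4.0 bits).
ODD_LABELS = ["x7k2p9qm4v1zr8wn", "q3hz8tb5ly0vc9nk", "m6rw1fj9sx4dp0ag",
              "b2ty7nq5vk8zc3lm", "g9wd4xr2hp6sf1ka", "z5lj0cn3qy8mt7bv"]
# Seven days of history for two users, each resolving 5-7 ordinary names a day.
HISTORY = [f"2017-02-0{d} {user} {name}"
           for d in range(1, 8) for user in ("alice", "bob") for name in NORMAL[:5 + d % 3]]
# Today: bob behaves as before; alice makes a normal number of queries, but most
# of them are to random-looking hosts, which only the entropy characteristic catches.
TODAY = ([f"2017-02-08 bob {n}" for n in NORMAL[:6]]
         + ["2017-02-08 alice mail.example.com", "2017-02-08 alice intranet.example.com"]
         + [f"2017-02-08 alice {lbl}.example.net" for lbl in ODD_LABELS])

if __name__ == "__main__":
    for user, alerts in detect(HISTORY, TODAY).items():
        print(user, "normal" if not alerts else alerts)
```

In the sample, alice's query count is within her norm and a volume rule would stay silent; the mean-entropy characteristic is what raises the alert, which is the difference between a rules-based check and looking at characteristics. Real deployments use more features (new domains per day, query types, time-of-day profile), a longer baseline window, and a robust statistic such as the median absolute deviation so that one noisy day does not inflate the standard deviation and hide the next anomaly.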
GDPR obligations are creeping closer, what are your thoughts as a security professional?
Some vendors are using it to create fear and tout their wares. I believe we should see it as a great opportunity to review our complete security posture and use it as a way to differentiate our business. So good records management, a good understanding of the assets you’ve got to protect, how can you enable your business to grow in a safe and secure manner? I think it’s better to bake it in than deal with the aftermath.
So in a nutshell what’s your advice to CISOs?
Firstly, technology isn’t the only solution. Often CISOs say to me they can’t get the right skills, it’s too expensive etc. Partnering with us to augment our staff and our expertise allows them to draw on the right resources when they need them – at the critical time. The second thing is encrypt the crown jewels, work out what they are, then protect them. The third thing I suggest is that they seek context – actionable business intelligence. There’s no point having logs built in that can’t be attributed to a business need, so security by design. The fourth thing is practice cyber resilience, before the breach.
Don’t miss these HPE Presentations at RSA this week
- Tuesday, 2/14 1:00pm – 10 Board Principles for Cyber Resilience
- Tuesday, 2/14 4:00pm – 2017 Disruptive Cyber Security Predictions
- Wednesday, 2/15 4:30pm – Security as an enabler of Digital Transformation
- Wednesday, 2/16 1:00pm – HPE Cyber Reference Architecture