Integrated security: just joining the dots?

Integrated Security: just joining the dots?

Blog v0,2
revised at finextra request

The heaviest and most persistent cyber attacks are aimed at the financial services industry. 

After all, it looks after that most attractive commodity, our money.

I discovered recently that IBM detects an average of more than 111 million security events annually amongst its financial services clients, which it notes is a lot higher than for other industries.

That equates to 2.14m events a week, where an ‘event’ is an observable occurrence in a system or network.

Unsurprisingly, the industry is also one of the largest consumers of security systems and services with all manner of security solutions and devices deployed across its technology estate.

So why, given that investment, are estimated cyber-related losses by financial services institutions so high?  Detica, for example, estimates annual cyber-related losses of around £2.5Bn in terms of cash, IP theft and reputational fallout.

I sense that there is a gathering tsunami of industry debate on this point and wonder how much of this debate will focus on the basics (a.k.a. looking at the rear view mirror) and how much on prevention through data-based prediction (a.k.a. looking through the windscreen with X-ray specs)?

The CESG (the information arm of GCHQ) published ‘10 Steps to Cyber Security’ a couple of years ago which claims that ‘basic information risk management can stop up to 80% of the cyber attacks seen today, allowing companies to concentrate on managing the impact of the other 20%’.  Its recommendations fall into four broad categories: users, processes, governance and technology.

Now, IBM, which protects the data of a good number of the world’s enterprises, also advocates the holistic approach.  However, it mixes
in and applies a ton of research and experiential insight by, for example, pulling
together and making sense of multiple sources of data and performing predictive
analytics on structured and unstructured data.

Integrated security sounds tidy, but is it simply a question of joining the
dots?

You decide.

Here’s a tabulation of CESG’s 10 Steps to Cyber Security compared with IBM’s Cyber Security Recommendations which have grown out of its own
security practices. 

Home and mobile working / Controls on removable media 

Develop a mobile working policy; train staff in it. Apply the secure baseline
to all devices. Protect data in transit and at rest.  Produce a policy
to control all access to removable media. Limit media types and use.
Scan all media for malware before importing onto the corporate system.

Defend the workplace

Each work station, laptop or smart phone provides a potential opening for malicious attacks. The settings on each device must all be subject to
centralised management and enforcement. And the streams of data within an enterprise have to be classified and routed solely to authorised
users.

User education and awareness

Produce user security policies covering acceptable and secure use of the
organisation’s systems. Establish a staff training programme. Maintain
user awareness of the cyber risks.

Build a risk-aware culture

In using technology, everyone within a company has the potential to infect the enterprise, whether it’s from clicking a dubious attachment or
failing to install a security patch on a smart phone.  Building a
risk-aware culture involves setting out the risks and goals, and
spreading the word about them.  Communicate and educate to raise
awareness of potential cyber risks.

Incident management

Establish an incident and response and DR capability. Produce and test incident
management plans. Provide specialist training to the incident management
team. Report criminal incidents to law enforcement

Manage security incidents with greater intelligence

A company-wide effort to implement intelligent analytics and automated
response capabilities is essential. Creating an automated and unified
system will enable an enterprise to monitor its operations and respond
quickly. Build a skilled incident management and response team with
sufficient resources to conduct the forensics required. Develop a
unified incident handling policy and process.Leverage consistent tools
and security intelligence for incident management and investigative
forensics.

Information risk management regime

Establish an effective governance structure and determine your risk appetite.  Maintain the Board’s engagement with the cyber risk. Produce supporting
policiesManagement.


Zero tolerance risk management system

Management needs to push zero tolerance of careless behaviour relentlessly from the very top down, while also implementing tools to track progress.  This embraces  governance and organisational design, risk management assessment, security metrics assessment and definition to shape policy development
and conduct.

Manage user privileges

Establish account management processes and limit the number of privileged
accounts. Limit user privileges and monitor user activity. Control access to
Activity and Audit Logs.

Track who's who

Companies that mismanage the identity lifecycle are operating in the dark and could be vulnerable to intrusions. You can address this risk by
implementing meticulous systems to identify people, manage their
permissions, and revoke those permissions as soon as they depart. This
involves developing an optimised identity and access management
strategy; implementing standard, policy-based control mechanisms and
more intelligent monitoring; centralising and automating separation of
duties management and adopting a desktop and web single-sign-on
solution.

Monitoring / Malware protection 

Establish a monitoring strategy and produce supporting poliicies. Continuously
monitor all ICT systems and networks.  Analyse logs for unusual activity
that could indicate an attack.  Produce relevant policy and establish
anti-malware defences that are applicable and relevant to all business
areas. Scan for malware across the organisation.

Control Network access

Security intelligence and analytics tools can actively monitor and correlate data activity across multiple security technologies, offering you the visibility and insight into what’s going on in your environment—to help you spot and investigate the kind of suspicious activity that could indicate an attack is underway. They help reduce complexity by communicating with one common language across multi-vendor environments,while taking the strain off your IT department and potentially delivering both time and cost savings.Companies that
channel registered data through monitored access points will have a far easier time spotting and isolating malware.

Security by design

One of the biggest vulnerabilities in information systems comes from
implementing services first, and then adding security on afterwards. The
only solution is to build in security from the beginning, and to carry
out regular tests to track compliance.

Secure configuration 

Apply security patches and ensure that the secure configuration of all ICT systems is maintained. Create a systems inventory and define a baseline build for all ICT devices.

Keep it clean

Managing updates on a hodgepodge of software can be next to impossible. In a secure system, administrators can keep track of every program that’s running, be confident that it’s current, and have a system in place to install updates and patches as they’re released.  With a hygienic, security-rich system, administrators can keep track of every program that is running, be confident that it is current and can have a comprehensive system in place to install updates and patches as they are released.  This involves registering all IT infrastructure components in a centralised inventory and aggressively retiring legacy components; integrating compliance data for end-to-end visibility; automating patch management, encouraging a culture of diligence to ensure the infrastructure will protect against current threats and identying
opportunities to outsource routine monitoring.

Protect the company jewels

Each enterprise should carry out an inventory of its critical assets—whether it’s scientific or technical data, confidential documents or clients’ private information—and ensure it gets special treatment. Each priority item should be guarded, tracked, and encrypted as if the company’s survival hinged on it.

Patrol the neighbourhood

An enterprise’s culture of security must extend beyond company walls, and establish best practices among its contractors and suppliers. This is a similar process to the drive for quality control a generation ago.

Security in the cloud

If an enterprise is migrating certain IT services to a cloud environment,
it will be in close quarters with lots of others — possibly including
scam artists. So it’s important to have the tools and procedures to
isolate yourself from the others, and to monitor possible threats.

I’m struck by some of the claims and proposals here: 

- Culture as a countervailing source of protection.

- Automated incident response leveraging security intelligence.

- Outsourcing monitoring as a managed service.

- Security metrics assessment and definition.

- Centralising and automating separation of duties.

- Building in security to information systems by design not as an afterthought.

- Integrating compliance data for end to end visibility.

- Influencing the security of the business ecosystem.

- Securing cloud-based services.

What does this all add up to, in practice, to a harried Chief Information Security Officer?

My thoughts:

First, doing more of what you have done before is no longer sufficient nor necessarily better.

Second, sharper, joined-up thinking is going to achieve better outcomes.

Third, integrated security is more subtle and complex than any of us might care to admit and unites the interests of everyone, that is everyone, around the Board Room table; CFO, COO, CRO, CHRO and LoB Directors.

There has to be a readiness to look dispassionately at the whole security performance of the enterprise to discern what needs to be created from scratch, what undone and reconceieved from the ground up, what automated and / or outsourced, integrated and rationalised, enhanced or simply maintained.

Then acting on it.