BOSTON -- Coordination. Cooperation. Collaboration.
Prominent figures in the cybersecurity industry gathered and spoke around the theme of fostering information sharing between the public and private sectors.
"To fight a network of bad guys, you need to use a network of good guys," said Michael Chertoff, former secretary of the U.S. Department of Homeland Security and executive chairman and co-founder of the Chertoff Group, during his keynote presentation. However, he said meaningful cybersecurity information sharing is often easier said than done, and the bad guys are inevitably going to make their mark.
"You are not going to eliminate the risk of attacks, you are going to manage the risk," said Chertoff, focusing greatly on the importance of both risk and consequence management. Chertoff noted the importance of knowing what threats present the most risk to an organization, performing consequence management and implementing the technical component, namely combining continuous monitoring and real-time alerts with self-healing systems and the ability to implement algorithms and mitigation measures in real time.
Preparing for risks, however, was not the entire answer. Chertoff said organizations working on their own -- and especially those that take a prevention-only approach -- are destined for failure. He also highlighted the ineffectiveness of an "M&M" approach -- where organizations are hardened on the outside but greatly vulnerable on the inside -- saying that malicious insiders and the compromise of privileged user credentials were top threats to mitigate. He cited BYOD and the Internet of Things among the top rising threats organizations face.
Yet, Chertoff noted, even the best fall down sometimes -- citing the JP Morgan breach, the breach at the White House, retail breaches and the Russian intrusions on the electrical grid and other elements of U.S. power systems.
The key to preventing these high-profile incidents, Chertoff said, is for organizations with shared risks to work together, improving security and risk management through teamwork. Though both government agencies and private enterprises have traditionally been reticent to share cybersecurity information, Chertoff said the practices of using and sharing knowledge of past, current and future risks would only grow in importance in years to come.
Being ready for the next big threat
During a session discussing the importance of planning for the next high-profile enterprise security incident, panelists stressed the importance of being ahead of the curve and learning from the past.
Panelist Andy Ellis, chief security officer of Akamai Technologies Inc., based in Cambridge, Mass., said that while rapid response and patching are critical security measures, it was the proactive "preparing for the unknown" that was needed in today's day and age.
For example, Ellis said learning from the Heartbleed OpenSSL flaw that occurred this year was crucial, and if enterprises don't have a plan for "TLS everywhere" within the next four years, they are destined to be victimized by adversaries.
Katie Moussouris, chief policy officer at San Francisco-based HackerOne and a former longtime security strategist at Microsoft, advocated for the importance of hiring gray-hat hackers as part of an enterprise security team.
These "canaries in the tunnels" are an "untapped herd of resources out there in the wild," according to Moussouris. Yet she noted that under the U.S. Computer Fraud and Abuse Act, technically these do-good hackers are acting illegally, which is why she said there should be some middle ground to allow organizations to incentivize friendly hackers to not stay silent but rather join the defense team. She recalled her seven years at Microsoft, citing the company's addition of hackers from Poland -- specifically the hacker group LSD, or the Last Stage of Delirium -- and their role in the discovery of Blaster.
Moussouris and panelist Udi Mokady, founder, president and CEO of Israel-based CyberArk, also touted the importance of product integration and multivendor coordination experiments. Mokady said a modern security approach would help, recommending that vendors should tell customers not to throw away their investments but rather show them how new technologies can integrate with existing ones to improve security.
Calling on her seven years at Microsoft, Moussouris said that coordination and collaboration offered positive effects, as exemplified by the recent POODLE vulnerability disclosure.
Chris Perretta, executive vice president and chief information officer at State Street Corp., based in Boston, touched on one of the many security gaps in an enterprise: the supply chain.
"A supply chain that is insecure is a burden to everyone," he said. Having trust in that chain and ecosystem, he noted, is critical to security success. He also said knowing what your "crown jewels" are and the activities you will have to do to protect them is vital to avoiding a high-profile security incident.
Panelists emphasized the importance of learning from the past to prepare for the future. As Ellis noted, Akamai was much more prepared to handle the Shellshock vulnerability after having recently dealt with Heartbleed's cleanup. There will always be another vulnerability, he said, but being prepared for it can mean the difference between a vulnerability being a minor inconvenience or a high-profile disaster.
"What did we do because we weren't prepared (last time)?" Ellis asked attendees. "Be ready next time."