Published: 02 Nov 2015
You’ve heard it from all the analysts: Stop focusing on technology and consider staffing, process, and the effectiveness of your current security portfolio.
That’s solid advice. But many CISOs can’t keep up with the endless technology updates to their own security portfolios -- as much as 50% of existing functionality actually goes unused -- let alone the constant barrage of new controls. Tempting as it is to find the panacea in innovative cybersecurity tools, most security officers approach the promised land with caution. As a result, some organizations continue to update existing security controls or primarily consider technology from vendors with large security portfolios.
How can CISOs get the information and benchmarks they need to evaluate the enterprise effectiveness of promising technology and find the best security tools beyond point solutions?
“There is too much for any one leader to take in; therefore, the first step is in focusing on key areas,” says J. Wolfgang Goerlich, a cybersecurity strategist at Creative Breakthrough Inc. (CBI) in Ferndale, Mich. A former information systems and security manager at Munder Capital Management, Goerlich recommends networking with CISOs in other organizations to gain insight into the best security tools and industry-specific trends. “Building a strong peer network within the organizations gives visibility into the line-of-business technologies,” he explains.
Enterprises should leverage the resources and interactions available through clearinghouses like the Information Sharing and Analysis Centers (ISACs) for financial services, healthcare and other industries to focus on emerging threats. “Taking into account these areas, a CISO can then pare down the list to essential technologies and get deep in the areas that directly affect their organization,” Goerlich says.
If you don’t do some level of analysis with regard to new products and technologies, you will miss out on promising cybersecurity tools -- that may help improve the way your company is solving business issues. “We cannot afford to be stagnant [or stop] learning as we face a fluid, always-changing adversary,” says David Barton, CISO for Websense Inc., an Austin provider of widely used security software, such as Web gateways, which was acquired by defense contractor Raytheon in May.
Will it work enterprise-wide?
Too often CISOs are aware of a lot of promising developments in security technology but they have a hard time getting the full picture -- especially when it comes to determining how a new security system or point solution might work with their existing technology.
“Point solution evaluation can’t really be done in a vacuum or in a lab or in some structured manner,” says Paul Calatayud, CISO at Surescripts, an Arlington, Va., provider of automated clinical messaging and information sharing services for the healthcare sector.
Open source tools: Promise or peril?
Given some of the difficulties that come with “standard” approaches to security, some CISOs are considering adopting and then adapting open source cybersecurity tools, thereby offering a more unique challenge to hackers.
However, customizing open source cybersecurity tools can be a double-edge sword, warns Pritesh Parekh, chief security officer at Zuora Inc. You get customization that is not available from the security vendors -- and that may offer some level of obfuscation for the hackers, he admits. But the maintenance and support associated with that customization can be overwhelming for security organizations that are already underfunded and understaffed.
Similarly, Paul Calatayud, CISO at Surescripts, sees a number of challenges involved with developing and customizing open source cybersecurity tools, especially at scale. Instead, he says partnering with commercial off-the-shelf technology providers is the way to go for the best security tools, primarily because of the work involved in training and maintaining the resources necessary to sustain custom technology. “In the hiring process, it would become very challenging and costly to train each new employee on the system that is custom built,” he says. In an industry where talent is the biggest gap, you need to be able to quickly on-board and then retain IT security staff.
You have to think about the threat first and foremost, according to Calatayud. “Custom systems can become a barrier to success; vendor partnerships are strategic because they are focusing every day that the systems are securely built.” -- A.E.
If you’re thinking about how to defend against certain threats, you can recreate them in a controlled environment and then evaluate or benchmark the effectiveness of your controls and procedures. “What I’ve done in the past is build a cyber-range,” Calatayud says, “which gives you the ability to test your entire set of defenses against adversarial tactics.”
When you are attacking your test environment during those cyber-range events, you are able to see how the proposed cybersecurity tools behave at an individual level, and any contributing factors, to determine whether or not they are effective. There is also added value in using this method to find the best security tools and set product-selection evaluation criteria “because you can introduce additional controls,” he explains.
While there are independent research firms that evaluate the market against the product solution set, that’s not enough finds Calatayud. “In traditional IT, there are some precedents around benchmarking services,” he says. “But I think in IT security there is an industry gap between the measure of success in IT strategies and the ability to enable productivity, performance and measurable outcomes.”
The best security tools are more difficult to quantify because performance is conditional based on what kinds of threats you can create and what environment is influencing the control. “It is about understanding the adversary and the fact that it is not usually a simple packet, it is a series of events occurring -- commonly known as a kill chain,” he says. The kill chain is dynamic and pivots by nature. Therefore, it becomes truly challenging to benchmark cybersecurity tools because the scenarios being created are specific to the organization. Calatayud says he encourages people to create labs, evaluate technology internally and make sure there is “synergy with industry trends.”
Where are they putting their money?
Threat pictures -- and corporate budgets -- are always evolving. And that leads to some vigorous head scratching about where to make the best security tools investment.
Many companies are investing in cybersecurity tools that are proactive rather than reactive, according to Bill Sweeney, financial services evangelist at BAE Systems Applied Intelligence. The recognition that your organization will be attacked and that some attacks will be successful has resulted in cybersecurity tools that monitor behavior on devices and networks rather than solely relying on signatures. “These big data solutions fall into different categories -- the pure tools-based approaches, where the vendor is largely selling software, and the experienced practitioner approach, where the analytics are based on real-world tested results,” he says. The latter bring more “intellectual property about threats and experience on how to respond,” according to Sweeney, while the former run the risk of being displaced as the underlying technology and analytics become more commoditized. Instead of merely blocking attacks, companies are showing increased interest in threat intelligence and cybersecurity tools for exchanging and sharing threat information.
Cloud, application security and endpoint malware protection are other hot investment areas. “Since most companies have adopted cloud-based solutions, application security has become one of the top priorities,” says Pritesh Parekh, chief security officer at Zuora Inc. That’s because so many recent hacks in the industry started with weak endpoint security -- so malware protection is a “huge” investment in an effort to have stronger endpoint protection. -- A.E.
CISOs who work with security companies rather than tool vendors have a head start on the problem of “keeping up,” according to Bill Sweeney, a financial services evangelist at BAE Systems Applied Intelligence in New York. Sweeney, who previously served as chief information officer of compliance and legal technology for Citigroup, says most security companies are tool agnostic and many use the leading edge cybersecurity tools in areas such as endpoint protection, firewall, or SIEM. “It’s knowing how to integrate and operate those solutions effectively that matters, rather than a pure bake-off of any of the top five tool vendors,” he says.
In addition to the technology reports Gartner Inc., Forrester Research and other analyst firms sell, larger security vendors often publish best practices on enterprise-level systems and their effectiveness. This type of information is not sufficient by itself, but it’s a good start, notes Pritesh Parekh, chief security officer at Zuora Inc., a Foster City, Calif., company that provides subscription-management software as a service, such as billing and commerce, to companies with a subscription-based business model. “The best approach is to talk to peer CISOs in your industry and get direct feedback on such solutions,” he says.
Relationships within your own company are also paramount. “It’s important to have close partnership with other stakeholders in the organization throughout your solution selection and deployment process,” he adds.
Security posture at a glance
And, in order to make the correct choice on products it’s imperative that you and your security teams understand your own technology stack and overall architecture. The technology you currently have can also be the key to discerning real needs and developing a framework for considering the best security tools. Security dashboards or the reports created from individual cybersecurity tools -- or a consolidated custom dashboard -- represent the best source for identifying security control gaps and potential needs. In many cases, a complementary technology can help justify the investment. For example, deploying a Web application firewall in blocking mode and testing out its effectiveness with a security scanning tool can quantify the value of an investment in WAF.
And what happens if, after all that, you make an investment that turns out to be a bad choice? “It’s like any other technology solution -- it’s important to understand the business impact, root cause analysis and lessons learned, and then use that for future decisions,” says Parekh.
It is also important to look at how you are developing your security strategy and whether or not you are developing it based on customer feedback, regulation, laws or risk. “There is often a big missed opportunity that can be attributed to a reactive strategy versus a proactive strategy,” Calatayud says.
About the author:
Alan R. Earls is a freelance journalist based near Boston. He focuses on business and technology, particularly storage, security and the Internet of Things.
Six key factors to consider for evaluating network security virtualization tools
Can open source security be maintained?
Seven questions to ask beforebuying SIEM