The threat of cybersecurity breaches is a top concern among CISOs and technology professionals across industries. As hackers become more advanced, IT execs struggle to identify the best methods for monitoring, identifying, and defending against security risks.
Information security and risk management are a core focus at Interop Las Vegas, taking place this week at the Mandalay Bay convention center. Industry experts are sharing their experiences, challenges, and best practices in developing a strong cybersecurity strategy.
In terms of identifying risk, plenty of content has centered on the idea of using existing tools to monitor security risk as opposed to investing in the many new systems on the market.
During an InfoSec session on Wednesday, Michele Chubirka, senior security architect at Postmodern Security, drew attention to the common notion that information security careers might seem like they are more focused on managing tools than defeating hackers. Modern commercial security tools are good, she noted, but nobody has the budget for them, and many security execs have to fight with other IT segments to obtain all the funding they need.
What plenty of executives don't realize, said Chubirka, is that existing monitoring systems and network devices also have security capabilities. "You probably already have more than you need" in terms of adequate technology, according to Chubirka. It's not about having the best tools, but rather it's about having the ones that get the job done. Expensive tools aren't necessarily a quick fix.
"A good security person is looking for anomalies," Chubirka said. "That's where monitoring tools are really effective."
The right tools will be able to identify abnormalities and detect malicious activity; some already have canned compliance and security reports. She cited examples of systems, including MRTG, Solarwinds Orion, Nagios, Netdisco, and Wireless Management Systems (WMS). "These aren't dedicated security tools," she said. "We're just using them in that way."
Chubirka also noted that a web browser can be a security tool. Firefox and Chrome have free add-ons for applications that help with security inspections and testing. HttpFox and Live HTTP Headers, for example, act as analyzers; Groundspeed helps with penetrating applications.
Risk can also be found in third-party providers, explained IP Architects president John Pironti at another InfoSec session on Wednesday. Working with third-party vendors, service providers, and partners is a normal and growing part of business, and they are an increasing concern among information risk and security professionals.
Security is primarily about people, processes, and procedure, said Pironti. About one-quarter of the security equation is about technology. However, executives spend plenty of time protecting technology while neglecting business process and data. As a result, the barriers to entry have dropped for adversaries who have money and capabilities available to them.
Pironti advised security professionals to pay attention to the often-ignored area of supply-chain security, as the least-perceived risks can be the weakest links. "I don't think Target thought their HVAC vendor was their highest-risk network," he said, emphasizing this point.
Hackers are much more complex than they used to be, and it's important for security professionals to adopt reliable methods for tracking and evaluating progress in countering them. In another InfoSec session on Wednesday, Mike Zachman, deputy CISO at Caterpillar, said he does this at his organization with a capability maturity model.
Caterpillar's model compares the various components of the company's information security with those of competitors across the industry. Execs can assess the maturity of Caterpillar's program and capabilities to determine a desired future state and identify where improvements can be made. Results are reflected in a single graph, eliminating pages of data and improving readability for professionals across the organization.