Managing the inevitable: what happens when security is breached

Threats are getting more serious, but defences are evolving too.

A longstanding trope favoured by both media and vendors when talking about security is "things that keep you awake at night".

The nature of these "things" changes over time, of course. Ten years ago hacktivists, script kiddies, spammers and crackers were the cause of much CIO insomnia, whereas these days it's more likely to be state-sponsored actors, ransomware, supply chain attacks and organised crime.

Really, it's a wonder the poor CIO has managed to get any sleep at all during the last decade. New vulnerabilities are constantly revealing themselves and there's a steady procession of new threats marching over the horizon. The message down the years could not be more clear: don't become an IT leader if you value a good night's sleep.

We often hear that things are getting worse and there is plenty of fuel for that particular fire. Compare these two visualisations below of major data breaches from Information is Beautiful. (The larger the circle, the greater the volume of data compromised, the redder the circle the more sensitive the affected data).

Source: Information is Beautiful

In the earlier period, we have the release of US Embassy cables on Wikileaks in 2010 as among the most serious, with the Heartland credit card scam in 2009 among the biggest, affecting 130 million records.

Source: Information is Beautiful

The year 2019 saw 420 million Facebook records exposed, and the 2018 compromise of 383 million guest records at Marriott Hotels led the UK Information Commissioner's Office to propose a fine of just under £100 million under GDPR. Meanwhile, biometric data and unencrypted passwords were found on a web-accessible database belonging to Suprema, a contractor to police and defence interests, among others.

Seriously, sales of Temazepam must be through the roof.

Looking at these visualisations, things certainly seem to be getting worse, but is that really true? Certainly, there are more and bigger breaches, but then there's a lot more data out there. Overall data volumes are estimated to be expanding at a compound annual growth rate of around 28 per cent, and a proportion of that will be personal or sensitive data; and as more of life moves online, we'd naturally expect to find more crime there too.

Which is not to make light of the issue in any way. There's no doubt that the threats are ramping up. There was much less talk of state-sponsored actors 10 years ago, for example; online crime has become globalised and professional, while attacks are automated and simultaneously more brutal and more subtle.

On the other hand, IT security has become professionalised over the last decade, too, with the creation of the CISO role as well as other more specialised security functions. More companies have invested in SOCs and SIEMs, and we're seeing the emergence of AI techniques for anomaly detection and, increasingly, proactively taking out threats.

There's more intelligence sharing between businesses and governments, too, and more awareness of the importance of patching vulnerabilities quickly and proactively managing risk. Plus, there's a burgeoning cyber insurance industry that can potentially take the sting out of a serious attack.

Bad breaches make good headlines. When things go wrong we hear about it, whereas we don't tend to learn about all the times that defences have proved effective.

Two developments that have helped organisations keep abreast of the threat landscape are security information and event management solutions (SIEMs) and security operations centres (SOCs).

SIEM software was a niche product in 2009. Most organisations instead ran separate tools for event management and for threat intelligence. SOCs certainly did exist, but they tended to be confined to a few rarefied sectors where security was of paramount concern.

SIEMs can be very helpful in providing a detailed view of activity on the network, since they bring together log data from multiple sources with up-to-date intelligence such as vulnerability reports, but they can really ramp up the demands on the IT department.

SIEM solutions tend to chuck out vast quantities of data, which must be analysed and calibrated so that IT teams downstream are not overwhelmed with tickets, the vast majority of which will often turn out to be false positives, at least in the early days.

"Really, if you're going to get a SIEM you need a SOC," said one CISO, speaking of the vast streams of data and logfiles that SIEMs produce.

However, in the course of our research among 150 large organisations (500 employees to more than 100,000), we found that many lacked dedicated security professionals, let alone a SOC, and that where such teams exist they are often small and overworked with more generalist IT professionals expected to take up the slack.

And SIEMs are not the only tools that need to be managed by the security team. Far from it. Our survey found SIEM software in use in about a fifth of the large organisations, but there were plenty of other tools producing logs too, including DDoS mitigation, endpoint and messaging security, and network and web security products.

Around one fifth said they had a SOC, although definitions varied. Indeed, we found quite a variety of SOCs in the large businesses we researched. There was inevitably a certain amount of rebadging and upgrading of network operations centres (NOCs), which look after performance issues, to SOCs.

Suffice to say, finding the right skills to populate a SOC is a tough call for most organisations. Experienced operatives are hard to find and expensive. Moreover, a good deal of fine-tuning will be required to reduce false positives and false negatives to a manageable level, which has led many of our respondents to look at offloading some or all of this function to a partner.
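The tuning problem described above, and the flood of tickets mentioned earlier, can be made concrete with a small illustration. The script below is an added example, not code from the keynote or from any SIEM product: it parses a handful of constructed sshd-style log lines (the addresses come from the documentation ranges and the hostnames, usernames and timestamps are invented) and compares an untuned rule that raises one alert per failed login with a tuned rule that aggregates failures per source address over a sliding time window, suppresses a hypothetical allowlisted internal scanner, and flags bursts that span many distinct usernames as probable password spraying. The threshold, window and allowlist values are assumptions chosen for the illustration.

```python
"""Added example: untuned one-alert-per-event SIEM output versus a tuned,
aggregating rule. Log lines below are constructed for the illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd/syslog style; not real data.
# 203.0.113.9 sprays five different accounts in eight seconds,
# 192.0.2.77 is a user mistyping once before logging in,
# 198.51.100.4 stands in for an internal scanner that always trips sshd.
SAMPLE_LOG = """\
2019-11-05T09:00:01Z host1 sshd: Failed password for root from 203.0.113.9 port 51234
2019-11-05T09:00:03Z host1 sshd: Failed password for admin from 203.0.113.9 port 51235
2019-11-05T09:00:05Z host1 sshd: Failed password for oracle from 203.0.113.9 port 51236
2019-11-05T09:00:07Z host1 sshd: Failed password for test from 203.0.113.9 port 51237
2019-11-05T09:00:09Z host1 sshd: Failed password for guest from 203.0.113.9 port 51238
2019-11-05T09:01:00Z host2 sshd: Failed password for alice from 192.0.2.77 port 40001
2019-11-05T09:10:00Z host2 sshd: Accepted password for alice from 192.0.2.77 port 40002
2019-11-05T09:15:00Z host3 sshd: Failed password for svc from 198.51.100.4 port 33001
2019-11-05T09:15:01Z host3 sshd: Failed password for svc from 198.51.100.4 port 33002
2019-11-05T09:15:02Z host3 sshd: Failed password for svc from 198.51.100.4 port 33003
2019-11-05T09:15:03Z host3 sshd: Failed password for svc from 198.51.100.4 port 33004
2019-11-05T09:15:04Z host3 sshd: Failed password for svc from 198.51.100.4 port 33005
2019-11-05T09:15:05Z host3 sshd: Failed password for svc from 198.51.100.4 port 33006
"""

# Hypothetical allowlist: an internal vulnerability scanner (assumed address).
SCANNER_ALLOWLIST = frozenset({"198.51.100.4"})

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines the regex does not match are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count unparsed lines as a health metric
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"],
        })
    return events


def raw_alerts(events):
    """Untuned rule: every failed login becomes its own ticket."""
    return [e for e in events if e["outcome"] == "Failed"]


def tuned_alerts(events, threshold=5, window=timedelta(seconds=60), allowlist=frozenset()):
    """Tuned rule: one alert per source per burst of >= threshold failures inside
    a sliding window; allowlisted sources are suppressed; a burst that hits
    >= threshold distinct usernames is tagged as password spraying."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "Failed" and e["src"] not in allowlist:
            by_src[e["src"]].append(e)
    alerts = []
    for src, fails in by_src.items():
        start = 0
        for i in range(len(fails)):
            while fails[i]["ts"] - fails[start]["ts"] > window:
                start += 1  # slide the window forward
            if i - start + 1 >= threshold:
                burst = fails[start:i + 1]
                users = {f["user"] for f in burst}
                alerts.append({
                    "src": src, "count": len(burst), "distinct_users": len(users),
                    "first": burst[0]["ts"], "last": burst[-1]["ts"],
                    "spray": len(users) >= threshold,
                })
                start = i + 1  # do not re-alert on the same burst
    return alerts


def summarise(log_text, allowlist=frozenset()):
    """Event count and alert counts for both rules, for side-by-side comparison."""
    events = parse(log_text)
    return {
        "events": len(events),
        "raw_alerts": len(raw_alerts(events)),
        "tuned_alerts": len(tuned_alerts(events, allowlist=allowlist)),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG, allowlist=SCANNER_ALLOWLIST))
    for a in tuned_alerts(parse(SAMPLE_LOG), allowlist=SCANNER_ALLOWLIST):
        print(a)
```

On these thirteen constructed lines the untuned rule raises twelve tickets, eleven of them noise; the tuned rule raises one, correctly naming the spraying source, and without the allowlist it would raise two, the second being the scanner. The same shape of calibration (aggregation, suppression of known-benign sources, enrichment with a secondary signal) is what the fine-tuning discussed here consists of, and it is work that has to be done per environment rather than shipped in a box.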

"We work with IBM and Cisco because we are not a security specialist, we are a manufacturing company," said a CIO in a large manufacturing company.

And because, like IT leaders, automated bots never sleep, operations need to be ready to respond at any time.

"Threats are coming in all hours of the day and all hours of the night, so we have now gone 24/7 but still some of these threats are way beyond our capabilities," said another CIO.

So, SOCs would seem to be an ideal candidate for outsourcing, or for a hybrid approach with the core team in house augmented by outside suppliers. But not everyone was happy with this idea. Some of the CIOs and CISOs we spoke to said they are very cautious about outsourcing security. How do you know what's happening to the data they are analysing? You may trust your partner but what about their subcontractors? How do you know you're getting value for money?

"A similar organisation to us outsourced their SOC fully with a SIEM but they've just brought it back in-house again," said one IT leader. "They found they were just not getting the value for money. They were just getting loads and loads of alerts sent to them, so they brought it back in."

The consensus of opinion was outsource what you can't do yourself to a trusted partner, but it goes without saying that due diligence is imperative. Be selective, investigate options fully, test assumptions rigorously and choose carefully.

It's widely accepted now that the attacker is probably already on the network. Therefore perimeter-based defences must be augmented with containment measures and a defence-in-depth approach, in accordance with a risk-based strategy.

In many companies that can afford one, the SOC will coordinate the primary response to any attack or loss of data, but in the age of GDPR all organisations need to have a holistic strategy, because the window for responding is getting narrower all the time. GDPR requires a personal data breach to be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Within this 72-hour window, a long list of activities needs to be initiated, including an assessment of what has been affected, whether the threat has been neutralised, what vulnerabilities still remain, how the information should be reported, what passwords should be changed, and so on.

Most organisations will use some sort of templated approach that covers how the response team will be activated, identification of designated point people for internal and external communications, criteria for the involvement of other bodies such as law enforcement or regulators, planned responses to customers and partners and handling media and social channels. It's important that this template does not become a dead document and that its provisions are reviewed and practiced regularly.

It's also vital that everyone understands how their actions can affect the outcomes, said one CIO.

"We ensure we lay the foundations from the bottom up, because everybody has to be aware that security is the whole issue, and everybody from ground level to the CEO needs to be aware it can damage the credibility and affect the culpability of the company."

With time of the essence, technologists' eyes tend to turn to automation.

Indeed, automated systems are making a big play in IT security. Sixty per cent of respondents said their security processes were partially or completely automated, while AI is increasingly used to coordinate the different moving parts.

However, 16 per cent said security always needs manual intervention, and 51 per cent said event investigation and remediation are only somewhat automated in their firms.

This would seem to be a realistic assessment. After all, automated systems are only as good as the data they are fed and coverage is likely to be only partial. Thinking about the bigger picture, it's much more about the people than infrastructure. In the aftermath of a security event the company is likely to be a hive of human activity.

There's no such thing as complete security. There will always be novel threats and new vulnerabilities, but through a combination of defence-in-depth, hiring the right skills, intelligent partnerships and a well-practised emergency plan, the well-prepared CIO can hopefully sleep a little better at night.

This is an edited version of a keynote delivered by John Leonard at Computing's Cyber Security Live 2019 event
