Attack Surface Analysis - Response to the Information Security Management

James Norberg, Security Director, Express Scripts

Please elaborate on the challenges that you have currently observed in the information security landscape.

Back in the days when everything was on-premises, understanding the attack surface wasn’t as big of a deal. The inability to thoroughly understand the attack surface at all times is one of the major challenges as we are moving towards the cloud, because the attack surface is going to be incredibly dynamic; several different surfaces are being made through several cloud environments at any time in terms of containers. Any piece of code or app could run in diverse clouds every other day, which creates issues in trying to understand what the total attack surface would be. The idea of the Digital Forensics and Incident Response (DFIR) Hierarchy of Needs, shaped like a pyramid, has been around for a while. Knowing the pyramid means having a clear picture of the inventory and each component of it, which helps in understanding the attack surface. With a highly dynamic attack surface, these two layers become extremely challenging.
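The inventory layer described above, as an added example that is not part of the interview or of Express Scripts' tooling: reconcile an approved asset inventory against a runtime snapshot taken across several clouds, so that assets that moved, gained an exposed port, or were never approved show up as findings. The inventory, the snapshot, and the field names (name, cloud, ports) are all constructed assumptions of this example.

```python
"""Added example (not from the interview): reconcile an approved asset
inventory against what is actually running across several clouds.
APPROVED and OBSERVED are constructed sample data; the Asset fields are an
assumption of this example, not a real inventory schema."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    cloud: str
    ports: frozenset  # internet-exposed TCP ports


# Constructed approved inventory: what security believes is running.
APPROVED = {
    Asset("api-gateway", "aws", frozenset({443})),
    Asset("billing-worker", "aws", frozenset()),
    Asset("reporting-db", "azure", frozenset()),
}

# Constructed runtime snapshot: what is actually running today.
OBSERVED = {
    Asset("api-gateway", "aws", frozenset({443})),
    Asset("billing-worker", "gcp", frozenset()),        # moved clouds since approval
    Asset("reporting-db", "azure", frozenset({5432})),  # database now exposed
    Asset("debug-shell", "gcp", frozenset({22})),       # nobody approved this
}


def reconcile(approved, observed):
    """Diff the approved inventory against the observed snapshot.

    Returns a dict of findings keyed by category:
      unknown   - observed assets with no approved record
      moved     - (name, approved_cloud, observed_cloud)
      new_ports - (name, [ports exposed but not approved])
      missing   - approved assets not seen at runtime
    """
    approved_by_name = {a.name: a for a in approved}
    observed_by_name = {o.name: o for o in observed}
    findings = {"unknown": [], "moved": [], "new_ports": [], "missing": []}
    for name, obs in sorted(observed_by_name.items()):
        ref = approved_by_name.get(name)
        if ref is None:
            findings["unknown"].append(name)
            continue
        if obs.cloud != ref.cloud:
            findings["moved"].append((name, ref.cloud, obs.cloud))
        extra = obs.ports - ref.ports
        if extra:
            findings["new_ports"].append((name, sorted(extra)))
    findings["missing"] = sorted(set(approved_by_name) - set(observed_by_name))
    return findings


def attack_surface(observed):
    """The exposed (asset, port) pairs across all clouds right now."""
    return sorted((o.name, p) for o in observed for p in o.ports)


if __name__ == "__main__":
    for category, items in reconcile(APPROVED, OBSERVED).items():
        print(f"{category}: {items}")
    print("exposed:", attack_surface(OBSERVED))
```

Run as a scheduled job against a fresh snapshot, the `unknown` and `new_ports` findings are the pieces of attack surface nobody has reviewed yet; the `missing` list catches inventory records that have gone stale.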

Also, ensuring that developers are abiding by the rules, following our logging and coding standards, and subscribing to logging APIs is another major challenge. Our goal is to move it back left in terms of the SSDLC to get all of this built in upfront, so that we know our attack surface, hit the right telemetry at the right time, and continue to walk up the DFIR hierarchy. Additionally, telemetry data is becoming extremely expensive; generally, there is a different type of cost model associated with it. We want to have good logs, such as OS logs, database logs, and app server logs, from all of our systems, whether they are in the cloud or on-premises. But all of these different pieces of telemetry generate a lot of noise, and that noise is going to come in the form of additional bandwidth, digital storage, additional log processing, SIEM licenses, and so on, which becomes a significant investment. So taking that investment and making it more than it was meant to be is also a challenge that we are facing.

“As it stands, IoT for consumer and personal use ransomware isn’t making the headlines. This is understandable, as most IoT devices don’t typically store valuable data; it’s unlikely anyone would bother to pay the ransom.” What is your take on this statement?

When I think about IoT devices, I consider types of equipment such as home appliances, webcams, and things that are very much focused on the consumer marketplace rather than the business marketplace. If I had to look at the consumer lines in relation to IoT, then certainly it is being leveraged. But a new way of crypto mining using IoT is being used by bad actors. Talking about paying ransoms for consumer IoT devices, I don’t see scope for it, because these types of devices are for consumer use and don’t store any valuable data, unless it’s a highly sophisticated threat actor who is targeting a business and not some generic malware, because there is no monetary gain. If a ransom is demanded on some consumer-grade IoT device, all they need to do is start again without paying the ransom.

In context to the challenges you’ve mentioned, what are the major tasks for the security managers at this point?

As the Director of the security operations center, there are a few things that our team is concerned about when it comes to ensuring that we are giving value-add for our investments. Similar to a lot of companies, we are also going through the transformation. Our wing has been in operation for the last two to three years. We make sure to carry out our security operations center work and all other operations with an agile methodology, so that if new assets come in the door, they do not cause a roadblock for us. Accordingly, we are working faster so that we can adapt quickly to changes in the market.

Another task revolves around maximizing the investment fund for all of the telemetry spend while at the same time ensuring that the security operations center, network operations center, command center, and all of the different centers are synchronized. We focus on making our monitoring capability the differentiator for us, so that our logging patterns and the data for security, reliability, user experience, privacy operations, and fraud models are structured and upstreamed by developers. This is done in a way that, when it comes into our data stores for analysis, we can create models for all these different groups.

Lastly, if you are not a CISO thinking about talent, then you should be. There are certainly not enough people, and guaranteeing a robust program and development plan is undeniably an important task to be done. They also have to be creative in their training programs, web programs, and building college partnerships to bring in better talent.

What is your advice for budding technologists in the Information security space?

Everything that we do now is going to be based on data science, as it’s going to be the new language. So through the threat hunting program with the IR people, we are trying to find that needle in a haystack. This comes down to writing alert concepts based on telemetry, which is in turn based on data science. I believe this is going to be one of the biggest things they have got to do in the future. So my piece of advice would be that organizations have to ensure that they bring the component of data science into their training programs.
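The "needle in a haystack" hunt described above, as an added example that is not part of the interview or of any Express Scripts tooling: a small hunting pass over constructed authentication telemetry. It scores each account's login failures with a robust z-score (median and MAD, so one noisy account does not drag the baseline with it) and separately flags a source address that fails against many accounts. The log format, the thresholds, and every log line below are constructed assumptions of this example.

```python
"""Added example (not from the interview): threat-hunting logic over
constructed authentication telemetry. The log format, thresholds and all
sample events are assumptions of this example, not real data."""
import re
import statistics
from collections import Counter, defaultdict

# Assumed line format: "<ts> user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(r"user=(\S+) src=(\S+) result=(ok|fail)")


def constructed_log():
    """Build sample telemetry: a normal baseline, one brute-forced account,
    and one address spraying a handful of accounts (all constructed)."""
    lines = []
    baseline = {"alice": 1, "bob": 2, "carol": 2, "dave": 3, "erin": 1}
    for idx, (user, fails) in enumerate(baseline.items()):
        src = f"10.0.0.{10 + idx}"
        for i in range(fails):
            lines.append(f"2024-01-01T08:{i:02d}:00Z user={user} src={src} result=fail")
        lines.append(f"2024-01-01T08:59:00Z user={user} src={src} result=ok")
    for i in range(40):  # brute force against one account from one address
        lines.append(f"2024-01-01T09:{i:02d}:00Z user=mallory src=203.0.113.9 result=fail")
    for user in ("alice", "bob", "carol", "dave"):  # same address sprays others
        lines.append(f"2024-01-01T10:00:00Z user={user} src=203.0.113.9 result=fail")
    return "\n".join(lines)


def parse(log_text):
    """Return (user, src, result) tuples; lines that don't match are dropped."""
    return [m.groups() for m in map(LINE_RE.search, log_text.splitlines()) if m]


def failures_per_user(events):
    counts = Counter()
    for user, _src, result in events:
        if result == "fail":
            counts[user] += 1
    return counts


def robust_outliers(counts, threshold=3.5):
    """Modified z-score 0.6745*(x - median)/MAD; 3.5 is the usual cutoff.
    Uses median/MAD rather than mean/stdev so the outlier itself does not
    inflate the baseline it is compared against."""
    values = list(counts.values())
    if len(values) < 3:
        return {}
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0  # assumption: avoid /0
    scores = {u: 0.6745 * (v - med) / mad for u, v in counts.items()}
    return {u: round(z, 2) for u, z in scores.items() if z > threshold}


def spraying_sources(events, min_users=3):
    """Source addresses with failed logins against at least min_users accounts."""
    users_by_src = defaultdict(set)
    for user, src, result in events:
        if result == "fail":
            users_by_src[src].add(user)
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_users}


def hunt(log_text=None):
    events = parse(log_text if log_text is not None else constructed_log())
    return {"outliers": robust_outliers(failures_per_user(events)),
            "spray": spraying_sources(events)}


if __name__ == "__main__":
    print(hunt())
```

The two checks catch different shapes of the same attack: the per-user score finds the one account being hammered, while the per-source check finds low-and-slow spraying that never pushes any single account above the baseline. Both run over the same parsed events, so adding a third signal is a matter of another function over `events`, not another log pipeline.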
