What then, of tactics? The consensus among those who spoke at the Summit was that tactics in cyberspace had to be informed by sound, disciplined risk management. This seems as true of offense as it does of defense, especially given the "inherently dual-use" nature of cyber tools several panelists alluded to.
Frameworks and the CISO's role.
A panel chaired by Greg Touhill (now of Cyxtera) took up the challenges of implementing the cybersecurity Executive Order. The panelists were experienced and senior CISOs: Essye Miller (US Department of Defense), Jack Donnelly (US Department of the Treasury), Christopher Wlaschin (US Department of Health and Human Services), Jeffrey Eisensmith (US Department of Homeland Security), and one from industry, Dr. Michael Papay (Northrop Grumman).
The CISOs all alluded to the importance of having the ear of an organization's senior leadership. They thought the Executive Order's emphasis on the NIST Framework a positive, and they regarded its concentration on risk management and information sharing as especially positive steps likely to have a good effect. As Donnelly put it, "The Executive Order got right to the point." It demanded that risks be identified and addressed.
There was strong consensus on the importance of well-planned (and well-exercised) incident response. The panelists also thought that such response capability depended on effective information sharing. Speaking from an industry perspective, Papay said he'd found it easy to make the business case at Northrop Grumman. The company wants good incident response, meaning the ability to respond within minutes, and this clearly requires swift information sharing, automated wherever possible.
Implications of clouds, cybercrime and the IoT.
In his presentation, FireEye's Charles Carmakal described the implications of the rapidly increasing interconnection of industrial control systems (ICS). ICS operators are famously change-averse, but they understand the importance of evolving. They're learning to share what they learn, to exercise their defenses and response plans, to test regularly, and to recognize that they're up against an adversary that, unlike a natural disaster, adapts to their defenses.
Ron Zalkind (Cisco) predicted that cloud-native attacks would soon become more prominent in the risk environment. Organizations need, he argued, new ways of gaining information. Attacks come from the web to an attack surface on the web, and so it makes sense to look closely at your apps. A lot of them ask for a lot of access, and a lot of them have no real business purpose. Pokémon-Go is a good example—it wants a lot of access, and Cisco's found that more than 40% of their customers had Pokémon-Go in their business environments, happily resident with all the permissions it asked for.
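One way to act on Zalkind's advice to "look closely at your apps" is to audit the permission grants third-party apps hold in a SaaS tenant and flag those whose access outruns any stated business purpose. The following is an added example, not code from the Summit, from Cisco, or from any vendor: the scope names, their risk weights, the review threshold and the sample inventory are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed risk weights per permission scope. The scope names are
# illustrative (assumed), not any real identity provider's scope strings.
SCOPE_RISK = {
    "profile.read": 1,
    "calendar.read": 2,
    "contacts.read": 3,
    "files.read": 4,
    "mail.read": 5,
    "files.readwrite": 6,
    "mail.send": 7,
    "directory.readwrite": 10,
}
UNKNOWN_SCOPE_RISK = 5                 # a scope nobody has classified is not "safe"
PERSISTENCE_SCOPE = "offline_access"   # refresh token: access outlives the user's session


@dataclass
class AppGrant:
    name: str
    scopes: tuple
    user_count: int
    business_owner: Optional[str] = None   # None: no one claims a business purpose


def score_grant(grant: AppGrant) -> int:
    """Sum the scope weights; double the total if the app holds a refresh
    token, since every other scope then persists beyond the interactive login."""
    score = sum(SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK)
                for s in grant.scopes if s != PERSISTENCE_SCOPE)
    if PERSISTENCE_SCOPE in grant.scopes:
        score *= 2
    return score


def audit(grants, threshold: int = 10):
    """Return (app name, score, reason) for grants that need review.
    An unowned app is flagged at anything above a trivial score; an owned
    app is flagged only when its score reaches the threshold."""
    findings = []
    for g in grants:
        score = score_grant(g)
        if g.business_owner is None and score > 1:
            findings.append((g.name, score, f"no business owner, {g.user_count} users"))
        elif score >= threshold:
            findings.append((g.name, score, f"high-privilege scopes owned by {g.business_owner}"))
    return sorted(findings, key=lambda f: f[1], reverse=True)


# Constructed sample inventory, shaped like an export of a tenant's consent log.
SAMPLE_GRANTS = [
    AppGrant("GameApp", ("profile.read", "contacts.read", "offline_access"), 412),
    AppGrant("TicketTracker", ("profile.read", "calendar.read"), 58, business_owner="IT Ops"),
    AppGrant("BulkMailer", ("mail.read", "mail.send", "offline_access"), 3, business_owner="Marketing"),
    AppGrant("PdfConvert", ("files.readwrite", "weird.scope"), 27),
    AppGrant("Directory Sync", ("directory.readwrite",), 1, business_owner="Identity team"),
]

if __name__ == "__main__":
    for name, score, reason in audit(SAMPLE_GRANTS):
        print(f"{score:3d}  {name:15s} {reason}")
```

The point of the two-track rule in `audit` is the one Zalkind made: an app with many users and no business owner is a finding even at a modest score, while an owned app is tolerated until its scopes become genuinely powerful. Treating unknown scopes as moderately risky rather than zero keeps a new or renamed scope from silently passing the review.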
Recognizing and going after cybercriminals' safe havens has become increasingly important. Australian Ambassador for Cyber Affairs Tobias Feakin thought this especially important in the Asia-Pacific region, which he characterized as disproportionately affected by such safe havens. (His Government's Cyber Cooperation Program seeks to foster better awareness, capacity, law and law enforcement in that region.)
Industry thoughts on risk management.
We were able to speak with Northrop Grumman's Mike Papay after his panel concluded. He observed that adversaries have been interested in intellectual property theft and in hindering or even shutting down operations. The latter has recently grown more prevalent. So the goal of an attack tends to be either monetization or disruption. He thinks we're seeing more cooperation with criminals by hostile governments, but in the end it doesn't matter what the attack's source is. "Wherever they're coming from, you've got to handle it." Attribution, he believes, is the government's job.
Papay comes from a background in satellite and missile systems, where risk management is a disciplined process. In cybersecurity he thinks the process is still more ad hoc, but that it should proceed along the same lines. He views the NIST Framework as embodying the best approach to risk management; the defensive controls it suggests are valuable.
Asked about the effects of NISPOM security regulations for Federal contractors handling sensitive information, he thought that regulation also contributed to risk management. Because it basically enjoins sound concepts of operation, Northrop Grumman has found it relatively easy to implement.
He thought the next "ah-hah" moment in public-private partnership would come when we realized that a commitment to information-sharing would enable automated information-sharing, and that this would in turn reduce staffing pressure. Artificial intelligence and machine learning are of course essential to bringing this to reality. He thought the risk of a compromised data supply chain manageable. "We have a lot of data. There will always be outliers. That's why we have data scientists." The data scientist's role will be to weed out malicious data.
Industry thoughts on compliance and risk management.
No one thought that mere checklist compliance was anything close to sufficient for security. This is an uncontroversial view, but many speakers and panelists were concerned to emphasize that compliance can lull an enterprise into a false sense of security. There's also the danger that competing regulatory regimes will so focus an organization on complex compliance that it loses its ability to manage risk effectively.
These views emerged during a panel on the NIST Framework (which the panel emphatically viewed from a risk management perspective, and not as a compliance checklist). That panel was moderated by Bay Dynamics' Steven Grossman. We caught up with him after the panel and asked him to elaborate.
Any framework, Grossman argued, was only as good as the people implementing it. Compliance frameworks can be a great guide, "but if they take on a life of their own, you'll inevitably find yourself exposed."
He suggested an approach to risk management that combined behavioral analytics with other risk analytics, and he urged that organizations prioritize their security measures based on insight into the risks that can be reduced. Security firms should work to give clients visibility into their enterprise and the value of their assets, and to help them with continuous monitoring ("We love that concept").