TechRepublic recently had a conversation with SANS Institute
Director of Security Trends John
Pescatore about best cybersecurity practices, current trends in IT
security, and his organization’s focus on building the skill levels of security “doers”—the IT operations personnel in the trenches keeping their enterprises
and agencies secure. He says that security has a responsibility to handle the
biggest, most pressing issues before moving up the “food chain” to obtain more
money and resources from top management.
- “20 Critical Security Controls” is a main SANS
- Top five security controls are about solving IT
- Security has to first fix what’s obvious and use the resources it is given
- No correlation between how secure a company is and money spent on security
- SANS community is 200K and tends to be security
- There are three typical “flavors” of CISOs
- “The Internet of Things”: multiple networked devices create new security challenges
- Personnel using MyFi adapters at work is on the
- In IT, “Homogeneity is a thing of the past”
- With heterogeneity, first focus on securing resources, applications and data
TechRepublic: Could you provide an introduction to the SANS
John Pescatore: SANS
is a security training organization, so it’s focused on increasing the skill
level of people in cybersecurity. It’s been around for 20 years, and I joined
in January, after 13 years at Gartner, leading the security practice there, and
having worked in the security vendor industry and for the government in the
Secret Service side of security.
In my role as Director of Security Trends, really what I do
with SANS is work with a lot of different areas on conferences, with the
information reach-out to our SANS community. SANS has a community of 200,000
people who have either attended their training courses or other online
training with SANS, who give us a lot of feedback. And we provide them a lot
So a lot of it is saying, hey we’ve been training people,
what are some of the key security issues that are going to hit next year or the
year after, so that we can update our courses. It really got started with Alan
Paller, the founder, who realized that if we help the security community it
gets bigger, and if it gets bigger it needs more training.
In this discussion, one key effort that SANS has jumped on
is the government program, started in 2008, called 20 Critical Security Controls.
It came out of the government, and SANS said that’s a good thing. The idea was
to say, let’s go and ask people about the security controls that make it harder
for attackers to succeed.
You know in security you could look at ISO 27001 and find
lists of thousands of security controls, payment card industry standards or
whatever. The idea was, let’s go to the people doing penetration testing,
acting like attackers, testing people’s systems and saying, what are the things
that stop you? If companies are doing something right in security and it stops
you, what are those things. Let’s get people to try and focus on doing those
things first. And that became what’s known as the “20 Critical Security
TechRepublic: How do we enable IT decision makers to
implement cybersecurity best practices?
John Pescatore: When you look at those critical security
controls, the top four or five are really about making up for deficiencies in
IT operations, configuration control, patching, inventories. And it turns out,
the reality is the first function of security is to find and shield vulnerabilities
in business processes and IT processes.
Note to reader: the top five critical security controls
- Inventory of Authorized and Unauthorized Devices;
- Inventory of Authorized and Unauthorized Software;
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers;
- Continuous Vulnerability Assessment and Remediation;
So we can hope they’ll get better, the mistakes made in
business processes and IT processes. We can try and help them get better. In
security we don’t own those processes, right? The IT group owns patching and
configuration management. The business group owns lots of the business
The first part is that security has to have less focus on
convincing IT management and business management to do things, and more
focus on first shielding them. Because that’s inevitable—people make mistakes.
There are deficiencies in all processes. That’s why we have guard rails on
highways. That’s why there are interlocks, so you have to have your foot on the
brake, before you go into park.
The first focus of security, everybody likes to talk about, is
to convince management. No, really first you’ve got to focus on what’s obvious
and the resources that were given to you to shield things. And then from there
start moving up the food chain, and start dealing with some other issues where
if you do get some management buy-in, you can make the first job shielding a
lot easier and eliminate further risks.
What I like to point out is, look, if your roof has leaks,
you fix the leaks in the roof before you remodel the house, right? And when you
look at most of these breaches you see in security, you can trace them back to
the first four or five critical security controls.
So, that to me is very key, that security first focus on the
main security controls. The security department is typically given five percent
of the budget, let’s focus on using that money right first, before we start
convincing them we need other things, and do our job. That’s really where I
think the focus needs to be.
TechRepublic: So the IT department or security personnel
really need to get up to speed and be proactive about cybersecurity, before
they start the process of engaging upper management about bigger budgets and
John Pescatore: I was at Gartner for years, working with and
talking to companies. There is not a correlation between how much is spent on
security and how secure a company is. Out there, some of the companies spending
the smallest percentage of their budgets on security have incidents. Others
spend way more and have more incidents.
It’s sort of nuts, when you think about it. Can you imagine
a guy with a smart idea in a business unit who wants to go to management and
say, you got to give me a lot of money to do something. And they say, OK, what
have you done so far?
A venture capitalist looks at the team of people before he
gives them money. And the scary side is, look, I’ve given you five percent of the
budget. Focus that spending on the parts that prevent these attacks,
demonstrate how to prevent these attacks. We saw that our competitors got hit,
we did not.
The reality is, in many cases you are going to need to do
new things, and do new initiatives and get new funding to get to some of these
higher level issues. But first fix the leaks in the roof! If management’s
attention is on you because it’s constantly raining and the living room is
always getting wet, and that’s why they’re giving you attention,
that’s not a way to justify getting more money.
A business unit losing money is getting lots
of attention from upper management—it’s not getting more resources. So
security, too often, is saying look at us, we’re doing horribly, you need to
give us more money. What kind of argument is that? Of course the CEOs and CFOs
don’t listen to that argument.
TechRepublic: You mentioned that SANS is around 200,000
strong. Could you give a few stats and descriptors of who is in the community?
John Pescatore: The SANS community tends to be the security
doers. There are certainly some CISOs in there. For instance I often do
breakfast roundtable meetings and invite CISOs and architects, anyone with
management in their title. And SANS has a line of security management courses.
The bulk of the community are people running firewalls, running penetration
tests, doing forensics, doing incident response, securing applications. So it
tends to be the operational people.
The way I like to describe this, to me, when you look at a
CISO, there are three typical flavors.
If you look at a lot of really big banks, you see a lot of
the “risk, upwards-facing” CISOs. They are really dealing with corporate risk
at a very high level—fraud and risk and so on. The opposite end of the spectrum
is the “security operations” CISO, who is either himself at a small company or
is on a team, running firewalls and doing the operations side of security. Then
the third type is the one that is balanced across the two. And our SANS
audience is sort of the latter two—sort of the operations and balanced-type
CISOs and the people who work for them.
TechRepublic: In your conversations with enterprises and
security personnel, what are you talking about in terms of the current issues
they should be looking at?
John Pescatore: For the past couple years, the
consumerization of IT has been a huge area. It captures both mobility and use
of the cloud. That’s not a new one. One area—everybody started to call this the
“internet of things”–this issue that it’s not just healthcare or manufacturing
that now has very funky devices connecting to the internet and handling
I mentioned that we have these roundtable breakfasts. We had
a couple on healthcare issues. A major issue in healthcare is MRI machines and
insulin pumps that have embedded operating systems that run applications and
have very sensitive data. Patching those embedded operating systems is even
harder than patching Oracle or similar systems. So more and more of these
non-PCs and non-servers are being targeted and increasingly will be targeted.
We are actually having a conference on October 22 called Securing the Internet of Things.
There are some point issues. For example, I don’t know if
you’ve ever turned on your laptop or smart phone and searched for Wi-Fi and
noticed how many of these MyFi adapters you’re seeing? I started to see this in
Asia 12 years ago because they were early users. We are starting to see this in
the US. Employees are saying, hey if I bring this into work, when I put my
laptop into the docking station, then I can get around all that annoying security
and things they have at work. That’s a new hole that we haven’t had to worry
The second level of that is when we start to see database
admins or server admins or webmasters start to do that in the data center. They
say, if I leave this here in the data center, it would be much easier for me to
remotely manage the machine I am running. So this MyFi cellular device is just
an enormous opening.
The next big area that comes out of consumerization is that
homogeneity is a thing of the past. Most of what IT has done managing security
for the past couple years is “forced” homogeneity. Everybody will use Windows
PCs with “this” configuration. We will use standard things, and… that’s going
away, that’s gone.
In consumerization, the user gets to use many devices, and
in a multiple world, it’s not going to be 90 percent anybody. It’s going to be
30 percent, 30 percent and 30 percent. Whether it’s 30 percent Android, 30
percent iOS, 30 percent Blackberry at one point, or maybe Windows Phone grows,
or Facebook phone, whatever. It’s going to be a heterogeneous world on that end.
With cloud services and software it’s assumed, you’re
guaranteed heterogeneity, because Amazon does things differently from
Salesforce, who does things differently from Microsoft Azure. So the key is
learning how to manage and secure heterogeneity, not hoping to force things
back to homogeneity.
So I see a lot of security responses to things like BYOD or
securing the cloud, it’s sort of like we are going to force the mainframe back.
If you can make the user use a dumb terminal through virtualization… well,
that’s not coming back.
A big change with heterogeneity, what it really means is,
we’ve talked about for a long time—let’s focus on securing the resource, the
device or the server, or focus on securing the application or the data. And
that’s really going to be key to securing against the threats over the next couple of
years. First focus on the application.
And the thing I like to point out, if you look at the mobile
world, like the iPhone in particular, what do you see? You see an app store. You
see a big whitelist, where they are focusing more on securing the particular
application, people can’t just load any application onto an iPhone.
If you have Google Play running on Android, you can’t just
load any apps. So there are already some things in place that are more focused
for securing the application. Securing data, however, is a real hard problem,
it’s going to take years to get more effective at. But it’s very key to how we
think about, how we’re going to deal with security in a heterogeneous, consumer-driven
world, where the choices change every year. You can’t say, we’re going to use
Windows and let it depreciate over five years—those days are gone.
TechRepublic: Could you outline some of the major
initiatives of SANS at the enterprise level?
John Pescatore: I guess the way I would put it, the number
one effort is increasing the skills of the security people out there right now.
That’s our number one focus. But, some of the key initiatives that we’re
focused on to make a difference go back into the critical controls that I
Application security: how we help make applications more
secure is a very key thing. Some of the companies like Cigital, if you’ve ever
seen their Building Security In Maturity Model. WhiteHat Security has done
some great things. That’s one area.
The other area ties very much to the critical controls. For
lack of a better term let’s call it continuous monitoring. That’s what the NIST
and the federal government standards have cranked up. The credit card industry
says you have to scan for vulnerabilities four times a year. Well, that’s why
so many companies are PCI compliant but they continue to get broken into, because
vulnerabilities change much more rapidly than four times a year! So, how can we
do things like vulnerability assessment and patching—how can we do that faster?
So for example, the federal government, right before the
shutdown awarded a continuous monitoring contract called Continuous Diagnostics and Mitigation. In
November, we have a free webinar to publicize that because we think it’s going to be a
great vehicle as government agencies move from once-a-year security assessment
to more continuous monitoring and spill over into private industry as well.
The idea that once a month Windows patches come out, other
firms’ patches come out every day, so companies scanning once per quarter is
nuts. People make mistakes on a daily basis, so finding the mistakes we can
shield them from, that will make the industry better.
We also see some “big-bang-for-the-bucks” things that we are
trying to help people do. We look at what sort of metrics, what sort of
measurement should you be making. When you are doing continuous monitoring, how
do you know you’re getting better? How do you show management that you’re
getting better, or worse? As I mentioned earlier, there are the three flavors
of CISOs. Same thing with metrics. There’s no shortage of the real high-level risk
measurements. We have some on the security, operational side, how many PCs were
patched, how many virus things were up to date. It’s that balanced level in the
middle, you’ll see us doing some interesting things there.
And in a couple of vertical industries, I mentioned the “internet of things,” but we’re seeing a lot more focus on industrial control
systems security, and on healthcare. And both of those areas we think the bad guys
have increasingly targeted, and those two industries have some unique
challenges securing their systems. That’s the strange nature of these systems;
they’re not just Windows PCs or Linux servers. A lot of oddball devices, a lot
of strange organizations, a lot of different types of networks connecting them
together. So you will see a lot in 2014 around industrial control systems and
TechRepublic readers can visit the SANS site for upcoming