IT security: Fix the leaky roof before remodeling the house

IT security folks have a responsibility to handle the biggest, most pressing issues before moving up the "food chain" to obtain more money and resources from top management.

TechRepublic recently had a conversation with SANS Institute Director of Security Trends John Pescatore about best cybersecurity practices, current trends in IT security, and his organization's focus on building the skill levels of security "doers"—the IT operations personnel in the trenches keeping their enterprises and agencies secure. He says that security has a responsibility to handle the biggest, most pressing issues before moving up the “food chain” to obtain more money and resources from top management.

Key takeaways:

  • "20 Critical Security Controls" is a main SANS initiative
  • Top five security controls are about solving IT operations deficiencies
  • Security has to first fix what's obvious and use the resources it is given
  • No correlation between how secure a company is and money spent on security
  • SANS community is 200K and tends to be security “doers”
  • There are three typical "flavors" of CISOs
  • "The Internet of Things": multiple networked devices create new security challenges
  • Personnel using MyFi adapters at work is on the security radar
  • In IT—"Homogeneity is a thing of the past"
  • With heterogeneity, first focus on securing resources, applications and data

TechRepublic: Could you provide an introduction to the SANS Institute?

John Pescatore: SANS is a security training organization, so it's focused on increasing the skill level of people in cybersecurity. It's been around for 20 years, and I joined in January, after 13 years at Gartner, leading the security practice there, and having worked in the security vendor industry and for the government in the Secret Service side of security.

In my role as Director of Security Trends, really what I do with SANS is work with a lot of different areas on conferences, with the information reach-out to our SANS community. SANS has a community of 200,000 people who have either attended its training courses or other online training with SANS, and they give us a lot of feedback. And we provide them a lot of information.

So a lot of it is saying, hey, we've been training people, what are some of the key security issues that are going to hit next year or the year after, so that we can update our courses. It really got started with Alan Paller, the founder, who realized that if we help the security community it gets bigger, and if it gets bigger it needs more training.

In this discussion, one key effort that SANS has jumped on is the government program, started in 2008, called 20 Critical Security Controls. It came out of the government, and SANS said that's a good thing. The idea was to say, let's go and ask people about the security controls that make it harder for attackers to succeed.

You know, in security you could look at ISO 27001 and find lists of thousands of security controls, payment card industry standards or whatever. The idea was, let's go to the people doing penetration testing, acting like attackers, testing people's systems, and say, what are the things that stop you? If companies are doing something right in security and it stops you, what are those things? Let's get people to try and focus on doing those things first. And that became what's known as the "20 Critical Security Controls."

TechRepublic: How do we enable IT decision makers to implement cybersecurity best practices?

John Pescatore: When you look at those critical security controls, the top four or five are really about making up for deficiencies in IT operations, configuration control, patching, inventories. And it turns out, the reality is the first function of security is to find and shield vulnerabilities in business processes and IT processes.

Note to reader. The top five critical security controls are:

  1. Inventory of Authorized and Unauthorized Devices;
  2. Inventory of Authorized and Unauthorized Software;
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers;
  4. Continuous Vulnerability Assessment and Remediation;
  5. Malware Defenses

So we can hope they'll get better, the mistakes made in business processes and IT processes. We can try and help them get better. In security we don't own those processes, right? The IT group owns patching and configuration management. The business group owns lots of the business processes.

The first part is that security has to have less focus on convincing IT management and business management to do things, and more focus on first shielding them. Because that's inevitable: people make mistakes. There are deficiencies in all processes. That's why we have guard rails on highways. That's why there are interlocks, so you have to have your foot on the brake before you go into park.

The first focus of security, everybody likes to talk about, is to convince management. No, really first you've got to focus on what's obvious and the resources that were given to you to shield things. And then from there start moving up the food chain, and start dealing with some other issues where if you do get some management buy-in, you can make the first job shielding a lot easier and eliminate further risks.

What I like to point out is, look, if your roof has leaks, you fix the leaks in the roof before you remodel the house, right? And when you look at most of these breaches you see in security, you can trace them back to the first four or five critical security controls.

So, that to me is very key, that security first focus on the main security controls. The security department is typically given five percent of the budget, let's focus on using that money right first, before we start convincing them we need other things, and do our job. That's really where I think the focus needs to be.

TechRepublic: So the IT department or security personnel really need to get up to speed and be proactive about cybersecurity, before they start the process of engaging upper management about bigger budgets and more tools.

John Pescatore: I was at Gartner for years, working with and talking to companies. There is not a correlation between how much is spent on security and how secure a company is. Out there, some of the companies spending the smallest percentage of their budgets on security have incidents. Others spend way more and have more incidents.

It's sort of nuts, when you think about it. Can you imagine a guy with a smart idea in a business unit who wants to go to management and say, you've got to give me a lot of money to do something? And they say, OK, what have you done so far?

A venture capitalist looks at the team of people before he gives them money. And the scary side is, look, I've given you five percent of the budget. Focus that spending on the parts that prevent these attacks, demonstrate how to prevent these attacks. We saw that our competitors got hit, we did not.

The reality is, in many cases you are going to need to do new things, and do new initiatives and get new funding to get to some of these higher-level issues. But first fix the leaks in the roof! If management's attention is on you because it's constantly raining and the living room is always getting wet, and that's why they're giving you attention, that's not a way to justify getting more money.

A business unit losing money is getting lots of attention from upper management—it's not getting more resources. So security, too often, is saying look at us, we're doing horribly, you need to give us more money. What kind of argument is that? Of course the CEOs and CFOs don't listen to that argument.

TechRepublic: You mentioned that the SANS community is around 200,000 strong. Could you give a few stats and descriptors of who is in the community?

John Pescatore: The SANS community tends to be the security doers. There are certainly some CISOs in there. For instance I often do breakfast roundtable meetings and invite CISOs and architects, anyone with management in their title. And SANS has a line of security management courses. The bulk of the community are people running firewalls, running penetration tests, doing forensics, doing incident response, securing applications. So it tends to be the operational people.

The way I like to describe this, to me, when you look at a CISO, there are three typical flavors.

If you look at a lot of really big banks, you see a lot of the "risk, upwards-facing" CISOs. They are really dealing with corporate risk at a very high level: fraud and risk and so on. The opposite end of the spectrum is the "security operations" CISO, who is either by himself at a small company or is on a team, running firewalls and doing the operations side of security. Then the third type is the one that is balanced across the two. And our SANS audience is sort of the latter two, the operations and balanced-type CISOs and the people who work for them.

TechRepublic: In your conversations with enterprises and security personnel, what are you talking about in terms of the current issues they should be looking at?

John Pescatore: For the past couple of years, the consumerization of IT has been a huge area. It captures both mobility and use of the cloud. That's not a new one. One area, which everybody started to call the "internet of things," is this issue that it's not just healthcare or manufacturing that now has very funky devices connecting to the internet and handling sensitive information.

I mentioned that we have these roundtable breakfasts. We had a couple on healthcare issues. A major issue in healthcare is MRI machines and insulin pumps that have embedded operating systems that run applications and have very sensitive data. Patching those embedded operating systems is even harder than patching Oracle or similar systems. So more and more of these non-PCs and non-servers are being targeted and increasingly will be targeted. We are actually having a conference on October 22 called Securing the Internet of Things.

There are some point issues. For example, I don't know if you've ever turned on your laptop or smartphone and searched for Wi-Fi and noticed how many of these MyFi adapters you're seeing? I started to see this in Asia 12 years ago because they were early users. We are starting to see this in the US. Employees are saying, hey, if I bring this into work, when I put my laptop into the docking station, then I can get around all that annoying security and things they have at work. That's a new hole that we haven't had to worry about.

The second level of that is when we start to see database admins or server admins or webmasters start to do that in the data center. They say, if I leave this here in the data center, it would be much easier for me to remotely manage the machine I am running. So this MyFi cellular device is just an enormous opening.

The next big area that comes out of consumerization is that homogeneity is a thing of the past. Most of what IT has done managing security for the past couple of years is "forced" homogeneity. Everybody will use Windows PCs with "this" configuration. We will use standard things, and... that's going away, that's gone.

In consumerization, the user gets to use many devices, and in a multiple-device world, it's not going to be 90 percent anybody. It's going to be 30 percent, 30 percent and 30 percent. Whether it's 30 percent Android, 30 percent iOS, 30 percent Blackberry at one point, or maybe Windows Phone grows, or Facebook phone, whatever. It's going to be a heterogeneous world on that end.

With cloud services and software it's assumed, you're guaranteed heterogeneity, because Amazon does things differently from Salesforce, who does things differently from Microsoft Azure. So the key is learning how to manage and secure heterogeneity, not hoping to force things back to homogeneity.

So I see a lot of security responses to things like BYOD or securing the cloud, it's sort of like we are going to force the mainframe back. If you can make the user use a dumb terminal through virtualization... well, that's not coming back.

A big change with heterogeneity, what it really means is, as we've talked about for a long time: let's focus on securing the resource, the device or the server, or focus on securing the application or the data. And that's really going to be key to securing against the threats over the next couple of years. First focus on the application.

And the thing I like to point out, if you look at the mobile world, like the iPhone in particular, what do you see? You see an app store. You see a big whitelist, where they are focusing more on securing the particular application; people can't just load any application onto an iPhone.

If you have Google Play running on Android, you can't just load any apps. So there are already some things in place that are more focused on securing the application. Securing data, however, is a real hard problem; it's going to take years to get more effective at it. But it's very key to how we think about how we're going to deal with security in a heterogeneous, consumer-driven world, where the choices change every year. You can't say, we're going to use Windows and let it depreciate over five years; those days are gone.

TechRepublic: Could you outline some of the major initiatives of SANS at the enterprise level?

John Pescatore: I guess the way I would put it, the number one effort is increasing the skills of the security people out there right now. That's our number one focus. But, some of the key initiatives that we're focused on to make a difference go back into the critical controls that I mentioned.

Application security: how we help make applications more secure is a very key thing. Some of the companies like Cigital, if you've ever seen their Building Security In Maturity Model. WhiteHat Security has done some great things. That's one area.

The other area ties very much to the critical controls. For lack of a better term let's call it continuous monitoring. That's what the NIST and the federal government standards have cranked up. The credit card industry says you have to scan for vulnerabilities four times a year. Well, that's why so many companies are PCI compliant but they continue to get broken into, because vulnerabilities change much more rapidly than four times a year! So, how can we do things like vulnerability assessment and patching—how can we do that faster?

So for example, the federal government, right before the shutdown awarded a continuous monitoring contract called Continuous Diagnostics and Mitigation. In November, we have a free webinar to publicize that because we think it's going to be a great vehicle as government agencies move from once-a-year security assessment to more continuous monitoring and spill over into private industry as well.

The idea is that Windows patches come out once a month and other firms' patches come out every day, so companies scanning once per quarter is nuts. People make mistakes on a daily basis, so finding the mistakes we can shield them from, that will make the industry better.

We also see some "big-bang-for-the-buck" things that we are trying to help people do. We look at what sort of metrics, what sort of measurements you should be making. When you are doing continuous monitoring, how do you know you're getting better? How do you show management that you're getting better, or worse? As I mentioned earlier, there are the three flavors of CISOs. Same thing with metrics. There's no shortage of the real high-level risk measurements. We have some on the security operational side: how many PCs were patched, how many virus signatures were up to date. It's that balanced level in the middle where you'll see us doing some interesting things.

And in a couple of vertical industries, I mentioned the "internet of things," but we're seeing a lot more focus on industrial control systems security, and on healthcare. In both of those areas we think the bad guys have increasingly targeted, and those two industries have some unique challenges securing their systems. That's the strange nature of these systems; they're not just Windows PCs or Linux servers. A lot of oddball devices, a lot of strange organizations, a lot of different types of networks connecting them together. So you will see a lot in 2014 around industrial control systems and healthcare systems.

TechRepublic readers can visit the SANS site for upcoming training events.