There is a level of frustration across the world as organisations spend ever increasing amounts of money on information security technology, yet still get breached, according to a prominent security speaker.
The SANS Institute’s Dr Eric Cole claimed that organisations need to build capabilities and be prepared for the inevitable information security breach even though they are spending on security, and that there is a need for better security metrics in the boardroom.
“The likelihood is that you will be compromised – even with this vast amount of spending and layers of systems. Now we need to focus more on finding the attackers lurking on hijacked systems and minimising the frequency and impact of each incident,” he said.
“If you compare [your environment] it to the scope, scale and technical capability of the adversary, it is in fact a net loss of capability and we need a change of mind-set on how we deal with the reality of cyber crime. [Building IT infrastructure defensively] should include limiting individual user access, increasing auditing capabilities and regularly ‘going hunting’ for compromised systems and bad user behaviour.”
In his view, the danger of complacency can be as risky as incompetence. “When a large organisation says to me that they have never had an information security breach, an alarm bell instantly rings,” says Cole. “The modern and often state-sponsored attacker wants to get in and stay in and if successful then no alarm bell sounds even as on-going frauds are perpetrated and sensitive data stolen.”
“The Advanced Persistent Threat (APT) message is not just a case of FUD, and the smarter organisations start with the assumption that it is currently going on and they look for the signs instead of just assuming invulnerability – which nobody is. A quick look at Wikileaks.org will show just the visible tip of a very large iceberg.”
He said that while over a dozen large organisations that have quietly fired their CISO, but this shows that the board knows what failure looks like, but it still has a hard job measuring success when it comes to information security. “The main issue is that there is no 99.999 per cent uptime equivalent for information security, which means that the modern CISO needs to be able to provide metrics and potentially educate the board as to what they are doing to mitigate risk and more importantly, find compromised systems and vulnerabilities and close these gaps.”