What is your risk appetite, and what are your critical systems? If you don't know, you need to work in a zero-trust model.
Speaking with Raimund Genes, CTO of Trend Micro, who had just spoken on a panel at a conference in London on the concept of users and actions, he recommended that businesses invest in solutions such as biometrics and two-factor authentication (2FA). The issue he raised was that to log into a company from outside you have several levels of security to go through, yet the same levels are often absent for internal security.
“We have certain systems in place and our own breach detection, but I would design with zero-trust in mind,” he said. “I would use the same security on the intranet as external, and I would use network sniffers as you will have breaches within.”
He related a situation at a university in Malaysia, where a test had just been completed and someone there showed Genes results indicating that they had malware. They were shocked not to have a clean environment, and Genes told them that nobody has a clean environment, especially with students bringing things in.
He said: “You cannot expect a clean environment, and it was mentioned that it is about risk management, and how do you do it properly? You can identify mission-critical systems where you should know what runs on them, so why do you do anti-malware and blacklisting on these systems? You should know what is running on it before you do patch management and quality assurance, so why don’t you move from blacklisting to whitelisting and allow everything you know, and everything else is blocked. It solves a lot of problems.”
He explained that this works internally within a company only if it has a proper change management process. “They have better performance, as anti-malware needs more memory as it scans for all the bad stuff, and with whitelisting you only compare a few thousand applications rather than everything,” he said.
“This is why I say ‘what is your risk appetite and what are your critical systems?’ For this I would do a proper vulnerability shield against vulnerabilities known and unknown. If a new vulnerability is disclosed and a patch is available, the average company needs six months until all the systems are patched, and that is a window of opportunity for the attacker. Put a shell around it with vulnerability shielding and it can protect you.”
He said that on critical systems you can require that every change be reported; if your administration team can then ask who authorised the change and whether it was expected, at least you have spotted it.
I asked him whether the zero-trust model can be extended to the supply chain and third parties. He said they should be treated as untrusted like everything else: you may need to monitor traffic coming in from external partners, and you may have to enforce authentication on them as well, so that you know who is connecting.
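The two controls Genes describes for a mission-critical system, a default-deny allowlist of what is permitted to run and a report of every change against a known baseline, can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from Genes or Trend Micro, and the sample "binaries" it writes into a temporary directory are constructed placeholders. It allowlists by SHA-256 of the file contents and diffs a current snapshot against the approved baseline:

```python
"""Added example: hash-based application allowlisting plus change reporting
for a critical system. Sample files are constructed in a temp directory."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (as a relative POSIX path) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def allowlist_decision(current: dict[str, str], allowed: set[str]) -> dict[str, str]:
    """Default deny: a file may run only if its hash is on the allowlist.
    A trojaned binary fails because its hash changed; a dropped binary fails
    because it was never approved. Neither needs a signature for 'bad'."""
    return {path: ("allow" if digest in allowed else "block") for path, digest in current.items()}


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """'Report every change': what appeared, vanished or was modified since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Build an approved baseline, then simulate an unauthorised change and a drop."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed stand-ins for the QA'd, change-managed build of the system.
        (root / "bin" / "app").write_bytes(b"\x7fELF known application build 1.0")
        (root / "bin" / "helper").write_bytes(b"\x7fELF helper build 1.0")
        baseline = snapshot(root)
        # The allowlist is derived from the approved baseline, not from a malware feed.
        allowed = set(baseline.values())

        # Later: one binary is modified and an unknown one appears, with no change ticket.
        (root / "bin" / "helper").write_bytes(b"\x7fELF helper build 1.0 + backdoor")
        (root / "bin" / "dropper").write_bytes(b"\x7fELF unknown payload")
        current = snapshot(root)

        return {
            "decisions": allowlist_decision(current, allowed),
            "changes": diff_snapshots(baseline, current),
        }


if __name__ == "__main__":
    report = demo()
    for path, verdict in report["decisions"].items():
        print(f"{verdict:5} {path}")
    print("changes since baseline:", report["changes"])
```

Two caveats for anyone taking this further: the baseline and allowlist must be stored and signed somewhere the attacker who can modify `/bin/helper` cannot also rewrite, and a user-space script can only report, not prevent execution. Real enforcement belongs in the operating system's own mechanism (for example Windows AppLocker or WDAC, or fapolicyd on Linux), which makes the "block" decision before the binary is loaded; the hash-and-diff logic above is the same, it just runs in the wrong place to stop anything.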
“But you still cannot trust their environment being clean,” he said. “How would you enforce it? That is a problem as very often we do something to sign some papers from a legal point of view, your supplier does everything possible to protect themselves against malware, so how can you trust it? Do you trust the supplier with your crown jewels because they signed a paper, unfortunately some companies do because from a legal point of view they are ok.”
Often it is human nature to help people, and Genes said that is why Kevin Mitnick was so successful – he was a perfect social engineer and ultimately people are trusting and want to help, so telling people “don’t trust your co-workers anymore because we are in a zero-trust environment” doesn’t work.
He said: “I am not saying don’t trust people to talk to them, but for computer security you have to design it like you are in a zero-trust environment. You could say that you don’t care about the security of the secretary’s PC but if something leaks it could be critical for that company.”
I asked him whether this was something he had seen elsewhere, and he said companies are testing it for certain departments, particularly research departments; it is a rethinking.
He said: “Is it good for employee motivation? Maybe not, but you need to find the balance because IT being a department of yes and designing and selling it.”
He concluded by praising Salesforce for employing a chief trust officer, with a team of 30 people, whose sole job is to make sure that all company data is safe and that Salesforce is trustworthy and well protected.
“I was impressed as they know what is critical, and his job is not taking care of computers doing the right thing or are infected, but they know the mission critical data,” he said. “You will start to see more chief trust officers.”
Raimund Genes, CTO of Trend Micro, was talking to Dan Raywood