2-3_Layout 1 8/18/2017 10:31 PM Page 2 - CISO MAG

CISO MAG | September - October 2017

INDEX

BUZZ: Cyber Insurance and the Liability Paradox (p. 06)

UNDER THE SPOTLIGHT: An Interview with Tim Fitzgerald (p. 12)

VIEW POINT: To CISOs with Love: Endpoints are Dead (p. 17)

COVER STORY: Fintech: Rooted in the Past, Borrowed from the Future (p. 22)

IN THE HOTSEAT: High-Profile Appointments in the Cybersecurity World (p. 27)

TABLETALK: Few Minutes with Foo Siang-Tse (p. 30)

EVENT FOCUS: A Curtain Raiser to Global CISO Forum (p. 35)

INDUSTRY SPEAKS: In Discussion with Tobias Gondrom (p. 38)

IN THE NEWS: Top Stories from the Cybersecurity World (p. 43)

TECHTALK: Automation and Orchestration: The Big Picture (p. 49)

KICKSTARTERS: Startups Making Waves in the Cybersecurity World (p. 56)

KNOWLEDGE HUB: Understanding Trends and the Cybersecurity Skills Gap (p. 62)

COLLABORATIONS: Famous Collaborations in the Cybersecurity World (p. 74)


EDITOR'S NOTE

It may not be wrong to say that fintech has changed the way financial services are offered to consumers. It is a perfect option for the consumers, businesses, and financial institutions who, in today's connected, on-demand world, want to transact in a convenient, timely, secured, and efficient manner. The future may see financial transactions being made majorly through Bitcoin, Ethereum, and other future cryptocurrencies.

Traditional banks have realized that fintech is the future; they are either running for cover or trying to stay relevant by embracing new technology solutions. Countries are also aware of the evolving fintech landscape and understand how crucial it is for economic growth. However, for fintech, a number of challenges lie ahead. In the cover story, we throw light on some of these key challenges, which include a lack of unilateral policies and standardization and several cyber attack vectors.

In the Buzz section, we discuss cyber insurance, a key mitigation tool for businesses in an age where deepening dependence on technology is exposing them to greater cyber threats. Move on to the Viewpoint section, where our executive contributor Chris Roberts pens a candid open letter to CISOs, stripping away the hype surrounding endpoint protection.

For this issue, we interviewed three cybersecurity stalwarts: Tim Fitzgerald, CSO, Symantec; Foo Siang-Tse, Senior Managing Director, Quann; and Tobias Gondrom, CTO, Huawei. They talk about their journeys, the evolving cybersecurity landscape, and the challenges ahead, among many other things.

The magazine comprises a host of other informative features that look at cybersecurity from an all-encompassing perspective: regulations, workforce development, partnerships, and much more.

Tell us what you think of this issue. If you have any suggestions, comments, or queries, please reach us at [email protected].

Jay
[email protected]

Volume 1 | Issue 2 | September - October 2017

Editorial
International Editor: Amber Pedroncelli, [email protected]
Senior Editor: Rahul Arora, [email protected]
Feature Writer: Augustin Kurian, [email protected]
Content Writer: Sandip Acharyya, [email protected]

Media and Design
Media Director: Saba Mohammad, [email protected]
Design Head and Visualizer: MSH Rabbani, [email protected]
Designer: Surendra Bitti, [email protected]

Management
Executive Director: Apoorba Kumar*, [email protected]
Senior Director, Compliance & Governance: Cherylann Vanderhide, [email protected]

Marketing & Sales
General Manager: Meghana Vyas, [email protected]
Marketing Manager: Jinu Francis, [email protected]
Sales Manager - India: Basant Das, [email protected]
Sales Manager - North America: Jessica Johnson, [email protected]

Technology
Director of Technology: Raj Kumar, [email protected]

* Responsible for selection of news under PRB Act. Printed & Published by Apoorba Kumar, E-Commerce Consultants Pvt. Ltd. and printed at G97 Network Pvt. Ltd. Editor: Rahul Arora. The publishers regret that they cannot accept liability for errors & omissions contained in this publication, howsoever caused. The opinions & views contained in this publication are not necessarily those of the publisher. Readers are advised to seek specialist advice before acting on the information contained in the publication, which is provided for general use & may not be appropriate for the readers' particular circumstances. The ownership of trade marks is acknowledged. No part of this publication or any part of the contents thereof may be reproduced, stored in a retrieval system, or transmitted in any form without the permission of the publishers in writing.

BUZZ

CYBER INSURANCE AND THE LIABILITY PARADOX
Augustin Kurian


Addressing the gathering of CISOs at the 3rd Annual CISO Summit held in Mumbai, India, in July 2017, Sunil Varkey, CISO of Wipro Technologies, pointed out, "The role of CISOs is way more complex because they handle a domain called cybersecurity. CISOs pester the management to increase the cybersecurity spending. When asked by the management if higher spending would mean the organization would not be compromised, the CISOs often respond by saying, 'I don't know.'"

However, complexity often drives new solutions, and one of them is cyber insurance. Cyber insurance is not a new topic; it has been around for over a decade and a half. It was designed to offset losses incurred from cyber attacks and has become a key risk-transfer tool. According to the United States Department of Homeland Security, "A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured's level of self-protection."

Timetric, in its recent 'Insight Report: Developments in Cyber Insurance,' concluded that the growing number of attacks has turned cyber insurance into a key mitigation tool. "Although cyber insurance does not replace the need for cybersecurity technology, it has the ability to complement cybersecurity standards through mitigating cyber risk."

According to Allianz SE, organizations are paying roughly $3.25 billion each year in premiums for cyber insurance. But that number is small considering the cyber insurance market is expected to reach $20 billion by 2025.

WHO NEEDS CYBER INSURANCE?

Everyone! Cybercriminals are not Robin Hood: they do not differentiate between a large company and a small company, and they will do what they do best, which is steal. While big corporations fortify themselves with several layers of protection, small businesses often underestimate the potential impact of cyber attacks. Many small business owners believe that hackers only attack high-profile organizations, when the reality is just the opposite. In fact, nearly 90 percent of breaches occur in small businesses. A bigger concern is that nearly 60 percent of small businesses that face cyber attacks shut down within six months of the attack.

Because news coverage of attacks primarily focuses on big corporations, small businesses are unaware of the threat they face. "For small businesses, nothing is more important than protecting their livelihood. Cyber liability insurance is another tool they can use to prevent financial disaster in the event of a malicious attack," stated Natalie Cooper, editor of BankingSense.com, in a report from Cyber Insurance Guide.

THE MISMATCH

While cyber threats have drastically evolved from the time cyber insurance was first offered, the cyber insurance market hasn't. One of the reasons is that the cyber insurance market is largely based on old-fashioned ideas about information security and what kind of coverage a breached company will actually need.

A study by Marsh and the UK Government in 2015 concluded that cyber insurance premiums are almost three times higher than commercial general liability policies.


But even here, there has been a huge gap between the damage incurred and the breadth of policy coverage. For example, in 2014, when PF Chang's, a U.S.-based restaurant chain, was hacked and the credit card information of nearly 60,000 customers was leaked, Chubb, the insurer, only covered the cost incurred for investigation of the data breach, legal advice, and the expenses for notifying authorities and customers.

PF Chang's policy with Chubb stated that it would "address the full breadth of risks associated with doing business in today's technology-dependent world," but, PF Chang's argued, much of the cost of having been breached was not, in fact, covered. Due to this discrepancy, PF Chang's sued Chubb to recover an additional $2 million the company was required to repay to credit card companies for cards whose details were stolen in the hack and subsequently used to make fraudulent transactions. The suit was rejected by the court upon hearing the argument from Chubb that the policy signed by PF Chang's did not cover any external contract or agreement the company held.

Perhaps if more companies find themselves in situations like PF Chang's did, cyber insurance policies will be forced to evolve in accordance with the needs of the market. As it stands now, high premiums keep cyber insurance out of reach for most medium and small businesses, but as insurance companies strive to beat their competition with better, more comprehensive policies, prices will fall too.

TAKEAWAYS FOR CISOs

• Work with your organization's risk management stakeholders to understand prospective or existing insurance policies. Understand what is explicitly covered, what is not, and how the policy could be defended in court.

• Ensure that you are a part of the buying and renewal process.

• Be a part of the underwriting process.

• Communicate with insurers about prior breaches.

SOLUTION FOR THE PRESENT PERILS

The PF Chang's case is an example of a company not fully understanding its insurance policy, or at least not fully understanding how that policy could be defended in court and leave them vulnerable. According to a report by JLT Re and JLT Specialty Limited, "Traditional P&C (property and casualty) products were not designed to protect against today's fast-moving cyber risk landscape. And there are now growing fears that future losses may bring unanticipated accumulations due to potential 'silent' exposures." Silent cyber risks are things like "(re)insurers' potential exposure to cyber losses within P&C products where no explicit exclusions are included. And even where exclusions are included, gaps can emerge in the event of unforeseen causes of loss. As exposures evolve, the lack of understanding around silent cyber risks could pose a material threat to (re)insurers' future solvency."

While there is an increased number of takers for cyber insurance, the underwriters are concerned over unquantified cyber coverage (like the incident of PF Chang's). The report points out the need for "greater certainty, expertise, capacity and stability from the (re)insurance market in a complex and growing risk area." It also notes that the "standalone insurance market holds the promise of unlocking the potential for meaningful coverage for both insurers and buyers." This means that traditional insurance companies' longstanding history in the insurance business could actually be holding them back from offering the solutions that an industry as dynamic as information security really needs. The structures they have in place may not apply to cybersecurity because threats are often unforeseeable, the impacts of known threats aren't easy to predict, and there is so much ongoing change that long-term policies can be out of date long before they expire.

UNDER THE SPOTLIGHT

TIM FITZGERALD, CSO, Symantec

As the Chief Security Officer (CSO) of Symantec, Tim Fitzgerald has been driving innovation on several security initiatives. He oversees the Global Security Office (GSO) and is also a member of the Symantec Security Council. Tim has a compelling view of industry trends and a unique perspective on how to best protect, monitor, analyze, and respond to security threats and issues. In a brief interaction with CISO MAG, Tim talks about his journey as a network security expert, current trends in cybersecurity, IoT hacking and cloud security, and the need to have a holistic approach to security.

Augustin Kurian


Tell us about your journey from being a market analyst to a cybersecurity chief. What is Symantec's Security Council? Tell us a bit about your role at the Council.

My early career was spent more on IT control, implementation, and evaluation. However, over the course of time, I became more concerned with having a job role that influences a company directly, rather than simply assessing and controlling what other people were creating. While working with one of the clients, I learned more about network security. Gradually, I started investing more in my education and research on network security, and that led to a job opportunity at Symantec as a manager. I was responsible for governance and compliance in the security department; it was a huge prospect for learning, as in the early years of cybersecurity we had a higher degree of turnover. Because of that, I had an opportunity to fill the gap, take on bigger roles, and try my hand at almost the entire domain.

Coming to the Security Council, it serves the need for ground support for our security and our overall leadership in order to be successful in completing every mission. The Security Council is a governing body that we use to form our strategy and guide our security programs. The functioning of the Security Council is not my job singularly. It comprises the CEO, the majority of our C-level executives, and all the leaders at the highest level.

Symantec is known for a holistic approach toward security that merges cyber, physical, and employee security. Tell us a bit about it and how it helped the organization during the 2015 Paris attack. Do you think this sort of an approach can help other organizations combat incidents like these?

We are certainly taking advantage of forming personal relationships with the employees. I am responsible for ensuring the cybersecurity of the company as well as employee safety, from our executive level down to the lowest-level employee in the company. I must admit, when I first had to take on that responsibility, I was hesitant, as I didn't know much about the space of personal and physical security. But, as we got into it, I came to realize that there is tremendous opportunity in improving the relationship with the employees, in such a way that we can demonstrate to our employees how much we care and how much we invest in their personal security.

Often many companies do the right thing in that space but do not take credit for that work. When the tragic Paris attacks happened, my physical security team reached out and contacted every single employee who was either working in the region or travelling to the region. They found out where they were, and if they or their families were in any danger. We helped get them to safety, get medical assistance, and even helped them know that somebody is looking out for them. You could imagine, if you were in Paris that day, how frightened you would be, and you would appreciate any level of resourcefulness, even if it were a reassuring voice on the other end of the phone. So, the next time we called them, or the next time we asked them for something, we already had a friend, an ally, somebody who knows that you care about them personally.

In fact, we also noticed that the employees whose lives we touched through these gestures also had a much lower rate of cybersecurity problems; the reason perhaps is that they take security more seriously and feel more responsible toward us. So, in a way, benefiting our employees was the most rewarding thing that could have happened. Many of my peers have said for a long time how employees are the biggest problem in an organization when it comes to insider threats, and in some aspects it is true. But we prefer to learn and treat them as an opportunity to turn our employees into advocates of security and another pair of eyes for us. It has been extremely powerful for us to leverage that human connection.

Tell us a bit about the evolution of cybersecurity over the years. How integral is it for organizations to have a cybersecurity expert among the top brass?

In many ways, I have grown up in information security through my own learning. I have learned from my own mistakes, and from those of my peers. When I first started in cybersecurity, the CISOs were predominantly responsible for the implementation of technical controls. They were responsible for endpoint protection of some kind, or for making sure that the networks were secure, majorly focusing on technical controls. Gradually, the role evolved and CISOs moved into controlling the processes and technologies. However, over the last three to four years, they have evolved dramatically.

CISOs have become threat managers with a job to see how they implement controls that are known; this involves anticipating and analyzing a plausible problem from start to end. Additionally, CISOs are now involved with overall risk management. The role has shifted from the CISOs being the most technical security person in the room to being excellent risk managers. As a CISO, you are not just a manager; you are a negotiator, you become an influencer, a salesman, and a part of a much larger business discussion, because you know you can speak the financial language, reputational terms, and brand terms. CISOs have now moved a little bit closer to a larger executive sweep. Driving conversations beyond just controlling the implementation, we also look at all the possible ways in which we might lose that information or data that we consider to be valuable to us. At Symantec, we have our threat evaluation methodology and ethics. As an interesting exercise, we look at not only what Symantec has used, but what others might be interested in gaining from us.

Tell us a bit about the evolution of Symantec from an antivirus company to a security solutions provider. Symantec has always been attributed as a legacy platform. What is your comment on that?

Symantec has always focused on endpoint protection; it was never just an antivirus company. Symantec has often been branded as a legacy antivirus provider, but Symantec has come far in the last 10 years in terms of providing endpoint protection against threats. Our capability in endpoint protection is so much greater and more impressive that it has influenced the market in many ways. While most companies were confused with the security space, Symantec went on to become a leader with market-leading products in every segment it played in.

Not many players in the security space can truly put their technology solutions together into a meaningful capability, but Symantec, especially in the last few years, has found ways to do that. We not only continue to have market-leading products, but as a company, we always think about how our customers are going to use them. All these are backed with inputs and suggestions from employees on future steps and connectivity between the solutions that you don't find anywhere else in the market.

What are the major challenges for global enterprises against cyber attacks? What is the need of the hour? Also, what are the newer trends in cyber attacks?

Every organization is different, and the idea that we all face the exact same threat universe is not helpful. If you go back five years, criminals or nations wanted to take something from you, but it was not very clear what they were after. You had to review multiple companies to understand what they were looking for and what they got. That has changed. The majority of the cyber world has figured out how to monetize the information they steal, whether it's credit card information, health information, or whatever it may be. Businesses need to evaluate their information and understand their threats, look at how their information might be monetized by the criminals, and then evaluate their threat support level. Secondly, recognizing nation-state actors and what countries might do in the information and protocol space is important. We were once concerned that nation-state actors worked either for property or profit. But now, as with the U.S. elections, we are seeing government-sponsored actors going after more than just profit. From my perspective, that is frightening. You look at some of the tactics that were used in many of these big attacks; they were not super sophisticated. We are also seeing the re-emergence of big hacking suites perhaps being associated with the NSA or other government organizations.

With IoT hacking and cloud security now hitting major headlines, can you shed some light on these subjects?

IoT in many ways is one of the next big frontiers in terms of cybersecurity. Firstly, the prevalence of IoT devices is continuously growing at an exponential pace, and that has made it something to be concerned about. While talking about IoT as an attack vector, if you can take control of a whole bunch of IoT devices, it can do a lot of harm. Similarly, DDoS attacks, which are sort of an early foray, can create an army of IoT devices. What's more concerning is that there are many apps that claim to secure your devices, but most are far more worried about their market penetration and increasing the consumer base, with security as an afterthought. Companies must be concerned with managing the security of their devices in a way that they are less likely to be compromised. This provides a huge opportunity for every provider.

The shift toward cloud security in the last two or three years has been remarkable. But many of the controls, the systems, and the processes to make sure that the infrastructure is secured don't necessarily apply in the cloud environment. Security professionals must understand and should think of ways to secure the cloud environment. Symantec has made all the right moves in terms of being ready for the transition to cloud and is helping its customers get there.

VIEWPOINT

TO CISOs WITH LOVE: ENDPOINTS ARE DEAD
Chris Roberts, Chief Security Architect, Acalvio Technologies

Open letter, let's see. I like the CISO opening, it's truthful and it's part of the spark for this. I've been vocal about endpoint being the mythical silver bullet for a while. Too many companies still rely upon it as the be-all/end-all for security, and they typically can't implement it all correctly, or monitor it. More and more organizations are selling the utopia of "secure endpoint and all will be forgiven." This is a challenge to that thinking AND hopefully somewhat of a mindset change for people. We might as well start with the worst-case scenario and go from there, but I encourage you to read to the end as there IS hope! So, without further ado, here are my initial feelings about endpoint protection in blunt bullet points:

• Nothing to gain?

• A waste of time and resources?

• Snake oil in a slick marketing campaign?

• All flash and no go?

It's arguable that the endpoint has already been compromised. Devices are still one of the core points of access into most organizations; therefore, don't bother with endpoint security, give up, go home and have a good cup of tea. That's what I really want to say BUT there must be some hope, some ray of light, otherwise why would we still have a vibrant and active commercial sector doing all they can to stave off what seems to be the inevitable onslaught of attacks launched at the very systems we strive to protect?

So, let's take a step back and look at what is working, what's not, and what we can do for the future. After all, there is little we can do to secure the actual user who still, after 25 years of InfoSec, wants to click on anything that comes into vision or is happy to jot down their passwords on post-it notes and leave them all over the office like confetti.

As an attacker, my goal is quite simple: get you or your computer to do something against your/its will, against (hopefully) company policy and against your best interest. To do this, I need to facilitate a behavior change or get lucky and hit the systems that are not patched or protected (too often this is the case, but for this exercise we'll take the utopian view that you have ALL your protection active).

Now, before we go on, let's take a quick look at what you and your endpoint have to have to be protected in today's world:

• Antivirus

• Antimalware, or whatever that's called these days

• Heuristic detection capabilities

• HIDS (Host Intrusion Detection)

• Network behavior analytics

• UBA (User Behavior Analytics)

• OS patches

• Application patches

• Web browser patches

• Web browser all protected too, meaning no Flash, popups, redirects, Java, etc. Basically plain, vanilla text and nothing else!

• Web browser outbound analysis, DNS validation, and ensuring you ARE going to the right cloud

• Application containerization

• Encryption

• Email filtering

• Email anti-malware, anti-anything-useful removal of all attachments enabled

• NOT admin on your local machine

• You, yes, you the squishy bag offlesh– you'd better have done yourregular (monthly?) security trainingand know NOT to click sh*t, openattachments, give out yourpasswords,or anything else.

So, a nice tidy list, easy to implementAND keep up-to-date daily (hourlywould be preferable, but we don'twant to completely saturate thenetwork with updates).

And we didn't even get to the goodstuff – the technology that is startingto make a difference, like theintelligent systems that are nowbeing deployed within enterprises tofacilitate the deceptive technologies,the preventative and proactivesystems that monitor and watchtraffic, logs, systems for behavioralanomalies and/or the loggingsystems surrounding them.

So, now we have all of this in place:we have the reactive, the proactive,and the preventative systems firedup, ready to protect us –andhopefully an army of staff behind thescenes watching, monitoring,managing, and generally causing anuisance to the business bydemanding security be considered atevery corner. They'll be standing byeagerly watching all the logs ALL thetime for that one time the bad guytries to get lucky.

Hopefully this sounds familiar to youall. Hopefully this situation is howyou are operating, how you areprotecting your users – you have not

only their work systems wrapped upin an InfoSec condom but also alltheir portable devices, their phones,watches, wearables, home systems,kids’ systems, doorbells, Nests, andanything else that might somehowbreak into them to get to you. Afterall, you are the CISO and you haveyour hands firmly around all of this –right?

Ok, now reality has set in, you've grabbed yourself a good glass of something Scottish and peaty, and realized that this task is something more than slamming another product into the stack. It's more than relying upon the latest vendor presentation and, if you have your wits about you, it's going to have a positive impact on that maturity model the last penetration test helped put together, so you can finally track changes and risks, and report up to the board how you are being successful. You have looked at the statistics and realized that endpoint protection can be a useful tool in the defense-in-depth model as long as it's implemented with other controls and procedures. Let's take a look at some of those:

1. Users will still click sh*t even with protection in place. Protection does its best to mitigate; therefore, let's train the users more effectively and combine some user grey matter with whatever brand of machine learning is employed by the endpoint.

2. Users will be users – some won't listen and will do their best to avoid the protections we put in place. Therefore, evaluate what is necessary and required against a good risk model to ensure both the business and users can actually be productive and you can protect all the necessary assets. On top of this, add in a set of tasks to ensure exceptions are handled correctly and documented accordingly, and when the user doesn't listen for the third time, you have disciplinary processes in place to deal with them accordingly.

3. Not all endpoint users are to be treated equally. Therefore, remove everyone's ability to administer their own systems and provide the required support structure and policies to deal with the special snowflakes that need and can justify the elevated privileges.

4. Endpoint can't work effectively in a vacuum. Therefore, support it with a well-architected log management system that is also bolstered by more proactive, predictive, and preventative measures. Look beyond the traditional IDS/IPS stack towards the deceptive and other technologies that exist to complement the endpoints and other security systems. Choose wisely and don't be fooled by the thousands of vendors that claim they can solve all your problems.

5. Be aware that the attackers focused on your environment already have the upper hand; they have the time and resources to research not only you and your enterprise but also your people and technologies. The less you put out there about what is protecting you, and the less you let your vendors and partners talk about how they've protected you in a public forum, the better chance you have of slowing them down. You won't stop them, but you will buy yourself valuable time. Combine this with internal training focused on data, intelligence gathering, and other social engineering tactics that the users can use both in the work environment and at home, and you'll have added another layer to what is traditionally the weakest link – us, the humans, the employees, the people at the keyboards.
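Point 3 above is the control that drifts most in practice: local admin is removed on day one, then exceptions accumulate and nobody revisits them. As an added example that is not part of the original article, the Python below reconciles a collector's export of each endpoint's local Administrators group against a time-boxed exceptions register and reports the three things a CISO actually wants on the list: admins with no documented exception, exceptions that have lapsed, and register entries for people who are no longer admins. The host names, account names, ticket identifiers, the baseline service account and the export format are all constructed for the example; feed it your own endpoint management output in the same shape.

```python
"""Audit local Administrators membership against a time-boxed exceptions register.

Added example; not code from the original article. Host names, user names,
tickets and the export format below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Accounts expected in every local Administrators group (assumed names: the
# built-in Administrator and the endpoint management agent's service account).
BASELINE_ADMINS = {"administrator", "svc-endpoint-mgmt"}


@dataclass(frozen=True)
class AdminException:
    host: str      # endpoint the exception applies to
    user: str      # account granted local admin on that endpoint
    ticket: str    # change/risk ticket holding the written justification
    expires: date  # exceptions are time-boxed; re-approval is required after this


# Constructed exceptions register (in practice a CSV or table the security team owns).
EXCEPTIONS = [
    AdminException("lab-win-07", "alice", "RISK-0142", date(2017, 12, 31)),
    AdminException("dev-win-12", "bob", "RISK-0098", date(2017, 6, 30)),   # lapsed
    AdminException("hr-win-21", "dave", "RISK-0111", date(2018, 3, 31)),   # user no longer admin
]

# Constructed collector output, one host per line:  host: member, member, ...
# (what a small wrapper around "net localgroup Administrators" would emit).
SAMPLE_EXPORT = """\
lab-win-07: Administrator, svc-endpoint-mgmt, alice
dev-win-12: Administrator, svc-endpoint-mgmt, bob
fin-win-03: Administrator, svc-endpoint-mgmt, carol
hr-win-21: Administrator, svc-endpoint-mgmt
"""

# Date the audit is evaluated against; fixed so the sample run is reproducible.
AUDIT_DATE = date(2017, 9, 1)


def parse_export(text):
    """Return {host: set of lowercase member names} from the collector output."""
    groups = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines rather than guessing
        host, members = line.split(":", 1)
        groups[host.strip().lower()] = {
            m.strip().lower() for m in members.split(",") if m.strip()
        }
    return groups


def audit(groups, exceptions, today):
    """Return a sorted list of (host, user, reason) findings.

    reason is 'undocumented' (admin with no exception on record),
    'expired:<ticket>' (exception lapsed, needs re-approval) or
    'stale:<ticket>' (exception on record but the user is no longer admin,
    so the register itself needs cleaning up).
    """
    register = {(e.host.lower(), e.user.lower()): e for e in exceptions}
    findings = []
    for host, members in groups.items():
        for user in members - BASELINE_ADMINS:
            exc = register.get((host, user))
            if exc is None:
                findings.append((host, user, "undocumented"))
            elif exc.expires < today:
                findings.append((host, user, f"expired:{exc.ticket}"))
    present = {(h, u) for h, members in groups.items() for u in members}
    for (host, user), exc in register.items():
        if (host, user) not in present:
            findings.append((host, user, f"stale:{exc.ticket}"))
    return sorted(findings)


def run_sample():
    """Run the audit over the constructed data; returns the findings list."""
    return audit(parse_export(SAMPLE_EXPORT), EXCEPTIONS, AUDIT_DATE)


if __name__ == "__main__":
    for host, user, reason in run_sample():
        print(f"{host:12} {user:10} {reason}")
```

Run it on a schedule and treat an empty findings list as the pass condition; anything else becomes a ticket, which is the "set of tasks to ensure exceptions are handled correctly and documented accordingly" from point 2 made concrete. Note that baseline accounts are excluded by name, so a renamed built-in account would surface as undocumented rather than be silently ignored.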

Revisiting those opening statements, let's add a little more context:

• Nothing to gain?

Relying on basic antivirus and some basic Web browsing heuristics is not going to protect you. If you are going to look at endpoint, then you need to focus on it, work through what you need for your enterprise, and approach it as carefully as you would a major overhaul of an ERP or other enterprise-level system. It's complex and requires both technical and human resources to be completely effective. Treat it with the necessary respect and you will have built yourself another effective layer of defense – treat it as a quick software purchase and you will find yourself living a lie, believing you are protected when you are not.

• A waste of time and resources?

No, but as with any product that is going to be integrated into an environment, careful planning and implementation will be key. Simply buying the software or solution and not also getting the professional services and training for your teams, or ensuring adequate coverage for the solution, is going to end in failure and another product gathering dust on the shelf of useless ideas and wasted money.

• Snake oil in a well-wrapped marketing campaign?

Yes, there are a number of vendors who wrap their solution in artificial intelligence, threat analytics, and other verbiage designed to entice and blind you to the simple fact that they've spent more on the marketing than the actual product. Some of these vendors are well-known names, so do your due diligence, trust the team you employ to dissect the entire thing, and involve the end users in the selection process. Worst case, call me – I'll help!

• All flash and no go?

When they’ve spent more developingthe GUI than the engine behind thetools, when the CLI has morehorsepower than the flashy graphics,and the executive report has morecolors to choose from than the latestcar brochure, back away slowly andlook for a vendor that allows you totalk with the geeks, where they areproud of what they have built, andthey are willing to go geek-to-geekwith your team at any point. Chosesomeone who actually is willing towork with you and not simplyintegrate you into this quarter’s salesnumbers.

Hopefully, this has been helpful, insightful, and a little provocative. As a researcher and security architect, I'm in a unique position to be able to both assess what's out there, break it, and implement it. In my experience, there ARE good tools out there; the challenge sometimes is looking through the FUD to see the diamonds (sometimes still in the rough).

Good luck and thanks for reading to the end.

The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.


COVER STORY

FINTECH: ROOTED IN THE PAST, BORROWED FROM THE FUTURE

Augustin Kurian


New innovations in financial technology tend to be discussed as if the financial industry is only now being impacted by technological innovation. The fact is that banks and technology have always complemented each other. Technology making financial innovation possible can perhaps best be seen by looking at the 1950s, when Diners Club introduced the first credit cards. By the 1960s, Chemical Bank in the United States had installed ATMs aimed at replacing branches and tellers, which dispensed cash when users inserted a specially coded card. The 1970s brought electronic stock trading, and by the 1980s banks had started using sophisticated computers to monitor financial data. The nineties and noughts brought the internet and e-commerce to the fore, and Wall Street replaced telephone stock brokering with online brokerage websites.

Cut to the present and fintech, a new abbreviation simply meaning financial technology, has found its way into the Oxford Dictionary as a term that originated in the early 21st century. Fintech aims to leverage modern technology to craft innovative financial services that bring consumers and businesses closer. The fintech industry is one of the fastest growing segments to emerge out of cyberspace – global investment in the fintech sector skyrocketed from $928 million in 2008 to $12.7 billion by 2016.

Fintech innovations like mobile wallets, payment apps, robo-advisors, etc. are largely enhancements to existing banking services, but with the direction the industry is going, the future could see fintech replacing banking services or even competing with banks outright. This is the disruptive nature of startup technologies at work.

Haskell Garfinkel and Dean Nicolacakis, PwC's US Fintech Practice co-leads, have this to say about the emerging industry: “We think about all the players in a larger fintech ecosystem, which we refer to as the As, Bs, Cs, and Ds. As are large, well-established financial institutions; Bs are big tech companies; Cs are companies that provide infrastructure or technology that facilitates financial service transactions; Ds are disruptors, fast-moving companies, often startups, focused on a particular innovative technology or process.”

The evangelists of fintech have been predicting the demise of banks in the face of fintech's explosive penetration. However, a bankless reality may be further away than some think, according to Garfinkel: “Fintech isn't static. When we talk about the As, Bs, Cs, and Ds, we think of them as sectors in motion, all moving toward each other over time. For example, financial institutions are becoming more technology focused. At the same time, big tech companies are offering peer-to-peer payment solutions over social networks and email. Meanwhile, disruptors are providing financial services that, until recently, you could get only from banks or financial advisors.”

However, given the complexity of financial technology, one of the inevitable challenges is cybersecurity. It is highly likely that there will be vulnerabilities, and those will be exploited.

KEY CHALLENGES

The first step towards securing any industry must begin with a fundamental acknowledgment of the importance of security. Instead of thinking only of how to get to market quickly (a scenario prevalent among startups), companies must first focus on securing their product. However, securing an architecture cannot be a one-step process. There should be continuous testing and dedicated quality assurance teams to produce code that is harder to break.

Blockchain is often seen as an added advantage and a natural fit for fintech. However, there has not been a mass exodus of the general population migrating from physical to digital currency. But if such an exodus does occur, blockchain and cryptocurrency could lead to the demise of banks and other middlemen that fail to adapt to the new reality. Of course, even blockchain is not hack proof. For example, digital currencies like bitcoin are vulnerable to hackers stealing end users' wallets and the private keys held by bitcoin exchanges, mounting DDoS attacks against miners and exchanges, or even exploiting code flaws. Added to this, bitcoin is popular in the hacker community and is the currency of ransomware. Data and financial losses from attacks involving blockchain-based systems are often impossible to trace or recover.

Another key challenge is protecting the identity of end users, which often is the most complex part of the equation. Once a hacker reaches a user's bitcoin wallet, the outcome can be as catastrophic as bankruptcy.

COMPLIANCE AND REGULATIONS

The security risks of fintech are now being recognized by organizations, with special attention toward application vulnerabilities. Several standardization and regulatory measures have already been mandated while several others are in the pipeline. The existing measures include Basel II, the Federal Financial Institutions Examination Council (FFIEC) Uniform Rating System for Information Technology (URSIT), the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act (FCRA), and the Federal Trade Commission Act (FTC Act), among several others.

Basel II defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” Basel II helps organizations evaluate and mitigate operational risk losses. FFIEC established URSIT as a rating system. “The primary purpose of this rating system is to evaluate the examined institution's overall risk exposure and risk management performance and determine the degree of supervisory attention necessary to ensure that weaknesses are addressed and risks are properly managed,” states FFIEC on its website.

FS-ISAC, in its 2015 report, pointed to the implementation of an open source management policy to boost fintech cybersecurity. It also recommended the creation of an open source Bill of Materials (BOM) to identify open source components.

The existing regulations also include open source vulnerability scanning and review, incorporating risk assessments into supply chains, audits on internal controls, cyber risk governance, cyber risk management, internal and external dependency management, and examination of IT assets, among several other measures standard to other technology in the industry. Upcoming regulations like the European Union (EU) General Data Protection Regulation (GDPR) mandate that all companies must protect the personal data (including financial information) of individuals in the EU, and the governing bodies will verify the protection measures adopted.

At present, fintech is one of the most regulated industries in the world. But the key challenge is the presence of too many governing bodies and no universal standard – a single regulatory policy or framework for the industry is lacking.

Fortunately, fintech is on the right track, with enough attention on ensuring secure architecture. Cybersecurity is being incorporated as a new layer in merger and acquisition processes even in the fintech industry. Standardization is also playing a crucial role. The National Economic Council, in a statement of principles, has provided “a framework for stakeholders in the fintech ecosystem to assess their role in contributing to the policy objectives. These principles represent practical and actionable propositions to help the fintech ecosystem contribute to a well-functioning and inclusive financial system and to the economy as a whole.”

Fintech is revolutionizing the financial services industry and is contributing to its growth. All it needs is optimum utilization with enough attention to security.

Key takeaways for CISOs

• Identify blockchain attack vectors

• Safeguard user identity

• Limit access to consumer data

• Have role-specific security training

• Embed security testing and conduct a penetration test after every major change


IN THE HOTSEAT

In a business landscape characterized by dynamic trends and events, change is the only constant. Many organizations bring about a change in their leadership to achieve the desired results from a new direction, to create and disseminate a vision, or just to breathe new life into the corporate structure. The field of information security is no different. In this segment, we look at some new appointments in the information security domain.

CISO MAG staff

KEN GONZALEZ JOINS TRIDENT CAPITAL CYBERSECURITY AS MANAGING DIRECTOR

In July 2017, Ken Gonzalez joined Trident Capital Cybersecurity (TCC) as a Managing Director. Gonzalez, who previously worked as Senior Vice President of Corporate Development and Global Alliances at FireEye, joins TCC with a primary focus on securing the Internet of Things (IoT), next generation identity platforms, behavioral data analytics, privacy, and secure payments and fraud prevention. Gonzalez joins fellow managing directors Alberto Yépez, Don Dixon, and Sean Cunningham.

Prior to FireEye, Gonzalez was with Avast Software as Chief Strategy Officer, where he was responsible for corporate strategy, business development, inbound licensing, and M&A. Gonzalez also had a tenure at McAfee as Senior Vice President of Corporate Development, where he oversaw licensing, acquisitions, and partnerships.

He graduated from Harvard Business School and the United States Military Academy at West Point, and served in the U.S. Army as an infantry officer with the 82nd Airborne Division and the 75th Ranger Regiment.

Commenting on his appointment, he said, “I chose Trident Capital Cybersecurity because of its stellar cyber investment record, its understanding of technology and because it is renowned for its connections in the cyber ecosystem. The firm also pays close attention to helping entrepreneurs build their companies and is active on their boards. That's important to me.”


GHANA COMMUNICATIONS MINISTRY APPOINTS ANTWI-BOASIAKO AS CYBER SECURITY ADVISOR

The Communications Ministry of Ghana recently appointed Albert Antwi-Boasiako as the National Cyber Security Advisor. He is responsible for implementing the National Cyber Security Policy and Strategy (NCSPS), and building a secure information security management architecture that will bridge the gap between cybersecurity services and government functions.

He will also assist the government with implementing policies aimed at addressing the country's cybersecurity challenges. “The technology environment of today requires the urgent implementation of important cybersecurity activities and programs to address Ghana's cyber security challenges and Mr. Antwi-Boasiako is expected to assist the ministry to implement the policy in this regard,” read a statement from the Communications Ministry.

Antwi-Boasiako is the principal consultant of cybersecurity firm E-Crime Bureau as well as a cybersecurity expert with the Interpol Global Cybercrime Expert Group (IGCEG). He has worked on several cybersecurity incidents in Accra, Ghana. A PhD research fellow with the University of Pretoria, South Africa, Antwi-Boasiako is also an expert with the Council of Europe's Global Action on Cybercrime Extended (GLACY+) project.

VERVE INDUSTRIAL PROTECTION APPOINTS BILL EASTON AS CTO

Prominent cybersecurity software architect Bill Easton recently joined Verve Industrial Protection, a provider of industrial controls engineering and managed asset protection services, as Chief Technical Officer. Easton is known for innovatively integrating different types of endpoint protection to create a simple security process for end users.

Easton, who was previously with RES Software, is involved in expanding Verve Security Center (VSC), a threat management software used to evaluate the cybersecurity stance of the end user by consolidating antivirus, application whitelisting, change and configuration management, security information and event management (SIEM), patch management, vulnerability assessments, intrusion detection, backup management, compliance, workflow, and document management into a single console.

On his appointment, Easton said, “I am thrilled to join the Verve team. The complexity of cybersecurity, especially in the ICS environment, requires that providers find a way to simplify solutions. The Verve platform is one-of-a-kind. The ability to bring together the full view of threats into an orchestrated platform is key to ensuring protection. I am excited to help continue to expand Verve's leadership.”


WILLIAM DIXON JOINS KROLL AS ASSOCIATE MANAGING DIRECTOR

William (Bill) Dixon has joined Kroll as an Associate Managing Director, where he will oversee the company's Cyber Security and Investigations practices. Dixon is a veteran in information security and his career spans over 16 years, during which he has worked with established organizations as well as startups.

Prior to Kroll, Dixon was Vice President of Cyber Resilience with Stroz Friedberg. Besides handling client executive leadership management for existing and new clients, he also managed four sub-service categories of the practice: risk assessment, penetration testing, security strategy, and incident response. Before joining Stroz, Dixon served with Accenture as Security Consultant Senior Manager and with IBM as Security Services Sales Leader.

Dixon has entrepreneurship experience as well. He was associated with HALOCK Security Lab, where he oversaw solution design, business development, and marketing as Senior Client Security Advisor. He also co-founded Continuum Worldwide Corporation, where he worked as Consulting Director of Enterprise Security Solutions.

BOB THIBODEAUX HIRED AS CHIEF INFORMATION SECURITY OFFICER OF DEFENSESTORM

Cybersecurity firm DefenseStorm appointed Bob Thibodeaux as Chief Information Security Officer (CISO) in a bid to expand the company's team of security experts, known as Guardian. Thibodeaux will oversee incident response processes, risk management, and penetration testing for community banks and credit unions across the U.S. He will also manage any security concerns of DefenseStorm and its customers, and facilitate action plans to counter them.

Thibodeaux has over 20 years of experience in the field and has previously worked with organizations like F5 Networks and The Seattle Times. While at F5 Networks, he worked as a senior security engineer and handled tasks related to the development and management of the security network. At The Seattle Times, he worked as senior network engineer for InterNAP Network Services. Thibodeaux has completed C-level IT executive business training at the MIT Sloan School of Management.


TABLETALK

FEW MINUTES WITH FOO SIANG-TSE, SENIOR MANAGING DIRECTOR, QUANN

Augustin Kurian

Foo Siang-Tse is an influencer in the cybersecurity industry in the Asia-Pacific region. He has been credited with establishing Quann as Asia's leading cybersecurity services provider. Driving the growth and development of all aspects of Quann's business, Siang-Tse has been instrumental in introducing new products and services, establishing partnerships, and opening new markets for Quann. In a brief interaction with CISO MAG, Siang-Tse discusses cybersecurity for organizations, the need for regulations, and major threat vectors.


What, according to you, are the key threat vectors? When it comes to handling threats, do you think organizations have their priorities misplaced?

The traditional approach to cybersecurity addressed external attacks. Nowadays, internal and external vectors have become more or less equivalent. We need to focus on cyber engineering as well as safeguarding our forts. We also need to recognize the weakest link in cybersecurity, which most often is people in an organization. This is where the greatest vulnerabilities lie. On whether organizations have their priorities misplaced, I really don't think that is much of an issue. The reality is cybersecurity is not just technology – it is a much more complex subject. Our decision-making should reflect our understanding of cybersecurity, which, unfortunately, is still lacking in many countries and organizations. Organizations must frame their cybersecurity policies while addressing business risks. They should also optimize their (cybersecurity policies') feasibility from a governance and compliance perspective.

Should businesses have a holistic approach toward security by merging cyber and physical? How does Quann differentiate cybersecurity from physical security? What are the benefits of merging the two?

I think, fundamentally, the principles of security are more or less the same whether we talk about cybersecurity or physical security. We are addressing a perpetrator trying to penetrate an organization through whatever means. The key difference between cybersecurity and physical security is the means by which the attacks are perpetrated. So no matter how complex it may sound, there should always be attention to risk. Cybersecurity must have the same amount of attention as physical security, given that organizations are much more interconnected than ever before. There is also a need to prioritize cybersecurity, which is still lacking.

It is important that security is viewed holistically. We are witnessing a convergence of threats from various vectors. There must be better visibility across all domains, whether it's physical security, cybersecurity, or operational technology. This can enable enterprises to fend off attacks appropriately. If there is a more converged approach, you will be able to look at threats from a holistic perspective because threats, or rather perpetrators, do not differentiate between cybersecurity and physical security. They are basically looking for the most vulnerable part of the organization. You are only as strong as your weakest link. Organizations really need to raise the bar to ensure that they are safe from all kinds of threats.

In one of your interviews, you mentioned that the most vulnerable person in a company is the CEO. How should organizations handle insider threats?

It is not just the CEOs, but all employees. But here, the employees who are not involved directly in the IT part of an organization need special attention. Typically, non-IT professionals may underestimate the potential damage cyber threats can cause. Unfortunately, there really isn't a solution to this; there really isn't a magical technology or product that can solve this problem. All you can do is build awareness within the organization, have training programs so that the employees are familiar with threat vectors and hacking tactics, so that they are on guard all the time. If there is proper awareness, then the employees will not respond to emails from unidentified sources and can also spot strange inconsistencies in the network. The second most important thing is to have a proper governance policy within organizations. All employees must possess basic knowledge of cybersecurity. The roles of every employee must be segregated and differentiated from others, and access to critical data must be given only to a few.

Quann has the largest bank of malicious software, collected over 15 years. Can you briefly tell us how malicious software has evolved over that period?

To correct your statement, we do not have the largest bank in the world, but we do have a large bank. In the beginning, there was something called the Brain virus in the boot sector, which was among the first malware. If you recall, in those days hardware played a crucial role. By the time the internet became more prevalent, malware evolved. They needed to be downloaded and installed as programs and were mostly in .exe format. Malware gradually gained the ability to infect content through macros. Basically, even a Flash document or PDF was sufficient to allow malware to propagate. What we have also witnessed in recent years is how worms are evolving. In the past, malware was containable but now malware can propagate on its own laterally, almost like a living organism. So when each affected computer becomes a launch pad to infect other computers, it is worrying. It is no longer static but highly dynamic. Malware is now stealing credit card information and critical personal information. We are also seeing the use of artificial intelligence (AI) in various sectors. We are not far from the time when AI-infused malware evades the measures the enterprises put in place to guard themselves.

How secure is Quann with a bank of malicious software? Don't you think a leak or security breach would be catastrophic?

How we treat banks is no different from how enterprises treat their critical data. Our access is not singular; we really have multiple approaches to ensure that the bank is kept separate and under wraps. We have several isolation measures installed to ensure that the bank is not even remotely connected to anything that could be compromised. And on top of that, we have all sorts of security measures which ensure only the right person can access the bank. Unfortunately, I cannot tell you more about these, but we can assure you that the bank is safe and secure.

The industry currently faces a massive skill gap when it comes to experts in cybersecurity. How should this skill gap be filled?

The demand for cybersecurity experts is at an all-time high. There is a huge mismatch between the demand for cybersecurity experts and the supply. The demand has been growing exponentially because the threats are growing exponentially, and that is the reason there is a shortage of workforce. Singapore has done something wonderful to increase the current workforce by promoting cybersecurity knowledge at various levels of education, and has been encouraging students to take up this industry. To me, that is one aspect – the second is recognizing that for enterprises, it is really challenging to recruit a new person from the market. One approach that can serve as a solution is to engage an external security service provider to help enterprises. This will help the companies manage their security without having to recruit employees to manage sophisticated software. This is one way to combat the urgent need.

Can you also comment on the relevance of certifications for network security experts and the importance of cybersecurity literacy among the current breed?

Certifications are important in that they provide external validation of the capabilities of individuals. And it certainly is very important to know whether a person understands security and technology, as well as has the necessary skillset to take on the challenges in the industry. While saying that, I would add that there is much more to cybersecurity than certifications. I feel individuals gain the best experience in cybersecurity while working on difficult and complex problems. These help them hone the necessary skills to deal with cybersecurity risks. These are not the skills that one will learn from the books; it is an art, as it is extremely dynamic.

What are the future plans of Quann with regard to expanding its security operations center (SOC) footprint?

Like all businesses, we are looking to expand, we are looking to grow. And in this particular industry of managing cybersecurity, the most important aspect is coverage. The strength of a company is in its ability to cover a wide range of customer bases, verticals, and machines. Having broader coverage means better visibility and anticipating threats before they come. For us, the key area is the SOCs. We are looking for better market penetration and it is pretty exciting.

Quann has SOCs both in Singapore and India. While Singapore topped the Global Cybersecurity Index in 2017, India was ranked 23rd. What cybersecurity strategies can countries like India learn from Singapore? Also, do you think growing economies need stringent regulations to encourage better existing cybersecurity policies?

I think every country has different sorts of threats and different ways to approach threat vectors. I don’t think we need to analyze countries on that. The typical ingredients for ensuring that countries or enterprises are cyber secured are the support of the government, a robust regulatory framework, skilled professionals, and a free ecosystem of cybersecurity providers.

For enterprises, the focus must be on security, convenience, and cost. They must understand that cybersecurity is important for both individuals and enterprises. And, regulations must be such that everyone is able to adopt them, be it organizations, enterprises, or individuals.


EVENT FOCUS

GLOBAL CISO FORUM

THE ART OF CYBERWAR: THE CISO AS GENERAL

EC-Council Foundation’s Global CISO Forum (GCF) is an invite-only, closed-door event gathering the highest-level executives from across industries and countries to discuss the most pressing issues in information security. Now in its seventh year, the 2017 Global CISO Forum promises to be the best yet with an exciting mix of industries, formats, and interactive presentations.

Amber Pedroncelli


The theme for GCF 2017 is “The Art of Cyberwar: The CISO as General.” The conference will be an opportunity for the speakers and audience to explore the ways their leadership impacts their teams, organizations, and careers. Keynote presentations, panel discussions, and roundtable sessions will cover topics from IS frameworks, policy management, aligning a security program to the goals of the organization, among many others.

The 2017 GCF, EC-Council’s largest executive event of the year, promises to be the most relevant event of the year for executives. The event was constructed by the GCF speaker committee with an eye toward ensuring every executive who attends will come away better able to perform the duties of an information security leader.

The speaker committee chose from a formidable stack of speaker submissions to craft this year’s agenda. Starting with the realization that most CISOs are interested in the show and keynotes of the first half of the first day of Hacker Halted, the EC-Council event the GCF runs alongside, the two conferences will be joined to hear the opening keynote, debate, and second keynote. The first keynote will be, as tradition dictates, delivered by EC-Council CEO Jay Bavisi – historically one of the highest rated presenters of the conference year after year.

The debate following Bavisi’s address will take up the topic “Hackers, The Media, Truth, Trust, and Alternative Facts” and will be moderated by industry veteran Winn Schwartau, Founder of The Security Awareness Company. Schwartau hand-picked his debate panel, inviting Dr. PH (c) Gregory Carpenter, Owner at GCE, LLC; Michael J. Masucci, Hollywood Producer; and Mark Rasch, CyberAttorney (former DoJ), to address some of the most pressing issues facing not just the industry, but the world at large.

Following the 90-minute debate, Chris Roberts, Chief Security Architect at Acalvio, will present his keynote entitled, provocatively, “Leave your zero days at the door, leave your latest hacks behind, AND bring your playbook for the blue team.”

And with that, the CISOs will head to the GCF room for their closed-door, executive session. The first GCF keynote will be presented by Brian Phillips, CISO of Macy’s. Phillips, a seasoned executive and speaker, will highlight lessons he’s learned over his impressive career.

Following this day of high-level technical and executive content, the CISOs will be treated to a networking and cocktail reception at Atlanta’s Top Golf facility. The GCF speaker committee recognizes that one of the most important parts of any executive conference is the time allowed for networking and peer conversations. Therefore, a full afternoon will be set aside for this purpose. There are many CISOs who attend the Forum every year and look forward to the opportunity to catch up with friends they’ve made at past events.

The second day of the GCF is back to business with a keynote by Michael Santarcangelo, Founder of Security Catalyst, entitled “The three questions security leaders must answer to earn respect.” This topic was selected because of its relevance to the CISO role and the challenge CISOs face in breaking free from the idea that they are primarily technical managers. Following the keynote, Santarcangelo will lead a panel of security leaders in a discussion of their real-world problems and how effective leadership has helped through their careers. Santarcangelo will also be available for 15-minute coaching sessions for any GCF attendee interested in his mentorship.

Next on the agenda is a keynote entitled “From Banking to Energy to Healthcare to Criminal Justice Systems to Academia: A CISO’s Journey” by William Miaoulis, CISO at Auburn University.

A second panel discussion will follow, focusing on “Building an Information Security Program on a Budget,” moderated by Sean Kelley, CISO of EPA, and featuring Favour Femi-Oyewole, CISO of The Nigerian Stock Exchange; Eric Svetcov, CSO of MedeAnalytics; and Shane Durham, Security Threat Intelligence and Analytics Director at WorldPay. The topic of building a robust security program on a less than ideal budget drives many of the hard decisions security leaders are forced to make.

Following lunch, Kathy Fithen, Chief Privacy Officer at The Coca-Cola Company, will give a talk on “The Partnership Between Privacy, Information Security, and the Business,” touching on the CISO’s responsibility to bring different stakeholders of the business together to ensure the strength of the overall security posture.

Closing out the event will be industry authority Richard Seiersen, Chief Information Security Officer & VP of Trust at Twilio Inc. Seiersen will present “How to Measure Anything in Cybersecurity Risk” – a topic he knows very well. As the CISO role has increasingly included risk management as one of its most important facets, the closing keynote should leave the attendees motivated and ready to return to their offices to lead their programs to a more secure future.

EC-Council’s CISO events have been running annually since 2011 and have attracted increasingly large and loyal crowds of executives.

INDUSTRY SPEAKS

IN DISCUSSION WITH TOBIAS GONDROM

Amber Pedroncelli

Tobias Gondrom is among the first generation of information security experts. He has been in the industry for over two decades and has witnessed its evolution very closely. Tobias is currently the CTO for security at Huawei and a global board member of OWASP. He is also a finalist for Certified CISO (CCISO) of the Year. Gondrom was interviewed by Amber Pedroncelli; they discussed the roles and qualities of CISOs, the need for certification among CISOs, and a bit of technology.

Let's start at the beginning! How did you get into security?

I got into security somewhat as a coincidence you could say, or maybe out of interest. I started as a developer, software development, software architect, and back then security was not such a hot topic. Basically, not many people were excited about it. Not many people wanted to work in this area, and management didn't really pay too much attention to this topic back then. So, responsible for system architecture for quite a large system and a number of people who developed this, one of the things that came up is ‘Hey, what about security? Who's actually looking after that?’ And back then people would say oh, okay, maybe this is something for the global architect team to work on. So, that was my first encounter, and I would say I liked it, and I felt very excited about it. So, then I stuck with it and over the years you learn more and more. You see this as a growing community. People are very, very passionate about it and so did I feel very passionate about it and over the years you learn more people. You learn more. You see more best practices. You feel like you can engage in this global community very well. So, it's an exciting job.

How did you get involved with OWASP?

I got involved with OWASP about 10 years ago. At that time, the CCISO program didn't exist yet from EC-Council. So, one of the questions I had, how do you design the program? Who can you ask and there were not many people around that. So, I went to the OWASP community and there were at least a number of security like-minded people. So, it was great to engage with them, to discuss with them, hey what works for you? What are common security problems? Can we maybe share some training materials? That would be good, some documentation material across organizations, because at OWASP everything is open source and free. That was a brilliant way to do so. So, in fact, at that time I used quite a bit of that to ramp up my own programs.

How did your career develop from software development to the head of security for huge corporations?

I know there are very different angles how to become a CISO. Personally, I believe it's good that you really know how software is being built, to make sure that you understand the basics when you design security around it because there is plenty of opportunities to make mistakes for the developers and so this was actually quite helpful for me to be able to write code. At some point, I was even teaching Java back then. So, it was very helpful to know how these things are really done with hands on, and then later, it always is good for me that I could open a book and read the source code if necessary and deep dive if it's important.

Do you find that a lot of CISOs don't know how to code?

I find that CISOs bring in different strengths. So, a number of CISOs bring in strength from an organizational perspective, from a governance perspective, risk management perspective, and some become more from the technology angle. And every flavor has its own advantages and disadvantages. So, yes, a number of CISOs may not know how to code. But, that's fine. They have other strengths. And actually from my side, one of the reasons why I recognize this is that in addition to the coding part, actually in 2008, I also did a senior MBA, the Sloan Master's in leadership and strategy from London Business School, which basically helped me to get the second angle, the people angle, and the management angle, in addition to the technology angle. So, I believe that you need both of these strengths if you want to be a good CISO.

That is an interesting spot on your resume and it was before the trend of CISOs going to get their Master's, or their MBA. You did that a while ago. So, I was going to ask how that helped your career.

Oh, yes, it was exceptionally valuable and quite exciting as well. It was a good opportunity to take one year, really a full break and basically deep dive into the whole management, leadership, and strategy education and I'm not sure whether you're familiar with London Business School. They are ranked among the top 10 in the world for business schools. So, it was a good thing to learn these things and later when I actually moved back into the chief information security business, like doing advisory and so on, I incorporated quite a number of the learnings I had back then about organizational design management and leadership part of the CISO programs into my daily work. So, it was quite useful.

So, you've really gone out of your way to educate yourself on all the different facets of being a CISO. Have you had the opportunity to share some of your wisdom with other CISOs?

Yes. It's actually not only part of my job, it's part of my passion. So, I very much enjoy sharing and discussing with people and exploring what would be best practices. How can you advance global knowledge in this sphere? Because basically, we have been building this body of knowledge over the last 20 years and we are still building it. So, indeed I have been enjoying this tremendously and for example, like from 2009 to just before I started at Huawei a few years ago, I've been advising other CISOs and actually teaching CISOs. Probably so far, I have probably taught more than 100 chief information security officers and senior security managers from other organizations and that was always an amazing experience, very challenging discussions, good questions, and of course, you felt very tired at the end of the day, but you also learned a lot and you could feel and see the benefit of how people learn and, yeah, when the people later said, "Hey, this was really great, and we took away a lot," then that was the greatest reward for that day.

It seems that CISOs learn best by talking, debating, discussing every point and they seem to get a lot out of that. Have you noticed any trends that came out of discussions with CISOs where you saw one particular thing that they tend to struggle with that you were able to help them with?

Well, there were actually many points and I would say, no class was the same. CISOs are very senior people in general. They already have good basics, understanding and to learn things really means that you need to discuss and go as in-depth as you can until you finally see, ‘oh, okay, this is the problem, or maybe here's some knowledge limitations.’ And so, for these, discussions are essential and we would touch on stuff like security development, life cycles, processes, governance. And depending on the group that would be in the class, the topics would be different because normally I would always ask at the beginning, okay, what do you care about?

And then we would deep dive into these specific elements, testing, training materials, how do you convince your boss that you should actually invest more in security or how do you balance how much you invest and different CISOs have very different needs and different problems depending on the organization, and the maturity of these organizations, or how do you execute your strategy and your roadmap for your next CISO program, or security program for the next one, two, three, four, five years depending on that?


So, I would say there were a couple of things. Maybe some of the things that were not covered so much by others is the trends that we are moving towards an application world and a number of CISOs, at least in the past, like when I started, were more about network security focus, which would be classic perimeter firewall type of things. This is like 10 years plus ago, okay? And I did notice there is a strong trend towards application layer security needs. And that was quite an interesting shift I think for a number of CISOs to see that, hey, we are not only responsible that there is no malware. In fact, we're also responsible that all the applications and systems that we are running are totally secure. And there's a number of opportunities in that.

Do you find that sometimes security lags a bit behind technology?

I believe now security's actually driving technology. Yes, 10 years ago, 15 years ago, security was lagging behind, clearly. But, we have caught up. We did catch up with that and now if you look at where a lot of the innovation is, there is so much innovation in the security field, we start to use machine learning, artificial intelligence technologies, big data analysis, huge detection capabilities, refined analysis tools. If you look around this, I think security today is really close to state of the art what's possible in technology, and really pushing the boundary quite a bit.

But yes, there is sometimes a challenge that people may want to roll out the feature first and think about security second. In fact, that's how the internet was also built. I also have been working with the IETF, Internet Engineering Task Force, for 15 years as a working group chair in various working groups for security.

And when we started defining some of the internet protocols, we didn't really think about security like 25 years ago, 20 years ago, and so on. But, more and more this, so the internet technology itself, security has become a standard part in the considerations for every design we make. When it comes to the applications, I can see that a number of companies just a few years ago would still say, "Oh, okay. Let's bolt security on afterwards. Let's do security second."

But, I think nowadays, like the last few years, after all these big security events in the news, more and more companies are quite aware that security can pose a huge risk for their bottom line at the end of the day. So, I would say many companies now have security by design which means they actually think about the security considerations right from the start, which is something that I also very strongly advocate and yeah, they also struggle with investments. It's always a balance. You can build some more features, or you can make the features secure. And this is always a risk based decision you need to make. But, most companies I think, now got it that if they fail to make this decision the right way, then sooner or later it will come back and haunt them.

You've been a CISO for quite a while. How have you seen the role change?

I would say it has moved from a technical person more to a recognized management and business person. Ten years ago, the role was for a technical person who wouldn't talk with the board. But, the last few years, I think it has become quite apparent that a CISO actually has to give reports to the board and so that requires slightly different skill sets. It requires better communication ability, leadership abilities, the ability to influence stakeholders, etc. So, there have come a number of more management related tasks with it now that is shifting the scope, and for example, if you would be comfortable just with working with machines, I think the CISO role today would no longer be comfortable for you, because actually now you need to work a lot with people.

What's your experience been like reporting to boards and working with boards?

Interesting. I think this also, as I said, this changed over time. Years back, it was more an uphill battle. But, the last few years, actually, boards have been quite open to these risks and they were very curious about things. Of course, it took some interesting challenges how to explain the scope of security risks to them because you needed to explain it in a way that a less technical person, including a CFO, or a chief customer officer, or sales officer would understand, oh, this is a massive risk to our business. So, you need to translate these things. So, this was an interesting challenge. But once you do that, actually I found many board members are very receptive to security because once you translate it into their language, once you speak their language, they fully comprehend, oh, this is a massive risk and we have to deal with it. And boards are quite professional when it comes to general risk management and looking at strategic topics. So, they can do that. You just need to speak in their language and then it's actually a great opportunity.

Your business education helped you grasp that fairly quickly, right?

Yeah, it definitely helped a lot and translating this, understanding ROI and all the other measures and metrics that you have, I think it's still difficult to make a good case for business investment for security because eventually you actually have to say you pay this amount for reducing a risk and if nothing happens, your boss may actually say, well, you know what? Nothing happens. Maybe we don't have to pay so much. Maybe nothing happens next year too. And then you have to come and really show, hey, wait a moment. We are actually managing risks here and we are trying to reduce and control the risks for our organization so that we don't go completely out of business next year. And that's something that's not coming so natural for people. So, yes, business frameworks, decision making frameworks have been very helpful and to understand personal biases towards risk was a good tool in explaining how to make these decisions.

Personal biases. Tell me more about that.

If you look at security risks, in general if you look at risks, there's actually a great talk by Bruce Schneier about this. People tend to overestimate certain risks. For example, if they are spectacular but rare, you may feel oh this is so dangerous. So, let's say for example an airplane, if it may go down, yeah, this is very spectacular, so everybody's very scared of it. But, effectively, your risk of let's say dying crossing the street is potentially higher than dying when you are sitting in an airplane. So, you have a bias towards misjudging which risk you actually should mitigate more, where you should invest, and there's a number of learnings that you can take from that. So, if you recognize your own biases, that means you can compensate for them and adjust your investment decisions, and really invest in the stuff that really makes a difference, while maybe only moderately investing in the things that are spectacular in the news, but potentially not your main risk.

I've heard from a few CISOs that having big, spectacular breaches in the news has been helpful for them to drive their security budgets. But, I wonder if that leads to misallocation of budgets?

If you don't compensate for your biases, it will likely lead to that you ignore your most common risks and you may overinvest, well you may spend ... The problem is your budget is limited and security budgets are still not as big as they should be, and for example, at OWASP, I did a study, a CISO survey a few years back where we asked CISOs how is your budget? Are you increasing next year, and so on. This was really quite interesting and we could see the budget is not big enough to do everything that you need or that you think you need. So, if you overinvest in the spectacular things, that means you don't have enough money for doing your homework, which is maybe not so sexy, and then effectively, you're actually exposed on the low hanging fruit that you just didn't cover.

Do you sometimes have trouble hiring for your many teams? I assume you have quite a lot of people under you.

Yes, of course. Of course. This is always a challenge hiring people and I think it's not only me. Probably everyone I talk with in this sphere is like, ‘Oh, you want to hire a security architect or a security analyst? Oh boy, okay.’ It's really quite a challenge. But, I think this is a great opportunity for people who want to enter this market that there's still a lot of room to grow.


IN THE NEWS

CISO MAG staff

Due to several data breaches in 2017, cybersecurity is a buzzing topic. It is imperative that information security executives are informed about the incidents around them, as headline-making breaches can lead to boardroom discussions. Read on for the 10 most important cybersecurity stories of the last two months.

US–RUSSIA CYBERSECURITY UNIT: THE CONFUSION

After a series of events, the idea of a U.S.–Russia cybersecurity unit is in doubt. The decision to build a joint cybersecurity unit was made on the sidelines of the G-20 Summit in Hamburg, Germany, where U.S. President Donald Trump and Russian President Vladimir Putin engaged in a lengthy conversation. The issue of cybersecurity was one of the key points discussed during their two-hour long meeting.

After the meeting ended, Trump tweeted, “Putin & I discussed forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded… and safe.” The comment drew widespread criticism from government officials in the U.S. who vehemently opposed the formation of any alliance with the Russian government. Following the uproar, Trump tweeted again within a few hours, “The fact that President Putin and I discussed a Cyber Security unit doesn’t mean I think it can happen. It can’t-but a ceasefire can, & did!”

However, on July 20, 2017, a Russian government-run media organization quoted Russia's special envoy on cybersecurity Andrey Krutskikh as saying the talks between the country and the U.S. on the joint cybersecurity unit are still on. He was quoted as saying, "there is no need to dramatize the working process, it is undoubtedly difficult, taking into account the current American realities, but this is a problem rather of the U.S. administration, not ours." Two days later, U.S. National Security Agency Director Mike Rogers dismissed the idea of the unit, saying “now is probably not the best time to be doing this.”

HBO AND THE SERIES OF UNFORTUNATE EVENTS

American television network HBO was in the news recently for the wrong reasons, as hackers broke into its infrastructure and stole 3.4 terabytes of data, including forthcoming episodes and scripts of popular TV shows “Game of Thrones,” “Ballers,” and “Room 104,” along with personal data of employees.

The hackers sent an anonymous email to reporters saying, “greatest leak of cyber space era is happening. What’s its name? Oh I forget to tell. Its HBO and Game of Thrones……!!!!!! You are lucky to be the first pioneers to witness and download the leak. Enjoy it & spread the words. Whoever spreads well, we will have an interview with him. HBO is falling.”

The fourth episode of the highly-watched seventh season of “Game of Thrones” was released online two days after the hack, and a week later, the attackers leaked personal phone numbers, email addresses, and home addresses of cast members of the TV series. Asking for an undisclosed amount as a ransom to prevent further data leaks, the hackers released a video that said, “HBO spends 12 million for Market Research and 5 million for Game of Thrones advertisements. So consider us another budget for your advertisements!”

The latest security breach, which is supposedly several times bigger than the Sony hack in 2014, is reportedly under investigation by the FBI. The TV channel faced a similar situation back in 2016, when four episodes of “Game of Thrones” were leaked online. Amid the series of events, the fourth episode of “Game of Thrones” was leaked on August 4, 2017. HBO's distribution partner Star India was held accountable for the leak. In connection to the incident, four men from Mumbai were apprehended by Indian cyber sleuths on August 15. The next day, HBO Spain mistakenly aired the sixth episode of the TV series before its official air date. The episode eventually landed on peer-to-peer sites and was downloaded globally.

The juggernaut of leaks didn’t stop there. On August 17, the social media handles of the cable giant as well as the Twitter account of “Game of Thrones” were compromised by OurMine Security Group, a self-proclaimed white hat hacker group which hacks companies and approaches them with a sales pitch. The group posted on the page stating, “Hi, OurMine are here, we are just testing your security. HBO team please contact us to upgrade the security - ourmine .org -> Contact.”


BOTCHED DATA BACKUP IN SWEDEN

In a massive botched data transfer, Sweden’s Transport Agency sent information about every vehicle in the country to marketers. The agency believed it was moving the data to cloud storage via an outsourcing agreement with IBM, but apparently, the information was forwarded to third parties.

According to Pirate Party Founder Rik Falkvinge, who is also a key player at the Virtual Private Network (VPN) company Private Internet Access, a whole host of sensitive information was compromised. Several databases that may have had top-secret designation may have been included in the information security violation, including data on members of the military holding high-security positions, criminal suspects, and citizens in witness protection programs. The breach included names, photos, and addresses.

Falkvinge criticized the lack of punishment in the case. The department director found guilty in criminal court for being responsible for the incident was sentenced only to the loss of half of her monthly salary.

It also became clear that the response to the leak was lackadaisical, with the marketers who incorrectly received the information simply receiving a follow-up email requesting that they delete it, with no follow-up. It has also been reported that IBM employees without security clearance outside of Sweden also had access to the information.

ILLICIT DARK WEBSITES SHUT DOWN

The Attorney General of the United States, Jeff Sessions, announced the shutdown of two "dark web" marketplaces, AlphaBay and Hansa. These sites were clearing houses for the illegal trade of products such as guns and drugs, including fentanyl and heroin. Both were Tor-based anonymous sites.

The investigation that led to the shutdowns included law enforcement agencies worldwide, led by the Federal Bureau of Investigation (FBI), the Drug Enforcement Agency (DEA), and the Dutch National Police.

AlphaBay servers were seized by law enforcement agencies in Thailand, Lithuania, Canada, Britain, and France. Alexandre Cazes, a Canadian citizen and founder of AlphaBay, was arrested in Thailand. He apparently committed suicide within a week of being taken into custody.

Europol estimates that AlphaBay had over 200,000 users and 40,000 vendors. Digital currencies, including Bitcoin, were used to process transactions. The largest online black market before being shut down, AlphaBay processed transactions worth hundreds of thousands of dollars and had taken over much of the market after Silk Road was shut down in 2013. According to FBI acting Director Andrew McCabe, AlphaBay was 10 times larger than Silk Road at its height.

Servers for Hansa were seized in Lithuania, the Netherlands, and Germany under the coordination of the Dutch National Police. Prior to shutting down the site, authorities took "covert control" of it in order to track migration from the shutdown AlphaBay site to Hansa.


MARCUS HUTCHINS, WANNACRY HERO, FACES 40 YEARS IN JAIL

Marcus Hutchins, the man who discovered the WannaCry kill switch, is facing a jail term of at least 40 years. The FBI arrested him on August 4, 2017, on the charges of developing and selling banking malware as he was about to board a flight back to the United Kingdom from Las Vegas after attending the hacking conference DEFCON.

Hutchins stands accused of building and selling a banking trojan named Kronos. He and another unknown associate had allegedly sold the malware on the dark web between 2014 and 2015. During questioning by the FBI, Hutchins admitted to writing some code for a piece of malware, but only for research purposes.

Hutchins has been in a jail in Nevada ever since. He appeared in court on August 14, 2017 in Milwaukee, WI, and pleaded not guilty to the charges. Currently, he is out on a $30,000 bail on several strict conditions such as no Internet access and an ankle monitor. He had to surrender his passport as well.

LAWS OF ROBOTICS PUBLISHED BY UK FOR SELF-DRIVING CARS

The United Kingdom Transport Minister Lord Callanan announced a set of privacy and security principles targeted toward automakers, distributors, and suppliers to safeguard the forthcoming automated vehicles from any potential cyber threats. The set of principles was jointly drafted by the UK's Department for Transport with the assistance of the Centre for the Protection of National Infrastructure.

The eight principles come with several sub-principles that encourage all the participants in the supply chain to work together. The principles include:

• Organizational security is owned, governed, and promoted at the board level;

• Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain;

• Organizations need product aftercare and incident response to ensure systems are secure over their lifetime;

• All organizations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system;

• Systems are designed using a defense-in-depth approach;

• The security of all software is managed throughout its lifetime;

• The storage and transmission of data is secure and can be controlled;

• The system is designed to be resilient to attacks and respond appropriately when its defenses or sensors fail.


SINGAPORE BEST IN CYBERSECURITY STRATEGY: UN SURVEY

A recent survey by the United Nations International Telecommunication Union (ITU) revealed that Singapore has the best cybersecurity approach in the world. Singapore is ahead of the U.S., Malaysia, Oman, Estonia, Mauritius, Australia, Georgia, France, and Canada. Equatorial Guinea was the lowest ranker with a score of zero.

The report lauded Singapore for a number of its cybersecurity initiatives, including the launch of their cybersecurity master plan in 2005 and the establishment of The Cyber Security Agency of Singapore in 2015 "to oversee cybersecurity and the country issued a comprehensive strategy in 2016."

The survey featured 195 countries which were evaluated on the basis of their legal, technical, and organizational skills, educational and research capabilities, and cooperation in information-sharing networks.

It was observed that many wealthier nations did poorly in adhering to robust cybersecurity strategies, whereas some poor countries fared much better. The famously technically-advanced Estonia is ranked 98th in the world in GDP but 5th in the world on the ITU report – much higher than Germany, which ranks 4th in the world in GDP but 24th on this report. Small, rich countries such as Andorra, Liechtenstein, Monaco, and San Marino got low ranks as well.


WANNACRY ATTACKERS WITHDRAW RANSOM FROM ONLINE WALLETS

According to a BBC report, the online accounts involved in collecting ransoms from the WannaCry victims were emptied by late July or the first week of August. The attackers withdrew more than $140,000 worth of bitcoins and have been lying low ever since.

Bitcoins can be turned into real money, but experts feel that a large amount of the ransomed bitcoins have most likely been put through a 'mixer,' allowing the digital money to be mixed with other larger payments that could be used inconspicuously and are harder to track.

The WannaCry malware that crippled businesses around the world was launched in May 2017. To unlock victims' computers, attackers demanded ransoms between $300 and $600 in the form of bitcoins.

Despite instructions from cybersecurity experts and law enforcement agencies against payments, several victims gave in to the attackers' demands.


CHINA ENFORCES FIRST ACTION UNDER NATIONAL CYBER LAW

Chinese authorities came down hard on a local Internet data center company for reportedly not adhering to the newly implemented National Cyber Law. The company reportedly failed to preserve a blog and was issued a warning from Chongqing's Public Security Bureau (PSB). The Bureau ordered the company to rectify the issue within 15 days.

This was the first instance of enforcement action against a company that did not adhere to the National Cyber Law that was implemented on June 1. The law requires companies to store data like information about Chinese citizens or data concerning national interests on domestic servers. It also requires every firm that exports bulk data to undergo an annual security assessment.

Four government departments have also jointly initiated the "Action Plan for Personal Information Protection Improvement," under which an expert panel would examine the privacy policies of 10 notable domestic network product and service providers.

NORTH KOREA TARGETED BY HACKERS AFTER ICBM TEST

North Korea is facing a barrage of cyberattacks from an unknown hacker group. According to experts, the group is using Konni malware, a remote access trojan (RAT), to attack North Korean organizations. At least three campaigns have been detected so far in 2017, the most recent being in July after the intercontinental ballistic missile test.

Experts haven't pinpointed a reason for the attacks but suggested it may be "geared towards espionage against targets who would be interested in North Korean affairs." According to researchers, the malware can "hide in the background" while victims are tricked into releasing the payload. Hackers can then easily steal data using keylogger and screen grabbing features in the malware.

Researchers at Kaspersky Labs suggested that the malware could be created by people of Korean origin. Some researchers also suggested the attack could have originated from within South Korea.

Though presumably the victim in this case, North Korea has allegedly carried out a number of cyber attacks. Recently, the South Korean government-backed Financial Security Institute suggested in a report that around 1,700 hackers are looking to break into a number of international banking systems to steal cash. If the report is to be believed, North Korea was behind the attacks on Bangladesh's central bank as well as some Polish banks.


TECHTALK

AUTOMATION AND ORCHESTRATION: THE BIG PICTURE
Tari Schreider, Chief Cybersecurity Strategist and Author, Prescriptive Risk Solutions, LLC

CYBERSECURITY COUNTERMEASURES SPRAWL
Today, CISOs have a dizzying array of cybersecurity technologies offering the promise of a securer tomorrow. Each technology performs its appointed mission of protecting assets and information with aplomb. Layer by layer, one security technology is stacked upon another hoping to achieve defense in depth. However, the bad actors somehow still find a way around our defenses. No wonder CISOs have trouble asking for funding for the next galactic malware cure. CFOs may not say it, but they are thinking it: "if you cannot make what we have work together to reduce our risk, we're just throwing good money after bad."

If only there were a way to leverage our growing complexity of disparate cybersecurity technologies and force multiply our limited SecOps personnel with machine agility and speed. Well, there is, my fine CISO friend, there is. The age of automation and orchestration is dawning. Solutions now exist that allow you to automate your cybersecurity playbooks. With an extensible automation and orchestration platform, you can programmatically curate, from your inventory of countermeasures, your response to various threat scenarios.

MARKET ADOPTION
You may have already seen their booths at RSA or received marketing grams from various security automation and orchestration vendors and wondered: does this thing have legs? To answer in a word, yes. Market and Markets Research published a report in 2016 forecasting the security orchestration market will grow from $826.1 Million in 2016 to $1,682.4 Million by 2021, at a Compound Annual Growth Rate (CAGR) of 15.3%.

Some companies jumped on the security automation and orchestration train early by announcing integration partnerships. An example of seemingly early adoption would be the Tufin Orchestration Suite integrating with Cisco Firewalls. These partnerships were generally a space holder to allow vendors to figure this market out and create products that actually live up to the promise of security automation and orchestration.

The field of players is becoming crowded and I expect an aggressive 2017 M&A season to follow on the previous year's activity. In 2016, we witnessed IBM acquiring Resilient Systems and FireEye acquiring Invotas, as well as Cisco Systems acquiring Tail-F in 2014.

KEY PLAYERS
At my last count, there were over thirty providers of products claiming placement within the security automation and orchestration market. If you attended RSA in February, you should have noticed these products were all the rage. Some claim they are a full automation and orchestration suite while others are carving out narrow niches in areas like policy orchestration or automated incident response.

Below are the ones creating the mostchatter:

• Bradford Networks - Network Sentry

• Cisco Systems – Process Orchestrator

• Cyberbit SOC 3D

• CyberSponse Inc.

• Demisto

• DFLabs - IncMan

• Exabeam Security Intelligence Platform

• FireEye, Inc. – Security Orchestrator

• Gemini Atlas Platform

• Hexadite AIRS

• IBM Corporation - Resilient Incident Response Platform

• Intel – Open Security Controller

• Komand Security Orchestration & Automation Platform

• Phantom Cyber Corporation

• Resolve Systems

• Swimlane LLC

• ThreatNexus Orchestration Engine

• Tufin Orchestration Suite

When looking at these products you will need to recognize that half of them will no longer either be in business or operate as an independent company within the next two years. You should also note that this is an arms race with feature advantage changing sides often.

I have not mentioned the girth of log management and security incident and event management (SIEM) products that have just created white papers to convince us they are a security automation and orchestration solution.

THE PROMISE OF AUTOMATION & ORCHESTRATION
The promise of automation and orchestration solutions lies in use cases. Depending on your solution, you can improve just about any SecOps function or process.

Below are some of the use cases best served by these solutions:

USE CASE – RATIONALE

• Alert Resolution – Reduce effort to aggregate, correlate, and resolve alerts from multiple sources.

• Detect & Patch – Automate risk scoring of patch advisories, scan for missing patches and remediate in one continuous motion.

• Incident Response – Execute incident response playbook in real time.

• Integrate Cybersecurity Countermeasures – Automate security technologies to work as a cohesive integrated workflow.

• Metrics & Report Consolidation – Reduce time required to chase down metrics, consolidate results and produce reports.

• Threat Intel Fusion – Reduce time and effort to source, analyze and report on threat intelligence from multiple sources.

From what I can see from these products, your imagination is your only limitation on how deep you can automate SecOps.
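To make the use cases above concrete, here is an added example (not the article's code, and not any listed vendor's product) of the pipeline a playbook engine runs: alerts from several tools are correlated per host, enriched against a threat-intelligence feed, and then matched against a playbook whose rules are explicit data rather than code, which is exactly why the process has to be modeled before it can be automated. The tool names, hosts, IP addresses, indicators and action names are all constructed for illustration.

```python
"""Minimal SOAR-style playbook runner on constructed alerts.

Added example (not the article's or any vendor's code). It exercises three
of the use cases listed above: alert resolution (aggregate and correlate
alerts from several tools), threat intel fusion (enrich with an indicator
feed) and incident response (run a playbook whose steps are explicit data).
Tool names, hosts, IPs and indicators are all constructed for illustration.
"""
from collections import defaultdict

# Constructed alerts from three hypothetical sources; IPs are documentation ranges.
ALERTS = [
    {"source": "edr", "host": "ws-017", "type": "suspicious_process", "severity": 3},
    {"source": "proxy", "host": "ws-017", "type": "dns_beacon",
     "dest": "198.51.100.23", "severity": 2},
    {"source": "siem", "host": "ws-017", "type": "auth_failure", "severity": 1},
    {"source": "proxy", "host": "ws-042", "type": "dns_beacon",
     "dest": "203.0.113.9", "severity": 2},
]

# Constructed threat-intel feed: indicator -> context.
INTEL = {"198.51.100.23": {"tag": "known-c2", "confidence": 90}}


def correlate(alerts):
    """Alert resolution: group alerts by host so one incident is raised per
    machine instead of one ticket per tool."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    return dict(by_host)


def enrich(host, group, intel):
    """Threat intel fusion: attach indicator hits and derive a single score.
    Score = highest tool severity, plus 3 when any indicator is on the feed."""
    hits = [intel[a["dest"]] for a in group if a.get("dest") in intel]
    score = max(a["severity"] for a in group) + (3 if hits else 0)
    return {
        "host": host,
        "alerts": group,
        "intel": hits,
        "score": score,
        "sources": sorted({a["source"] for a in group}),
    }


# The playbook is data the engine is told up front ("model the process
# first"). Rules are checked in order; the first match decides the actions.
PLAYBOOK = [
    {"name": "confirmed-c2",
     "when": lambda inc: bool(inc["intel"]) and inc["score"] >= 5,
     "actions": ["isolate_host", "open_ticket", "page_oncall"]},
    {"name": "multi-source",
     "when": lambda inc: len(inc["sources"]) >= 2,
     "actions": ["open_ticket", "collect_triage"]},
    {"name": "default", "when": lambda inc: True, "actions": ["log_only"]},
]


def run_playbook(incident, playbook=PLAYBOOK):
    """Incident response: return (matched rule name, actions) for an incident."""
    for rule in playbook:
        if rule["when"](incident):
            return rule["name"], rule["actions"]
    return "unmatched", []


def triage(alerts=ALERTS, intel=INTEL, playbook=PLAYBOOK):
    """Full pipeline: correlate -> enrich -> decide. Returns one record per host,
    including which rule fired, which is the 'proof' a metrics report needs."""
    results = {}
    for host, group in correlate(alerts).items():
        incident = enrich(host, group, intel)
        rule, actions = run_playbook(incident, playbook)
        results[host] = {"score": incident["score"], "sources": incident["sources"],
                         "rule": rule, "actions": actions}
    return results


if __name__ == "__main__":
    for host, record in triage().items():
        print(host, record)
```

Running it produces one incident for ws-017 (three tools, one indicator on the feed, so the "confirmed-c2" rule fires and containment actions are queued) and one for ws-042 (a single beacon alert with no intel hit, which only gets logged). The ordering of rules is the policy decision; recording which rule fired alongside the actions is what lets a metrics and report consolidation step later show how many incidents were resolved without a human touching them.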

ALL THAT GLITTERS IS NOT GOLD
If you are waiting for the other shoe to drop, well listen – thud, there it is. Security automation and orchestration solutions are the next best thing to sliced bread, but they are not magic. You have to model your processes in advance before you can automate and orchestrate them. These solutions have no idea what you want to accomplish unless you tell them. Remember that old adage, "garbage in, garbage out?"

Modeling a process is a 360-degree exercise. You will need to consider people, policies, procedures, processes, products and proof (metrics). It is only through the union of these domains that automation and orchestration occur.

I know what you are thinking: "I can get rid of all my SecOps staff through automation and orchestration. I will have a lights-out SecOps." Wait, what? Nice try, but it does not work like that; you will still need people. Your goal is to root out the rote tasks of SecOps, freeing your people up to focus on the strategic aspects of your cybersecurity program. Yes, you may be able to stave off hiring more staff, addressing the growing skills gap, but don't go into acquiring a security automation and orchestration solution thinking you're going to cut staff.

SECRET SAUCE: PLAYBOOKS & PARTNERS
Sometimes the difference between being compromised or not is a matter of seconds. Security and automation software provides the ability to respond to attacks at machine speed. Designed to execute preset detection protocols, these solutions reduce the dependence on manual intervention. Some of the solutions already come with playbook templates.

Solutions that offer the broadest partner ecosystem and customizable library of playbooks should be at the top of your evaluation list. However, for them to acquire either, they will have had to log time in the seat. You will want a company whose product has a reasonable size customer base (25+) and can provide evidence of automating and orchestrating dozens of security products within the same client.

ELIMINATING YOUR MSSP
Security automation and orchestration has been the secret of Managed Security Service Providers (MSSP) for years. However, their solutions were mostly hybrids of service management tools or custom code written specifically for their SOCs. Having managed SOCs around the world, I know a thing or two about what goes on behind the scenes. I can also say that some of you are perfect candidates for replacing your expensive MSSP contract through the introduction of an automation and orchestration solution.

Most organizations gravitate to an MSSP because they do not have the people to watch their network around the clock. In addition, when a critical event does happen, most companies still want a call in the middle of the night. What if you could eliminate all the white noise of SecOps, automate your incident response and receive a call only in times of emergency? It can happen when you implement security automation and orchestration solutions.

DEVOPS
DevOps has produced one of the most profound changes in IT in the past five years. In many ways, it is a disruptive technology forever changing the landscape of application development and operations. Security automation and orchestration solutions are perfect for facilitating DevOps by supporting a playbook that integrates security testing, validation and monitoring throughout the lifecycle of application development to deployment. Playbooks support the integration of security testing into the domain of application programmers rather than security personnel. Application development becomes its own gatekeeper and can no longer blame deployment delays on the security department. Also, imagine the economies of scale of automating patching and hardening into release builds. In my mind, DevOps alone justifies moving toward a security automation and orchestration solution.

A WORD OF CAUTION
I am a huge believer in taking stock of the past to ensure I do not repeat an incident as a future failure. I searched my disaster archives and found an extreme example of an automation blunder that serves as a cautionary tale. In June 2012, Royal Bank of Scotland's (RBS) NatWest and Ulster Bank subsidiaries descended into chaos following a glitch in their software workflow automation product.

The outage was so profound it got its own Wikipedia page. During the one-month outage, 1,200 branches had to remain open past normal hours, call center staff was doubled and millions of customers suffered. The CEO had to forego his bonus because of the fiasco's impact on roughly 20 million customers, and RBS canceled its presence at Wimbledon that year. Game, set, match.

CONCLUSION
Orchestration and automation solutions are not new, but advances in technology have made their time finally come. As we try to maneuver around a critical shortage of IT personnel, manage an average of 60 security products, adapt to DevOps and strive to be more effective and efficient, few choices to accomplish all are left. As the CISO of your organization, you should be leading the charge toward SecOps automation.


KICKSTARTERS

With cybersecurity gaining more importance than ever, cybersecurity startups have become a main attraction for venture capitalists. The cybersecurity market has seen tremendous growth despite the slowdown in the global economy, with many companies inking record-breaking funding deals with venture capital firms. The influx of money has driven innovation and solutions to important security challenges. In this section, we look at some emerging companies making waves in the information security domain.

CISO MAG staff

ARGUS

Argus Cyber Security is a privately held automotive cybersecurity company, working with the major private and commercial OEMs, Tier 1 suppliers, aftermarket connectivity providers, and fleet managers to address the growing security challenges posed by increasing vehicle connectivity.

Argus was featured among the best cybersecurity startups in 2016 by Automobility LA in the LA Auto Show, in the annual Top Ten Automotive Startups Competition.

Founded in 2013, Argus understands that the more connected vehicles become, the more vulnerable they are to cyber attacks. With hundreds of millions of connected cars expected on the roads by 2020, Argus enables motorists to stay connected and protected.

Argus' solutions are developed by a competent research team and automotive veterans and are based on the technology of over 29 pending and granted patents. These multi-layered, end-to-end solutions embed security into the vehicle from concept stage through production, protecting the vehicle and keeping passengers safe, preventing costly cyber recalls by automakers, and safeguarding customer data and property. Argus is headquartered in Tel Aviv, with offices in Detroit, Silicon Valley, Stuttgart, and Tokyo.


B-SECUR

B-Secur is a Belfast-based cybersecurity firm that has developed a biometric technology that authenticates identity through a unique heart pattern. The technology is a level ahead of the existing biometric technologies like fingerprint or iris scanners, which are known to be vulnerable to hackers. B-Secur's solution is based on ECG technology that minimizes hacking or spoofing risks.

B-Secur has several approved patents that include B-Secur Tracker, B-Secur Smartcard, and B-Secur Mobile. The company claims that all these solutions make the experience of authentication more secure, convenient, and cost effective for the end user.

The company was included in the Top 30 fintech startups of 2015 by Silicon Republic. It was also one of the finalists at Accenture's 2015 Fintech Innovation Lab Dublin and Google's Adopt-A-Startup program.

BIOWATCH

Founded in 2015, BioWatch is a Swiss startup that claims to have created the world's first miniaturized wrist vein scanner that can be integrated into a module and added to any watch or wearable, turning the user's wrist vein into an avenue for authentication.

The BioWatch solution can be used as a replacement for badges, keys, cards, passwords, and PIN numbers. It can be used to unlock a car, access an office, log in to systems, purchase goods and services, and sign contracts and digital documents. The device leverages always-on authentication for the user for the entire period of wearing it.

BioWatch has offices in Martigny, Lausanne and Neuchâtel. Matthias Vanoni, a former EPFL/IDIAP PhD student, and Joe Rice, a former engineer at Kodak, are the co-founders. The company recently got recognized at the Swiss Fintech Convention in 2017, held in Geneva. It has also participated in multiple accelerator programs and was recognized at various events, including Kickstart Zurich in 2016, where it secured third position in the Future and Emerging Technologies category.


CORELIGHT

Corelight is an American cybersecurity solution provider headquartered in San Francisco, California. It is the creator of Corelight Sensors, an open-source framework that provides network visibility by transforming high-volume network traffic into high-fidelity data for incident response, intrusion detection, forensics, and more.

Corelight claims that Corelight Sensor features a comprehensive API, enterprise integrations for Splunk, Amazon S3 and Kafka, and performance optimizations yielding 3-4x higher data processing throughput compared to standard servers. The sensor helps in the investigation and prevention of ransomware, denial of service, unauthorized access, misconfiguration, abuse, exfiltration of data, malware infection, insider threat, port scanning, and advanced persistent threat (APT). It can also be helpful to track phishing or other mail-based attacks or incidents.

According to consumers, the solution is used as a "flight data recorder" for their network because users can easily go back in time to quickly understand sophisticated cyber attacks more effectively than ever before.

CAPSULE8

Capsule8 has developed a threat prevention and response platform to protect legacy and next-generation Linux infrastructure. The company claims that its solution spans the entire Linux infrastructure in data centers, in the cloud, and across virtual machines, bare metal, and containers.

Capsule8 Protect aims to provide simplified and automated security solutions for organizations that are adopting containerized and micro-service architectures. The platform provides visibility, ensures real-time threat prevention, and performs "intelligent investigation" that allows the user to review old data stored in the distributed "flight recorder" to search for signs of an attack.

Founded in 2016 by experienced hackers and seasoned security entrepreneurs, the company is headquartered in Brooklyn, New York. Earlier this year, the company raised seed funding of $2.5 million from Bessemer Venture Partners as well as individual investors Shardul Shah of Index Ventures and Jay Leek of ClearSky.


FUNCAPTCHA

FunCaptcha claims to be the world's only managed CAPTCHA service. It uses a patent-pending 3D model approach to create gamified puzzles that leverage gaps in machine vision. Working with researchers such as Mathworks (MatLab), the company ensures that all its security images are outside the gaps of off-the-shelf machine vision software, forcing would-be attackers to write PhD-level software to attack FunCaptcha.

This approach turns one 3D model into millions of unique images by automatically introducing variations such as random noise, changing the camera angle, and shifting the image position. Every security image is unique to the user, which makes it heavily resistant to all forms of automated abuse, machine learning, client decryption, brute forcing, and sweatshop techniques. This approach also makes it easy to undo machine vision and training attacks.

Additionally, dedicated data scientists monitor FunCaptcha traffic patterns 24/7 and respond to threats within a guaranteed SLA, rendering automated abuse inoperative and disarming attackers before they can recoup their costs.

FunCaptcha was founded by Kevin Gosschalk in 2013, and is headquartered in Brisbane, Australia.

ADDO AI

Headquartered in Singapore, Addo AI is involved in the field of artificial intelligence, machine learning, and data science. The company claims that it provides data-driven services and products to help businesses analyze massive amounts of data and gain insights.

It offers services related to statistical analysis, machine learning, user predictions, code engineering, cloud-based architecture, deep learning, and much more. The company uses several techniques such as intelligent speech and natural language processing, intelligent system modelling, simulation and controls, data mining and self-rule generation, neural networks and fuzzy systems, and computer vision.

Addo collaborates with experts in the artificial intelligence domain who oversee algorithm development and testing of the company's products in order to ensure efficacy, accuracy, and validation. The AI solutions offered by the company are used in sectors such as transportation, finance, healthcare, retail, real estate, and logistics.


SENTRYO

Sentryo is the creator of Sentryo ICS CyberVision, a network monitoring and threat intelligence platform that protects Industrial Control Systems (ICS) and SCADA networks. The solution, which is made up of various sensors, central data visualization, and analytics software, provides analysis of industrial network communications, meaningful information about network assets, advanced anomaly detection, and real-time alerts.

Sentryo was founded in 2014 by two former tenants of Arkoon Network Security, Thierry Rouquet (CEO) and Laurent Hausermann (COO). The company collaborated with ET Digital, a digital innovation and entrepreneurial education organization, in 2014. In 2016, Sentryo raised two million Euros ($2.36 million) from ACE Management and Rhône-Alpes Création in France.


KNOWLEDGE HUB

UNDERSTANDING TRENDS AND THE CYBERSECURITY SKILLS GAP

By Amber Pedroncelli


EC-Council recently surveyed its pool of Certified CISOs to discover what is important to information security executives in four categories: hiring their teams, current and past employment, looking for a job, and career success.

First, the survey collected basic geographic and industry demographic data, which is important to keep in mind when interpreting the results from other categories. Represented in the survey were the following regions:

South America 5.6%
Europe 16.7%
Asia 16.7%
Middle East 16.8%
USA 38.9%
Africa 5.6%

As for industries represented in the survey, there was quite a diverse range:

Banking, finance, insurance 33.3%
Consultancy or business services 11.1%
Government, public service, military 22.2%
IT 11.1%
Manufacturing or construction 11.1%
Transportation, utility, telecommunication 11.1%


The last area of demographics collected was on the CCISOs’ current level within their companies:

What level is your current position?

C-Level, VP, SVP, etc. 23.5%
Consultant 29.4%
Director 35.3%
Manager 11.8%

The first section of questions dealt with how CCISOs hire new employees for their teams. This section was important because it highlights challenges that managers, directors, and C-Level executives have when it comes to filling their teams. EC-Council was interested in determining where these leaders are feeling the known information security skills gap the most. The results point to some interesting conclusions.

First, the leaders were asked how many job openings on their teams they are currently looking to fill. Over 57% of them reported they had between 1-5 job openings currently available. Another 31% have over 5 job opportunities, with one survey respondent reporting 300 jobs needing SOC analysts!

How many information security positions are you currently looking to fill with new hires?

Zero 5.3%
1 to 3 47.4%
3 to 5 10.5%
I don't make hiring decisions 5.3%
Over 5 31.6%

The next question asked how many jobs had already been filled in the current year, finding that most leaders had only filled between 1 and 3 jobs.

How many information security positions have you filled in the last year?

Zero 6.3%
1 to 3 50.0%
3 to 5 6.3%
Over 5 37.5%


What position is the most difficult to hire due to a lack of skilled candidates?

CISO, Director of Information Security, CSO 18.8%
Computer Forensics Investigator or Forensic Analyst 12.5%
Consultant 6.3%
Information Security Manager 6.3%
Penetration Tester 18.8%
Security Analyst 31.3%
Security Architect 6.3%

When asked which jobs are the hardest to fill with qualified candidates, the CCISOs reported a range of problem areas, with the most commonly cited job being Security Analyst: 31.3% of respondents pegged it as the most difficult to fill.

The next subsection of the survey dealt with what is most important to infosec leaders when deciding whom to hire. The results point to many different facets of a resume all being crucial to landing an information security job. The most important, however, is finding a good personality fit for the culture or the team, with 81.3% of CCISOs rating that quality as either extremely or very important. Limiting hires to people with specific personality traits can be troubling, as studies have shown managers tend to hire people with their own personality traits, leading to teams without diversity in point of view or other areas. Conversely, it’s easy to understand why looking for a good fit for a team can lead to better cohesion. As long as hiring practices are fair and open-minded, hiring based on cultural fit can be a good option.

The next highest rated characteristic for a job-hopeful to have is experience that exactly matches the job, with 62.5% reporting this as either extremely or very important. Requiring experience that exactly matches the job has been flagged as problematic by industry experts over the years for the simple reason that it is difficult to gain experience in a particular role when all the jobs available for that role require previous experience exactly matching what the employee will be doing. This means that companies are trying to lure employees to make lateral moves with better salaries and benefits. No security leader has an endless budget, so it might make better fiscal sense to find new hires that show potential or whose previous roles and certifications make them good candidates to grow into new roles, for potentially smaller salaries.

However, it is easy to understand why leaders might want turnkey solutions to their problems. It takes time to train new employees, even those who have the exact experience needed for a new role. When an employee has to learn both new skills and a new company, independence in their work will take significantly longer. This may point to an opportunity in the industry for education providers to offer customized solutions to help teams overcome this obstacle and hire for potential rather than for specific experience.

Other top finishers for candidate qualifications were relevant certifications and years of experience, each with 56.3% of respondents finding those qualities extremely or very important.

How important is experience that exactly matches the job in hiring decisions?

Extremely important 43.8%
Important 37.5%
Very important 18.8%

How important is personality fit with culture/team when making hiring decisions?

Extremely important 50.0%
Important 12.5%
Very important 31.3%
Somewhat important 6.3%

How important are relevant industry certifications when making hiring decisions?

Extremely important 12.5%
Important 31.3%
Very important 43.8%
Somewhat important 12.5%

How important is years of experience when making hiring decisions?

Extremely important 12.5%
Important 18.8%
Very important 43.8%
Somewhat important 25.0%

The second main section of the survey dealt with the current and past employment and salaries of the leaders themselves.

When asked how long they had been in their current role, most respondents reported only 1-5 years of tenure at their current organization. This fits the common wisdom in the industry that CISOs tend to change jobs every 18 months. It was interesting, however, to see that over 23% of CCISOs have actually been in their jobs for over 10 years, showing the maturity of the information security market.

Less than one year 11.8%
1 - 5 years 41.2%
Over 5 years 23.5%
Over 10 years 23.5%

In what range is your current salary in USD?

The next question dealt with salaries. All salaries have been converted to US dollars for the sake of comparison. Very few CCISOs earn less than $75,000 per year, with most making between $150,001 - $200,000. EC-Council expects salaries to grow for security leaders every year that they continue this survey.

Less than $75,000 6.3%
$75,001 - $100,000 6.3%
$100,001 - $150,000 31.3%
$150,001 - $200,000 37.5%
Over $200,000 18.8%


The third section of the survey dealt with how CCISOs go about finding new jobs. Asking about a number of aspects of a new job, the survey found the CCISOs value the culture of an organization and the compensation package on offer, with 82.4% of respondents rating these things as extremely or very important. In second place was having an alignment in the vision for the security program with the organization, with 76.5% of CCISOs finding this extremely or very important. Coming in just behind alignment of security vision was the work to life balance offered by the organization, with 75% of the survey participants rating it as extremely or very important. The rest of the results can be found below:


When looking for a new job, how important is an adequate budget for the security program?

Important 29.4%
Very important 41.2%
Extremely important 29.4%

When looking for a new job, how important is alignment in vision for security?

Important 23.5%
Very important 29.4%
Extremely important 47.1%

When looking for a new job, how important is the culture of the organization?

Important 17.6%
Very important 35.3%
Extremely important 47.1%

When looking for a new job, how important is the number of direct reports you will have?

Not at all important 5.9%
Somewhat important 23.5%
Important 52.9%
Very important 5.9%
Extremely important 11.8%


When looking for a new job, how important is the prestige of the company/organization?

Not at all important 6.3%
Somewhat important 18.8%
Important 25.0%
Very important 18.8%
Extremely important 31.3%

When looking for a new job, how important is compensation including salary, signing bonus, stock options, etc.?

Important 17.6%
Very important 17.6%
Extremely important 64.7%

When looking for a new job, how important is the title?

Somewhat important 20.0%
Important 20.0%
Very important 46.7%
Extremely important 13.3%

When looking for a new job, how important is to whom you will report (CIO, CEO, CFO, etc.)?

Somewhat important 5.9%
Important 23.5%
Very important 35.3%
Extremely important 35.3%


When looking for a new job, how important is work/life balance?

Somewhat important 6.3%
Important 18.8%
Very important 43.8%
Extremely important 31.3%

When looking for a new job, how important is the opportunity for advancement?

Not at all important 10.5%
Somewhat important 5.3%
Important 26.3%
Very important 31.6%
Extremely important 26.3%

The final section of the survey asked CCISOs about the factors that contributed the most to their success. The overwhelming winner for this category was networking. 83.3% of respondents said that networking was very or extremely important to the success of their careers. It’s easy to understand why there are so many information security conferences around the world with results like these. Cultivating relationships, sharing information, and increasing their spheres of influence are all things that can be done at conferences. The second key to CCISOs’ success is education, with 58.8% of respondents saying their college or university educations have been extremely or very important to their success. The rest of the categories can be found below:

How important has earning industry certifications been to the success of your career?

Not at all important 27.8%
Somewhat important 5.6%
Important 27.8%
Very important 27.8%
Extremely important 11.1%


How important has effective networking been to the success of your career?

Not at all important 5.6%
Important 11.1%
Very important 50.0%
Extremely important 33.3%

How important have executive recruiting services been to the success of your career?

Not at all important 23.5%
Somewhat important 35.3%
Important 23.5%
Very important 11.8%
Extremely important 5.9%

How important has college/university education been to the success of your career?

Not at all important 17.6%
Somewhat important 5.9%
Important 17.6%
Very important 35.3%
Extremely important 23.5%

How important have executive recruiting services been to the success of your career?

Not at all important 23.5%
Somewhat important 17.6%
Important 64.7%
Very important 11.8%
Extremely important 5.9%


How important has mentorship been to the success of your career?

Not at all important 5.6%
Somewhat important 22.2%
Important 22.2%
Very important 33.3%
Extremely important 16.7%

CONCLUSION

The skill gap in the cybersecurity industry spans all levels, from CISOs to security analysts. It appears that the shortage of skilled professionals is not a problem that will be solved in the foreseeable future. Most CISOs have several job openings yet to be filled, and CISOs and the others involved in the recruiting process are looking for prospects with relevant certifications and experience. A major hurdle in the recruitment process is finding the right fit in culture, personality, and experience that matches the job.

Another key finding was that most infosec professionals were holding onto their seats for years, with several CCISOs serving in the same position for almost a decade. The reasons cited for this were work culture, pay scale, the organization’s approach towards security, and work-life balance. For most infosec experts, networking is one of the key components of their success. Several respondents also felt mentorship and earning industry certifications were crucial for success.


COLLABORATIONS

INFOSEC PARTNERSHIPS

In an age where cyber threats are vast and frequent, and the business landscape is evolving, it is imperative for CISOs to take a strategic leadership role and adopt a collaborative and inclusive approach. An acquisition or a collaboration can serve several purposes for organizations, from propelling them into new markets to strengthening their critical IT infrastructure to sharing information for turning knowledge into action. These partnerships can be difficult, challenging, or chaotic events, but can shape the future growth of a business. In this segment, we take a look at some notable collaborations and acquisitions in the cybersecurity domain.

CISO MAG staff

SNAP ACQUIRES STRONG.CODES

Snap, the company behind Snapchat, has acquired Strong.Codes, a Swiss startup that specializes in creating software protection codes to make the process of replicating an app or program difficult. Snap’s hiring of Laurent Balmelli, the co-founder and software engineer of Strong.Codes, triggered the acquisition. Most of the staff members at Strong.Codes followed Balmelli and joined Snap, leaving only a few employees in the company, which led to its closure. The remaining employees in Strong.Codes’ former headquarters in Switzerland now work for Snap.

Snap had spent months in Europe looking for cryptography and cybersecurity experts, and the move to acquire Strong.Codes is seen as part of the company’s strategy to expand into Europe. Snap’s growth potential is currently limited by the dominant position of Facebook in the social media sector and the ability of Facebook to incorporate some of Snapchat’s most popular features into its stable of features. It is believed the acquisition of the Strong.Codes portfolio is an attempt to limit Facebook’s ability to adapt popular Snapchat features, though it is not clear that Facebook is basing new features on Snapchat code.

BLACKSTONE GROUP TO BUY 40% STAKE IN ISRAELI FIRM NSO GROUP

According to reports, Blackstone Group is in the advanced stages of negotiations with Israeli cybersecurity firm NSO Group to acquire 40% of the company at an estimated value of $400 million. As a second buyer, Clearsky is expected to collaborate with Blackstone for 10% of the stock, as reported by Israeli business newspaper Calcalist. None of the firms made any comment regarding the deal.

The Blackstone Group is a multinational company based in New York that specializes in private equity, credit, and hedge fund investment strategies.

The NSO Group, a maker of spyware for mobile devices, was founded in 2009 by Omri Lavie and Shalev Hulio, and is headquartered in Herzliya, Tel Aviv. The firm is known for the development of the Pegasus software that targets mobile phones to gather information and provides “authorized governments with technology that helps them combat terror and crime.”

Prior to the deal with Blackstone Group, private equity firm Francisco Partners owned a majority of the NSO Group stake. The new deal will see the holdings of Francisco Partners reduced to 40%, with Blackstone and Clearsky jointly also holding 40%. The owners will account for 6% each while the 500 employees of the company will hold another 8%.

Recently, NSO Group caught the attention of the international community due to the alleged use of the Pegasus software by the Mexican government on the devices of opposition lawmakers and private citizens, including human rights lawyers and journalists. The Mexican government denied any such involvement, terming the allegations false rumors, and called for an investigation.

OPENTEXT TO ACQUIRE GUIDANCE SOFTWARE

In a recent announcement, Ontario-based content management company OpenText said it is all set to acquire Guidance Software as a fully owned subsidiary for an overall price of $240 million in a deal that is expected to close by the third quarter of this year. The shareholders of Guidance will be paid $7.10 a share, which translates to a total value of $18 million, making the final price just around $222 million.

Guidance Software is a forensic security and eDiscovery vendor that has a customer base of 78 of the Fortune 100 companies. The acquisition will give OpenText complete access to the forensic and eDiscovery tools along with the rich customer base of Guidance Software, though some overlapping functionality is included in the package. OpenText had already closed another high-profile deal with overlapping functionality last year when it acquired enterprise content management firm Documentum from EMC for $1.62 billion.

Several analysts from content management industry research firms expect to see more such acquisitions from OpenText in the coming months.

HPE PARTNERS WITH CYBERINC

Cyberinc has signed an original equipment manufacturer (OEM) partnership with Hewlett Packard Enterprise in a move to promote and market its advanced web malware isolation system, Isla. The partnership will allow Cyberinc to leverage HPE’s go-to-market infrastructure and supply chain to roll out Isla on a major scale.

Isla was developed to counter cybersecurity threats in a unique way. Unlike the commonly followed ‘detect and respond’ approach, it uses unique technology to isolate all the content in a website outside the network perimeter, thus improving protection from malware-based threats.

Phillip Cutrone, vice president and general manager, Worldwide OEM, Data Center Infrastructure Group of HPE, acknowledged the importance of Isla technology to counter malware-based attacks. He said, “Partnerships like this enable both HPE and Cyberinc to utilize our strengths to deliver unique solutions that bring value to customers. Consistent global execution is one of the cornerstones of the HPE OEM Program. We provide the technology portfolio, supply chain and services that enable partners like Cyberinc to quickly scale their business so they can focus on and build upon their unique value.”

SIMPLILEARN AND EC-COUNCIL PARTNER TO TRAIN TOMORROW’S CYBERSECURITY EXPERTS

Digital economy training company Simplilearn and cybersecurity leader EC-Council announced their partnership to bridge the growing skill gap in cybersecurity. Simplilearn will now offer the same EC-Council Certified Ethical Hacking course used by many of the U.S. Government’s military and security agencies.

A report by Frost & Sullivan predicts that there will be a global shortage of 1.5 million cybersecurity professionals by 2020. In the U.S. alone, over 40,000 information security analyst jobs go unfilled every year, and employers are challenged to fill 200,000 other cybersecurity related roles, according to cybersecurity data tool CyberSeek. To bridge this shortage in skills, employers must not only increase their hiring of certified and skilled professionals for these lucrative and high-demand security jobs, but also train existing employees from within to meet these strategic goals.

The course is available through online self-learning as well as live virtual classrooms where individuals can learn from global instructors. This partnership further provides flexible training access to attend multiple live classes for all learners who enroll by August 31. EC-Council’s in-depth training in cybersecurity is augmented by Simplilearn’s learning model that allows learners to access community forums, projects, teaching assistance, study plans, and reminders. Upon completing the courses, learners will be better prepared for IT security job roles across the industry.

FIREEYE INC. AND WATERFALL SECURITY SOLUTIONS PARTNER TO BOOST INDUSTRIAL CONTROL SYSTEMS

Israeli industrial cybersecurity firm Waterfall Security Solutions has announced a global partnership with California-based cybersecurity firm FireEye Inc. that will enable Waterfall to protect their Industrial Control Systems (ICS) using FireEye’s cloud-based Helix service. The move will allow Waterfall to integrate its Unidirectional CloudConnect with FireEye’s Threat Analytics Platform (TAP), drastically reducing any potential threat of remote cyberattacks to the ICS environment.

Waterfall caters to customers from different industrial sectors, including power plants, nuclear plants, manufacturing plants, utilities, and the oil and gas sector across the Middle East, North America, Asia, and Europe. Waterfall is already accredited with global standards like NERC CIP, ANSSI, NEI, NRC, and IEC.

The integration of FireEye’s TAP with the Unidirectional facility by Waterfall will allow security teams and plant managers to monitor industrial networks on a real-time basis, without interrupting the daily processes of the organization. Through the partnership, Waterfall also looks forward to bringing in new customers who had stayed away from using any cloud or IoT services due to their concern over external cyber risks.
