What would you do if the FBI knocked on your door?
Or maybe you needed to reach out to the FBI because of a breach. Are you prepared for that? What steps are you taking now to either prevent that call or ease the path?
I recently spoke with Leo Taddeo (LinkedIn, Twitter), the CSO of Cryptzone. Leo is the former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office. In this role, he led more than 400 agents and professional support staff in cyber investigations, surveillance operations, information technology support and crisis management for the FBI. He oversaw high profile cases, including Silk Road, Blackshades and JP Morgan.
Leo is passionate about helping security leaders in industry and law enforcement successfully transition to the digital domain. We shared a conversation packed with insights that benefit security leaders.
One of the challenges seems to be the lack of resources. How can companies assess what they have and determine what they need?
While most CISOs are facing security challenges due to resource constraints, some are “cursed” by overprovisioned budgets. Not having enough staff or budget presents obvious challenges, but how can having too much be a bad thing? The answer is that the recent recognition of information security deficiencies by some CEOs has led to a cyber security spending spree in many companies. This has saddled CISOs with expensive tools that can’t be fully implemented without additional staff, budget, and major modifications to business processes. At the end of the day, the real challenge for CISOs is not to spend more, but to spend wisely on tools that provide real value.
Some CISOs are defining “value” in terms of Return on Investment or “ROI.” We can easily determine the “Investment” side of this equation. That’s typically the price tag for a new security tool. But I have my doubts about assigning real numbers to the “Return” side because we can’t accurately measure subjective concepts like risk and impact. In my mind, an ROI approach for cyber security investments is a waste of time because the field is not yet mature enough to measure the probability of an incident, or the potential impact.
As hard as CISOs try, it’s hard to convince CEOs and Boards that security expenditures are “investments.” Security is no doubt essential, but rarely does it contribute to the company’s revenue. In my mind, the better approach is to demonstrate the “value” of security investments. In my view, this requires an enterprise approach. All levels of the leadership team must be engaged, from the CEO, CFO and Board to the CISO and business line leaders. The first order of business for a CISO is to gain top-to-bottom consensus on what constitutes “value” for security investments for the enterprise.
What’s a reasonable approach for a security leader to demonstrate need?
Instead of a hard calculation of ROI, I would recommend a “Risk-Based” approach that compares known risks and impacts. This approach requires a CISO to rank risks in partnership with the business line leaders who own the risks. At the end of the process, both the CISO and the business divisions decide what solutions are funded. Of course, this approach and the ROI approach both require subjective assessments. The benefit of the Risk-Based qualitative ranking is that it requires a lot less work than a fictional quantitative approach. The resources devoted to crunching subjective numbers for an ROI calculation can be better spent elsewhere.
A lot of companies continue to pour cash into prevention. Based on your experience, are we focusing too much on prevention?
A CISO’s fundamental value to an enterprise is his or her ability to get the best return on the security expenditures an enterprise makes. A security budget, at the end of the day, is a series of well-informed bets on what threats the enterprise faces and what solutions will help mitigate them. In my view, most CISOs are betting, even doubling down, on technologies and strategies that have proven time and time again to be ineffective. In particular, and I am not alone in thinking this, signature-based approaches and perimeter defenses are losing bets today and will only prove less effective in the future.
When I served as the head of the Cyber and Special Operations Division of the FBI’s New York Office, I had a chance to review and supervise a number of high-level network intrusion cases. In each case, one of the most important questions was: how did the adversary get in? In almost all cases, the answer was “we don’t know.” The adversary just showed up with valid credentials. Time after time, victims were left with little information on where to shore up their defenses. The only thing they knew for sure was that expensive AV, IDP/IDS, and all their perimeter defenses had not been enough.
As an FBI cyber executive, I also had a view of the “offense” side of cyber security. It’s no secret that the US has some very capable cyber warriors. In my dealings with these awesome young men and women, the most troubling takeaway was the realization that perimeter defenses are not much of an obstacle. You don’t need an expensive zero day to get inside a target’s perimeter and move laterally. Most signature-based defenses can be defeated with slight modifications to the malware’s code. This leads us to question the value of investing in perimeter-based defenses. Even behavior-based defenses, which can be very effective, require a great deal of time and human resources to fully implement.
The fact is the perimeter is harder to define and harder to defend. Continuing to spend the bulk of our security dollars on perimeter defense strategies is money wasted. We need to find and deploy technologies that make it cheaper to defend networks while at the same time making it riskier and more expensive to attack them. I don’t see a silver bullet solution on the horizon, so for me, the only reasonable approach is to shift security spending from the perimeter to inside the network. Preventing an adversary from getting inside is still important, but we must harden the interior by making it more difficult for an adversary to see or move inside our networks.
What about the user experience? Does security need to be at odds with how people do their jobs?
FBI agents manage a lot of risk. One risk we all know best is the risk of a mistake made by an agent. We also always had the risk of an intentional bad act, the insider threat, a bad agent in our midst. To mitigate these risks, FBI culture evolved to continually ask if a new process or tool was “Agent Proof.” This meant that no matter what, the system would detect or prevent a major incident before significant damage was done. This is really hard to do, and it often imposed a tremendous burden on the agents in terms of the limited functionality of the IT tools we had, and a significant burden in complying with seemingly endless reporting to satisfy the internal risk mitigation controls.
The FBI is not alone in its approach to mitigating the risks presented by its employees. All organizations are forced to balance the access their employees need to do their jobs with the security measures necessary to limit the damage they can do if they make a mistake. The most common security control to manage these risks is the principle of least privilege. This is a simple concept: each employee has access to only the resources they need. In practice, especially for network defenders, this principle is very hard to enforce. That’s because networks are typically divided into logical segments. In most networks, a segment has more resources on it than an employee requires. As such, the employee can obtain network access to resources outside the scope of what they need. This is the main vulnerability exploited by sophisticated cyber criminals and nation-states.
To mitigate this threat, CISOs are deploying large teams and significant dollars to create finer segmentation with VLANs and firewall rule sets. As we move more resources to cloud environments, this challenge will only get worse. We need to dramatically simplify the user access problem. This requires a network to automatically adjust user access, based on policy, to ensure users have immediate access to the resources they need – without requiring labor-intensive manual access configuration.
This is difficult and time consuming today. It will only be more difficult tomorrow as the march to the cloud and BYOD continues. The answer lies in the Software Defined Perimeter (SDP). SDP gives application owners the ability to deploy perimeters anywhere – on the internet, in the cloud, at a hosting center, on the private corporate network, or across some or all of these locations. SDP is a way to make the machines do the work of enforcing security policies. Instead of having large teams manage VLANs and firewalls, leverage an SDP model.
What can a security leader do to get started?
The first step is to take a hard look at what you are spending security dollars on. If you are continuing to invest in perimeter-based defenses, you may need to reconsider what return you are getting today and what you will be getting tomorrow as your perimeter continues to collapse. In my view, the better approach is to shift security dollars to hardening the interior.
The next step is to consider how your workforce is connecting to the resources you need to protect. The adversary has little problem obtaining valid credentials. The best investments are technologies that are “employee proof.” Low-cost ways to improve user access controls include context-based authentication. These types of controls protect against the inadvertent, as well as the malicious, employee action.
Lastly, CISOs need to take a hard look at the time and money they are expending to segment their networks. In the long run, the finer the segmentation, the more secure the network. We need cheaper and easier ways to do this. The best tools out today implement an SDP approach. Let the machines do the work.
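The segmentation problem Leo describes (a VLAN holding more resources than any one role needs) and the context-based access controls he recommends can be made concrete in code. The following is an added example, not code from the interview, from Leo Taddeo or from Cryptzone. It models the same user under two access models: a flat segment model, where role membership grants reach to every host on the segment, and a per-resource policy model in the SDP style, where each grant names a group, a resource, and the context conditions (managed device, MFA) the session must satisfy. The users, resources, segments and policy rules are constructed for illustration and are assumptions of the example, not anything from the page.

```python
"""Least privilege: flat segment reach vs. per-resource, context-aware policy.

Added example (not from the interview or from Cryptzone). Every user, resource,
segment and rule below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str          # VLAN / subnet the host lives on


@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset     # group memberships carried by the credential
    device_managed: bool  # endpoint posture: corporate-managed device?
    mfa: bool             # did this session complete MFA?


# Constructed inventory: "vlan-app" hosts more than any single role needs.
RESOURCES = [
    Resource("crm-web", "vlan-app"),
    Resource("crm-db", "vlan-app"),
    Resource("hr-payroll", "vlan-app"),
    Resource("build-server", "vlan-eng"),
    Resource("git", "vlan-eng"),
]

# Segment model: a group maps to whole segments; everything on them is reachable.
# Note that this model never looks at device posture or MFA: a valid credential
# is enough, which is exactly the "adversary showed up with valid credentials" case.
GROUP_SEGMENTS = {"sales": {"vlan-app"}, "hr": {"vlan-app"}, "eng": {"vlan-eng"}}


def segment_reach(ctx: Context) -> set:
    """Resources reachable when access is granted per network segment."""
    segments = set().union(*(GROUP_SEGMENTS.get(g, set()) for g in ctx.groups))
    return {r.name for r in RESOURCES if r.segment in segments}


# SDP-style policy: explicit (group, resource) grants plus context conditions.
# The policy engine, not a firewall rule set, decides what each session can see.
POLICY = [
    {"group": "sales", "resource": "crm-web",      "require_managed": False, "require_mfa": True},
    {"group": "hr",    "resource": "hr-payroll",   "require_managed": True,  "require_mfa": True},
    {"group": "eng",   "resource": "git",          "require_managed": False, "require_mfa": True},
    {"group": "eng",   "resource": "build-server", "require_managed": True,  "require_mfa": True},
    {"group": "dba",   "resource": "crm-db",       "require_managed": True,  "require_mfa": True},
]


def policy_reach(ctx: Context) -> set:
    """Resources reachable under per-resource grants evaluated against session context."""
    allowed = set()
    for rule in POLICY:
        if rule["group"] not in ctx.groups:
            continue
        if rule["require_managed"] and not ctx.device_managed:
            continue
        if rule["require_mfa"] and not ctx.mfa:
            continue
        allowed.add(rule["resource"])
    return allowed


def overreach(ctx: Context) -> set:
    """Resources the segment model exposes that the policy says this session does not need.

    This set is the lateral-movement surface a stolen credential inherits for free.
    """
    return segment_reach(ctx) - policy_reach(ctx)


if __name__ == "__main__":
    alice = Context("alice", frozenset({"sales"}), device_managed=True, mfa=True)
    print("sales, managed, MFA   segment:", sorted(segment_reach(alice)))
    print("sales, managed, MFA   policy: ", sorted(policy_reach(alice)))
    print("sales overreach:               ", sorted(overreach(alice)))

    # Same credential replayed from an unmanaged box without MFA (stolen password).
    stolen = Context("alice", frozenset({"sales"}), device_managed=False, mfa=False)
    print("stolen cred           segment:", sorted(segment_reach(stolen)))
    print("stolen cred           policy: ", sorted(policy_reach(stolen)))
```

Running it shows the two points from the interview side by side: the sales user on a flat segment can reach crm-db and hr-payroll although no rule grants them, while the policy model returns only crm-web; and when the same valid credential is used from an unmanaged device without MFA, the segment model still hands over the whole VLAN while the context-aware policy grants nothing. Tightening the segment model to match the policy would mean a new VLAN per (group, resource) pair plus the firewall rules between them, which is the manual labor SDP is meant to replace.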