Is The Cyber Security Industry All Smoke And Mirrors?

Exploring the hype around the fear-driven and crowded cyber security solutions market on TF 7

Episode #79 of Task Force 7 Radio this week featured a cyber security expert panel that discussed the hype around the crowded solutions market and analyzed the true effectiveness that so many products are having on organizations' defense-in-depth security posture.

The Chief Security Officer of BitGo, Thomas Pageler; the Chief Information Security Officer of Ciena, Andrew Bonillo; and the Chief Security Officer of the National Australia Bank, David Fairman, made up this expert panel. They joined TF 7 Radio Host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, to discuss the cyber security industry’s fear-driven solutions market, how convergent security models in Australia are gaining attention, how companies currently share cyber intelligence with the government and the Five Eye Alliance, and the current state of election security around the world.

The Convergent Cyber Security Model

Fairman was the first Chief Security Officer to come into the National Australia Bank. His role was created last year, which is what brought him home from New York to Australia in about June of last year. With a broad role spanning access management to broad critical security, employee surveillance, bribery, corruption, etc., Fairman said that he is a big believer in the convergent security model, noting that the National Australia Bank is the first bank to actually implement this type of security model.

He explained that the benefits of the convergent security model include bringing together data that is typically siloed, being able to identify patterns in that data that probably wouldn’t have been seen if it weren’t under one roof, and allowing the team to be more intelligence led. “You have the entire click stream from the mouse click through, all the way through to the financial transaction for the customer. You know, you can see everything into that space.”

It brings all external threat data together completely, making patterns more identifiable and, therefore, making anomalies outside of those patterns more identifiable, which could potentially be areas of threat. Fairman added, “I think it's really bringing the teams together in that situational awareness that you get of having the team integrated and working more collaboratively than ever before. The team is sitting together, hearing other teams talking about specific instances, being involved in incidents side by side. They're starting to see … it generates thought and it triggers conversation that probably wouldn't have been seen before, which I think allows us to be a little bit quicker in joining some of the dots, in responding to some of these issues.”

“How are the physical security teams and the executive protection teams integrating with the cyber teams?” Rettas asked.

Fairman said that they both have security operation centers for physical security should there be a physical security incident. But they also have a security operation center management response process for cyber capabilities. “So we’re starting to bring that together.” They are also aligning inter-management processes and disciplines, pulling in a bit more discipline around the way they manage incidents (back in to lawyer’s disciplines and practices) and bolstering the overall capability from a physical security perspective.

When it comes to executive management and executive protection, Fairman said the benefit he’s seeing is that executive protection is no longer just about security monitoring, setting up alarms and checking the perimeter. It's also around looking at the digital risk profile of that executive and leveraging the cyber security technology that “allows us to go out there and scan the environment, looking for false or fraudulent LinkedIn profiles, etc., which are clearly used for business email compromise or social engineering of adversaries or actors purporting to be executives.” It brings together the combined approach for the executive protection process, including the physical security guys and making them more aware of the cyber security threats that impact the executives they protect.

Fairman also noted that there can be challenges from this model as well. “I think one of the biggest challenges is the cross pollination of the skill sets, and how we're truly trying to make that effective,” he said. He also talked about managing the change from siloed to convergent, as well as just bringing all the data together. But Fairman agreed with Rettas that the benefits are still there enough for other financial institutions to follow suit on this security model.

Pageler explained that he has been a CISO, a CSO, a CRO and a CCO, so chief compliance officer, chief risk officer, CSIO, chief administrative security officer, chief security officer. However, he said that the title doesn’t really matter. It’s just a matter of clearly knowing who owns what. “I think it's just that management skill, knowing who to put where, and knowing what you don't know, what you need to recruit in and bringing the best people, to do the best at their job, and then holistically work together as one team, to secure your institution.”

Is Cyber Security All Smoke And Mirrors?

Rettas opened up the second segment by citing an article by Amit Yoran, Chairman and Chief Executive Officer of Tenable, where he mentioned his general thoughts on the RSA Conference, saying that a good chunk of the cyber security industry was smoke and mirrors. He thought that companies were hawking these shiny products that aren't needed to block most intrusions and most attacks that happen and that “it's an industry that has fed and continues to feed, to a large extent, off of fear mongering.”

Bonillo explained, “People are just building tools, and it's the same buzzwords every year, and they don't have a good fundamental understanding of what some of the tech is that behind it are used as the buzzwords. I think, unfortunately, like you said the fear, uncertainty or doubt component of the fear mongering, you know, that's why I think most companies are moving towards a risk-based model.”

How much is enough? What do I have to spend? What's the threat that I face? And am I unique? “So it's unfortunate but I think there's been a ton of investment in a lot of products, you see cyber security tools start to fade off really quickly, and then only the really strong ones survive. Also, unfortunately, trust is a big component, people follow security tools based on who's behind the tech and if you don't have a good understanding of who's really innovating in this space it's easy to fall into a trap where you think a tool is really good,” Bonillo said.

Pageler agreed, “I think it's unfortunate there are a lot of people that are new to this space and when they're out there, they are swayed by shiny new items and that's the job of people in RSA, to try and sell shiny new stuff. That's why, personally, I do like a risk based approach. I make sure that I have my fundamentals that I need, I require, and then I deal with that, I build on that, and I don't get distracted with the shiny new thing.”

“We're not immune to the over-hype and the over marketing that we see coming out of the cyber security industry more broadly. We have our own ... innovative environment and ecosystem here, just as much as you, obviously not on the scale you see coming out of the valley or out of New York or out of the U.S. in general or out of Israel,” Fairman added. He said that there is a lot of confusion with his peers and other cyber security specialists across Australia. “I want to echo some of the comments from Tom and Andy around just basic hygiene. You mentioned it before, just basic hygiene, I don't think that can be overestimated or overstated. For me that's always been discipline that I've really pushed in my previous organizations because I do think that some of those basics, good patching, good hygiene, locking down USB ports, removing those real common attack vectors that we see, if we get that discipline right and really be rigorous around that and drive that into the operation, that's your biggest defense right there.”

“And then I think, to answer Tom's comments, you get that right and then you overlay that with very selected point pieces that you want to complement that environment, but what you don't want to do is you don't want to think you need every tool to solve every particular problem,” according to Fairman.

Rettas then posed the question: “Why aren’t people focused on the basics?” Some theories include:

  1. There is a big need for security leadership and because some people don’t have the experience and training, they rely on vendors too heavily.
  2. People inherit a program that might have vendors already in there that they’re stuck with. Then, they try and piecemeal things together instead of just holistically ripping it apart or starting again.
  3. Some don’t realize what’s really an important tool on the roadmap and so they’ll settle on something and evaluate it later. Sometimes it’s not the tool they really want.
  4. While a CISO may recognize the value of good hygiene, the line of business may not have it as part of their DNA.

It comes back to being about people, process, technology and culture awareness, said Bonillo.

Update On The Five Eye Alliance

FireEye CEO Kevin Mandia told CyberScoop last year that his company particularly gives the U.S. and its five allies a heads-up about intelligence reports that it plans to publish. Some cyber security professionals took issue with that, saying, ‘hey, look, we don't like that whole method that you're using with the Five Eye's, we're basically arguing for a country agnostic approach to disclosing hacking threats.’ When asked to weigh in on the issue, Yoran basically said that a decision to go public with cyber threats is not always cut and dry. Internet users around the world deserve to be protected, he said, but not all threats are created equal and not all threats warrant disclosure.

Pageler said that he doesn’t think “we're obligated to tell everybody, but I do think exactly on the case by case.”

Bonillo added, “I mean, it really is all about trust, and I think the line of trust will start to become blurred on a government level as nation states are embedding their operatives more deeply into the boards of companies, or leadership of companies that they want to have more control or visibility into, right? So I think we're going to have to take a hard look at who are we sharing with and why?” He added that from a tactical level, trust is a big component.

The panel discussed how the Five Eye Alliance was stood up as a government coalition for war time, so we have to be very thoughtful about what we’re sharing. Unfortunately, in the U.S., the battlefield is not owned by the government; it's the infrastructure that exists around the world, and we've got to be very mindful of who we're sharing it with and why.

Taking Election Security Seriously

Rettas then switched gears to address election security because “it's imperative that we get it right, and it's imperative that we bring as much attention to it as we possibly can.” So he posed the question to Fairman, “in your opinion, how seriously are people taking election security in Australia and do you feel comfortable that the proper security is in place?”

“I think the Australian Government is taking it extremely seriously.” Fairman explained that he was actually in Canberra less than two weeks ago, and “we were talking about matters of national security and the recent report around the breach or the compromise of the three major political parties in Australia came up in discussion, so it is an issue that is taken extremely seriously.” He said that the Australian government is making more moves to ensure that the right measures are taken to protect the sanctity and the integrity of the Australian voting system. “You know, we are coming up to a new government federal election where we will be voting for a new power government at the federal level and therefore a new prime minister, and that is only months away. So clearly a lot of focus on that within the government at the moment,” Fairman said.

With the breach that was recently announced back in February, there still hasn’t been any clear indicator as to who the perpetrator was. However, there has been speculation through non-verified sources that it was China.

Fairman explained that the biggest threat here is not just that: “I think the biggest threat is really what we saw back in 2016 with regards to fake news and misinformation, right? The Australian government had launched an information warfare capability in the Australian defense force, which is specific and focused on disrupting and taking down misinformation and fake news or looking to identify where campaigners are trying to address it and skew and influence specific elements of society.”

So there is activity on that, and countermeasures are being taken for that within the Australian government. And while the Australian people are aware of it, they may not necessarily think of it as seriously as the government or security professionals, but there is definitely awareness there within Australia, according to Fairman.

Pageler added, “I think any threat to elections is a threat to Democracy, so it's something that all of our governments need to really take seriously and put measures in place.”

The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.
