Security officers who view threat intelligence and risk management as the cornerstone of their security programs may have advantages over peers who face constraints when it comes to taking advantage of the available data.
CISOs are generally tasked with evaluating security controls and assessing their adequacy relative to potential threats to the organization and its business objectives. Their role in cybersecurity risk management -- the conscious decisions about what the organization is going to do, and what it is not going to do, to protect assets beyond compliance -- is still hotly debated.
The transition towards risk management is more likely for the 42% of enterprises whose security officers report to executives (the board of directors or chief risk officers) outside of the IT organization, according to Gartner. The firm's analysts advise security officers to achieve compliance as a result of a risk-based strategy, but admit that "organizations have not kept pace."
Equinix started to build a customized threat intelligence program about five years ago. The International Business Exchange data center provider uses threat intelligence along with risk assessment to do its "homework" before the company invests its resources in information security or agrees to IT requests from departments with different priorities.
"It doesn't make sense to go and buy a piece of [security] equipment because somebody in sales and marketing says, 'This is a big deal for the company,'" said George Do, global information security director of Equinix, which operates colocation centers in 15 countries. "We have to vet it, and we have to understand: Is this really a threat? What are the threat vectors?
"Sometimes, there is this black orbit, and we are just there for the ride," said Do. "I am always very conscious of that, and I want to make sure that whatever we are spending resources on is truly managing risk."
Metrics that Do reports up the chain of command, starting with the CIO, include data from the last quarter and year on the number of critical instances -- compromised data or critical servers, for example. Because Equinix employees frequently travel all over the world, security incidents, such as malware or backdoors, involving employees' mobile endpoints (laptops and mobile devices) are tracked, as well as employee acceptable-use policy violations.
In addition to capturing incident data, the security team tracks metrics around any attempted cyberattacks against the organization, especially around the perimeter from firewalls, VPN servers and mobile device gateways. "We have a Palo Alto firewall where I can see that [data] very clearly," said Do. "I can present a very simple dashboard to any executive that shows: Hey, at any given second of the day we are being attacked by literally thousands of threats and the firewall is doing its job, so it's not like we invested in this for nothing."
While threat intelligence is the foundational piece of risk assessment at Equinix, the use of intelligence data in the security industry is often ad hoc. "It has either plateaued or actually decreased," said Do.
"There are always two sides of the spectrum," he continued. "The companies that are very good at doing SIEM [security information and event management] and all of these intelligence pieces, so that the more intelligence or data points that they've added to their infrastructure, the smarter they become."
But the majority of the security teams don't do that. "They are either mired in compliance checkboxes or chasing down shadow IT services. Or there are so many things going on in their universe that there are no resources, or time, left to focus on threat intelligence."