Attack Surface Analysis - Response to the Information Security Management
James Norberg, Security Director, Express Scripts
Back in the days when everything was on-premises, understanding the attack surface wasn't as big of a deal. The inability to thoroughly understand the attack surface at all times is one of the major challenges as we move towards the cloud, because the attack surface is going to be incredibly dynamic: several different surfaces are being created across several cloud environments at any time in terms of containers. Any piece of code or app could run in diverse clouds every other day, which creates issues in trying to understand what the total attack surface would be. The idea of the Digital Forensics and Incident Response (DFIR) Hierarchy of Needs, shaped like a pyramid, has been around for a while. Knowing the pyramid means having a clear picture of the inventory and each component of it, which helps in understanding the attack surface. With a highly dynamic attack surface, these two layers become extremely challenging.
Also, ensuring that developers are abiding by the rules, following our logging and coding standards, and subscribing to logging APIs is another major challenge. Our goal is to move it back left in terms of SSDLC, to get all of this built in upfront so that we know our attack surface, hit the right telemetry at the right time, and continue to walk up that DFIR hierarchy.
Additionally, telemetry data is becoming extremely expensive; generally, there is a different type of cost model associated with it. We want to have good logs, such as OS logs, database logs, and app server logs, from all of our systems, whether they are in the cloud or on-premises. But all of these different pieces of telemetry generate a lot of noise, and that noise comes in the form of additional bandwidth, digital storage, additional log processing, SIEM licenses, and so on, which becomes a significant investment. So taking that investment and making it more than it was meant to be is also a challenge that we are facing.
“As it stands, IoT for consumer and personal use ransomware isn’t making the headlines. This is understandable, as most IoT devices don’t typically store valuable data; it’s unlikely anyone would bother to pay the ransom.” What is your take on this statement?
When I think about IoT devices, I consider types of equipment such as home appliances, webcams, and things that are very much focused on the consumer marketplace rather than the business marketplace. If I had to look at the consumer lines in relation to IoT, then certainly it is being leveraged. But a new way of crypto mining using IoT is being used by bad actors. Talking about paying ransoms for consumer-use IoT devices, I don't see scope for it, because these types of devices are for consumer use and don't store any valuable data, unless it's a highly sophisticated threat actor who is targeting a business and not some generic malware, because there is no monetary gain. If a ransom is demanded on some consumer-grade IoT device, all they need to do is start again without paying the ransom.
In the context of the challenges you've mentioned, what are the major tasks for security managers at this point?
As the Director of the security operations center, there are a few things that our team is concerned about when it comes to ensuring that we are getting the value-add for our investments. Similar to a lot of companies, we are also going through the transformation. Our wing has been in operations for the last two to three years. We make sure to carry out our security operations center and all other operations in an agile methodology, so that if new assets come in the door, they do not cause a roadblock for us. Accordingly, we are working faster so that we can adapt quickly to changes in the market.
Another task revolves around maximizing the investment fund for all of the telemetry spend, while at the same time ensuring that the security operations center, network operations center, command center, and all of the different centers are synchronized. We focus on making our monitoring capability the differentiator for us, so that our logging patterns and our security, reliability, user experience, privacy operations, and fraud model data are structured and upstreamed by developers. This is done in a way that, when it comes into our data stores for analysis, we can create models for all these different groups.
Lastly, if you are not a CISO thinking about talent, then you should be. There are certainly not enough people who can guarantee a robust program and development plan, which is undeniably an important task to be done. They also have to be creative in their training programs, web programs, and building college partnerships to bring in better talent.
What is your advice for budding technologists in the Information security space?
Everything that we do now is going to be based on data science, as it's going to be the new language. So through the threat hunting program with the IR people, we are trying to find that needle in a haystack. This comes down to writing alert concepts based on telemetry, which is in turn based on data science. I believe this is going to be one of the biggest things they have got to do in the future. So my piece of advice would be that organizations have to ensure that they bring the component of data science into their training programs.