
What can we CISOs and CIOs do to better protect our organizations from security threats?

Anonymous Author
I think that there are a number of things that they can do. The best is to do what I call a control design review. Is it manual? Is it scalable? Is it actually getting the business results and outcome that you anticipated? If it's not, redesign the control, or get rid of it and stop wasting time and money. A lot of organizations have DLP. When asked why they deploy it, they say it is to prevent the exfiltration of data. Come to think of it, who would be the people moving the data to where it shouldn't be? The external person got through your firewall, your network intrusion detection and prevention system, the alerting mechanisms, and onto your hosts, the HIDS, the HIPS. You want to tell me they can't get past a signature-based DLP because they've found the crown jewel that's labeled ‘top secret’? Do you think they're going to be stupid enough to try and move it in the same package and the same form that's going to hit the trigger? If I'm looking at stealing intellectual property, dropping a logic bomb or trying to steal personal health records in a healthcare organization, well, I've already been granted access, so I'm an authorized user. Because I have been trained on the sensitivity of the data, I pretty likely know the DLP signatures too. So, unless I was being really stupid to steal stuff, I would get caught. DLP for the insider risk only really mitigates a non-malicious actor from handling the data improperly, which is a pretty good thing to do, but it's not enough. And you spend all this money to deploy all the stuff, and it really doesn't manage any of the risk that you want it to. Going back to my execution of malicious code, if I was a malicious insider, and I wanted almost 100% certainty I'd get away with it, what would I do? I'd hire a Crimeware-as-a-Service for a couple hundred bucks, get myself phished, have the data taken out, and have complete plausible deniability that I didn't do a damn thing. You're not mitigating your risk. You're mitigating a compliance risk, but why deploy it everywhere, then? If you have to do it for compliance purposes, go put it on the nurse's station, in front of the data stores where that healthcare information is. Take it off of 75% of the rest of the company. And stop wasting your time and money. That's the type of review that I would do on a control-by-control basis, to really see if it's delivering the business outcome.
1 upvotes
Anonymous Author
Very simple, but it needs expertise. Perform a data categorization and assign data ownership. Critical data (PII, HR, financial, etc.) should be stored on a very secure system; put these systems behind a separate firewall (enclave), with access via two-factor authentication, IP restriction, and monitoring.
0 upvotes
Anonymous Author
Perform threat modelling, map against a maturity model such as NIST or BSIMM, identify the gaps, and develop a multi-year security improvement program prioritised based on risk appetite and targeted maturity.
0 upvotes