Jon's Network

Network Security News, Analysis and Ephemera

Assess First, Technology Second – Jon’s Network Podcast 3

May 29th, 2007 · No Comments

For Jon’s Network Podcast Number 3, I spoke with Chris Nickerson, Director of Security Services for Alternative Technology, an Arrow Company. He knows the security industry well, having held high-level positions at Shook, Hardy and Bacon, Sprint and KPMG. He discusses the balance between check-box compliance and intelligent risk mitigation, as well as the need to thoroughly assess your posture before you throw technology at any problem. This podcast was sponsored by Secure Content Solutions.

You can read the transcript after the break.

Jon: What’s the general situation companies find themselves in today regarding security? What common problems do you see?

Chris: You know, I think the most common problem that everybody can see right now in the industry is that attacks, losses, viruses, hackers, all of these different security concepts are everywhere. Every time I pick up the newspaper, every time I look on the internet, every time I take a look at any of the websites that are out there, it’s constantly in our face, that these things are growing at an out-of-control rate and don’t have a sign of stopping anytime soon.

Jon: And they’re all targeted attacks and we’re experiencing instantaneous financial loss more and more. What’s this say about the security industry?

Chris: Over the last 5 years or so you’ve started to see this positioning of attacks, going away from the general kind of trojans, and these mass viruses that are out there self-propagating just to kind of put a check in the box and make a few more that are kind of compromised hosts. You’re starting to see people go toward having more networks, distributed hosts, they’re selling out these hosts networks so they can attack large companies. They’re very very specific and sort of focused attacks. Some of these focused attacks are causing massive amounts of loss. When you look at a quick example that everyone’s seen in the news recently, you can see that 45 million users were compromised from the recent TJ Maxx incident. The expected loss from this type of incident, in not only corporate hours and cycles spent but physical loss to the company, is supposed to be around four billion dollars.

Jon: Four billion dollars. That’s an expensive broken window. That’s a lot of products and services they could have produced for the economy that are gone. We’ll never have them again.

Chris: I completely agree.

Jon: If that’s the situation, what are we doing wrong? I mean, didn’t they have a defense in place, didn’t they have a firewall? Didn’t they have IDS? What’s the problem?

Chris: That’s a great question, it’s something that I’ve been really struggling with throughout my career, because I’ve seen the instantiation and inception of all these wonderful pieces of technology. You’ve seen host-based IDS evolve, firewalls evolve; you’ve seen VPNs evolve; you’ve seen the security market grow into what, if I remember right, last year was around a 67 billion dollar industry and growing sharply, but what you’re not seeing is people customizing the approach of how to implement these good technologies that we’re building. If you want to take a look, from the research that I’ve found in the article that I’ve been reading especially about that TJ Maxx incident, what you’ll find is that they have a wonderful security department that’s actually very very well defended in many different layers. But what you’re not seeing is that custom tailored approach that we need.

The reason they got attacked was because there was a wireless access point that was set up insecurely. Those types of things are not controlled by technology, they’re a personal process, they have to do with a kind of philosophy of an organization, and how that organization operates. The major issue is we need to start shifting more to a secure philosophy, and a secure business practice model, instead of throwing money and products at the problem.

Jon: Right, no vendor is going to call them up and say they have a product that will automatically configure all their wireless access points in a secure manner. We’re at a point where we have all this technology that can keep us secure but we’re not using it right. So what do you suggest? A team like Alternative Technology and Secure Content Solutions can consult and assess so businesses know what they need to buy, how much they need to spend, what they need to change in their awareness process so they actually defend themselves without breaking the bank, without mindlessly spending money. Is that how you describe your approach?

Chris: You know, what we try to do especially is position ourselves on both sides of that fence. We have a large service organization whose charter is to specifically go out and make kind of those custom tailored security solutions for people. On the other side of the company, we take a look at the type of product and technologies that are there to fix those holes. To give you the basic example that I always talk to people about: there are a lot of companies out there that have an amazing brand name that make extremely expensive shirts. You can put one of those shirts on and look like you’re wearing a very expensive shirt, but the shirt might not fit you because it isn’t the right size. What we try and do is go with a more custom tailored approach to security. It may be a shirt that is less expensive, but you’re going to get twice the mileage out of it because it’s custom tailored to fit you specifically. What we try and do in these types of assessments is to look at the problems not just from a technological perspective, but we really want to get an understanding of that philosophy of the company. We want to see how their policies and procedures are written. We want to see the processes that are implemented. We want to be able to take a tone on how that organization runs from a technical perspective and then sort of blend all that together to get an idea of where you are at today with security. The second piece of what we’re going to look at is to ask: what are we securing? Often what you’ll see are people going through all these security assessments and being told to do 500 specific different things. The company will look at that and it’s so overwhelming to look at that it almost gets ignored because it’s too much to do. So what we want to do is pound out what their critical assets are and protect those first. Then, as we move away from the critical assets, we’re going to add that to our timeline and say: look, we can protect those things that aren’t as critical to the business and organization and protection of our customers a little later in our timeline. After that we’ll just go in and we’ll pull in the process solution sets that make it the most effective for protection there.

Jon: Alright, well technology comes second, and if I understand right, from your point of view, the security companies, one of those big box security companies that goes in and gives you a docket full of paper work with a bunch of check boxes that you need to fill out – that’s mindless because there is no priority set on any of those and they’re not going to take the time to do that for you. So what the company needs is actually a look at their processes and assign priorities and make decisions from a business perspective. The way I see it is they have business processes and they are trying to fine tune those to make more money to be more efficient. What they need to do is weave in security so that security has less of an overhead. It’s part of the same process, part of the same DNA throughout their business process and not something they bolt on after the fact to check a box off. Is that a good way to frame it?

Chris: Yeah, because after all if you’re not speaking their language, they’re not going to hear you. When we look at these types of things, I can give you a very specific example much to your talk of big box vs. the custom shops of security. I’ve seen a number of risk assessments that I’ve come in to be doing a second or tertiary assessment, and seeing people make suggestions of putting giant amounts of security around particular machines that a vulnerability scan found to be very vulnerable. So you’ll look at these security environments and see that there are hundreds of hosts and they’ll single out one host because this one host is the bright and shining star of vulnerability. There are 50-60 vulnerabilities that look like it hasn’t been patched in months and months and months and the audit firms that go and kind of do that sweeping generalization approach look at the box and say this is the most critical error of risk because our scanner has found that this will be the easiest to penetrate.

Jon: That doesn’t even make sense.

Chris: Well, what will end up happening is the company will go out and spend thousands of dollars in protecting this host, and then what I’ll see is the next time I come in they’ll say: You’ve seen everything in our environment and, by the way, look at this host, the lab partner told us to protect it so we put everything on it. We put host-based IDS, network IDS around it, we have a firewall, we hardened the box and did all that. My next best question is: well, what does the box do? They kind of look at you perplexed because they realize: Oh wow, we just spent 9,000 dollars on a box that does nothing more than control the amount of scent going in to our bathroom.

Jon: Right, so they’re not looking at the risk equation ahead of time. Now why do they forget to do that? It’s not that hard, is it?

Chris: I think that part of that is that people have started to be so concerned around compliance, and compliance is such a check box 1, check box 2, check box 3 type process that it really leaves out the protection of the business. When you look at things like GLBA, when you look at things like HIPAA, they’re talking about protecting a specific piece of data. But in my ideas of how companies grow securely, I’d rather they change to a secure philosophy and watch that grow across the entire environment than look at these one particular pieces. When we go down and we sit with them and we say what is the most important piece in your business and we do the kind of information criticality analysis, much like IAM technology is used when the Infosec methodology was created for the NSA, we want to say what means the most to you and how can we put a score on that, and once we find the things that score the highest, let’s protect those. Let’s not just look at it from the fact of who’s more vulnerable than the next, because what I may find is that I have hundreds of boxes that are vulnerable on the network and I may have one box that looks very secure, but that box that is very secure holds the keys to my kingdom, so let’s make sure we’re doing everything we can there first, and then work our way up to the outside layers.

Jon: That actually brings up a good point that I thought about from an economic point of view why regulation and compliance doesn’t work. It’s probably more costly than the problem it solves. The government cannot do that information criticality assessment for every company. Each company has different assets and each asset is worth a different amount to them in their quest for profit so the checkbox approach makes them spend all sorts of money on things that they normally wouldn’t spend their money on or need to spend their money on to profit or protect themselves. Now if they take this other approach, the wise approach of figuring out the criticality of different systems and protecting the most valuable assets that they need to leverage every day, are they still going to be compliant? Or are they going to have to spend the extra money to protect those less valuable assessments?

Chris: That’s where you’re going to get in to those approaches that I think are very effective. One of the reasons, when we do compliance assessments, we kind of blend those two ideas is we want to make sure that you are able to go through and materialize the compliance. Because frankly, you know as well as I do, that if I don’t go through a specific mechanism I could get fined a significant amount. So that’s not going to be helpful for my business either. So what we need to do is take the approach of doing the checkbox assessment, but when we’re giving you the grading let’s also have another layer on top of it, so that we say, once we’ve fleshed out the grading, at the end, let’s kind of add this cost-value piece over the top of it and use this cost-value piece to really drive out prioritization and set the nature of the business. I think that’s really when our approach gets down to that sort of human connection and it takes us away from the compliance and paper process. It really gets people into motivated thinking to make a motivating change in the environment. I’ve traditionally struggled with this very hard thing in compliance and security, that you give people this book of things to remediate and it’s so overwhelming and it’s so cumbersome that nothing gets remediated. What we’ve started to do is to use techniques like penetration testing, use techniques like live demos, use techniques like education, on site, and having some of the people who are hiring us go in there and ride side-saddle while this is going on. It really connects them to what the risk is. When I show you a red box, you think, “That’s bad”, but when I show you a red box and put an equal sign next to it and I show you your entire customer database, you are now inspired to fix that problem.

Jon: Yeah, you are just assigning a cost to the vulnerability. What’s exciting about that approach is it can actually be used to enhance the business rather than looking at it as a drag or just something you have to do. They’re going to want to do it – it’s kind of like a good insurance policy.

Contact Secure Content Solutions to learn more about their security assessment services. You can also send me an email directly. Thanks again to Chris Nickerson.

Tags: Podcast · Security
