This week the stylish venue of Ham Yard Hotel, London played host to the summer edition of the OASIS event, bringing together industry specialists to discuss and share their thoughts on some of the main talking points across the cybersecurity sector at the moment.
Kicking off the presentations was Mark Nicholls, principal security consultant at cybersecurity firm Context, whose services include penetration testing and assurance, incident response and investigations, and technical security research.
Nicholls talked about the pitfalls of Red Team testing, outlining the benefits of conducting such tests and how a SOC team can best apply them.
“Red Team testing can mean different things to different people,” he explained, “but ultimately we’re talking about testing the whole business and processes; quite a wide test in terms of attacking the processes, systems and people of an organization. This allows us to triage issues in terms of seriousness and fix them accordingly.”
Often a Red Team will turn up issues that are not always technical, for example the fact that a company isn’t training people to identify phishing emails, added Nicholls.
“Our Red Team approach in terms of testing is depth versus breadth; we look to target people and processes as well as technology. We assess the capability of an organization to identify the test when it happens and, from an attack perspective, see how they react in that incidence.”
Speaking next was Chris Strand, senior director of compliance and governance programs at Carbon Black. Strand’s presentation explored how companies can create a realistic ‘Cybersecurity Scorecard’ to aid them in measuring and reporting their security posture in the face of ever-changing regulatory pressure, a topic that is incredibly timely given that the GDPR is now confirmed to be coming into effect in 2018.
“No matter who you are in the organization, whether you’re a board member, a CISO, an analyst, you all have regulations that affect you,” he said. “Every time there’s a security incident there’s a new regulation to back that up; there’s a new data security policy or some kind of industry vertical regulation introduced or made stricter that we then have to answer to.”
There’s a constant shifting of the sands when it comes to policies and data security standards, continued Strand, and no matter where we work in the industry, there are always going to be regulations that will be challenging us.
So, what do organizations need to do to ensure they are on top of this? According to Strand, the answer lies with adopting cybersecurity or IT scorecarding, with the aim of making sense of your information and presenting it in an understandable, structured way.
“At the end of the day scorecarding is about reducing liability and providing security assurance, not insurance. Insurance is reactive; assurance is proactive and that’s what we want to aim towards,” he added, outlining the following nine steps as common components of a solid risk scorecard.
1. Business Objectives/Risks
2. Security Objectives/Risks
3. Understand Stakeholders
4. RACI
5. Identify Sponsors and Resources
6. Apply a Framework
7. Enforce Framework via Policy
8. Collect Data based on Policy
9. Report Critical Security Controls
Lastly, we heard from Adam Bridge, a senior intrusion analyst at Context. Bridge shared his insight on the main ways that companies are being compromised and discussed the importance of securing the endpoint, something that organizations still appear to be failing to do.
Most commonly, he explained, companies find out they have been breached via third-party notification and not internal intelligence, with the notification often coming from sources such as official bodies, independent researchers, banks or the dreaded ransomware message.
What’s more, breaches are occurring as a result of time-tested methods, with phishing emails still the most successful technique adopted by hackers, followed by other methods such as drive-by downloads and malvertising.
“We are seeing the defenders do a better job,” added Bridge, “and things are getting better, but they are still pretty bad. The biggest thing that organizations fail to do time and time again is secure the endpoint. They have all sorts of network perimeter defenses, which all do an excellent job at what they do, but they all seem to forget about securing the endpoint.”
Failing to secure the endpoint leaves companies relying solely on traditional approaches like firewalls and anti-virus, which alone are less effective and far slower, Bridge said.
“Endpoint protection has an obvious and important place; if you do not have it in your organization, your organization is lacking something critical. It complements other technologies, it doesn’t replace them.”