At the RSA Conference in San Francisco, on February 15, 2017, an expert panel of senior executives discussed strategies and practical approaches to maximizing cyber testing programs and getting away from “hamster wheel” status quo practices.
The panel:
- Wendy Frank, Principal, PwC, Moderator
- Diana Kelley, Global Executive Security Advisor, IBM Corporation
- Lisa Lee, IT Examiner, Office of the Comptroller of the Currency
- Latha Maripuri, SVP and Global CISO, News Corp
Frank: What trends do you see happening in security testing?
Maripuri: There is an interesting shift going on. Traditional testing like vulnerability management and pen testing is getting commoditized by many tools and service providers, who focus on finding breaches. The dialogue is shifting to detect and respond. Have we realigned testing programs accordingly? Are we testing our people? Our processes? Do you get a false sense of security from testing and finding problems, when things often don’t get fixed? Are you tracking what does? If it’s too expensive to fix, what happens to those results? Traditional testing methods also don’t translate well to the cloud.
Lee: Do you understand the threat against your organization? What’s driving you to do the test? Weigh the level of effort against the impact.
Kelley: Understand the tools to get the needed value out of them. Don’t put too much power into those tests. If you get a stack of problems, how are you going to prioritize and apply fixes?
Lee: Other value can come out of testing, like red teaming. It’s a good way to train your incident response team.
Maripuri: Phishing is an easy email to send to your employees, but there’s huge value in raising awareness. Bug bounty programs take a bit more effort, but crowdsourcing can help you get to the next level.
Kelley: Focus on the impact to the executives. A phishing test is something a CEO will see. It provides “high visual yield”. It will help executives understand what your program is doing and see the success.
Frank: What about the maturity model of testing?
Kelley: First, understand your organization’s maturity and readiness, deploy in a useful manner and get some success, then expand. Don’t try to go to Level 6 maturity right away. Start small, with a small group. Find a high visibility app to get some success and confidence. See the blemishes early and fix them.
Lee: Doing the same thing more often doesn’t really increase value. Rethink the scope and frequency that might just be assumed to add value.
Maripuri: It’s not natural for developers to think about maturity models, but it’s very important. Looking at where you are and where you want to get to can be very helpful. We’ve started aligning our testing to our incident management process. Scanning our servers is good, but we found most errors were coming from the employee base. How do we automate and integrate more? Make testing part of the fabric of how you do services.
Frank: How do you get off the hamster wheel?
Lee: It’s not just the cost of the test itself, it’s also the time it’s going to take to remediate the issues that come out of the test. Factor in time and cost. On the benefit side, factor in potential training opportunities that can come out of it.
Kelley: Plan for the results – do you have an implementation strategy? Hackers will go through layers – voice, websites, mobile. We tend to test in silos – but how do these intersect? Prioritize based on where the real holes are. Develop an orbital threat model that goes around your company and all those channels.
Lee: Are 25% of employees giving up credentials to social engineering? In a flat network that’s not segmented, that’s a big problem! Explain what could happen to executives. Quantify the monetary risk.
Maripuri: I asked many CISOs what testing they’re doing. The unanimous answer: 1) table top exercises and 2) testing detection capabilities.
Frank: Closing Thoughts?
Lee: Mobile devices, IoT, threats to executives like data leakage from phones, cars, hotel rooms – these are interesting emerging threats. What are the potential vectors to your organization and how do you test against them?
Maripuri: Think through coverage of your testing. Do you have 500 web apps and you’re testing all of them, or only 50? When reporting, be very clear about your scope and coverage.
Kelley: Look at multiple channels and attack layers. You start to see where systems are breaking down so you know where to focus your defenses. Don’t do this work in a vacuum! Find a way that your Board and executives see the value. You don’t only want the attention from Leadership when there’s a breach.