Scott McIntyre spent over a decade as the chief security officer for the oldest ISP and telco in the Netherlands. Now he’s the chief security specialist for Telstra. His career has spanned Internet/IT security for nearly 30 years. He believes the Internet can be reclaimed by those who want to do good, and shouldn't fall prey to the creepy behaviour our headlines are being filled with.
McIntyre posits that incident responders know that large amounts of technical data are needed for investigating computer security and privacy incidents, but the aggregation of data creates significant risks for most organisations. With many breaches being related to poor information security controls around big data, there’s a balancing act between minimising risks and using technology to help us prevent, detect and respond to incidents.
McIntyre’s role at Telstra means that he is often asked to provide a “security sign off” when a new application or service is about to be launched.
“I explain this to them. It’s more of a conversation. We will find out about risks and learn about controls. We will compensate for them. There will be technologies, policies… this is all really important for your project to be able to conform,” he said.
The trouble with this, according to McIntyre, is that it’s often the day before going live that his team is brought into the discussion. And the discussion usually starts with threats: thinking about potential attack vectors and putting in place steps to prevent or block them. During his presentation at AusCERT 2014, McIntyre said the conversation then sways from this position to one where the business starts to think about the consequences of a breach.
According to the Ponemon May 2014 report, the cost of data breaches increased by 15 per cent over the previous year. The average cost of a breach has now been pegged at US$3.5 million.
McIntyre noted that businesses don't want to learn about potential vulnerabilities via Google News alerts. “The majority of data breaches are found by external notifications."
Systems may be designed with their data held in another hemisphere, or may require hundreds of gigabytes of data to be moved in order to protect valuable assets, but this complicates threat response if a problem is detected. Very few businesses consider how to extract their own data in the event of a problem with a SaaS provider. Rapid access to data from those systems is key to analysing threats so that an appropriate response can be initiated.
It’s also important that information is presented to stakeholders quickly. This is where latency is critical as data may not be onshore.
“Time is the one commodity that executive directors have zero of, and they certainly would not consider calls at two o’clock in the morning where the answer is ‘it’s on its way’ to be what they want to hear,” he said. Part of that management response needs to be what McIntyre called “management porn”: visualisation of the data to help management understand, and have confidence, that you know what you’re doing.
Although there are some well established threat response frameworks companies can follow, McIntyre noted that "lots of the response process is out of our control”.
A critical place to start, in order to have better threat management and resolution, is to actually know what data you have and where it is. This is one area where McIntyre sees Australian businesses languishing: too little attention is paid to which legal jurisdictions data is stored in.
With the number of threat actors and vectors continuing to rise and the cost of breaches increasing, it’s important that businesses ensure that, at the conclusion of every incident response, time is taken to evaluate what has happened.
"You must learn from any type of data breach or incident."