Newly-empowered CISOs must boost security visibility or perish

With SSL, mobiles and cloud applications complicating traditional defences, shunting all traffic to the cloud has helped one CISO sleep at night

Security executives are enjoying increasing prominence amongst business leaders as growing awareness of ransomware's business risks motivates new levels of CISO empowerment, one cloud-security CISO has observed while warning that those without full visibility of their environments risk squandering the goodwill when new attacks slip by.

“Boards are holding CISOs accountable,” Michael Sutton, CISO with cloud-security vendor Zscaler, recently told CSO Australia. “That's a positive thing because the role of the CISO is getting elevated – but not every CISO will survive that transition.”

“The back-office technologist who doesn't know how to deal with the business side is never going to survive. But the person who does understand that, and can use it to his advantage – he's going to be able to use it to his advantage and get resources that he never had access to before.”

And while those resources may include business and financial support for reinvention of the business security regime, Sutton warned, deciding the next steps will be the difference between successful protection and a disastrously exposed organisation.

Getting broad visibility across information resources has become more difficult with the proliferation of endpoints and the growing use of Secure Sockets Layer (SSL) – encryption technology that is being adopted by consumer-grade cloud-storage services and ramrodded onto user devices thanks to the likes of Google, which recently began promoting a more-secure option and will soon begin marking all standard HTTP pages as 'not secure'.

Such enthusiasm for encryption is commendable, Sutton said, but it's also exposing the blind spots in conventional appliance-based security tools that have become “nothing but big paperweights” as ever-changing threats outstrip their ability to adapt. “Attackers are getting more dynamic,” Sutton explained.

“Ransomware is technically not that sophisticated,” he explained. “It often doesn't even take advantage of a vulnerability but just tricks a user into installing something. What attackers have done that is so smart is to do a really good job of morphing that malware. Every day the binary just changes and changes. And if you don't have the detective capabilities to be able to see that and mitigate it as quickly as possible, you're going to have problems.”

Even when installed, those binaries can be hard to spot with tools providing limited visibility into network traffic: a recent LightCyber report, for one, found that most malware exploration of victim networks is conducted using common, unremarkable network tools whose presence is no basis for a red flag. Similarly, with SSL used to encrypt up to 65 percent of Web traffic, according to the 2016 Dell Security Annual Threat Report, malware can easily ride legitimate communications channels to and from mobile devices and other online services.

Given that malware authors are using the same cloud-based services to build and deploy their code as enterprises are, URL-based blocking “is really adding very little value at this point”, Sutton said. Malware authors “are in the cloud, leveraging content distribution networks, and so on. And we're not blocking Amazon Web Services sites.”

As the person charged with securing a security company, Sutton has lived the dream. His CISO role is high profile, but that has required him to move proactively to deal with the new truths of malware practice – and his solution has been to “drink our own Kool-Aid” by forcing all of the company's network traffic, regardless of device, to pass through Zscaler's cloud-based security services, which can peer inside SSL sessions as well as conventional traffic.

“The average employee spends less than half his time in an office,” Sutton said. “We're very comfortable with people using personal devices, although it always worries me that there's a gap somewhere that we're not seeing. I don't care where they are on a particular day, or whether they're using a personal or corporate device; if they want to use it for business purposes it has to be going through the cloud so we always have visibility into what they're doing.”

Shunting network traffic to the cloud not only offloads the work of finding and dealing with potentially malicious attacks, but also offers scalability that many CISOs may not initially realise is necessary: adding on-premises tools to inspect SSL traffic would require a massive expansion of the security infrastructure – “2 to 3 times the number of proxies that I had before”, Sutton said.

“These things require companies to have to scale their infrastructure and many are thinking that they never wanted to own that much infrastructure. They're saying that it's time to rethink all this and use a different approach – and when they go to a cloud model, all of that becomes someone else's problem.”
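The visibility gap the article describes has two measurable parts: how much of the traffic is encrypted and passes through uninspected (the blind spot behind the 65 percent SSL figure), and how much extra inspection load is taken on once SSL inspection is switched on (the point behind the "2 to 3 times the number of proxies" remark). The script below, an added example that is not code from the article or from Zscaler, computes both from proxy or flow log lines. The log format (timestamp, source address, destination host, port, bytes, inspected yes/no), the hostnames and the byte counts are all constructed for illustration; real proxies and NetFlow exporters use their own schemas, so `parse_log` is the part to adapt.

```python
"""Measure the encrypted-traffic blind spot from proxy/flow log lines.

Added example (not from the article or from Zscaler). The log lines below
are constructed: one flow per line with the fields
    <timestamp> <src-ip> <dst-host> <dst-port> <bytes> <inspected yes|no>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log; hostnames and volumes are illustrative only.
SAMPLE_LOG = """\
2016-09-01T08:00:01Z 10.0.1.15 mail.example.com 443 120400 yes
2016-09-01T08:00:03Z 10.0.1.15 cdn.example-assets.net 443 5802200 no
2016-09-01T08:00:09Z 10.0.2.40 intranet.corp.example 80 20100 yes
2016-09-01T08:01:14Z 10.0.2.40 d1234.cloudfront.example 443 3400900 no
2016-09-01T08:02:30Z 10.0.3.7 updates.vendor.example 80 900300 yes
2016-09-01T08:03:02Z 10.0.3.7 s3.example-storage.net 443 2100000 no
2016-09-01T08:04:45Z 10.0.1.15 api.saas.example 443 450000 yes
"""


@dataclass
class Flow:
    src: str
    host: str
    port: int
    nbytes: int
    inspected: bool


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            _ts, src, host, port, nbytes, inspected = line.split()
            flows.append(Flow(src, host, int(port), int(nbytes), inspected == "yes"))
        except ValueError:
            # Wrong field count or non-numeric port/bytes: keep going.
            continue
    return flows


def blind_spot(flows, encrypted_ports=(443,)):
    """Share of bytes that are encrypted and, within that, uninspected.

    Returns a dict with the totals, the two shares (0..1) and the
    uninspected destinations ordered by volume, so the largest holes in
    visibility are listed first.
    """
    total = sum(f.nbytes for f in flows)
    encrypted = [f for f in flows if f.port in encrypted_ports]
    enc_bytes = sum(f.nbytes for f in encrypted)
    uninspected = [f for f in encrypted if not f.inspected]
    unins_bytes = sum(f.nbytes for f in uninspected)
    by_host = defaultdict(int)
    for f in uninspected:
        by_host[f.host] += f.nbytes
    return {
        "total_bytes": total,
        "encrypted_share": enc_bytes / total if total else 0.0,
        "uninspected_share": unins_bytes / total if total else 0.0,
        "top_uninspected_hosts": sorted(by_host.items(), key=lambda kv: -kv[1]),
    }


def inspection_load_multiplier(flows):
    """How many times more bytes the inspection tier must handle if every
    flow (encrypted ones included) is inspected, relative to what it
    inspects today. This is the sizing question behind adding SSL
    inspection on premises; the result depends entirely on your own mix.
    """
    inspected_now = sum(f.nbytes for f in flows if f.inspected)
    total = sum(f.nbytes for f in flows)
    return total / inspected_now if inspected_now else float("inf")


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    report = blind_spot(flows)
    print(f"encrypted share:   {report['encrypted_share']:.1%}")
    print(f"uninspected share: {report['uninspected_share']:.1%}")
    for host, nbytes in report["top_uninspected_hosts"]:
        print(f"  {host:30s} {nbytes:>10d} bytes uninspected")
    print(f"inspection load x{inspection_load_multiplier(flows):.1f} if all flows are inspected")
```

On the constructed sample, roughly 93 percent of bytes are encrypted and 88 percent pass uninspected, and inspecting everything would multiply the inspected volume by about 8.6; the numbers themselves are artefacts of the sample, the point is that the same two figures from your own logs tell you both where the blind spot is and what switching inspection on would cost.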

By David Braue