There was a story late last year on Open Source SOC, I’m curious how this has progressed and also what level of interest is there in the marketplace for such an approach? (For instance - how many external 3rd party organisations have contacted you to learn more??)
The Open source SOC project has been a great experience from its earliest beginnings. Starting out on a whiteboard to a fully-fledged solution, with 7x24 SOC monitoring, SIEM correlation and alerting. Whilst the open source path had its challenges I was in need of a cost effective solution and I was just not able to pay the large licensing fees that mainstream vendors were demanding. By having it designed and developed exactly the way BlueScope required, I could then get the full security picture across a large complex organisation that I possibly wouldn’t have had with an out of the box commercial solution.
Working closely with Kustodian was the key to its success. We were able to collaborate on design and features to get this solution right. We have incorporated Open Source Threat Intelligence IDS/IPS sensors, integration into the McAfee ePO environment and log feeds from our key systems and infrastructure. Also we included SCADA monitoring and alerting to exactly what we needed to know. In the truest sense of the Open Source community, Kustodian hold the same ethos as I do around Open Source and are rolling out a SIEM offering, called SIEMonster. It will be totally free to the public. The solution is completely scalable, documented and easy to use.
Since the article came out in CSO there has been a lot of interest. I have been approached by quite a few organisations from around the globe, enquiring about the process, the effectiveness of the solution and the benefits and challenges.
What have you found to be the largest challenge and adjustment in moving to being a CISO, from being a senior manager?
An interesting question as I still hold Group IS responsibilities for policies, governance and shared capabilities, but more and more I am finding the demands of the cyber security side growing. The implementation of the SOC and SIEM reporting tools have allowed us to focus on the areas of concern that have been highlighted.
One interesting observation I have made is a constant tension with IT wanting to implement new functionality and capability without consideration to the security implications. Ensuring that a Security Assessment is included in new developments does call for a change in the culture and collaboration between IT and Security.
In my view, Security needs to be in Strategy or Risk Governance, because, I believe, Security will be better placed to ensure that the strategic assets are protected to the level of risk the organisation is willing to accept. I also believe that too many decisions are made in IT that the broader business doesn’t really understand; for example, cloud services. Too many of these decisions are made on short term benefits without a longer term strategic overlay of where the business is trying to go.
David, I note the recent press stories around an ex-staff member who is alleged to be a rogue insider. Many enterprises would not have good crisis management processes to handle such an incident. What have been your own personal lessons on this?
There are always lessons learned and different approaches that may have been deployed. The key take-away is that regardless of what technical controls you may have in place, what policy standards and guidelines you may have, the reality is we are dealing with human beings and some people may choose to do the wrong thing. It is difficult to protect against such events. What it does do is once again highlight the need for companies to identify their critical assets and information and then protect them to the extent of risk and cost that is acceptable.
What makes a ‘CISO’ great? What attributes do you really admire??
I think there are a few differences between being a good CISO and a “great” CISO.
- Don’t just follow the pack that will just make you a CISO
- Excellent communications skills at all levels of the organisation, being able to distil complex threats and issues into understandable concepts that resonate with business people.
- Understanding the business and its strategy, making sure the critical assets are the focus.
- Having a strong intuition on threat actors both inside and outside of the organisation is critical to focus in on what counts.
- Building relationships with hand-picked vendors based on experience and not sales pitches. Great CISOs know where to get the best support.
- Out-of-the box thinking, honesty and proven results and a “can-do” attitude.
We are seeing more and more organisations move into the cloud, what’s your view on managing these threats?
It is an area of continuing debate. From my experience and discussions with some of my key vendors and industry respected security professionals, understanding how cloud providers work is key.
I don’t advocate cloud as the strongest security base for a company's critical assets. I have seen on multiple occasions where a hacker has compromised one company, gained access to the Hypervisor of that cloud provider and moved to another pod of other company’s critical data. It really comes down to your needs and if the risk-reward question is suitably examined and challenged. So, before moving your data assets into a cloud, you need to conduct your risk assessment first hand. You also need to think about your company strategies. Many cloud providers tout cost and flexibility but fail to point out the potential “lock-in”.
Another aspect is the question around who really does have access to your data? Large cloud providers can sometimes outsource patching, firmware upgrades and other maintenance tasks to third party companies who may use overseas support. We not only have to adhere to Australia’s Privacy Act but also to America, Asia and NZ. As more and more companies move to the cloud, I strongly recommend that you know exactly where your data is, who looks after your data and any back-to-back outsourcing contracts your cloud provider has or seek assurance that vital maintenance is not done by unknown parties.
I believe there is still quite a lot of maturity that needs to happen in this space as well as greater transparency. For example, people buying PCI DSS compliant cloud solutions still might not be compliant. Often, the expectation is that because I am paying for a PCI DSS solution then automatically I must be compliant; this is not necessarily the case. There is often misunderstanding of where roles and responsibilities start and end in some of these agreements. I believe there needs to be standard frameworks like ISO 27001 for Cloud.
What’s your view on the gap that Boards have around Cyber Security. Are there specific areas that they need to focus on?
On the question of boards, one of the key challenges is making sure that the risks posed by cyber attacks are well enough understood and there is a reasonable and fair understanding. Given this is such a new and evolving area, generally speaking I feel that there is a gap. I believe the Board should be asking management: “Do we know what we need to protect?” “Why do we need to protect it?” and “Are we investing enough to achieve that outcome?” 2015 certainly brought cyber security into the spot light of risk management with a number of very public and costly breaches, that have had direct impact on Senior Executives and Board members, I think that has been an “ah-hah” moment for many, but I fear there are some who still think it will never happen to us.
I’m interested to understand your view on Cyber Security Insurance. Is it critical or is this just a crutch?
Cyber Insurance is still in its infancy and will continue to evolve.
As it stands now, unless the company has a well thought out policy, they will find that unless they are specific in the policy, they may not be covered in a manner that they believe, and thus unknowingly expose the company to unacceptable risk position. So I think some companies may tend to use it as somewhat of a crutch because they can’t or won’t try to deal with their cyber risk profile.
A case in point is an incident that happened to BitPay last year. BitPay bought a policy to cover hacking incidents.The security breach was a social engineering incident and cyber policy in general does not cover social engineering attacks.
The Lesson learned: Buyers of cyber policies need to address the question of how their specific coverage will treat social engineering. Spear-phishing is as much a threat as direct computer hacking and that risk needs to be addressed. Holders of cyber policies need to investigate social engineering coverage gaps well in advance of any potential claims.
Are you tracking any new cyber security startups?
Yes, there are a few that I am tracking.
Whilst not exactly a start-up, Kustodian have been innovative in the development of the SOC/SIEM open source tools, which I mentioned earlier, they will be offering to the community.
I am also very interested in the likes of Elastica and Skyfence who see the need to give visibility to what cloud services a company is consuming and how secure these cloud services are. I think this is an exciting trend especially as companies find a lot of unauthorised shadow services being consumed.
Services and solutions like Forter, who provide a very cleaver fraud analysis and detection will come into demand as more transactions are carried out online and the bad guys get more sophisticated. The idea of “Decision as a Service” is an interesting one.
When you are hiring new staff, are there any qualifications that you believe are important to look for?
For me, at a minimum candidates need to demonstrate a passion for technology and an understanding of how it works. A curious mind and a willingness to try things is important. A CISSP is good as is a CEH or the likes of Offensive Security certification, (I am a BIG Kali fan by the way). It really depends on the role, but regardless there has to be passion and curiosity.
You have been granted an audience with the Board Risk Committee what’s the one thing that you always want them to have as a takeaway?
One of the key takeaways would have to be around the quality of the data they are getting from the business. Often risks can be represented in ways that do not accurately reflect the impact.
Cyber security is not as concrete as physical asset risks and often causes businesses to understate a potential outcome. Using FAIR (Factor Analysis in Information Risks) methodologies can help, but perhaps an independent analysis on an annual basis would go a long way to providing better information on the real risk profile. It must always come down to knowing what it is you need to protect, its value to the organisation and are we doing enough to achieve the risk level that is acceptable to the business!