The pace of change for the security threat landscape is accelerating. To cope with the change and ensure success against adversaries, Xerox Chief Information Security Officer (CISO) Dr. Alissa Johnson believes the security community needs to rethink the way it anticipates and responds to threats. It also needs to be more open and effective in the way it shares information.
Johnson’s background has given her a unique perspective on the security landscape from the perspective of both private industry and the public sector. An NSA-certified cryptologic engineer, she spent three years with the Obama administration as deputy CIO where she was responsible for White House technology and some of the technology at Camp David and in Air Force One. Johnson has also worked at Lockheed Martin as a deputy CTO and at Northrop Grumman as a senior network security engineer.
CSO had the opportunity to speak with Johnson recently about her views on how companies should prepare for future threats. We also spoke about how Xerox, which sells web-connected document imaging devices, deals with security issues around the Internet of Things (IoT).
CSO: How do you see the security threat landscape changing?
Alissa Johnson: Just as technology changes, security's going to change as well. You're moving into more digitization. Your IT strategy is not really your IT strategy anymore. It's a data strategy. It's a digital strategy. It has to be all‑encompassing and cohesive across all of the different layers. When you think about how that is changing and then you think about the security controls and the impacts of that change on security, I think about the cognitive approach.
CSO: What do you mean by the cognitive approach?
Johnson: It really digs into artificial intelligence (AI) and machine learning and the thought that that is where technology is going. We have Siri. We have the Google Voice application. You've got Alexa as well that interacts with the cloud. When you think about that, we don't have that same thing from a security perspective. Not just talking about the security controls around that type of functionality, I'm talking about that function being a security function as well.
As we move to AI, then we also have to move into AI in a security space, thinking about the talent shortage, thinking about the fact that we're not going to close this talent gap. How do we close the talent gap? How do we get around it? By allowing AI, allowing robots and smart learning and things like that to play a role in this. We need to challenge our vendors and say, “You've got great platforms that perform analytics for me, but now I need these great platforms to not just perform the analytics, but to actually do something.”
That's where it stops. It stops at analytics, and then it expects you've got a team of people that will actually do [something with the data]. It would be great if, as the smart security people that we are, we could say these are the list of security things that I am comfortable with a machine doing for me. It may be setting some policies or turning off firewall ports or turning off ports on systems that haven't been used in the past two months.
If we get to that basic understanding, that, to me, is progression in that [the system] will not wait for me to say, “Let me set a policy.” I may get an email or I may get some alert saying, "Hey, nothing has been sent on this port in the past two months. I'm shutting it off. Letting you know I shut it off." To me that is evolution. That is cognitive security.
Now, [the software] is learning about my system, learning about my infrastructure, my network. It is analyzing, and then based on that learning and that analysis, it is doing something for me. It's a cycle. It's going to learn, analyze, do, learn, analyze, do, learn, analyze, do. That’s what I mean when I say cognitive security.
CSO: When companies adopt new technologies, they often find themselves with new security risks. The key example here is the IoT. Can you speak a little bit to how a company like Xerox, which is at the forefront of the IoT, is securing access to those devices?
Johnson: Our whole value proposition around security really is in four different areas: prevent, protect, detect, and external partnership. What is really, really important and closer to my heart is the external partnerships.
Our goal is to not just sell you a secure device or offering. That's not our main intention. Our intention is about the true partnership, as well. You're not only getting a secure device and offering, but you're getting a continuous partnership.
One of the issues [in our industry] sometimes is it's one and done. We've won this sale, we won this customer, now we're done, and we can move onto the next one. That's not the model that we have here. We continue our partnership.
We have solidified a partnership with McAfee. When you buy a Xerox device or buy into one of our offerings, we're bringing that partnership with us. There are things that we have layered in to prevent, there are things that we have layered in to protect, and then we have a detect when things happen, as well. We can detect when the configurations on the printer have been changed. We can detect when something has happened that doesn't look like the norm, that's not baseline.
We can detect when something is heard, and then the device or the offering will send us alerts or send the customer alerts. We can whitelist and detect when malicious software is trying to be added into the system. This is all through our partnership with McAfee.
I look at it as when Xerox hired me as a CISO, they didn't just hire Alissa. They hired my whole network. I've got lots of other CISOs that I know and lots of friends who are in different parts of the industry that I lean on for help, that I talk to and meet with periodically. That's the same type of mentality that we have to push down to our vendors and say, "Well, I don't just want you. I'd like your partners, as well."
I like collaboration, because that's the only way we're going to win this. That's the only way we're going to win against the adversary, is to not just say, "I'm going to buy this secure device, and this security control, and I'm going to get this one here, and try to fit it together ourselves." We've got to be bringing in partnerships. That's one of the things that Xerox specifically does.
These types of partnerships that we're building, this is where we're going in the future, as well. We're continuing to build those partnerships. We're continuing to say, "How do we continue to raise the baseline?" Security has always been a part of the Xerox story. We've always evolved, and every year tried to do something different, and something better, and raise the baseline, and raise the baseline.
CSO: When you roll out a large number of devices for a customer, you must work with them closely, then, to figure out how they want to set up their security. How does that process work?
Johnson: We collaborate a lot. We are not just bringing something that you can plug into your network. It has to integrate and integrate in very well. Because the IoT is booming and new, we can't be in jeopardy of our offering being a conduit into the network. The adversary may not be coming for the printer or trying to get into a printer in order to get what's in the printer or try to find documents. The impetus may be, "This is my way into the network to get other things."
We are talking about really integrating very well into a customer's network. We make recommendations. We say, "These are the lists of firewall rules you should probably have. We want to make sure you're closing all of the ports that aren't used."
We come back. We check in. We assess. These things are very, very important to make sure, not only are we helping them secure their data and protect the device, but that we're still building that solid partnership. We can't just drop it off and keep moving. We've got to work with our partners and say, "This is specifically what the security control should be around our device. These are our recommendations."
CSO: A lot of your channel partners now are also offering security services. I imagine the channel partners are a key part of this?
Johnson: Yes, our channel partners are key. That's part of those external partnerships. When things don't go well, when you get that call at night, it's not just the channel partner that is on the hook. It's Xerox that is on the hook.
We try to make sure that that relationship is solid, because we want all of our channel partners to call us. We want them to reach back to us and say, "Hey, something's not working right. Maybe I can't figure it out. Alissa, can your team figure it out for me? Can we do this together?" We go in together and we solve issues.
CSO: When a security incident occurs through a Xerox printer, how do you respond?
Johnson: We have a very solidified incident response program. A very, very mature incident response program. We align to the NIST Cybersecurity Framework and ISO 27001. That's what I have built this program, or framed our new program around. I say our new program because the company split at the beginning of this year, and now we are reimagining a new Xerox.
When you think about it from that perspective, and what the new Xerox looks like, and how we handle incidents, it's very, very different from a document technology perspective. We have the typical incident response process that everyone has. We have partners that we call on to help us with our process. We've got different vendors on retainer, and things like that. We have a very, very mature process.
Johnson: We have a very alive and active Xerox security page. All patches are maintained there. We even push it out and make sure our customers know what patches need to be updated, what the newest release is, things like that.
We communicate security bulletins on that page as well. When the newest hacker or something comes out, we put a statement on there saying, "Hey, there are the things you need to do to protect your Xerox device or your Xerox offerings. Don't forget we're here. Call us at any time."
CSO: New threats are emerging all the time. Just this week, server vendor NetSarang had its products hacked through its supply chain. What does the security community need to be doing differently to meet these new threats?
Johnson: I hate to keep honing in on external partnerships, but to me that is the sticky widget in this. I say that because when you think about the adversary and how they're winning, the adversary is winning because of their partnerships.
That's what the dark web is all about. It's about, "Hey, you don't have to write this piece of code. Buy it for $2.99 or go to another site. It's probably for free." Hackers don't even have to know how to code. They don't have to know much of anything, because the dark web has it all.
That's where we, on the right side of the law, are differentiating ourselves, because we don't share enough. I did a talk yesterday with the Defense Intelligence Agency (DIA). One of the things I said was from vendor to vendor, we don't share enough. From product supplier to product supplier, we don't share enough. From government agency to the next government agency, we don't share enough.
It's not just enough to share and say, "Oh, yeah, I've heard about that vulnerability." You have to get down in the weeds and say, "I've got this issue. How would you fix this? Let me fix this for you. Let me help."
That collaboration, a lot of times, isn't happening. We try to collaborate on a high level because we're so afraid something is going to happen. We're so afraid that something's going to be leaked. We're so afraid that there are going to be some regulatory or financial implications.
I understand the concerns with that, but we have to build a partnership in the security space where those concerns can be released, and we can really share and get down to the nitty‑gritty of it. To me, that's why we end up losing, a lot of times, against the adversary.
I don't think hackers are smarter. We're all normal people. We're all smart people. Their methods are different from how we interact.
CSO: What should companies focus on when they're looking ahead at what the future threat landscape might be like? What kind of data should they be looking for? What kind of trends should they be following?
Johnson: I've been in private sector and public sector. What I've seen is that the adversary may not be going for the exact same thing, but their methods are the same.
We don't have deep, dark nuclear secrets at Xerox, but adversaries are using the same tools that they were trying to use when I was at the White House to penetrate the White House networks. They're using the same tools with private industry.
If you think about it from that perspective, a lot of times we focus, "Well, what is the new threat landscape going to be? How is this threat going to manifest itself?" Some may think nation states are really geared towards government. No, nation states are geared toward product manufacturers, as well. Anything to undersell or undercut a product, reduce the price, all those things play a role.
We focus on the threat landscape, but we should always be focused on raising our security baselines. We shouldn't wait for the threat landscape to change to move the baseline up. We find ourselves sometimes in a precarious situation where, "Oh my goodness, something has happened. Let me take a look," instead of, "Things are going well."
That's one of the things that Xerox is doing. We are looking at the baseline, and we're saying, "We're prepared for 2018," and saying, "OK, how do we want to raise our baseline now?" That's not just with security, but that's with technology. If technology is going to continue to evolve, security has to continue to evolve, as well.
How do you get ready for 2017 and beyond? You've got to continue to raise the security baseline. You can't do it every two years. Your security strategy can't be a four‑year strategy. I'm thinking a two‑year strategy, and a lot of times I think two years is too long. It has to constantly be revisited, and protection has to go across all layers. It has to go across data, applications, processes, and infrastructure. It has to be cohesive.