A Canada-based Guyanese high-tech cyber-security expert has urged Chief Information Security Officers (CISOs) to drop reactive strategies to cyber threats – including chasing alerts – and instead be more proactive if they want to stay ahead of attackers.
“The reactive strategy has failed,” Nik Alleyne, senior manager of cyber security at Forsythe Solutions Group, said Wednesday at the International Cyber Security and Intelligence Conference, held north of Toronto.
Before migrating to Canada, Alleyne, a former student of St. Stanislaus College, lived at La Grange, West Bank Demerara.
Threat hunting, predictive analysis and related techniques are the tools the infosec team needs today to persevere, he was quoted as saying in an article published in IT World Canada and authored by Howard Solomon.
“Hopefully you have some type of baseline that guides your decisions,” he said, which allows the team to “figure out what’s different” on the network. That will reduce the time to detection considerably.
While there are a wide variety of attack techniques, they can be winnowed down somewhat by identifying threats targeting your vertical, he said.
Being proactive also means conducting vulnerability assessments and regular penetration tests.
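The baseline idea quoted above, knowing what normal looks like so the team can "figure out what's different", is the core of most threat-hunting work. The following is an added example, not code from the article or from Alleyne: it builds a per-host baseline of destination/port pairs and hours of activity from a known-good set of connection records, then flags new records that deviate from it. The log format, host names, addresses and timestamps are constructed for the example.

```python
"""Baseline-driven deviation detection over connection log lines.

Added example (not the article's or the speaker's code). Log format,
field names and every sample value below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "known good" records: timestamp, host, destination, port.
BASELINE_LOG = """\
2017-11-06T09:01:00 ws-101 10.0.5.20 443
2017-11-06T09:02:10 ws-101 10.0.5.21 53
2017-11-06T10:15:00 ws-102 10.0.5.20 443
2017-11-06T10:16:30 ws-102 10.0.5.21 53
2017-11-06T11:00:00 ws-103 10.0.5.20 443
2017-11-07T09:05:00 ws-101 10.0.5.20 443
2017-11-07T09:06:00 ws-103 10.0.5.21 53
"""

# Constructed records from a later period, to be checked against the baseline.
NEW_LOG = """\
2017-11-13T09:01:00 ws-101 10.0.5.20 443
2017-11-13T02:14:00 ws-101 198.51.100.7 4444
2017-11-13T10:15:00 ws-102 10.0.5.20 443
2017-11-13T10:30:00 ws-104 10.0.5.20 443
2017-11-13T02:20:00 ws-101 198.51.100.7 4444
"""


def parse(log):
    """Turn whitespace-separated log lines into (timestamp, host, dst, port) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), host, dst, int(port)))
    return events


def build_baseline(events):
    """Per host, record the destination/port pairs and the hours of day observed."""
    pairs = defaultdict(set)
    hours = defaultdict(set)
    for ts, host, dst, port in events:
        pairs[host].add((dst, port))
        hours[host].add(ts.hour)
    return {"pairs": pairs, "hours": hours}


def find_deviations(baseline, events):
    """Return (event, reasons) for every event that differs from the baseline.

    An event can deviate for more than one reason; all reasons are reported so
    an analyst can prioritise (a new destination at an unusual hour ranks above
    either signal alone).
    """
    deviations = []
    for event in events:
        ts, host, dst, port = event
        reasons = []
        if host not in baseline["pairs"]:
            reasons.append("unknown host")
        else:
            if (dst, port) not in baseline["pairs"][host]:
                reasons.append("new destination/port")
            if ts.hour not in baseline["hours"][host]:
                reasons.append("outside usual hours")
        if reasons:
            deviations.append((event, reasons))
    return deviations


def earliest_deviation(deviations):
    """Timestamp of the first deviating event: the start of the incident timeline."""
    return min(event[0] for event, _ in deviations) if deviations else None


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for (ts, host, dst, port), reasons in find_deviations(base, parse(NEW_LOG)):
        print(f"{ts.isoformat()} {host} -> {dst}:{port}  [{', '.join(reasons)}]")
    print("earliest deviation:", earliest_deviation(find_deviations(base, parse(NEW_LOG))))
```

Run against the constructed data, the baseline passes the two records that match prior behaviour and surfaces three: two connections from ws-101 to an unseen address and port at 02:14 and 02:20, and a host (ws-104) never seen before. The earliest flagged timestamp is also the natural starting point for the incident timeline discussed later in the article.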
In an interview Alleyne said the proof reactive strategies have failed is in the headlines so far this year: He cited revelations of the extent of the Yahoo breaches (3 billion records), the Equifax debacle, the recent so-called Paradise Papers from a Bermuda law firm – although news stories don’t detail how reporters got hold of the documents – as evidence.
“Organizations have to be proactive,” he said in an interview, “both in the way they defend their networks, and more importantly how they detect because obviously prevention mechanisms haven’t done the job we expect them to do.”
Alleyne, who is based in Mississauga, Ont., admitted that small and medium-sized firms may not have the resources to undertake proactive techniques, such as threat hunting. They should consider outsourcing some of their security to managed security providers, he said.
In addition to being proactive, Alleyne said infosec pros also have to conduct a thorough investigation of a breach of security controls when one occurs, which must include lessons learned.
“You want to understand when, where, how and who did it,” he said. “Failure to effectively track an incident’s timeline will significantly impact how you respond” — for example, does a backup restore come from yesterday’s data or further back?
The biggest mistakes security teams make, he added, is “probably rushing, because it takes time to understand (the attack). Today I was notified, but what happened before that, what led to the compromise? Once you figure out what led to the compromise you need to figure out what happened after, because the time to detection and time to incident will be different.”
As for the importance of lessons learned, he believes it is obvious: “If you have no lesson learned, how do you prevent it the next time? How do you detect it sooner the next time?”
If, for example, a CEO opens an email with a malicious PDF, the lesson may be that more awareness training is needed (for that official, and possibly for the entire firm). And, he said, if the malware took advantage of a software vulnerability, the lesson is that the patching procedures aren’t good enough. If it took quite a while to deal with the infection, then maybe the incident response team – assuming there is a response team, and perhaps one of the lessons is the need to create one – should stage a table-top exercise to better know what to do next time.
Interestingly, for someone who can list how many threats organizations face and the number of breaches per year, Alleyne believes we are getting better at cyber security.
“I think we are because organizations in general are putting more emphasis on it, governments are putting more emphasis on applying rules and regulations and so on. So overall we’re getting better in terms of the processes. Are we getting better in detection? That is debatable.”
Alleyne has over 18 years in IT, with the last 9 being more focused on security. He is currently employed as a Senior Manager, Cyber Security for a Managed Security Services Provider, where he is responsible for leading 3 teams supporting various security technologies including IDS/IPS, anti-malware tools, proxies, firewalls, SIEM, etc.
He is also a SANS Instructor, teaching both the SEC503: Intrusion Detection In-Depth and SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling while also making the time to actively write on his blog at http://securitynik.blogspot.com
His academic credentials include an MSc Cyber Security Forensics, BSc Computer Science, along with a PG Cert (Hons) specialization in VoIP and Wireless Broadband. He currently holds (and/or held) various industry certifications such as CISSP, GCIA, GCIH, CCNP Security and R&S, CCMSE +VSX, SFCA, SFCE, SWSE, MCSE, MCITP/EA, BCCPA, IBM Certified Deployment Professional – Security QRadar SIEM V7.1, ITIL, ISO9001 Internal Auditor, Splunk Admin/Knowledge Manager, etc.
Also at the conference Ulf Mattsson, CTO for security solutions at U.S.-based Atlantic Business Technologies, urged developer teams to move to the so-called SecDevOps processes for including automated reviews of code as it is being written. This is important, he said, because successful attacks on Web applications are a leading cause of breaches.
Done properly, SecDevOps will alert developers to security risks in the middle of their work. Among the advantages is that it doesn’t leave security scanning to the end of development, which can stall the release of software.
Above all, he stressed the importance of transparent security testing. “You can actually get unbiased security metrics from this (SecDevOps) cycle,” he said, which will show whether the number of vulnerabilities in code is declining over time. It’s a metric that can be shown to a board to demonstrate how security efforts are improving, he added.
The conference was organized by the Ontario College of Management and Technology, which offers diplomas or certificates in a range of studies including cyber security.