Attack Surface Analysis - Response to the Information Security Management
By James Norberg, Security Director, Express Scripts
Please elaborate on the challenges that you have currently observed in the information security landscape.
Back in the days when everything was on-premises, understanding the attack surface wasn’t as big of a deal. Now, as we are moving towards the cloud, the inability to thoroughly understand the attack surface at all times is one of the major challenges since it is incredibly dynamic; several different surfaces are being created across several cloud environments at any time. The idea of the Digital Forensics and Incident Response (DFIR) Hierarchy of Needs, shaped like a pyramid, has been around for a while. So, knowing the pyramid means having a clear picture of the inventory and its components in order to understand the attack surface and ultimately act effectively. With a highly dynamic attack surface, these two foundational layers of the hierarchy of needs become extremely challenging.
“Everything that we do now is going to be based on data science. It’s the new language that will help us find that needle in a needle stack.”
A second challenge is ensuring that developers are abiding by the rules, for example, following our coding standards and subscribing to security logging APIs. Our goal is to move security back left in terms of the SSDLC to get all of the non-functional security controls built in upfront, so that we know our attack surface and hit the right telemetry at the right time in order to continue walking up that DFIR hierarchy of needs.
Finally, valuable telemetry data creation and management is becoming increasingly expensive. We want to have actionable logs from our cloud or on-premises tech stack. All of these different assets generate a lot of telemetry noise. That noise is driving demand in the form of additional bandwidth, storage, additional log processing, SIEM licenses, and so on, which becomes a significant investment. We must leverage our telemetry investments so that they are force multipliers for security, reliability, end-user experience, etc.
“As it stands, IoT for consumer and personal use ransomware isn’t making the headlines. This is understandable, as most IoT devices don't typically store valuable data; it's unlikely anyone would bother to pay the ransom.” What is your take on this statement?
When I think about IoT devices, I consider types of equipment such as home appliances, webcams, and items that are very much focused on the consumer marketplace rather than the business one. The consumer IoT product line historically has not been a target for ransomware. Instead, the consumer IoT product line has been the target of DDoS and cryptomining. Consumer-grade IoT devices likely will not be targeted by ransomware because these types of devices don’t store or process any sensitive data. Consumer-grade IoT devices would need to start storing or processing sensitive information to become a viable ransomware target because currently the device would simply be rebooted or reflashed. There is no motivation to pay.
In the context of the challenges you’ve mentioned, what are the major tasks for security managers at this point?
As the Director of the security operations center, there are a few things that our team is concerned about when it comes to ensuring that we are delivering value-add for our investments. Similar to a lot of companies, we are also going through a transformation. Our department has been adopting agile methodologies for the last two years. The outcome is that all of our enhancements, products, and operations utilize agile methodologies focused on limiting constraints and pulling valuable work. Accordingly, we are working faster so that we can adapt quickly to the changing threatscape and business risk.
Another task revolves around maximizing the investment for all of the telemetry spend, but at the same time ensuring that all of the different operational centers are synchronized, such as the security operations, network operations, and command centers. We have focused on making our monitoring capabilities a differentiator for us so that security, reliability, user experience, privacy operations, and fraud models’ data is structured upstream by developers and resides in common data lakes. The telemetry can then be correlated and enriched easily as we create data models to help other stakeholders’ missions.
What is your advice for budding technologists in the Information security space?
Everything that we do now is going to be based on data science. It’s the new language that will help us find that needle in a needle stack. Really, solving the end-to-end creation and management of telemetry in the form of structured data is the first phase, so that hypotheses and data models can be created. Data science acumen is paramount for creating and maintaining all the content. Leveraging a wealth of data to solve security problems is going to be one of the biggest things that technologists will have to do in the future. Security organizations have to ensure that they bring the component of data science into their training programs.