Tunnel vision is a phrase that describes looking too narrowly at a problem. To use a cliché, you don’t see the forest for the trees.
Infosec pros suffer from it as well, Roger Grimes, principal security architect in Microsoft’s information security and risk management practice, said at this month’s SecTor cyber security conference in Toronto.
Often all they see is the myriad of threats in front of them every day, instead of concentrating on the ones most likely to pierce their defences.
In short, he argues that what CISOs need to do is create a data-driven defence.
After the conference we caught up with Grimes and asked him to expand.
“I get hired to do penetration testing, and in the last 20 years I’ve broken in in an hour or less, except for one company that took me three hours,” he said. He considers himself an average attacker. “In attacking I’m not that great, but I can break into anything. The reason why is they just don’t do the simple things they should do – the stuff they’ve been told to do for 30 years: patch, and don’t get tricked into running things they shouldn’t.”
“Most companies for one reason or another really aren’t trying to defend against the right things. The vast majority of corporations could significantly decrease the chance of attacks against their companies by better patching just a few programs and (with the savings) giving their employees better anti-social-engineering training. Yet companies spend millions of dollars on things that are absolutely not going to work because they don’t fix the two biggest elephants in the room”: awareness training, and patching the most commonly exploited programs.
These, he says, include Java, Adobe Reader, Acrobat and Flash. These days, he adds, other than browser plug-ins, Windows itself isn’t among the top 10 exploited targets.
It’s true exploits change over time, Grimes says, but how infosec teams respond shouldn’t.
Defenders should regularly monitor logs to determine the organization’s biggest threats, and then go after them.
On average an organization faces 13 to 15 new threats a day, he figures, or 5,000 new threats a year. But only five of them are really being used to breach the network. Log and other data should show that. If the main threat is Java, the CISO could have a team focused on mitigating it. “Instead, I go to a company and tell them, ‘You’ve got to patch your Java,’ and I go back the next year and it’s still not patched.” He is told that patching it would cause operational issues.
“I don’t think it’s communicated to the CIO and the board of directors: ‘We’ve identified the number one problem that, if it was solved, would eliminate the most risk, but we’re not really doing anything about it.’ That conversation doesn’t happen because nobody’s even clear about what the number one problem is. They just see all the problems and try to fix all the problems, and in the process very little gets done.”
Grimes says that in the companies he visits, two things could eliminate up to 90 per cent of their risk. “If you don’t fix the two or three things that are your biggest risk, everything else the company does is not going to make them safer.”
“Easily” the biggest bang for the security buck is awareness training, he adds. If the organization does half an hour of training a year, at least double it. “At Microsoft we had some issues and found if we did two to four hours a year it significantly reduced the chances of our employees being socially engineered.”
Data is king in this fight, he told the SecTor audience – if an issue isn’t being measured it can’t be controlled. CISOs have to figure out the top root causes and threats and work from there.
“You need to identify what your current, historic and most likely future threats are, then you figure out all the detection tools you have and how they could detect those threats, and then figure out the gaps,” Grimes said in the interview.
“If you’re worried about a worm, figure out how it’s getting into your environment, then how to stop it, because if you’re not working on the root cause of how the big things get into your environment you’re never going to defeat it.”
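The procedure Grimes describes, measure which root causes actually let attackers in, pick the few that explain most of the incidents, then check which of those your detection tools can see, can be reduced to a short script. The example below is added here for illustration; it is not code from Grimes, Microsoft or the SecTor talk. The incident log and the table of detection tools are constructed sample data, and the tool names and the 90 per cent target are assumptions chosen to match the figures quoted in the article.

```python
from collections import Counter

# Constructed incident log (not real data): one confirmed compromise per line,
# "date,host,initial_access_vector". The vector is the root cause that let the
# attacker in, which is the thing Grimes says should be measured.
INCIDENT_LOG = """\
2015-10-01,ws-114,java_exploit
2015-10-02,ws-207,phishing_macro
2015-10-02,ws-031,java_exploit
2015-10-05,ws-188,adobe_reader_exploit
2015-10-06,ws-114,java_exploit
2015-10-07,srv-02,weak_rdp_password
2015-10-08,ws-090,phishing_macro
2015-10-09,ws-221,java_exploit
2015-10-12,ws-045,java_exploit
2015-10-12,ws-207,phishing_macro
2015-10-13,ws-133,adobe_reader_exploit
2015-10-14,ws-019,java_exploit
2015-10-15,ws-078,phishing_macro
2015-10-16,ws-301,flash_exploit
2015-10-19,ws-162,java_exploit
2015-10-20,ws-055,phishing_macro
2015-10-21,ws-240,java_exploit
2015-10-22,ws-099,adobe_reader_exploit
2015-10-23,ws-114,java_exploit
2015-10-26,ws-010,phishing_macro
"""

# Constructed (assumed) inventory of the detection tools the organization
# already owns and which initial-access vectors each one can actually see.
# Build yours from your own tooling; these names are illustrative only.
DETECTION_COVERAGE = {
    "email_gateway_sandbox": {"phishing_macro"},
    "proxy_url_filter": {"phishing_macro"},
    "endpoint_av": {"adobe_reader_exploit", "usb_autorun"},
    "rdp_lockout_alert": {"weak_rdp_password"},
}


def parse_incidents(text):
    """Parse 'date,host,vector' lines into (date, host, vector) tuples; skip blank/comment lines."""
    incidents = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, host, vector = line.split(",")
        incidents.append((date, host, vector))
    return incidents


def rank_root_causes(incidents):
    """Return [(vector, count, cumulative_share)] most common first.

    cumulative_share is the fraction of all incidents explained by this vector
    plus every vector ranked above it, so the list reads like a Pareto chart.
    """
    counts = Counter(vector for _, _, vector in incidents)
    total = sum(counts.values())
    ranked, running = [], 0
    for vector, n in counts.most_common():
        running += n
        ranked.append((vector, n, running / total))
    return ranked


def causes_to_fix(incidents, target=0.9):
    """Shortest prefix of the ranking whose cumulative share reaches `target`.

    This is the 'two or three things' that, fixed, remove most of the risk.
    """
    chosen = []
    for vector, _, share in rank_root_causes(incidents):
        chosen.append(vector)
        if share >= target:
            break
    return chosen


def detection_gaps(vectors, coverage):
    """Map each vector to the tools that can detect it; an empty list is a gap to close."""
    return {v: sorted(tool for tool, seen in coverage.items() if v in seen) for v in vectors}


if __name__ == "__main__":
    incidents = parse_incidents(INCIDENT_LOG)
    for vector, n, share in rank_root_causes(incidents):
        print(f"{vector:22s} {n:3d}  cumulative {share:5.0%}")
    top = causes_to_fix(incidents)
    print("Fix first:", top)
    for vector, tools in detection_gaps(top, DETECTION_COVERAGE).items():
        print(f"{vector:22s} detected by {tools if tools else 'NOTHING (gap)'}")
```

On the sample data, three vectors (Java, phishing macros, Adobe Reader) account for 90 per cent of the incidents, and the top one, Java exploitation, is the one nothing in the tool inventory detects. That is exactly the conversation the article says rarely reaches the CIO: the number one problem, named, with its measured share of the incidents and the gap in coverage beside it. Re-run it on each quarter's incident data and the ranking tracks how the threats change while the method stays the same.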