Be proactive to stop cyber attacks, infosec leaders told

CISOs have to drop reactive strategies to cyber threats, including chasing alerts, and instead be more proactive if they want to stay ahead of attackers, a Canadian security conference has been told.

“The reactive strategy has failed,” Nik Alleyne, senior manager of cyber security at Forsythe Solutions Group, said Wednesday at the International Cyber Security and Intelligence Conference, held north of Toronto.


Threat hunting, predictive analysis and related techniques are the tools the infosec team needs today to persevere, he said.

“Hopefully you have some type of baseline that guides your decisions,” he said, which allows the team to “figure out what’s different” on the network. That will reduce the time to detection considerably.

While there are a wide variety of attack techniques, they can be winnowed down somewhat by identifying threats targeting your vertical, he said.

Being proactive also means conducting vulnerability assessments and regular penetration tests.

In an interview Alleyne said the proof that reactive strategies have failed is in the headlines so far this year. He cited revelations of the extent of the Yahoo breaches (3 billion records), the Equifax debacle and the recent so-called Paradise Papers from a Bermuda law firm, although news stories don’t detail how reporters got hold of the documents.

“Organizations have to be proactive,” he said in an interview, “both in the way they defend their networks, and more importantly how they detect, because obviously prevention mechanisms haven’t done the job we expect them to do.”

Alleyne, who is based in Mississauga, Ont., admitted that small and medium-sized firms may not have the resources to undertake proactive techniques, such as threat hunting. They should consider outsourcing some of their security to managed security providers, he said.

In addition to being proactive, Alleyne said infosec pros also have to conduct a thorough investigation of a breach of security controls when one occurs, which must include lessons learned.

“You want to understand when, where, how and who did it,” he said. “Failure to effectively track an incident’s timeline will significantly impact how you respond” — for example, does a backup restore come from yesterday’s data or further back?

The biggest mistake security teams make, he added, is “probably rushing, because it takes time to understand (the attack). Today I was notified, but what happened before that, what led to the compromise? Once you figure out what led to the compromise you need to figure out what happened after, because the time to detection and time to incident will be different.”

As for the importance of lessons learned, he believes it is obvious: “If you have no lesson learned, how do you prevent it the next time? How do you detect it sooner the next time?”

If, for example, a CEO opens an email with a malicious PDF, the lesson may be that more awareness training is needed (for that official, and possibly for the entire firm). And, he said, if the malware took advantage of a software vulnerability, the lesson is that the patching procedures aren’t good enough. If it took quite a while to deal with the infection, then maybe the incident response team (assuming there is a response team, and perhaps one of the lessons is the need to create one) should stage a table-top exercise to better know what to do next time.

Interestingly, for someone who can list how many threats organizations face and the number of breaches per year, Alleyne believes we are getting better at cyber security.

“I think we are because organizations in general are putting more emphasis on it, governments are putting more emphasis on applying rules and regulations and so on. So overall we’re getting better in terms of the processes. Are we getting better in detection? That is debatable.”

Also at the conference, Ulf Mattsson, CTO for security solutions at U.S.-based Atlantic Business Technologies, urged developer teams to move to so-called SecDevOps processes, which include automated reviews of code as it is being written. This is important, he said, because successful attacks on Web applications are a leading cause of breaches.

Done properly, SecDevOps will alert developers in the middle of work to security risks. Among the advantages is that it doesn’t leave security scanning to the end of development, which can stall the release of software.

Above all, he stressed the importance of transparent security testing. “You can actually get unbiased security metrics from this (SecDevOps) cycle,” he said, which will show whether the number of vulnerabilities in code is declining over time. It’s a metric that can be shown to a board to demonstrate how security efforts are improving, he added.

The conference was organized by the Ontario College of Management and Technology, which offers diplomas or certificates in a range of studies including cyber security.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
