After reading sensational reports of the latest data breach – or receiving news of the ever-increasing number of attacks on their infrastructure – some security pros despair of having confidence their environment will ever be secure.
Don’t give up, says Steve Martino, vice-president and CISO of Cisco Systems Inc., who oversees IT security for the billion dollar global company and its 100,000 employees.
In fact, he says, security leaders can do what he does and plan around a 95/5 rule: Use technology to stop 95 per cent of threats – with firewalls, intrusion prevention, access controls and the like — and the other five per cent to watch the network for what gets through with tools like malware detection, behaviour analytics, anomaly detection, network analytics and forensics.
In spending terms, he admits, the ratio will likely work out to roughly 60 per cent on defence and 40 per cent on monitoring. But his point is if a strategy is properly thought out and implemented, 95 per cent of threats can be stopped.
“The defences we have if used correctly are effective,” Martino said Monday in an interview
Thursday in Toronto at the company’s annual Cisco Connect show for customers. “Pretty damn good.”
“But don’t get confused with ‘I put all these things in place and they block many things.’ to think they’re going to block all things.”
He added the worst thing infosec teams do is “lull themselves into this place that ‘I put defences in, that’s all i need to do,” and not appreciate that visibility into your environment, detection and being able to respond is part of your job.”
In short the strategy is “good defence, active response.”
“You need to block 95 per cent of the things that might happen to you. If your defences aren’t good enough to automatically defend against malware, insider threats etc., then your defences aren’t strong enough and you’re going to see so much activity on your network you’re not going to be able to prioritize what’s important and be able to defend against it.” That’s why the other five per cent of the strategy actively monitoring network for when things slip through.
This may sound brave for a company whose staff on average loses two laptops a day, supports many cloud applications and allows almost all of employees to attach their own devices to its network, but Martino said with the right controls it can be done.
For example, staff-owned devices have to pass nine tests: Have a password and screen locks, use only certain versions of the operating system, encrypt all data, run antimalware (if available), agree to patch all software and validate the device isn’t rooted. Cisco also put a certificate on the device so there authentication when the user logs into its network, and inventories all software. In addition users agrees the company can remotely wipe the device if necessary.
“It’s not rocket science,” he says.
Because employees link to 500 external clouds (such as Salesforce; however, many are identical, such as portals to a local country payroll supplier) access to these also have to be secured.. It’s done through a combination of Cisco and third party technologies including an external identify service that controls onboarding of staff and a SAML-based access management program from which passes a token to the cloud provider in a way that doesn’t expose the employee’s username and password.
Cisco [Nasdaq: CSCO] is also picky about its external cloud providers. They have to pass a screen called CASPR (cloud application service provider remediation), a list of qualifications including explaining the provider secures its data, how Cisco will authenticates to their services, how the provider logs activity and what user data it will gives Cisco, privacy policy, business continuity plans and details on resiliency. Second, cloud vendors are starting to give us data about user activity and other things.
Martino won’t won’t give a Tier 1 vendor business that handles high visibility data or high business processes unless it has an API that will pass user activity data to Cisco. More cloud vendors will have to do that, he said, if they want to get more customers.
He also collects a lot of network and antivirus data — 4 TB a day – for analysis. Using Splunk, security team members run “plays” looking for particular suspicious network activity. Up to 3 petabytes of data is kept for up to six months in six repositories around the world so when an intrusion is detected staff can look back to figure out how and when it happened.
And there are intrusions: Last year 5,600 incidents needed remediation. (not false positives). Martino’s time to detection goal is 24 hours, with a goal of time to containment of 36 hours. He wouldn’t give numbers but said “on average my team has done a good job of holding to that 24 hours.” But he admits meeting the containment goal is still elusive, in part because mobile employees sometimes can’t be reached immediately to take a device offline.
Interestingly, he says Cisco’s most valuable data is not its intellectual property but customer data including data shared from Cisco-purchased devices to information from customers who use Cisco’s collaboration platform.
Martino also said that the traditional divide between IT and security teams has to be bridged. “I was on the IT job before I took this role six years ago, and instantly all of my peers looked at me and said ‘It’s your fault. You’re the reason I can’t deliver, you’re slowing us down.'” In fact action requests to the IT side were largely ignored because managers were more concerned with getting a feature online.
So a report called universal security metrics was created which aligned security priorities with IT. In addition positions called security primes were created within in the IT departments who –though trained and encouraged by Martino’s staff — reports to a IT service owner and is responsible for the security of a particular service.
“Nobody is 100 per cent safe,” he said — in fact, he acknowledged that “I expect some day I’m going to have to be explaining myself to people in the public” after a loss of data. “I hope when that happens our processes of communicating to whoever is impacted and being able to remediate and manage it are good,”