As the number of remote workers and IoT devices grows attack surface expands. Is AI the best option for defending data? Schellman CISO, Jacob Ansari offers insights in this SC Magazine ebook. Read an excerpt below or article in full on the SC Magazine website.
Written by Stephen Lawton
If the COVID-19 pandemic taught us anything about network security, it is that corporate assets and data today is distributed so widely that the rules companies relied on in the past might not be sufficient to defend data in the future. While companies work to reduce their on-prem network attack surface by moving to the cloud, the number of their endpoints exploded, and the network surface effectively moved outside the corporate firewalls.
Not only must security teams today find ways to protect the known network devices that reside locally, but they also need to find ways to protect devices that might have corporate data on employees’ personal networks, as well as on devices over which the company has no physical control. Additionally, they need to find shadow IT devices that do not belong on the network at all, creating vulnerabilities.
That alone is redefining the surface. The shadow IT challenge is two-fold, as both legitimate and illegitimate devices can be residing on employees’ personal networks and the corporate network, potentially causing breaches.
Will today’s best practices be sufficient to defend the corporate network? Perhaps, but perhaps not, experts say. While approaches such as zero trust and more advanced methods of identity and access management (IAM) offer some controls for the corporate security team, these are not panaceas.
Setting up the mark
While stipulating that today’s best practices for cybersecurity might be appropriate for the existing threats of 2020, cybersecurity pros acknowledge that the current environment, and certainly the future one, will bring challenges that require today’s best practices to evolve, forcing changes in the way technicians and analysts do their jobs.
One popular approach to protecting the corporate, on-premise network is to migrate data stores and applications to the cloud, effectively putting a buffer between the protected network and the untrusted devices outside the network. By having users pass data through the cloud first, companies can ensure the data is validated and wiped of any potential threats before it is effectively invited back onto the corporate network. Concurrently, users themselves are authenticated. However, even cloud services have their own challenges.
While reducing the attack surface of networks has been an important priority for CISOs for many years, security pros should focus less on the network surface and more on attack volume, says Josh Axelrod, a principal in the EY Advisory Practice (formerly Ernst & Young), leading global, national and local team that provide security services in the financial services, technology and several other business sectors. And that means more focus on business processes rather than on infrastructure. Companies need to ensure that they have not only the appropriate tools in place, but also staff that is trained to recognize anomalies as they occur and the ability to handles ever-increasing volumes of incoming data.
“The expectations of cyber risk management are not well defined,” he says. Simply providing CISOs with the “next shiny object” might not be money well spent if it does not advance the company’s security processes.
Looking ahead, Axelrod says some of today’s best practices might well have to change to meet the challenges of the increased attack volumes he expects to see in the future. For example, 5G technology will see companies dealing with “massive payloads in a fraction of a second.”
Peter VanIperen, managing partner at New York-based PWV Consultants and a senior vice president and global head of cloud security at the New York-based media conglomerate 21st Century Fox, concurs. “Is it the surface we need to worry about now, or is it the volume that we need to worry about because considering how many potential attacks we see? I’m not sure what the correct term is here, because phishing emails and phishing and all of the other variations [of attacks] — the volume has become so enormous,” he notes. “As we’ve said for years, you don’t need to get all of them; you just need you know one or two really good ones and the breach occurs. So, I would say I think the volume definitely plays into it.”
When today’s best practices fail to identify a potential threat, the attackers will have successfully set up the proverbial “mark” to be attacked. Once the mark is set, the sting is sure to follow.
Not so best practices
Today’s best practices for managing cyber threats simply do not address the overwhelming amounts of data companies will be facing, the experts agree. Technologies such as 5G and the plethora of IoT devices that are unable to be upgraded with new security software are expected to create new vulnerabilities as they are widely deployed and often overlooked and ignored. Advances in entity behavioral analytics is another security technique where we can expect to see changes in the future. Many of the products companies are purchasing today, including smart devices with built- in Wi-Fi access, are commodities and not necessarily subject to vetting by cybersecurity staff. Security teams have a basic level of trust and accept the products to perform as promised, but they still need to verify vulnerabilities do not exist, which could result in serious security breaches.
Companies need to trust but verify devices, however there simply is no way to audit every component in every device that comes through a corporate supply chain. While supply chain issues are getting greater recognition today due to the fallout from the SolarWinds incident, it also underscores that the supply chain threat is not new. The industry has seen significant threats from the supply chain in the past, such as components in video cards that had embedded malware and other devices where driver or software updates included malware while the original product did not.
Charles Edge, author of technical publications for the Apple market and currently CTO for Bootstrappers.mn, a Minneapolis-based venture capital firm, identifies one real-world example of how the internet of things (IoT) is forcing companies to challenge their own thinking on the expanding supply chain.
“I can go on Amazon, and I can buy a smart plug from some company I’ve never heard of,” he says. “I can install the smart plug in my house, I throw it into my Wi-Fi. I don’t know exactly what that smart plug is doing, but when I tell Alexa to turn the smart plug on, the smart plug then is federated, or at least their APIs are federated, over to the Amazon one. My data is flowing over into Alexa, but I don’t know all the different sub-processors of data or open-source projects as they pull them in [the plug’s] web apps.
“I got a smart plug for $20,” he continues, “but what all is happening between that electronics and all the web services [and] the internet? In the age of COVID, you have hundreds of thousands of workers working from home. Those endpoints are now sitting in a network with a $20 smart relay from a vendor who none of us have ever heard on the network.”
Ultimately, he says, not knowing what is happening in that cheap plug could be a vulnerability, since the data could be redirected to a command-and-control server of an attacker.
Users are mostly interacting with cloud services, says Edge. “I have concerns around the chain of trust going upstream and I don’t think products are necessarily giving me the telemetry. Theoretically, if I’m a big company using some other software, I have data processor agreements with [the software suppliers]. I have a mature infosec team that manages those relationships; obviously, you don’t have that at home.”
While technologies change, attackers tend to use similar attack techniques but on different devices. For example, he says that port scanning, a popular attack technique used for years on desktop and laptop computers, is being replaced by IoT scanning.
“[It] is kind of the new port scanning. Let me go look for open devices that I just get into, what can I escalate from there. I’ve seen some pretty incredible and gnarly things,” he notes.
That said, he also offers a suggestion on how to defend against these types of attacks. VanIperen uses a second router in his home and connects all his IoT devices to that router. This second router allows him to put all these devices on a separate network segment, allowing him to use a zero-trust approach to verify each device’s request for access.
"It will essentially see phishing schemes and social engineering schemes move over to working into IoT devices as a vector."
“It will essentially see phishing schemes and social engineering schemes move over to working into IoT devices as a vector. I really think that that is going to be commonplace because at the end of the day, it’s the same thing with zero trust.”
One reason why IoT devices are such popular targets today is because they make excellent devices on which to conduct phishing attacks. The ubiquitous cell phone, tablet and other devices connect not only to email, but also social media sites and messaging applications, which are prime targets for cybercriminals.
“Phishing has been around for 30 years; now it’s on social networks. You know — weird phone calls and fake customer service and things like that, [including] short message service phishing and things like that. It’s been around because it is the most successful, targeted vector,” he says.
However, VanIperen notes that the phishing threats of the future go well beyond consumer products and IoT. “There’s going to be more and more of these devices that come out and there’s going to be more and more access points,” he notes.
"You’re going to see more opportunity to get in and to phish people; also it means that this kind of cybersecurity education and responsibility is really on everyone in the company. You know, we don’t really talk about customer-facing assets and customer service people,” VanIperen says.
He adds that cybersecurity education is not only for technical staff, but for everyone, ranging from the custodial staff to corporate executives.
You are not just extending the digital surface defenses, he notes. Effectively, what a company is doing is “ameliorated by blocks and segmentation and prevention that we put in your expanding human surface of attack.”
AI: Future imperfect?
CISOs today are reacting to the pandemic- induced changes that forced companies to modify both work environments for employees and their own network infrastructure. These forced changes wreaked havoc with long-standing security controls by forcing some companies to convert to cloud-based operations before the companies had time to fully vet all of the operational changes.
Some companies rushed their digital transformation to the cloud for business continuity reasons, says Jacob Ansari, CISO of Schellman & Company in Racine, Wis. Now they are reassessing their decisions.
Law firms, for example, place cybersecurity at a lower priority than they do business continuity, he says. As a result, they are at greater risk of a breach than others.
Ansari says that law firms, like other organizations, are expecting artificial intelligence (AI) and its subset, machine learning (ML), to provide the security needs they require going forward. That promise, he says, is still unfulfilled.
Tom Brennan, CIO for the Roseland, NJ- based law firm Mandelbaum Salsburg P.C. and the USA chairman of CREST, an international accrediting firm for security professionals, has a unique view of how law firms address cybersecurity. “I’m a CIO, so I consult with the CEO on a daily basis. After building trust, [executives] have to understand that sometimes you have to have a resource on the team, or resources, or a security operations center. Their job is not to produce revenue; it is to protect revenue.
“Some of the organizational shifting is super important because of how the business strategically puts guards, gates and cyber controls in place to protect what matters most,” Brennan says. “And then it does require sometimes a third-party opinion only because that’s your audit.”
"Ansari wonders if CISOs view 'the future' as short-term or long-term when it comes to implementing these advanced technologies."
Ansari wonders if CISOs view “the future” as short-term or long-term when it comes to implementing these advanced technologies. Today’s data sets are so massive that the days of pivoting through these files are “passing us by.”
About the AuthorMore Content by Jacob Ansari