2016 to be Wild Wild West for CISOs: Carl Leonard, Raytheon Websense

Data breaches to continue in 2016 as more CISOs will adopt cyber insurance to mitigate risk, says Carl Leonard, Principal Security Analyst at Raytheon|Websense.

2015 has been the year of the data breach. What are new security trends in 2016 from a cyber security perspective? How will the role of CISO change in modern companies?

ChannelWorld India spoke to Carl Leonard, Principal Security Analyst, Raytheon|Websense Security Labs on the key takeaways for stakeholders (vendors, channels and CISOs/CIOs) in the security business. “Businesses have not been able to adapt quickly to the current threat landscape. Unfortunately we will see more data breaches in 2016,” says Leonard.

How did you see the face of security landscape or the threat landscape change in 2015?

We have seen an increasing move by malware authors to execute socially engineered attacks. Definitely this year we have seen ransomware come to the fore that relies on the fear amongst the end users. They have to transfer funds into the accounts of the malware orchestrations. That’s a very specific type of threat we see.

Not only are businesses seeing that their data is being encrypted and how it is held to ransom but data is being stolen at a rather increasing frequency. There have been some very large breaches in 2015 with millions of records stolen. Malware authors are either actually trading that online of course or sharing that data. And there has been an increase in the number of advanced attacks wherein malware authors are tailoring their attacks to an industry sector or even to a region. It is state problem of attacks onto businesses in 2015 which is a very difficult environment to protect against.

It is worth mentioning on the face of the external attacker trends, other factors come into play that affect businesses’ ability to respond to that. It is the fast acknowledgement and response time due to skills shortage of security professionals. It is making life difficult for businesses because they don’t really have the resources to counter these new-age attacks.

Where exactly is the skillset gap at the end user level? Does Raytheon|Websense act as an evangelist?

The skillsets gap is a global problem. There was a report recently of a slight decline of malicious files per day but it is only a small percentage. The numbers we must not forget are incredibly high in comparison than two to three years. Businesses are facing increasing threats with increasing complexities.

The skills traditionally come out of information technology team but not necessarily from the computer forensics type of background. Raytheon|Websense works within the industry and education sector to help promote the skillsets required around forensics and reverse engineering. This will ensure the next wave of security individuals have the necessary skills in the workplace.

There is massive reliance on the skilled staff than the technology work for them. We have systems (on our technology) that allow an end user or employee at maybe accounts or HR to be alerted if they click through a suspicious URL on an email. Our product actually alerts them for us to scan the problem and issue a warning. With URL sandboxing technology the end users become more aware of the dangers of these threats and the business can then use their end users as their eyes and ears. Using your entire employee workforce to help identify the threats and train them on and what kinds of threats they typically see. We are very much involved in first identifying the skillsets gap and then help educate the end users.

With threats multiplying in numbers, forms and frequency; how has role of CISOs changed over the years? Would they be prone to more sleepless nights?

The chief information security officers (CISOs) have got a greater connection into other teams within the business. We see more CISOs getting buy-in from the board. They are able to position security as a business enabler as they are allowing core departments to function quickly and innovate while providing some assurance of security. Of course security cannot be guaranteed.

CISOs are explaining the risks to the board, which is now beginning to understand the risk of data breaches and cyber threats and then allowing the business to place mitigation for it. They are building out ‘breach preparedness’ plans which are based on the assumption that a breach will happen. But you make sure to have the capabilities to respond accordingly. You have practiced on how to respond, give information to law enforcement, you understand your responsibilities that adhere to particular legislation that might demand breach notifications to send out to affected individuals. And of course call in security professionals to help you to analyse the threats international such as Raytheon Websense.

A prepared CISO who has implemented necessary controls based on the right business level discussions with the board would enjoy more peaceful sleep.

Any Dos and Don’ts for CISOs to follow in 2016 for a robust security posture?

Absolutely do focus on the importance on data theft prevention tools. Because coming from the position that breach will happen, you want to make sure that the importance of data within the business is firstly identified, know location of data, know how secure it is and how technology plays once data leaves that organization. One of our predictions for 2016 is that data theft prevention will be more of a commonality across businesses as they realize the need to stop data leaving the organization. That could be from external attacker cybercriminal or indeed internal threat.

CISOs need to be apprised of any local legislation to be introduced in few years for them to have plenty of time to prepare. Even for legislation out of their jurisdiction like European Union data protection legislation expected in 2017. If any business stores information of European citizens, they have to understand the implications. This is very relevant to Indian businesses who work with a lot of data of UK.

Don’t underestimate the power of the board. Get the board on your side and present to them the business implications of an incident -- say operate your website -- that will impact the bottom lines. If you can explain the brunt damage that might occur.

Don’t assume that your employees cannot help you. They absolutely can. During the various programs to educate your end users, employees can actually be part of security sort of inputs, into your knowledge base.

For example, Raytheon Websense has a global program ‘catch of the day’ for all our employees who are encouraged to alert our CISO team about any incident - whether physical or cyber. Every quarter our CEO gives an award to those employees that identify a situation that could have led to risk. I think businesses can adopt a similar practice as they will be surprised to see the potential gaps and it also keeps the employees engaged.

Today’s insider threats do not mean only company’s employees.

That’s right. It includes supply chain, the contractors (for your business) and these individuals have got access to the information and systems. And cybercriminals are trying to get access too.

CISOs should look at information that resides within your organization and anything that may be unusual, out of line which typically happens in your business. It might not be that the individual is stealing data but their machine being compromised. We typically recommend a baseline for normal activity and any abnormalities. There might be some controls in place but one needs to immediately stop that large file of customer addresses being sent through peer to peer network.

Do look at supply chain as well as the risk might be brought through their email accounts that you are doing business with. It needs the same level of analysis assuming that at any point they could be compromised and that should not impact your business.

In today’s hyper connected world, e-commerce shopping and e-wallets can be new playground for hackers.

Any new technology introduced could be a potential risk which could be managed through risk management.

For example the entry of PIN number is not needed for contactless credit card in UK. Banks first tested with small amounts of money to gain confidence that the fraud did not happen as expected. They understood the situation with new technology, put controls and alerts in place and then expanded to have convenience for consumers to use transactions of larger amounts. That’s the lesson to be learnt with any new technology.

As per Raytheon|Websense predictions for 2016, hacks targeting mobile devices and new payment methodologies will impact payment security more than EMV. The increase in non-traditional payment methods on mobile devices or via beacons and smart carts will open up the doors for a new wave of retail data breaches.

Another prediction is around generic top level domains. One could register .co as top level domain but the malware authors have already choked on them. The banking sector have now adopted .bank domain and some have added technologies like DNS to provide some level of control on individuals registering on .bank domains. It also monitors people’s interaction and further grows their confidence on this legitimate domain of the bank.

You assess the new technology, be cautious, anticipate the dangers, get confident and then scale the use of technology as a real business enabler. It is same for IoT.

Does that indicate IoT to become a larger nightmare for CISOs?

IoT is in infancy state with all connected devices have few controls in place first before we become more confident about the systems working for us.

The energy sector have sensors in place since long time. We see some homes in UK have connected thermostats to control heating temp that is programmed with the phone with geo location. The potential for IoT to improve our lives is limited only by the imagination as people are averse to implement new technology.

IoT is relatively new but malware authors are exploiting it. We have seen ‘proof of concept’ attacks on - connected vehicle taken off the road remotely, lighting turned off and the heating manipulated of a hotel, medical machines can be manipulated to administer wrong dosage to patients in healthcare sector (which is wide adopted of connected devices). These dangers are lurking as more connected devices (total of 50 billion devices expected in 5 years) will be additional risk.

It will be a combination for regulations and guidance for creators of these connected IoT devices to build in security by design and not as an afterthought. And of course as these connected devices are deployed in homes and business, you need to make sure that they are not used as a platform to get access to other networks.

Securing various pieces (hardware, software, sensors, and services) from different vendors in IoT world sounds a difficult task too.

It will be a huge challenge. It is a wild wild west at the moment.

Many competing and even OS or customization of operating systems are implemented with no industry standards for IoT. There are association bodies trying for standardizations but internet by its very nature is an unique beast that no single entity can have complete control. The creators of connected devices have ‘first to market’ strategy with new style of device to sell lot of them. There is perception that if they take longer to install security codes and degrees on standard, they will not make more profits as desired.

IoT applications are like short term fashion statements. Some of them might have short life span with no updates, run on older OS and no patches. But people will have them in their homes perhaps using lot less than before. With a foothold on their network, it poses a real danger. Home Wi-Fi have been hacked in the past.

There are keyless door locks that are IoT connected. I even saw a barbeque which was IoT connected for temperature controls to cook the perfect meal. There is no end to all kinds of applications in the market.

What about the threat through wearables or connected watches (traditional watch makers too, like Fossil, joining the bandwagon of Motorola, Apple) to the corporate network?

We expect more end users to adopt wearables in the workplace. Gartner has predicted that in two years, there will be globally 2 million employees that are actively encouraged to have a wearable – where it measures heart rates etc. It will definitely be a trend and we will appraise the situation and see what types of risks these could involve.

Right now for some wearables the communication is limited to Bluetooth. The capability of current devices is just to log data on heart rate, steps etcetera. That data is sent to cloud away from the perimeter of the device and that data can be manipulated. There needs to be control for data.

The year of 2015 has been year of data breach. Can you stick out your neck on the big security trends in 2016?

Many of the trends of 2015 will continue in 2016. Businesses have not been able to adapt quickly to the current threat landscape. Unfortunately we will see more data breaches in 2016. The threat landscape moves so quickly and not all businesses are able to invest in security solution that innovates as the cyber criminals. Sometime implement a solution and becoming comfortable takes time making it incapable to have longevity in real time to protect from emerging threats.

CISOs will have to work hard to get their board’s attention to wisely invest in security solutions that can protect adapting the threat landscape as we have new arenas of generic top level domains, mobile payments, IoT and more.

While the current threat landscape continues, data breaches will continue to pose more challenges for CISOs. In 2016 more business can adopt tools like cyber insurance to spread the financial burden in case of attack to third party or insurer. However these are difficult as we predict that the insurers will work on evidence based system asking business to provide evidence on the good solutions in place, good understanding of data, steps to protect the data like encryption. Also provide the insurer that they have implemented some technology that is working for them. 2016 will be year where businesses look to cyber insurance but insurers too will be more specific on their requirements to set the cost of the premiums.

Yogesh Gupta is executive editor at IDG Media. You can reach him at yogesh_gupta@idgindia.com or follow him at @yogsyogi1