CISO SURVIVAL GUIDE
TIPS & TRICKS FROM TOP SECURITY EXPERTS
GISEC 2017 SPECIAL

CONTENTS
04 Raising the security bar
06 A blueprint for tactical defence
08 Upping the ante
10 A new approach to threat protection
12 Six things you need to know about IoT security
14 Why IAM implementations fail

In the hot seat

The role of chief information security officer is not what it was five years ago. According to those who find themselves in the role, that's not necessarily a bad thing.

It used to be that CISOs were over-glorified IT security administrators, babysitting the firewalls, arguing with software vendors over botched antivirus signature updates and cleaning spyware off infected laptops. True, that's still the role some CISOs find themselves in, but for the majority the responsibility has shifted to looking at the big picture and designing the programme that balances acceptable risks against unacceptable ones.

With a number of high-profile security breaches making headlines of late, organisations are increasingly realising they must beef up their security teams or risk catastrophe. Compared to just a few years ago, CISOs now face a wide array of risks and responsibilities that have significantly increased the complexity of their role, says Matt Comyns, global co-head of the cybersecurity practice at Russell Reynolds Associates. Leading companies recognise that their ability to confront rising cybersecurity risk is driven by the talent of their CISO, and that companies lacking this talent will become increasingly vulnerable.

While strong technical skills are 'table stakes' for success, core leadership and general management competencies make the best CISOs stand out from the crowd. Overall, Comyns says successful CISOs tend to have the following skill sets in common:
• Business acumen and analytics
• Creativity and innovation
• Business-to-business communication
• Relationships, influence and presence
• People leadership

The best CISOs are distinguished by their ability to define a vision, secure support for that vision with the board and the C-suite, marshal the resources and talent required to translate that vision into reality, and engage the broader employee population to become champions for information security.
INTERVIEW MALWAREBYTES

Raising the security bar

Christopher Green, regional director, Malwarebytes, gives us a lowdown on the threat landscape and what his company is showcasing at GISEC this year.

How do you see the threat landscape evolving this year?

This year ransomware is likely to continue to be a massive force threatening consumers and businesses alike. Since ransomware rose to prominence as the malware of choice for cybercriminals it's been relatively indiscriminate. However, throughout 2017 we expect that targeted ransomware attacks will become the new norm. If an attacker can recognise the difference between an enterprise and a consumer target, they will be able to adapt their ransom demands to match their victims. The intentions of attacks are also likely to become more personal. In addition to encrypting files, ransomware attackers will soon be threatening to post data or information on social media, or to expose it in an equally destructive way.

What kind of fundamental strategies would you recommend for CISOs to keep pace with rapidly evolving attacks?

CISOs today need to be in a position to react quickly to threats. As we've seen repeatedly over the last couple of years, failing to do so can cause serious damage to a brand's reputation, finances and – as in the case of Yahoo! – company valuation. All too often security strategies are not as robust as they could be, with solutions implemented on an ad-hoc basis, which means cohesion and visibility across systems suffers. This fire-fighting approach can't continue. Not only does it increase a business's vulnerability, but it also makes implementing new technologies a headache and slows down innovation.

The pace of change in security is rapid, and that's likely to continue. The businesses that re-think their security positioning now and have flexible, scalable and adaptable systems in place will be the ones that find themselves in the best position, no matter what comes next.

Do you think cybersecurity is now a boardroom agenda for enterprises in the region?

Cybersecurity is certainly creeping up the boardroom agenda for businesses, but it still has a long way to go. Until a serious security incident occurs, protecting the company's networks is mostly seen as an expensive and resource-intensive process that consumes the budget and offers little ROI. Having a CISO present at the board meeting is progress, but without the backing of the entire room, it's a constant up-hill struggle to make any meaningful difference.

Marketing, HR, legal and other business functions are all seen as critical. Most organisations would recognise that they couldn't function without staff or customers, but fewer recognise the same can be said of security. So, while we are starting to see cybersecurity rise up the boardroom agenda, we still have a long way to go. CISOs need to make a concerted effort to position security as a business enabler, rather than a cost centre. With this attitude, security can be seen as a function that underpins the organisation and allows it to be agile and innovative without fear.

What products and solutions are you showcasing at this event, and how can CISOs benefit from these?

At the show, we will be showcasing our Endpoint Security solution, which is an endpoint protection platform that uses multiple technologies to proactively protect computers against unknown and known threats, including ransomware. This multi-stage attack protection is important as it provides companies of all sizes, across all industries, around the globe the ability to stop cybercriminals at every step of the attack chain.

Malwarebytes' Endpoint Security benefits CISOs in a number of ways. Aside from the obvious benefit of protecting against malicious threats, it's scalable so every endpoint is protected however fast and to whatever size a company grows. What's more, it's easy to manage and deployment is streamlined so the IT team's time is minimised and even systems without Malwarebytes that are vulnerable to cyberattacks can be easily secured. It's a one-stop shop for enterprise endpoint protection.

What is the primary focus of your participation at this year's GISEC?

The Middle East has some of the largest malware infection rates in the world. Since 2012, every country in the region has had at least double the number of infected systems compared with the global average. That's an extraordinary statistic and shows just how critical the right security protection is.

To combat this, Malwarebytes recently launched in the UAE. It's critical for businesses in the region to have the right advice and protection to combat the ever-increasing number of threats they are battling. We'll be partnering with some of the region's most respected resellers and distributors to ensure thousands of companies are protected and malware infection rates fall significantly as a result.
INTERVIEW CTM360

A blueprint for tactical defence

Based in Bahrain, CTM360 offers a comprehensive cyber threat management service offering, which enables enterprises to leverage the power of collaborative security to address the ever-changing landscape of cyber-attacks. Mirza Asrar Baig, founder and CEO of the company, talks about the concept of 'offensive defence' and the importance of threat detection and response to combat the new breed of attacks.

How do you see the threat landscape evolving this year?

It will keep evolving in line with past trends, with the frequency of the attacks that emerged over the last couple of years increasing exponentially, ransomware being the leader of the pack. Next, we will also witness entirely new forms of attacks where the stealing of computing power would be a base. An example of that is now visible in the use of botnets for mining Bitcoin.

A major new twist would be the periodic divulgence of the treasures of zero-day vulnerabilities through WikiLeaks, by various self-proclaimed vigilante hacking groups. As the same information would also end up in the hands of cybercriminals, it would be a race between the good and bad guys.

What kind of fundamental strategies do you recommend for CISOs to keep pace with rapidly evolving attacks?

There are two main strategies that I am proposing for enterprise security. Firstly, we need to distinguish between the functions of information security, IT security and cybersecurity. The goal of IT security is enabling end users in a secure manner, information security focuses on securing cyber assets, while cybersecurity is about detecting and neutralising cyber-attacks in cyberspace. You may be able to compare this to the police, military and intelligence agencies. Secondly, 'offensive defence,' where the cybersecurity team will adopt predictive practice and even hunt for threat vectors that are in a very early stage inside the attacker's territory.

Is it a good idea to automate security? Well, we do not have a choice and need AI to eventually automate whatever function of security we can. With time, the ability to capture data from logs and forensics is growing and hence we have another heap of 'Big Data'. It is simply not possible to parse through data in a semi-automated manner, take remediation actions and run configuration and filters to mitigate an imminent threat, hence AI is the only answer.

How important is it for regional enterprises to have an incident detection and response mechanism in place?

It would be one of the most important parts of the comprehensive and holistic enterprise security architecture and most organisations have it. The first issue to be addressed is to fill in the current gaps and the next issue is to differentiate between the incident response inside the network and the offensive defence incident response in cyberspace. This second part requires a reach across the globe to neutralise attack infrastructure that may be distributed across multiple ISPs and hosts.

Do you think cybersecurity is now a boardroom agenda for enterprises in the region?

I believe cybersecurity has been a boardroom agenda since the Shamoon incident at Aramco in August 2012. However, it seems to be at the bottom of everyone's priorities, being pushed up temporarily in reaction to an internal impact or to major news of an impact elsewhere. The issue is not within the board, but rather that the security industry has been unable to prove enterprise security as an investment and a business enabler. Currently, due to the 'WannaCry' ransomware, the opportunity is there once more for us to make security an investment with it being on top of the agenda.
INTERVIEW NANJGEL SOLUTIONS

Upping the ante

Jude Pereira, founder and CEO, Nanjgel Solutions, explains why companies in the region must automate their security processes and adopt a framework-based approach to fend off breaches.

How do you see the threat landscape evolving this year?

Cyber-attacks took centre stage in the news, social media and political discussions in 2016. Hillary Clinton's presidential campaign, the Ukraine power grid attacks, the cyber bank heist where hackers stole $81 million from the Bangladesh National Bank's account at the US Federal Reserve, 500 million breached accounts from the Yahoo incident and the distributed denial of service (DDoS) attack on Dyn that crippled the Internet for several hours are some of the most high-profile attacks we saw last year.

Moving forward, organisations wishing to get ahead of the cybersecurity challenges in 2017 must ratchet up their cyber defence with an unprecedented level of inspection and speed. A level that not only adapts to new threats, but also is trusted by leading government agencies and defence departments around the world to detect, disassemble and thoroughly sanitise digital activity in real time flowing in and outside the organisation.

What kind of fundamental strategies do you recommend for CISOs to keep pace with rapidly evolving attacks?

The complexity of solving threats is increasing and human beings are needed to compensate for the lack of automation. The problem is that there are so many manual processes, which is why I always say security should be automated, and not fragmented. My simple advice to CISOs is: now that the war is against incredibly fast bots and machines, security automation would be the only key to success.

Do you think cybersecurity is now a boardroom agenda for enterprises in the region?

Security is indeed a boardroom game now, and CISOs are directly responsible. Before, they didn't even know what devices or policies they had. Now the top is getting hammered. If a company is impacted by a breach, the first party to be reprimanded is the top management, not a junior engineer at the bottom. This shift is very important.

What is the primary focus of your participation at this year's GISEC?

Security automation would be our primary focus at this year's GISEC. We have now enabled our Condor Watch framework to be automated and respond against the latest threats at machine speed.

What products and solutions are you showcasing at this event, and how can CISOs benefit from these?

We are showcasing a cyber threat intelligence platform from LookingGlass, incident response from IBM, multi-authentication solutions from Easy Solutions and endpoint management technology from Forescout. The highest value CISOs can get is a cybersecurity framework which has built-in accountability, analytics and automation.
[Advertisement] Nanjgel Solutions: datacenter security automation (incident response, threat intelligence, security information & event management, database security, network access control, next-generation APT, insider threat prevention, next-generation endpoint protection). GISEC, 21st-23rd May 2017, Dubai World Trade Centre. Dubai: tel +971 4 4330560, fax +971 4 4537281, sales@nanjgel.com. Abu Dhabi: tel +971 2 6226301, fax +971 2 6226302. www.nanjgel.com
INTERVIEW BARRACUDA NETWORKS

A new approach to threat protection

Husni Hammoud, general manager, Barracuda Networks Middle East and Turkey, explains how his company can help enterprises detect, protect and recover from ransomware attacks.

How do you see the threat landscape evolving this year?

Cyber threats are constantly evolving, which requires that consumers be especially vigilant in preventing such attacks. Security analysts predict an average of 200 new variants of ransomware per quarter with no signs of slowing well into 2023. According to Osterman Research sponsored by Barracuda Networks, phishing and ransomware are very serious threats that can cause enormous damage to an organisation's finances, data assets and reputation. Both phishing and ransomware are increasing at the rate of several hundred percent per quarter, a trend that will continue for at least the next 18 to 24 months.

The stakes are very high and getting it wrong has significant consequences, including:
- Brand damage due to customer loss
- Loss of competitive advantage due to corporate espionage
- High cost of responding to a breach

What is the primary focus of your participation at this year's GISEC?

The Middle East market is focused on cyber security and web security, which made Barracuda participate in GISEC this year as this is a platform fully focused on cyber threats and IoTx. We are going to showcase the Barracuda Web Application Firewall, which helps you to secure your apps on-premise and in the cloud, next-gen firewalls and Barracuda Essentials for Office 365.

What kinds of strategies do you recommend for CISOs to keep pace with rapidly evolving attacks?

The cyber threat landscape is constantly evolving with new attacks (malware, spam, URL-based attacks) entering the scene on a daily basis, forcing organisations to stay on top of their game in order to survive. And, perhaps more importantly, everyone is a target, not just the largest of organisations.

Prevention. The goal of a successful prevention strategy is to effectively act on known threats and information. Utilising solutions such as next-generation firewalls, endpoint security and secure email gateways is important in order to reduce the expensive and time-consuming analysis and effort of advanced threat detection and mitigation.

Detection. Organisations must have detection points that span all the access vectors (email, Web etc.). This is especially true given the explosion of the attack surface with mobility, and cloud computing presenting access points into the enterprise.

Mitigation. Finally, organisations need to be able to effectively, and quickly, mitigate any detected intrusions. The goal is to remove the threat. Timely mitigation should help stop an attack before it results in a breach.

Repetition. Securing the organisation is more of a journey than a destination. For this entire process to be effective within an evolving environment, organisations need to place emphasis on the significance of an ongoing threat assessment mentality.

Do you think cybersecurity is now a boardroom agenda for enterprises in the region?

Yes, cybersecurity is now a topic of discussion at the majority of board meetings, according to a recent NYSE/Veracode survey. It is no longer just an IT issue, a policy or compliance issue – it is a corporate risk issue. Forrester states that CEOs are now mainly held responsible for data breaches – a shift from it solely being the responsibility of the CISO.

Barracuda is well-positioned to provide the necessary protection with its portfolio of security products, which are all protected with its 'Advanced Threat Protection' technologies that will remove all known and unknown threats.
[Advertisement] Exclusive Networks: 90% of organisations suffer security breaches (source: 2015 Information Security Breaches Survey Technical Report, HM Government). Digital readiness in the face of ever-changing risk: by 2020 our digital footprint will be larger than life and fully mobile, requiring more security than ever before (source: IDC, The Digital Universe in 2020). CARM (Cyber Attack Remediation & Mitigation) is Exclusive Networks' cybersecurity solution framework, supporting organisations on their journey to address changing risk in the digital world. With CARM your customers can protect their core business and achieve compliance without compromising agility, keep one step ahead of evolving threats by blocking their path, and adopt a universal, end-to-end cybersecurity approach that addresses post-breach. For more information: www.exclusive-networks.com/ae, +971 4 3757612.
INSIGHT IOT

Six things you need to know about IoT security

It's in every company's best interest to 'do' IoT correctly, which means ratcheting up security measures for protecting data and bringing better services.

Successful IoT offerings rely on the perception of benefit they can deliver to businesses and consumers while creating a proportionate foundation of security, trust, and data integrity. There are ways IoT technology can reduce data security risk while improving customer experience in a connected world. Here are the top tips for securing IoT:

Justify the business expense of 'embedding' security

As with all technology, IoT security considerations should be embedded in every phase of development, from inception to deployment. Everyone wants the wondrous new capabilities, but many balk at the price tag and operational complexity that goes with it. Security becomes an afterthought that is addressed at the end of the process, if at all. Those same organisations should be aware that there are now numerous legal implications surrounding how an organisation handles its IoT security.

Test, test, and re-test

As you're developing your IoT applications and services, you need to conduct continuous internal and third-party vulnerability analysis and penetration testing. Keep in mind that it's better to fold security into the product development cycle, rather than bolting it on after the fact.

Proactively manage IoT security operations remotely

Ideally, companies should be able to remotely push security patches and updates as soon as they're available, so known vulnerabilities are closed before they can be exploited. Updates and patches should not modify user-configured preferences, security, and/or privacy settings without user notification. Automated (as opposed to automatic) updates increase customer trust because you do the heavy lifting, while still providing users with the ability to approve, authorise or reject changes.

Encryption is your friend

Beefing up encryption is also advised in the Online Trust Alliance's new IoT Trust Framework. Show your customers you care about their privacy by ensuring that any support websites used in your IoT service fully encrypt user sessions, from the device to the backend. 'Current best practices include HTTPS or HTTP Strict Transport Security (HSTS) by default, also known as AOSSL or Always On SSL.' Note that HSTS is a browser-side control: the device-to-backend leg is only covered if the device's own client code enforces TLS and validates the server certificate, so check that path separately.

Transparency matters

Good transparency principles aren't exclusive to IoT, but require understanding that privacy threats in an IoT system are unique and require transparent disclosure related to three inputs:
• Personal data collected or generated.
• Data actions performed on that information.
• The context surrounding the collection, generation, processing, disclosure and retention of this personal data.

Embrace edge analytics and minimise the amount of sensitive data in transit

With IoT applications, as information is relayed from IoT endpoints to the cloud for computation and analysis, there's always a risk of exposure and threat of interception. But the current trend toward moving some computation to IoT endpoints and transmitting only prescribed information reduces the amount of potentially sensitive raw data in transit. While the arguments for edge computing generally centre around increasing real-time functionality and the savings associated with machine learning and AI, mitigating customer data exposure is an added benefit. The raw data then lives on the endpoint instead, so the device needs storage protection and a deletion policy of its own.
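The 'Proactively manage IoT security operations remotely' tip above says updates must not silently change user-configured security or privacy settings, and that users should be able to approve or reject changes. The following Python sketch, added here as an illustration and not taken from the article or from any vendor's update client, shows what that gate looks like in code: it verifies the payload against the manifest digest, refuses rollbacks to older versions, and parks any update that would change a user-owned setting until the user consents. The manifest layout, the setting names and the firmware bytes are all invented for the example; a production client would also verify a vendor signature over the manifest, which is left out so the block runs on the standard library alone.

```python
"""Update gate for a remotely managed IoT device (added example; manifest format is invented)."""
import hashlib
from dataclasses import dataclass, field

# Settings the user may have chosen deliberately. An update that changes any of these
# must notify the user and wait for consent. The names are assumptions for this example.
USER_OWNED_SETTINGS = {
    "telemetry.enabled",
    "cloud.share_recordings",
    "remote_access.enabled",
    "privacy.retention_days",
}


@dataclass
class Decision:
    action: str                                   # "reject", "await_approval" or "apply"
    reasons: list = field(default_factory=list)   # human-readable explanation for the audit log
    changes: dict = field(default_factory=dict)   # setting -> (old, new) the update would make


def parse_version(version):
    """'2.4.1' -> (2, 4, 1); tuples compare correctly where strings do not ('2.10' vs '2.9')."""
    return tuple(int(part) for part in version.split("."))


def verify_payload(manifest, payload):
    """Integrity check only: the payload must hash to the digest named in the manifest.
    A real client also verifies a vendor signature over the manifest itself."""
    return hashlib.sha256(payload).hexdigest() == manifest.get("sha256")


def settings_diff(current, proposed):
    """Every setting whose value the update would change, as setting -> (old, new)."""
    return {k: (current.get(k), v) for k, v in proposed.items() if current.get(k) != v}


def gate_update(manifest, payload, current_settings, user_approved=False):
    """Decide whether an update may apply unattended, must wait for the user, or is rejected."""
    if not verify_payload(manifest, payload):
        return Decision("reject", ["payload digest does not match manifest"])
    installed = current_settings["firmware.version"]
    if parse_version(manifest["version"]) <= parse_version(installed):
        # Anti-rollback: replaying an old, still-valid but vulnerable image gets an attacker nowhere.
        return Decision("reject", [f"version {manifest['version']} is not newer than installed {installed}"])
    changes = settings_diff(current_settings, manifest.get("settings", {}))
    user_owned = {k: v for k, v in changes.items() if k in USER_OWNED_SETTINGS}
    if user_owned and not user_approved:
        reasons = [f"would change user-owned setting {k}: {old!r} -> {new!r}"
                   for k, (old, new) in sorted(user_owned.items())]
        return Decision("await_approval", reasons, user_owned)
    return Decision("apply", ["digest verified", "version is newer",
                              "no unapproved changes to user-owned settings"], changes)


def make_manifest(version, payload, settings=None, sha256=None):
    """Build a manifest in this example's invented layout."""
    return {
        "version": version,
        "sha256": sha256 or hashlib.sha256(payload).hexdigest(),
        "settings": settings or {},
    }


# Constructed inputs for the demonstration: not a real firmware image or a real device's state.
PAYLOAD = b"constructed firmware image bytes for the example"
CURRENT = {
    "firmware.version": "2.4.1",
    "telemetry.enabled": False,
    "cloud.share_recordings": False,
    "remote_access.enabled": True,
    "privacy.retention_days": 7,
    "ui.theme": "dark",
}
COSMETIC = make_manifest("2.5.0", PAYLOAD, {"ui.theme": "light"})                # safe to auto-apply
OPT_IN_TELEMETRY = make_manifest("2.5.0", PAYLOAD, {"telemetry.enabled": True})  # needs consent
ROLLBACK = make_manifest("2.3.0", PAYLOAD)                                       # older than installed
TAMPERED = make_manifest("2.5.0", PAYLOAD, sha256="00" * 32)                     # digest mismatch

if __name__ == "__main__":
    for name, manifest in (("cosmetic", COSMETIC), ("telemetry", OPT_IN_TELEMETRY),
                           ("rollback", ROLLBACK), ("tampered", TAMPERED)):
        decision = gate_update(manifest, PAYLOAD, CURRENT)
        print(f"{name:10} -> {decision.action}: {'; '.join(decision.reasons)}")
```

The split between "await_approval" and "apply" is the article's automated-versus-automatic distinction: the vendor stages and verifies everything, but a change to a user-owned setting is surfaced with its old and new value and waits for the user, while a purely cosmetic change can ship unattended.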
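For the 'Encryption is your friend' tip above, this is the check a practitioner would run against a support or backend host: does plain HTTP redirect permanently to HTTPS, does the HTTPS response carry a strong Strict-Transport-Security policy, and are session cookies marked Secure. It is an added example written for this guide, not code from the article or from the IoT Trust Framework; it evaluates already-captured responses (a status code plus a header list), so the sample inputs below are constructed, and the one-year max-age floor is an assumption rather than anything the article specifies.

```python
"""Always-on-TLS check for an IoT support/backend host (added example; evaluates captured responses)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MIN_MAX_AGE = 31_536_000  # one year: a widely used floor for HSTS max-age, chosen here as an assumption


@dataclass
class Finding:
    problems: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.problems


def _headers_by_name(header_list):
    """Group (name, value) pairs by lowercase name; repeated headers such as Set-Cookie keep every value."""
    grouped = {}
    for name, value in header_list:
        grouped.setdefault(name.lower(), []).append(value)
    return grouped


def parse_hsts(value):
    """Parse 'max-age=31536000; includeSubDomains; preload' into its directives (names are case-insensitive)."""
    parsed = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            raw = raw.strip().strip('"')
            parsed["max-age"] = int(raw) if raw.isdigit() else -1  # -1 marks a malformed value
        elif name in parsed:
            parsed[name] = True
    return parsed


def check_always_on_tls(host, http_response, https_response):
    """Evaluate one host's plain-HTTP and HTTPS responses.

    Each response is {'status': int, 'headers': [(name, value), ...]}, i.e. what any HTTP client
    returns for GET http://host/ and GET https://host/. Every deviation is recorded in .problems.
    """
    finding = Finding()

    # 1. Plain HTTP must hand the browser straight to HTTPS on the same host, permanently.
    http_headers = _headers_by_name(http_response["headers"])
    location = http_headers.get("location", [""])[0]
    target = urlsplit(location)
    if http_response["status"] not in (301, 308):
        finding.problems.append(f"http: expected a permanent redirect, got status {http_response['status']}")
    if target.scheme != "https" or target.hostname != host:
        finding.problems.append(f"http: redirect target is not https://{host} ({location!r})")

    # 2. The HTTPS response must pin the browser to TLS for a long time, subdomains included.
    https_headers = _headers_by_name(https_response["headers"])
    hsts_values = https_headers.get("strict-transport-security", [])
    if not hsts_values:
        finding.problems.append("https: no Strict-Transport-Security header")
    else:
        hsts = parse_hsts(hsts_values[0])
        if hsts["max-age"] is None or hsts["max-age"] < MIN_MAX_AGE:
            finding.problems.append(f"https: HSTS max-age {hsts['max-age']} is below {MIN_MAX_AGE}")
        if not hsts["includesubdomains"]:
            finding.problems.append("https: HSTS lacks includeSubDomains, so device/API subdomains stay downgradable")

    # 3. A session cookie without Secure can leak over the one plaintext request a first-time visitor still makes.
    for cookie in https_headers.get("set-cookie", []):
        attributes = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attributes:
            finding.problems.append(f"https: cookie {cookie.split('=', 1)[0]!r} is set without the Secure flag")
    return finding


# Constructed sample responses (not captured from any real service).
GOOD_HTTP = {"status": 301, "headers": [("Location", "https://support.example.com/")]}
GOOD_HTTPS = {"status": 200, "headers": [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]}
BAD_HTTP = {"status": 200, "headers": [("Content-Type", "text/html")]}  # serves the page in the clear
BAD_HTTPS = {"status": 200, "headers": [
    ("Strict-Transport-Security", "max-age=300"),        # far too short, no includeSubDomains
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),  # no Secure flag
]}

if __name__ == "__main__":
    for label, http, https in (("good", GOOD_HTTP, GOOD_HTTPS), ("bad", BAD_HTTP, BAD_HTTPS)):
        result = check_always_on_tls("support.example.com", http, https)
        print(label, "OK" if result.ok else result.problems)
```

Feed it the two responses from whatever HTTP client you already use. The redirect and the Secure flag are checked alongside the header because HSTS only takes effect after a browser has seen it once over HTTPS; the very first plaintext request is the gap that preloading and a Secure-only session cookie are there to close.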
[Advertisement] Sophos Synchronized Security: a best-of-breed security system where integrated products dynamically share threat, health and security information to deliver faster, better protection against advanced threats. Visit Sophos at stand B-100, Hall ZABS, GISEC 2017, 21st to 23rd May.
INSIGHT IAM

Why IAM implementations fail

It is easy to overlook identity and access management as static infrastructure in the background. Too few organisations treat IAM as the crucial, secure connective tissue between businesses' multiplying employees, contractors, apps, business partners and service providers.

When organisations fail to properly align business processes and organisational practices with IAM deployments, security strategies are put at risk. Here are some of the biggest missteps companies should avoid when it comes to IAM implementations:

Treating IAM like a project, not a programme

Organisations treat IAM as a one-and-done project, not the type of evolving and adaptive programme necessary to actually encompass organisations' riskiest asset: their people. Words like 'checklist' and 'end date' are red flags in IAM meetings; they betray short-term, project-oriented thinking. This misstep dooms many IAM initiatives right out of the gate.

Investing too little in IAM

Project-oriented thinking leads to shortchanging IAM. You avoid this by beginning with a multi-year plan that breaks up costs into implementation and operational stages. Forecast the number of people needed, whether the IAM solution will run on-premise, for example, and what infrastructure expenses are expected. Within this plan, a team structure should be developed, with an IAM 'owner,' so roles, responsibilities, and accountability standards can be established. Without this philosophy in place, IAM programmes are paralysed by chronic resource shortfalls and are dangerously incomplete.

Poor communication, period

This dooms any programme, but particularly when it comes to IAM because, unlike forensics or threat intelligence, identity and access seem abstract and obscure. In a recent NACD study, only 15 percent of directors were "very satisfied" with the quality of cyber security information they receive from their management team. Don't be a statistic: IT and security leaders need to take their first, best opportunity to set the storyline for why IAM is important and its business advantages.

Fumbling executive buy-in

Top executive support is crucial in every IT programme, but too often IAM fails because backers use vague words like 'security' and 'risk.' Instead, put IAM advantages in quick-win ROI language any executive will recognise, like explaining how this initiative will let you onboard new employees faster, use new applications more flexibly or seamlessly engage with more overseas partners.

Dictating IAM to end-users

Face it, frontline end-users are reflexively hostile to change, meaning an IAM programme that feels arbitrary and foisted upon them will trigger backlash. Spend time to understand end-user stakeholders' requirements and routine; they're almost always perfectly compatible with IAM elements tailored the right way. This deftly avoids complaints about productivity, application support and other headaches.