Cybersecurity: The Best Defense is a Good Offense

Cybersecurity is a bit like that classic joke about two hikers and a bear.  As a bear approaches the pair, the first hiker frantically digs a pair of sneakers out of a backpack and puts them on in a hurry. 

“What are you doing? You can’t outrun a bear!” exclaims the second hiker.
“I don’t have to outrun a bear,” replies the first hiker. “I just need to outrun you.”

In an information security context, this means being harder to breach than the next target, which motivates bad actors to pursue softer targets.   That’s how Tim Callahan set up his presentation at the 2017 RSA Conference titled, An Aflac Case Study: Moving a Security Program from Defense to Offense. Mr. Callahan is a senior vice president and CISO for the supplemental health insurance carrier. 

Defining an Offense in Cybersecurity

Every company is vulnerable, which is why phrases like “assumed breach” have entered the security lexicon.  A good offense is about both making the act of a breach as challenging as possible – and being ready to respond if in fact the organization is compromised.

It’s also important to define what an offense in cybersecurity does not mean. Mr. Callahan does not advocate for measures such as a “hack back.” This is where, for example, if a company is attacked, it might in turn attack the source – or perceived source.

Hacking back, he says, is fraught with risk for several reasons.  These include the fact that most businesses simply don’t have the intelligence to have comprehensive situational awareness.  A hacker might use a server that runs a life-support device as a proxy.  If that company responded by attacking that server, it might unknowingly put lives at risk.

The Four Pillars of a Cybersecurity Offense

Enterprises need four pillars to design and implement what Mr. Callahan calls a “preemptive environment.” Those components are:

  • An effective intelligence program
  • A good analytics system
  • An environment that keeps the “fight far” from the core business
  • The right team

He walked through each pillar as follows:

1) Threat intelligence.  Security analysts need multiple sources of information.  In Mr. Callahan’s view, this means gathering internal threat data and augmenting it with several classes of external sources.  To that end, he breaks threat intelligence into three categories:

  • Internal sources.  This includes traffic, log files, appliances and even employee behavior.  The behavioral difference means being able to distinguish between a clumsy user attempt to retrieve a lost password and a brute-force effort to crack one.
  • External sources.  This category includes open source information, association memberships, vendors, and even government sources.  He spoke highly of the Automated Indicator Sharing service, a public-private partnership sponsored by the Department of Homeland Security (DHS).
  • Dark web.  The dark web provides the opportunity to monitor forums frequented by bad actors for information you can use to proactively protect the enterprise. Mr. Callahan says Aflac subscribes to services for this information, rather than having his own employees canvass the chat rooms.  These services have helped discover stolen credentials for sale and even helped gather information about a planned deliberate attack on Aflac, which enabled the company to make changes to avert it before it happened.

2) Security analytics.  Security analytics is an enabling technology that lets analysts ingest vast amounts of seemingly disparate data and find connections that are hard for a human mind to detect.  It takes the internal sources of data and correlates them with external sources of information.  In this way, Aflac has been able to develop a confidence score that triggers a machine to take action – to block an exploit of a hole, for example.

The challenge with this approach, according to Mr. Callahan, is that it’s at odds with conventional IT change management processes.  This is why a confidence score based on internal and external sources is so important.  Aflac has been able to master this – with “almost heroic” results from just a five-person analytics team.  Those results include:

  • Two million connections blocked with only 12 false positives
  • Average of 90 threat actor campaigns maintained
  • More than five million indicators of compromise maintained
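The behavioral distinction from the threat-intelligence pillar (a clumsy user versus a brute-force attempt) and the confidence score described here, as an added example that is not Aflac’s or Bricata’s code: internal authentication events are correlated with an external indicator feed, and only the case corroborated by both sources scores high enough to trigger an automatic block, while weaker matches are queued for an analyst. The log lines, feed names, weights and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of internal authentication log lines (not real data):
# timestamp, source IP, account, result.
INTERNAL_AUTH_LOG = """\
2017-02-13T09:00:01 10.0.0.5 alice FAIL
2017-02-13T09:00:40 10.0.0.5 alice FAIL
2017-02-13T09:02:10 10.0.0.5 alice SUCCESS
2017-02-13T09:10:00 203.0.113.7 alice FAIL
2017-02-13T09:10:01 203.0.113.7 bob FAIL
2017-02-13T09:10:02 203.0.113.7 carol FAIL
2017-02-13T09:10:03 203.0.113.7 dave FAIL
2017-02-13T09:10:04 203.0.113.7 erin FAIL
2017-02-13T09:30:00 198.51.100.9 bob FAIL
2017-02-13T09:30:30 198.51.100.9 bob FAIL
"""

# Constructed external indicator feed: source IP -> (hypothetical feed name, confidence 0..1).
EXTERNAL_INDICATORS = {
    "203.0.113.7": ("sharing-partner-feed", 0.8),
    "198.51.100.9": ("open-source-blocklist", 0.4),
}

BLOCK_THRESHOLD = 0.8   # automatic action only at or above this score
REVIEW_THRESHOLD = 0.3  # between the two: queue for an analyst, do not act

def parse_log(text):
    """Parse the constructed format into (timestamp, src, user, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result == "SUCCESS"))
    return events

def internal_signals(events, window=timedelta(minutes=5)):
    """Per source IP: densest burst of failures inside `window`, distinct accounts
    tried, and whether the source eventually logged in successfully."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    signals = {}
    for src, evs in by_src.items():
        fails = sorted(ev for ev in evs if not ev[3])
        burst = 0
        for i, (t0, *_) in enumerate(fails):
            burst = max(burst, sum(1 for f in fails[i:] if f[0] - t0 <= window))
        signals[src] = {
            "burst_failures": burst,
            "distinct_users": len({f[2] for f in fails}),
            "eventual_success": any(ev[3] for ev in evs),
        }
    return signals

def behaviour_score(sig):
    """Internal score 0..1. A clumsy user retries one account a few times and then
    gets in; a brute-force or password-spray attempt hits many accounts fast and fails."""
    if sig["distinct_users"] >= 3 and sig["burst_failures"] >= 5:
        return 0.9
    if sig["burst_failures"] >= 5:
        return 0.6
    if sig["eventual_success"]:
        return 0.0
    return 0.2

def confidence(src, sig, indicators):
    """Combine internal behaviour with external reputation. Agreement of both earns
    a bonus; either signal alone (max 0.5) cannot reach BLOCK_THRESHOLD."""
    ext_score = indicators.get(src, (None, 0.0))[1]
    beh = behaviour_score(sig)
    corroborated = 0.2 if ext_score > 0 and beh >= 0.6 else 0.0
    return round(min(1.0, 0.5 * ext_score + 0.5 * beh + corroborated), 2)

def decide(score):
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "allow"

def triage(log_text, indicators):
    """Return {source IP: (confidence, decision)} for every source seen in the log."""
    result = {}
    for src, sig in internal_signals(parse_log(log_text)).items():
        score = confidence(src, sig, indicators)
        result[src] = (score, decide(score))
    return result
```

Running `triage(INTERNAL_AUTH_LOG, EXTERNAL_INDICATORS)` blocks only the sprayed source that also appears in the partner feed; the retrying user is allowed and the weak blocklist match goes to review.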

3) Fight far.  By “fight far” Mr. Callahan is referring to building layers of security in order to keep the cybersecurity battles “away from your core.”  The closer the fight is to the core business, the less margin there is for error.  The far fight is about putting multiple obstacles between those core systems and the avenues of approach a hacker might take in an attempt to gain entry.

The far fight for Aflac begins all the way out in the cloud with “blackholing,” which he describes as working with an ISP to shed any traffic “that can’t be good.”  The depth also includes multiple firewalls, anti-virus, and quarantine that continuously reduce the threat.  Inside the firewall, Aflac maintains IPS, sandboxing, an experimental program with deception and decoy tools – and of course HIDS. Slide #9 of his presentation contains a graphical illustration of the far fight Mr. Callahan describes.

4) Staffing and building the team.  It’s no secret there’s a cybersecurity skills gap.  Mr. Callahan cites data from research firm Frost & Sullivan which suggests 1.5 million cybersecurity jobs will go unfilled by 2020.

This is a challenge he’s experienced firsthand at Aflac.  He says his hiring – about 30 new employees per year – is limited purely by the ability to find the right experience and skill sets.  To that end, he’s improvised and offered several ideas to work through the challenge of a talent shortage.

  • Recruiting military and veterans.  Mr. Callahan noted veterans have the core instincts to protect sensitive information.  This, in combination with the fact that he finds this group “very trainable,” makes veterans an ideal source of talent.  It might also help that Mr. Callahan himself once wore a uniform, and that the Aflac headquarters is located in Columbus, Ga., which is close to the sprawling military community of Ft. Benning.
  • Relatable skills.  Sometimes skill sets from other functional areas are a good match, as well.  For example, a data scientist can be even better suited to a security analytics role than experienced security personnel. Mr. Callahan points out you can train a data scientist on the security threats to look for, but they often inherently have a better aptitude for the important task of data interpretation.
  • Grow from within IT.  He also discussed “re-purposing” employees from other IT specializations.  He has found network engineers have the right aptitude for security.  There’s also an advantage in the fact that network engineers already know the IT environment and corporate culture.

He was careful to point out the importance of cultivating and maintaining some existing leadership and experience to successfully tap talent from these other areas and train them properly. 

* * *

Mr. Callahan’s session was recorded and is freely available online without registration.  His entire presentation runs about 45 minutes and is well worth making the time to listen or watch. 


Photo Credit: Pixabay (CC0 1.0)

Salary Survey: What's a CISO Worth in 2017?

On the heels of a record-breaking year for incidents and breaches, the security industry may be headed towards breaking one more:  the salary paid to top security officers.

Security Current, a news and advice site for security professionals, recently released a survey putting the average Chief Information Security Officer (CISO) salary in the U.S. at $273,000 per year.

A CISO we spoke with thought the average was “about right” for large enterprises, especially those in regulated markets. However, he thought the figure was not reflective of smaller organizations where a leader may be tasked with security responsibilities, but may not hold the designated title of CISO.

That CISO works for a sizable managed services provider serving a sensitive vertical market. He requested his comments remain anonymous.

Overall, his reaction was not so much about whether $273,000 was the right figure; rather, he emphasized the value a CISO delivers as the driver behind rising salaries. It’s “not whether it’s the correct amount in relation to the responsibility, it’s the value you receive from a CISO that is going to really understand this space, drive compliance measures and help align and balance risks, in conjunction with the board [of directors],” he said.  He likened the role of the CISO to other leaders in the C-suite.  They all have responsibilities that extend to other areas of the business and are not typically well understood.

"You need a trusted advisor and business leader," he said. A CISO provides subject matter expertise that helps enterprises mitigate risk and "minimize bad outcomes." He was careful to underscore the leadership aspects of a CISO as well.  He noted that supporting staff are still necessary to execute on security recommendations.

"That makes more sense when you see that spending in risk mitigation should be some factor of that potential loss exposure. Organizations that hire a $273K CISO and then starve security spending thinking that’s the key are not getting the bigger picture."

Benchmarking: 3 Additional Security Salary Surveys

While just 74 CISOs took the Security Current survey, nearly half of the respondents (46%) said they were the first person to hold the CISO title in their organization.  This suggests that industry benchmarks including the role, responsibilities and compensation are still emerging.  Even so, we also reviewed three other salary surveys to identify ranges or other salary benchmarks that might prove useful to a CISO.

1) 2017 Salary Outlook by Mondo.  Citing the 2017 Salary Outlook by the talent agency Mondo, Ann Bednarz of Network World reported: “CISO ranks third in Mondo’s salary guide, with a salary range of $145,000 at the low end and $250,000 at the high end.”  “It’s one of two security jobs with a salary range that tops $200,000,” she noted in her piece titled, 13 tech jobs that pay $200k salaries.  “The other is application security engineer, which commands between $125,000 and $210,000.”

The Mondo guide did not provide an average or median salary as a point of comparison.

2) SilverBull on CISO Salaries, Cities and Issues.  The second benchmark we looked at was from the staffing agency SilverBull.  This recruiting agency has published several surveys like this that have been widely reported. The most recent survey we spotted was published in May of 2016 and put the median salary for CISO at $224,000 with a range between $137,000 and $346,000.  An infographic visualizing the SilverBull data lists six cities, all notable tech hubs, where CISO jobs are most in demand.  These cities are Boston, New York, Washington, Atlanta, Chicago and San Francisco.

It also lists 10 top issues facing CISOs including advanced persistent threats (APTs), cloud security, bring-your-own-device (BYOD), network transformation, and malware or spyware.

3) The median for a CISO by  The third and final source we reviewed was an assessment provided by  The website said, “The median annual Chief Information Security Officer salary is $198,226, as of January 30, 2017, with a range usually between $166,662-$239,680.” The website provides a caveat noting the range “can vary widely depending on a variety of factors.”

CISOs May Earn More than CIOs

“In some cases, CISOs may now make more than CIOs,” according to CIO Dive, citing the 2017 Technology & IT Salary Guide by the recruiting and staffing firm Robert Half Technology in a comparison to the Security Current survey. That guide estimates salaries for chief information officers will range between $175,000 and $279,000 – a 3.1% gain year-over-year.  While the Robert Half survey doesn’t list the title of CISO, it does estimate a compensation bracket for the comparative title of Chief Security Officer (CSO) at between $145,250 and $236,750.  Those salaries will rise at a slightly higher rate – 5.3% – over the previous year.

CISO Reporting to the CEO

It’s not just that CISOs might earn more money than CIOs; they, in fact, might be on their way to becoming peers.   In a column for Forbes, Steve Morgan, the founder of Cybersecurity Ventures, cited research from IDC predicting three-quarters of CSOs and CISOs will “report directly to the CEO, not the CIO” by 2018.  And that might make sense when the responsibilities of these professionals are considered in context.  For example, in a commentary published on LinkedIn about CISO salaries and recruiting, Bruce A. Brody, a CISO with PricewaterhouseCoopers, noted, “the average breach now costs almost $4 million according to the Ponemon Institute.”

Mr. Brody’s commentary is now older, but still quite relevant.  Newer data only seems to substantiate his assessment.  For example, as we noted earlier, reports stemming from the 2016/2017 Global Fraud and Risk Report by Kroll detailed the cost of cyber incidents (as opposed to breaches) as a percentage of revenue.

The majority of respondents (57%) said such incidents cost enterprises 1-3% of revenue; another 10% said the cost was 4-6% of revenue, and 3% put the cost between 7-10% of revenue.  About one-third (30%) put the cost at less than 1% of revenue.

The Human Problem in CISO Demand

The market for CISOs is likely to remain highly competitive as demand continues to outpace supply.  More importantly, some CISOs seem open to jumping ship.  About half of all respondents (51%) to the Security Current survey “said they would be open to accepting a new position in 2017.”  While about the same number (47%) cited the chance to earn more money as a motivation for a job change, “other influencing factors included more visibility to the board and executive leadership team as well as an equity stake.”

To that end, it’s not just money or even demand that makes recruiting the CISO role so challenging, as New York University Professor Nasir Memon explained to the New York Law Journal.

"Security is not just a technical problem," he said in an interview for a piece titled, FBI Official: Feds Can't Compete With Top Tech Companies for Cybersecurity Analysts. "It's a legal problem. It's a policy problem. It's a human behavior problem."

* * *

What do you think?  Are you addressing the legal, policy and behavior challenges related to security?  Are your security challenges being starved of appropriate funding?


Photo credit: Pixabay (CC0 1.0)

Cliff Notes to 3 Notable Cybersecurity Studies

There have been several new cybersecurity reports published since the beginning of the year. It’s hard enough to keep pace with security events, let alone the studies about the events, so we’ve put together a cliff note version for the time-strapped security professional.

Each section provides a link to the underlying source along with links to news and commentary around the study for additional review. 

Interestingly, in mulling over the aggregate of data, the trend line appears to follow a trajectory like this:  incidents and breaches are up and so security budgets are shifting to address the business problem.

This post provides a short summary and links to underlying sources recommended for additional reading.   Here are the cliff notes to these three cybersecurity studies:

1) Costs add up as Cyber Incident Volume Grows

More than 85% of executives experienced a cyber incident over the past year, per Dark Reading.  The data stems from the 2016/2017 Global Fraud and Risk Report by Kroll, which commissioned Forrester Consulting to survey 545 executives.

It’s worth noting that an “incident” is not necessarily synonymous with a breach.  The Dark Reading report summed up the type of incidents this way:
  • 38% experienced theft or loss of intellectual property
  • 33% reported virus attacks
  • 26% experienced phishing attacks in email

Interestingly, the origin of many cyber incidents could belong to a familiar face. “Nearly half (44%) of respondents hold insiders responsible for cyber incidents; more than half (56%) say insiders were ‘key perpetrators’ of security problems.”

“Statistics prove that more risk exists within an organization,” wrote Ryan Francis, the managing editor of CSO. He put together a handful of tips on how to eliminate insider threats.

Technology trade publication eWeek homed in on the costs of such incidents.  The majority (57%) reported that such incidents cost enterprises 1-3% of revenue. Another 10% of respondents said the cost was 4-6% of revenue, and, alarmingly, 3% put the cost between 7-10% of revenue.

2) Data Breaches Set U.S. Record in 2016

There were more than a thousand U.S. data breaches in 2016, which was a 40% increase over the previous year and set an all-time record.  More specifically, a report by the Identity Theft Resource Center (ITRC) and CyberScout put that number at precisely 1,093 – well above the 780 breaches reported the previous year.

The organization has tracked breaches across five sectors since 2005.  The business sector experienced the most breaches with 494 in 2016, while the financial sector experienced the least with 52.  The report suggested recent efforts to make breach information publicly available may have been a contributing factor to the spike.

In a news analysis for Light Reading, Security Editor Curtis Franklin places this into context:

“Regardless of the source, there's no doubt that the number of records involved in data breaches in 2016 was huge. A quick scan through the list of breaches made public in 2016 (though the list includes some breaches that occurred in previous years) show more than 2.3 billion records revealed to unauthorized individuals. And those compromised records carry a steep cost. Per the 2016 Cost of Data Breach Study, Global Analysis conducted by the Ponemon Institute, the average cost per lost record is $158, with an average cost per breach of $4 million.”

Hacking, skimming or phishing “attacks accounted for 55.5 percent of breaches in 2016, an increase of 17.7 percent over 2015,” per reporting by eSecurity Planet.  “Accidental exposures of information by email or online came in second at 9.2 percent, followed by employee error at 8.7 percent.”

The attackers were “sophisticated, extremely creative and dogged” in their pursuit of information, the target of which appears to have shifted.  More than half (52%) of breaches involved social security numbers (SSNs), a rise of 8% over 2015, while roughly 13% targeted credit or debit card information, down 7% from the previous year.

“The spike in SSN exposures is in clear alignment with the surge of CEO spear phishing attacks, which target this type of information,” per the report. 

3) Security Budgets Shift Towards Detection

Enterprises are increasingly concerned about existing cyber threats and are shifting their budgets to more thoroughly address detection, per an Anderson Research survey reviewed by Help Net Security.  Upwards of three-fourths of security budgets have been allocated to traditional breach prevention tools, but the findings indicate nearly half may soon be dedicated to detection tools.

“These numbers validate that organizations are adopting an ‘assumed breached’ security posture and are now looking to modernize their security infrastructure with tools that provide accurate in-network threat visibility and will improve their efficiency in post infection detection and response,” per the article.

Noteworthy statistics from the survey include:
  • 70.3% of respondents are more concerned about in-network threat detection than in previous years.
  • 51.9% say current security defenses reliably prevent cyber threats
  • 54.5% say they lack visibility into threats inside the network
  • 52.2% say they receive too many false positive alerts
  • 59.2% say correlating attack information

“There have been too many breaches in the past to suggest that prevention tools alone can protect organizations,” per an online statement by Attivo Networks, which sponsored the survey.

Indeed, the hunt for threats already inside the firewall appears to be on.  As our own CEO, John Trauth, recently remarked:

“The reality is threats already exist inside the firewall leaving organizations at risk and security analysts with the near impossible task of keeping up in a complex infrastructure. IT Security must layer in new methods of detection aimed at the east-west traffic to mitigate threats and reduce complexity, dwell time and time to containment.”

* * *

What do you think? Will a shift in cybersecurity focus and investment to detection help ensure the final tally for this falls short of the records set last year?


Photo credit: Flickr, Blogtrepreneur, Hacker (CC BY 2.0)

Bricata Heading to RSA 2017 with Momentum!

Bricata is headed to the 2017 RSA Conference in San Francisco, February 13-17, with momentum stemming from a recent deal with Cylance to strengthen its solution with artificial intelligence and from recently being named among “vendors to watch” in the 2017 Gartner report: Magic Quadrant for Intrusion Detection and Prevention Systems.

The Gartner report lists several use cases driving the continuation of the IDPS market. “IDPS continues to be a significant network security market, but needs to start addressing the internal use case better that covers protection of internal assets, and helps detect and prevent lateral movement,” wrote the report authors Craig Lawson, Adam Hils and Claudio Neiva, who are all analysts with Gartner.

The market has a pressing need for new cybersecurity technologies that proactively hunt for advanced persistent threats (APTs) that are already inside the firewall. By proactively hunting for threats, dwell time of malware is decreased and time-to-contain APTs is accelerated. Indeed, the integration with Cylance adds one more layer of inspection to address the challenge of detecting and hunting for threats within the organization by bringing to market a solution that weaves together three leading threat detection engines.

Bricata adds open source engines (Suricata and Bro) to provide signature-based protection and scripting that hunts for undetected threats through pattern matching, variance and behavioral anomalies, while the Cylance integration adds machine learning analysis and scoring of the files carved for inspection to address zero-day threats.

Our sense of momentum is being fueled by the traction and interest we are observing in the market for tackling the cybersecurity problem differently. Many of the recent high-profile breaches can be traced back to the presence of undetected malware inside the network.  Enterprises need to evolve their security strategies to layer in an active hunting capability alongside detection and prevention strategies.

We will be demonstrating the resulting technology integration at the RSA Conference in Booth #536 in the South Hall of the RSA 2017 conference. 

* * *


Gartner Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Cyberthreat Evolution Shifts Emphasis to Proactive Detection and Prevention

More than 20 million sensitive documents were extracted from the IT infrastructure of the Office of Personnel Management (OPM). The breach enabling the extraction wasn’t discovered until more than six months later, when the first indicators of malware were found and triggered an incident response. That’s according to a recent webinar conducted by the Cylance team titled, Dissecting the OPM Breach (recording available with registration). The webinar walks viewers through a case study of the incident and lessons learned.

OPM is essentially the “central human resources department” for the federal government and keeps records on millions of employees and contractors. Cylance, which is the first company to incorporate machine learning into advanced cyberthreat detection and prevention, played an instrumental role in discovering and remediating this high-profile cybersecurity incident.

It took 10 days for Cylance to triage – time-to-contain – approximately 2,000 pieces of malware. However, significant damage was already done.

Personnel records, fingerprints and security clearance application documentation, known as a Standard Form 86 (SF-86), were all taken from OPM systems between July of 2014 and early 2015. The presenters noted evidence to date suggests the breach was likely performed by a nation-state for intelligence collection.

Clearance records contained background information on federal employees and military personnel, including any foreign contacts and overseas travel in which they’ve engaged. This is information that can be mined, analyzed and correlated for intelligence purposes. To place the sensitivity of these documents into context, the Cylance team cited commentary from FBI Director James Comey at the time:

“My SF-86 lists every place I've ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”

Unknown Unknowns

The OPM breach highlights how the cyberthreat environment has evolved, according to Thomas Pace, a Cylance incident response consultant, and the primary webinar presenter. We’ve gone from broad brush attacks using malware like worms without a specific target, to highly sophisticated attacks, seeking specialized information and using advanced persistent threats.

The tools for launching attacks have gotten easier to use and the execution more methodical. Mr. Pace said a hacker could configure a modern hacking tool and launch an attack within an hour. Similarly, the community has largely begun to describe cyberattacks in stages akin to a military operation: reconnaissance, infiltration, actions on the objective and exfiltration.

One of the most unsettling aspects of modern cybersecurity threats is that the originating malware can disguise itself and live inside an IT environment for months without being discovered – dwell time. The attackers simply wait for the right opportunity to execute. To that end, IT organizations literally don’t know what they don’t know. To build on a famous phrase from a former U.S. Secretary of Defense, the IT security community is dealing with “unknown unknowns.”

The Best Defense is a Good Offense

The cyberthreats of today involve “persistent and motivated attackers” with a specific target in mind, according to Mr. Pace. They are using “advanced extortion tactics” and “advanced infection vectors” such as cross-platform malware. The attacks are different and so the remedy must be different as well. Sure, we still need signatures, but we also need behavioral analysis, anomaly detection and the benefit of machine learning. More importantly, the cybersecurity posture of today needs to be proactive rather than reactive – the best defense is sometimes a good offense.

This is where Bricata and Cylance share the same philosophy. As our recent announcement indicated, we've partnered with Cylance to embed their technology into our network appliance and virtual solution. The combined solution will integrate three detection engines, including artificial intelligence to provide advanced intrusion detection, reducing complexity, dwell time and time to containment.

“The combined approach is the only commercialized solution of best-of-breed technologies, Open Source and partner developed, in concert with our intellectual property addressing today’s zero-day market requirements of threat evolution,” said Bricata CEO John Trauth. “The reality is threats already exist inside the firewall leaving organizations at risk and security analysts with the near impossible task of keeping up in a complex infrastructure. IT Security must layer in new methods of detection aimed at the east-west traffic to mitigate threats and reduce complexity, dwell time and time to containment.”

* * *

What are you doing to go on the offense and hunt for the unknown threats? It’s not a matter of if, or even when: you have already been breached. How are you hunting?


Photo credit: from the Cylance webinar presentation