Trust does not exclude control!

Companies often spend a lot of money and energy on preventing cyber threats, and they spend more and more on detecting and reacting to them, but they usually don’t spend enough on control. They tend to trust too much in their capacity to detect every threat that was not prevented, which is a major strategic mistake, for several reasons.

First, the fact that an incident has not occurred does not mean that it cannot occur. Understanding the precise level of exposure of an information system to cyber attacks is key to defining the right strategy to protect it.

Second, Executive Management needs to know “what could go wrong”, also known as the company’s “security posture”. Simply listing the incidents that have been detected or that occurred is not a sufficient answer. It usually results in management asking: “Does the fact that you haven’t reported any major incident to us mean that nothing actually happened, or that you were unable to detect it?!”. Without a clear answer, the Execs turn to Internal Audit to investigate and report… And still few companies hire CyberSecurity professionals experienced in audits within their Internal Audit team, which does not help to get the full picture.

Third, providing evidence of the level of protection through internal control activity builds and keeps trust in the work of CyberSecurity teams. It makes it possible to request additional budget and headcount, and support for key projects and vision. Today, more and more partners and customers don’t believe in statements, they request evidence. Beyond internal (and sometimes external) audit reports and pentests, whether periodic or permanent, CISOs are considering Breach and Attack Simulation (BAS) vendors and solutions such as SafeBreach, XM Cyber, Cymulate, etc. You may want to take a look at the following URL for further reading: https://www.esecurityplanet.com/products/breach-and-attack-simulation-bas-vendors/ . Also called “continuous automated pentesting”, BAS aims at discovering the complete impact of a vulnerability by digging into all possible attack paths: which assets an attacker could reach from a given foothold, and which hops every one of those paths depends on. In other words, it’s the answer to the so-called “So what?” question of management, every time a vulnerability or audit finding is reported. Vendors increasingly rely on machine learning to prioritize those paths.

Of course, implementing a Breach and Attack Simulation solution will generate a huge amount of work for the CyberSec teams in order to address the findings it reports. Hence, it’s important to secure the appropriate budget and sponsorship before starting such a project.
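To make the “So what?” reasoning concrete, here is an added example (not any BAS vendor’s code, and not part of the original post) that enumerates attack paths over a small, constructed reachability graph. Everything in it is an assumption for illustration: the hosts, the hops an attacker can make between them, the two “crown jewel” assets and the CVSS scores of the findings. It goes one step beyond the paragraph by also computing the choke points shared by every path (the hops to fix first) and by ranking findings by what they expose rather than by their score alone.

```python
"""Attack-path enumeration: answering the "So what?" for a single finding.

Added example, not any BAS vendor's code. The environment, the hops an
attacker can make and the findings are all constructed for illustration.
"""
from __future__ import annotations

# Directed reachability graph (constructed):
# source asset -> [(target asset, what makes the hop possible)]
REACHABILITY: dict[str, list[tuple[str, str]]] = {
    "internet":     [("web-dmz", "exposed HTTP service")],
    "web-dmz":      [("app-01", "app credentials in config file")],
    "app-01":       [("db-01", "db account reused"), ("jump-host", "ssh key on disk")],
    "jump-host":    [("dc-01", "local admin is also domain admin")],
    "dc-01":        [("db-01", "domain admin"), ("hr-fileshare", "domain admin")],
    "db-01":        [],
    "hr-fileshare": [],
    "printer-vlan": [("printer-01", "default credentials")],
    "printer-01":   [],
}

# Assets whose compromise is "not acceptable at all" (constructed).
CROWN_JEWELS = {"db-01", "hr-fileshare"}


def attack_paths(graph, start, targets, max_hops=8):
    """Enumerate simple paths from `start` to the first crown jewel reached (depth-first).

    Each path is a list of (asset, technique) tuples; the first tuple is the foothold.
    """
    found = []

    def walk(node, path):
        if node in targets and len(path) > 1:
            found.append(list(path))
            return
        if len(path) > max_hops:
            return
        visited = {asset for asset, _ in path}
        for nxt, technique in graph.get(node, []):
            if nxt not in visited:          # simple paths only: never revisit an asset
                path.append((nxt, technique))
                walk(nxt, path)
                path.pop()

    walk(start, [(start, "assumed foothold")])
    return found


def choke_points(paths, start, targets):
    """Assets present on every path: fixing any one of them cuts all enumerated paths."""
    if not paths:
        return set()
    common = set.intersection(*({asset for asset, _ in p} for p in paths))
    return common - {start} - set(targets)


def exposure(graph, foothold, targets):
    """The "so what?" of a finding on `foothold`: jewels reachable, hops to each, choke points."""
    paths = attack_paths(graph, foothold, targets)
    jewels = {foothold: 0} if foothold in targets else {}   # a finding on the jewel itself
    for p in paths:
        asset, hops = p[-1][0], len(p) - 1
        if hops < jewels.get(asset, hops + 1):
            jewels[asset] = hops
    return {"paths": paths, "jewels": jewels, "choke_points": choke_points(paths, foothold, targets)}


def prioritize(graph, findings, targets):
    """Rank findings by crown-jewel exposure first and CVSS score second.

    `findings` is a list of (asset, cvss). A 9.8 on an isolated printer ranks below
    a 5.3 on a host from which the crown jewels are reachable.
    """
    ranked = sorted(findings,
                    key=lambda f: (len(exposure(graph, f[0], targets)["jewels"]), f[1]),
                    reverse=True)
    return [asset for asset, _ in ranked]


def render(path):
    return " -> ".join(f"{asset} [{technique}]" for asset, technique in path)


if __name__ == "__main__":
    report = exposure(REACHABILITY, "internet", CROWN_JEWELS)
    for p in report["paths"]:
        print(render(p))
    print("crown jewels exposed (asset: hops):", report["jewels"])
    print("choke points (fix these first):", sorted(report["choke_points"]))
    findings = [("printer-01", 9.8), ("app-01", 5.3), ("dc-01", 7.5)]
    print("priority order:", prioritize(REACHABILITY, findings, CROWN_JEWELS))
```

Run from the internet, the sample graph yields three paths to the crown jewels, all of which pass through web-dmz and app-01; the critical-rated finding on the printer exposes nothing and drops to the bottom of the list. A real BAS product does the same walk with thousands of assets and with techniques it actually executes, but the prioritization logic it hands back to management is this one.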

Another interesting evolution of CyberSec control is related to code review. Plain old black-box pentests have moved to white-box mode and to code review by professionals, supported by Static Application Security Testing (SAST) and dependency-scanning tools such as Snyk, Coverity, SonarQube, Checkmarx, etc. (Dynamic Application Security Testing, DAST, complements them by probing the running application rather than the source), and now to bug bounty programs.

The public and customers no longer trust only what *others* have tested: they want to reduce the time to disclose any potential backdoor or vulnerability in the code they use by exposing that code publicly. Every component needs to be permanently inspected – including libraries and binaries – during development, at delivery and in production – even though nothing wrong has been detected yet. Of course, it’s a bit challenging for developers and product managers to change their habits, but brand reputation also suffers heavily when poor-quality code is exploited…

With the emergence of IoT, more and more code will be produced and accessed by an ever-growing number of “users”, and hence such permanent cybersecurity validation methods will grow drastically. So, to conclude, get ready to address their findings!

Would you mind distinguishing “Corporate” from “Sovereign” CyberSecurity solutions?

CyberSecurity systems are used to protect against unauthorized access to confidential data, but also within cyber-warfare – cyber conflicts between nations. As I mentioned in previous articles, CyberSecurity is mainly a matter of trust. Combining both statements, it is key for CISOs to distinguish the need to protect against general hackers and malware threats, initiated by any individual or nation, from the need to protect specifically against foreign nations (which, of course, further restricts the selection of adequate partners and technologies). In the latter case, CyberSecurity solutions must be “sovereign” in addition to being efficient and affordable…

When a foreign technology is acquired by a company whose headquarters are located in another nation, that does not make it a sovereign solution for that nation, only another corporate solution. To consider it “sovereign”, the company would need to a) have access to all of its source code, b) have it inspected by highly skilled personnel, and c) avoid using a code inspection solution belonging to the technology’s country of origin… In most cases, this happens to be simply impossible.

However, storing sovereign data in a foreign cloud remains possible, provided that it is encrypted with a trusted algorithm and that the encryption keys are not accessible to the cloud provider’s administrators. This is usually referred to as “Bring Your Own Key” (BYOK) or “Bring Your Own Encryption” (BYOE). One caveat: with plain BYOK the customer-supplied key is still imported into, and used by, the provider’s key management service, so the provider can be compelled to use it; only when the key stays in a store the customer controls (sometimes called “Hold Your Own Key”, HYOK) and the data is encrypted before it reaches the provider does the provider truly hold nothing but ciphertext. This separates “the content” from “the container”, which lets CISOs grant access to many public cloud solutions (Google, Azure, IBM, Salesforce, ServiceNow, and many others!).
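The content/container split described above, as an added example (not the post’s own code, and not any cloud provider’s SDK): a customer-controlled key store wraps a fresh data key per object, and the provider only ever stores ciphertext plus the wrapped key. The names are assumptions for illustration: CustomerKeyStore stands in for an on-prem KMS/HSM, CloudBucket for the provider’s storage, and the payroll line is constructed sample data. The authenticated encryption uses HMAC-SHA256 as a PRF in counter mode plus an HMAC-SHA256 tag (encrypt-then-MAC) purely so that the script runs with the standard library; in production use AES-GCM from a vetted library or the KMS’s own wrap/unwrap API. Beyond the paragraph, it shows three properties a practitioner would check: the wrapped key is bound to one object, a single flipped ciphertext byte is rejected before any plaintext is returned, and destroying the customer-held key crypto-shreds the data wherever the provider has copied it.

```python
"""Content vs. container: envelope encryption with a customer-held key (BYOE / HYOK style).

Added example, not the post's own code and not any cloud provider's SDK.
CustomerKeyStore and CloudBucket are hypothetical stand-ins; the AEAD below
(HMAC-SHA256 in counter mode + HMAC tag) exists only so the script runs on the
standard library. Use AES-GCM from a vetted library in production.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _tag(mac_key, aad, nonce, ct):
    # Length-prefix the AAD so the (aad, nonce, ct) boundaries are unambiguous.
    return hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()


def seal(key, plaintext, aad=b""):
    """Authenticated encryption: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _tag(mac_key, aad, nonce, ct)


def unseal(key, blob, aad=b""):
    """Verify the tag first, then decrypt. Raises ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, aad, nonce, ct)):
        raise ValueError("authentication failed: wrong key, wrong object or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerKeyStore:
    """Hypothetical stand-in for a customer-controlled KMS/HSM. The KEK never leaves it."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek, object_id):
        return seal(self._kek, dek, aad=object_id.encode())   # bind the DEK to one object

    def unwrap(self, wrapped, object_id):
        if self._kek is None:
            raise PermissionError("KEK destroyed: the data is crypto-shredded")
        return unseal(self._kek, wrapped, aad=object_id.encode())

    def destroy(self):
        """Revoking the KEK makes every object it wrapped unreadable, wherever it is stored."""
        self._kek = None


class CloudBucket:
    """Hypothetical stand-in for provider storage: holds only ciphertext and a wrapped DEK."""

    def __init__(self):
        self.objects = {}

    def put(self, object_id, wrapped_dek, ciphertext):
        self.objects[object_id] = (wrapped_dek, ciphertext)

    def get(self, object_id):
        return self.objects[object_id]


def upload(bucket, kms, object_id, plaintext):
    """Encrypt on the customer side with a fresh DEK, then store ciphertext + wrapped DEK."""
    dek = secrets.token_bytes(32)
    bucket.put(object_id, kms.wrap(dek, object_id), seal(dek, plaintext, aad=object_id.encode()))


def download(bucket, kms, object_id):
    wrapped_dek, ciphertext = bucket.get(object_id)
    return unseal(kms.unwrap(wrapped_dek, object_id), ciphertext, aad=object_id.encode())


def provider_view(bucket, object_id):
    """Everything a cloud admin can read for this object: opaque bytes, no key."""
    wrapped_dek, ciphertext = bucket.get(object_id)
    return wrapped_dek + ciphertext


if __name__ == "__main__":
    kms, bucket = CustomerKeyStore(), CloudBucket()
    upload(bucket, kms, "hr/payroll.csv", b"alice,salary,100000\n")   # constructed sample
    print(download(bucket, kms, "hr/payroll.csv"))
    print(b"salary" in provider_view(bucket, "hr/payroll.csv"))       # the provider sees no content
```

The object identifier travels as associated data in both layers, so a wrapped key copied onto another object, or a ciphertext moved to another name, fails verification; the same mechanism is what a real KMS calls an encryption context. Key destruction is the lever sovereignty arguments usually miss: as long as the KEK lives under the customer’s control, the provider’s copies, backups and snapshots all die with it.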

Nations should avoid forcing their companies to use sovereign products and services for all possible purposes. Encouraging or forcing the use of sovereign products where there is no need for it would result in the atrophy of their national cybersecurity market. Sovereign cybersecurity solutions are usually more expensive at equal performance and level of protection. It’s worth using them to secure critical national infrastructure, not for general protection against more common threats.

In any case, don’t forget that you’ll always need to trust the nation from which most of your hardware and software originates, as you’ll never disassemble all of its code, and will probably never have the necessary skills, budget and tools for that either. So choose your battles according to your means and risk objectives!

Avoid dogmatic opinions if you wish to manage CyberSecurity properly!

Life is never black or white. That’s it. It’s the same for CyberSecurity: you may forbid something hazardous today that you’ll be able to grant tomorrow. It does not mean that you’re unstable, but rather that the risk has evolved. After all, CyberSecurity is a matter of managing risk, not of defining a permanent or universal posture.

Let’s take an example: when social networks arose (that was a long time ago!), most companies were simply banning access to them. At first, there was no business need (remember “myspace”?) but rather an emerging high risk of data leakage or brand reputation damage. Then LinkedIn and other professional social networks created a business need, and more recently CASBs (Cloud Access Security Brokers) were developed to control what users can actually do within the cloud application itself. CISOs could hence grant access to those social networks without endangering their company’s assets.

So before you study how to technically secure your systems and data, you should wonder what is at stake. It’s not a matter of choosing the best technology, but rather a matter of trust (i.e. what you trust or not) and of the level of business risk you accept. To save time and money, don’t start by making technical decisions before you have identified those risks…

Another example is related to the move to cloud(s). I heard several people tell me that moving to the cloud always introduces more technical risks. Some even say that it simply jeopardizes your overall protection. This is simply wrong. Not only can systems and data be secured both on-prem and in the cloud, but cloud implementations even bring automation capacity (e.g. Infrastructure as Code with tools such as Puppet, and shift-left testing) that increases the ability to protect consistently against cyber threats. However, without a proper risk analysis based on business needs, constraints, and legacy/available CyberSecurity solutions, you’ll never make it.

Analyzing risks requires evaluating both their probability of occurrence and their level of impact. Remember this famous quotation from Einstein: “God does not play dice”. Well, it starts by observing how often those risks have occurred or could occur (such as: will surely occur today or this month, will maybe occur this year, has never occurred at all and may never do). Similarly for their impact, you will need to define at least a 3-level scale, such as: usual and accepted as many times as it may occur, acceptable only once a year, or not acceptable at all. The latter would surely trigger a crisis and requires proper coverage via a cyber-insurance. Proper Cyber-Threat Intelligence (as we manage it at CIX-A!) is key to performing risk analysis.

Risk advisory (finding the most secure way to answer business requests) is a critical activity for every company. It requires proper organization, technology and processes to be defined, implemented and enforced. In other words, you need a team (at least one appointed individual!), a methodology and proper tooling to process business requests. It takes time to be tuned and trained, but once it’s done, believe me, the return on investment is huge!

Keep the pace of CyberSecurity mergers and acquisitions!

As reported by multiple sites such as Cybersecurity Ventures and MSSP Alert, CyberSecurity companies are established and sold very quickly. I found it interesting to gather some key and famous acquisitions in the list below.

Looking at such a list, I believe it is critical for CISOs to adapt to this pace by anticipating their needs, managing obsolescence, and contracting and migrating their Cyber Defense solutions within a very short period of time.

If they hesitate too much, for instance when deciding who’s going to be shortlisted during an RFP, they may simply have to restart the entire process due to emerging acquisitions and technologies. When smartphones emerged, I had a friend who kept waiting for the best possible one. As each year a new smartphone was released (for sure better than any previous one), he ended up keeping his dumb phone for years… For sure not the best option!

In order to adapt, CISOs must have and share a vision and remain agile in such a volatile market, while ensuring the continuity of their strategy. Even selecting well-known vendors does not guarantee longer-term decisions: famous companies have also been acquired by others, as shown in the list below, while today’s small companies may grow into tomorrow’s major ones.

It is also wise to avoid contracting with the same vendor for the entire fleet of CyberSecurity solutions. This means that vendors should not try to cover all possible needs but rather ensure interoperability and proper R&D skills. It’s like a painting: plenty of colours are used, and their mix ensures the best overall picture… provided that they match together!

In order to demonstrate agility, both for themselves and for their teams, CISOs must not look for the perfect solution and vendor that lets them tick all the boxes. They should rather stay focused on their risks and concerns to pick the best partner and product, and stay open-minded and aware of the market to adapt to future stakes.

CISOs must also define and revise their “make/team/buy” strategy, and control the mix of their partners and solutions rather than either trying to do everything by themselves or outsourcing everything to a single third party. In other words, CISOs must move from musician to bandmaster, which probably also applies to CIOs by the way 😉

2010: Intel acquires McAfee
Aug 2010: Thoma Bravo acquires LANDesk
Jan 2011: Dell acquires SecureWorks
Jul 2012: Dell acquires Quest Software
Jan 2014: Orange Business acquires Atheos
Aug 2015: BlackBerry acquires Good Technology
Sep 2016: Intel sells McAfee to TPG
Jan 2017: Thoma Bravo sells LANDesk to Clearlake Capital
Jan 2018: LinkByNet acquires Securiview
2018: Thoma Bravo acquires Imperva, Barracuda Networks and Veracode
2019: Thoma Bravo acquires Sophos
2019: VMware acquires Intrinsic and Carbon Black
2019: F5 acquires Shape Security
2019: Orange acquires SecureLink
2019: Palo Alto Networks acquires Demisto and PureSec
2019: Fortinet acquires enSilo
2019: McAfee acquires NanoSec
2019: FireEye acquires Verodin
2019: HP acquires Bromium
2019: Proofpoint acquires ObserveIT
2019: Chronicle folds into Google Cloud
Feb 2019: Carbonite acquires Webroot
Feb 2019: BlackBerry acquires Cylance
May 2019: Insight Venture Partners acquires Recorded Future
Aug 2019: Broadcom acquires Symantec (enterprise security business)
Nov 2019: OpenText acquires Carbonite
Dec 2019: Francisco Partners and Evergreen Coast Capital acquire LogMeIn (including LastPass)
Jan 2020: Insight Partners acquires Armis at a $1.1 billion valuation
Feb 2020: Dell sells RSA Security to Symphony Technology Group
Apr 2020: Accenture acquires Symantec Cyber Security Services
Apr 2020: Hellman & Friedman acquires Checkmarx
Jun 2020: Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments
Jul 2020: Advent acquires Forescout (amended merger)
Sep 2020: RSA Security operates as an independent company
Oct 2020: TA Associates (private equity) acquires Netwrix
Oct 2020: Atos completes the acquisition of digital.security
Dec 2020: Ivanti announces the double acquisition of MobileIron and Pulse Secure in a zero-trust security push
Apr 2021: Rapid7 bolsters open source security with the Velociraptor acquisition
Apr 2021: Thoma Bravo buys Proofpoint in a $12.3 billion all-cash deal
Apr 2021: Accenture announces intent to acquire Openminded, a France-based cybersecurity services company
Apr 2021: Tenable completes the acquisition of Alsid
Jun 2021: Symphony Technology Group (STG) acquires FireEye’s security products business and brand (without Mandiant Solutions)

Get ready for managing MSSPs very differently from DIY cybersecurity!

It’s a fact: it’s getting more and more difficult to recruit and retain experienced cybersecurity talents.

Such a shortage of cybersecurity talent and budget fosters more and more subscriptions to creative, efficient and disruptive managed security services delivered from the cloud (so-called “MSSPs”, Managed Security Service Providers).

However, in order to do so, companies need to establish true partnerships and avoid opportunistic short-term contracts with their vendors. This is completely different from DIY (Do It Yourself) “on-prem” cybersecurity: it requires trusting partners, sharing enough information with them upfront (including some details on your strategy), and relying on their skills and experience and on how they already operate their solutions for other customers, instead of asking them to “only” execute… It’s more a “team” strategy than a “make” one. In a nutshell, if you don’t trust your critical partners, get rid of them…

All of the above is a complete cultural change!

For instance, CISOs need to stop hunting for a fully customized service, and rather influence their vendors’ strategy to ensure its alignment with their future needs.

In turn, to do so, they must share and anticipate their needs and concerns with the main / largest customers of their selected partner, attend its Customer Advisory Boards (invest enough time in that, at least for critical partners), etc. When common needs are identified and cannot be fulfilled by existing products, workarounds and solutions must be identified, along with proper ETAs for each milestone (to avoid the so-called “tunnel effect”) according to the urgency of getting them available. I recommend using Kanban or Trello boards to do so!

But then comes the need to make sure that these ETAs match the sprint cycles already planned by the vendor… Partners should avoid overselling super short deadlines that will never be met, while also avoiding postponing enhancements to a far future!

Also, while the cost of DIY is pretty stable after go-live, its alignment with business requirements and cybersecurity standards usually fades away quickly… A well-established partnership with an MSSP should bring the opposite: very careful FinOps management (which is a new activity for most CISOs) enabling a sustainable and agile growth of the cybersecurity service… The grail for most CISOs!

Hence, come and join the CIX-A association, and you’ll meet and exchange freely with your peers (CISOs and their teams), better understand their common concerns and strategies, and learn how to establish and keep the best relationship with your MSSPs!