Musings from a fireside chat with the TrendMicro team

Acknowledgements First!

My Thanks to the TrendMicro India team for inviting me as a panellist at their 'Risk to Resilience' World Tour event in Chennai, India.

Sharda Tickoo posed very insightful questions to deliberate upon. I thought sharing my views on some of these questions with a wider audience could help build mindshare within the security community.

Some of the questions and my views:

1.   How to cope with evolving technologies in cybersecurity, and how to balance existing investments against new initiatives?

The Gartner Hype Cycle for Security provides a bird's-eye view of emerging cybersecurity solutions at the various stages of the cycle. With such a large influx of new solutions and technologies, security teams need to exercise caution when adopting these "next-generation" solutions within their organisation.

[Image: Gartner Hype Cycle]

Cybersecurity is essentially a cost centre for organisations, and its investments and initiatives are fundamentally aimed at mitigating perceived risk to the business. In this context, I recommend considering new initiatives only when:

1.   The current (security) initiatives have achieved their objectives

2.   The evolving business landscape introduces new risks that are not addressed by existing investments

3.   Regulatory changes necessitate additional controls

Throughout my career, I have witnessed organisations jumping on the "next-gen" bandwagon too early, without first deriving value from their existing investments.

CISOs should adopt the role of cyber economists focusing on maximising the value of their current investments before undertaking new initiatives or purchasing new technologies.


2.   Security consolidation: platform-based approach vs. best-of-breed?

I recommend an approach that integrates "best-of-need" solutions. The security community has long emphasised a defensive posture centred on "Defence-in-Depth". While that approach is essential, it often results in each layer functioning in isolation, preventing security teams from fully capitalising on a converged defence strategy.

The issue lies not with customers but with product vendors, who, in their pursuit of being "best of breed", for too long overlooked the potential for collaborative defence (interoperability).

A successful defensive design should address both the "Defence-in-Depth" and "Defence-in-Breadth" models. I consider "Defence-in-Breadth" to be an interconnected mesh of technologies within each layer that provides collaborative defence.

“Defence-in-Depth” design increases the work effort for adversaries

“Defence-in-Breadth” design reduces the work effort for the defenders in combating adversaries

In recent years we have seen major OEMs join forces to build collaborative mechanisms that allow seamless integration and exchange of information between disparate security products. The "Open Cyber Security Alliance", "Cyber Threat Alliance", "MISA" and "CSA" are a few of the security-focused alliances working towards an integrated defensive approach.

Additionally, Gartner released a research note on Cybersecurity Mesh Architecture (CSMA) last year, which further demonstrates the industry's progress toward collaborative defensive design.


3.   How to measure the security effectiveness of the technology in place?

As mentioned earlier, cybersecurity investments are a risk-treatment exercise for organisations.

The optimisation problem for cybersecurity lies in "minimising the regrettable time (and money) resulting from a cyber incident".

In this sense, the effectiveness of each cybersecurity solution should be measured relative to the objective it was intended to achieve.

Allow me to illustrate this point with an example. When we evaluated a SIEM solution as a risk-mitigation measure, some of the objectives we aimed for were:

1.   Centralised Log ecosystem

2.   Cross-correlated Incident Detection

3.   High-fidelity identification

4.   Quicker Triage

5.   Efficient Investigation

Each of these objectives guided us in defining the Key Performance Indicators (KPIs) for the solution. Taking the objective of a centralised log ecosystem as an example, we consider measurements such as:

-      % of in-scope (constituent) assets integrated into the SIEM, relative to the total constituent assets in the organisation ~ gives us the coverage effectiveness

-      % of ingested logs that are successfully parsed / normalised by the SIEM ~ gives us the visibility effectiveness

In this way, we create measurement indicators for each objective we set out to achieve. While defining the right metrics is important, it is even more crucial to consider how these data points are generated. If consolidating the metrics requires extensive manual effort, the exercise will eventually become unsustainable; the collection of measurement data must therefore be frictionless.
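As an added illustration (not code from the original article), the two coverage and visibility KPIs above can be computed automatically from two exports most teams already have: an asset inventory (CMDB) and the SIEM's log-source registry. The asset names, tiers, timestamps and event counts below are constructed sample data, and the functions and thresholds are this example's own assumptions. It goes slightly beyond the text: a source that exists in the SIEM but has stopped sending events is counted as stale rather than covered, the coverage figure is broken down by asset tier, and sources the SIEM knows about but the inventory does not are surfaced as orphans.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (illustrative, not from any real environment).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Asset inventory, as a CMDB export would provide it: asset_id -> criticality tier.
INVENTORY = {
    "web-01": "internet-facing",
    "web-02": "internet-facing",
    "db-01": "crown-jewel",
    "ad-dc-01": "crown-jewel",
    "hr-app-01": "internal",
    "build-01": "internal",
}

# SIEM log-source registry: asset_id -> last event seen, events ingested, and
# events the parser normalised into the SIEM's schema.
SIEM_SOURCES = {
    "web-01":   {"last_seen": NOW - timedelta(minutes=5),  "ingested": 12000, "parsed": 11950},
    "web-02":   {"last_seen": NOW - timedelta(days=9),     "ingested": 300,   "parsed": 300},    # gone silent
    "db-01":    {"last_seen": NOW - timedelta(hours=1),    "ingested": 4000,  "parsed": 2100},   # parser gaps
    "ad-dc-01": {"last_seen": NOW - timedelta(minutes=2),  "ingested": 50000, "parsed": 49900},
    "legacy-x": {"last_seen": NOW - timedelta(minutes=10), "ingested": 800,   "parsed": 0},      # not in CMDB
}


def pct(part, whole):
    """Percentage rounded to two decimals; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 2) if whole else 0.0


def coverage_effectiveness(inventory, sources, now=NOW, max_silence=timedelta(days=1)):
    """% of inventoried assets with a *live* SIEM feed, plus the gaps behind the number.

    A source that exists in the SIEM but has not sent an event within max_silence
    is counted as stale, not covered: a dead log pipeline gives no visibility.
    """
    live = {a for a, s in sources.items() if now - s["last_seen"] <= max_silence}
    covered = [a for a in inventory if a in live]
    by_tier = {}
    for tier in set(inventory.values()):
        assets = [a for a, t in inventory.items() if t == tier]
        by_tier[tier] = pct(sum(1 for a in assets if a in live), len(assets))
    return {
        "pct": pct(len(covered), len(inventory)),
        "by_tier": by_tier,
        "missing": sorted(a for a in inventory if a not in sources),
        "stale": sorted(a for a in inventory if a in sources and a not in live),
        # Sources the SIEM knows about but the inventory does not: either an
        # inventory gap or an unmanaged system, and both are worth chasing.
        "orphans": sorted(a for a in sources if a not in inventory),
    }


def visibility_effectiveness(sources, threshold=90.0):
    """% of ingested events that were parsed/normalised, overall and per source."""
    per_source = {a: pct(s["parsed"], s["ingested"]) for a, s in sources.items()}
    ingested = sum(s["ingested"] for s in sources.values())
    parsed = sum(s["parsed"] for s in sources.values())
    return {
        "pct": pct(parsed, ingested),
        "per_source": per_source,
        # Sources whose parse rate is below the threshold are where "ingested"
        # overstates what an analyst can actually search or correlate.
        "below_threshold": sorted(a for a, p in per_source.items() if p < threshold),
    }


if __name__ == "__main__":
    print(coverage_effectiveness(INVENTORY, SIEM_SOURCES))
    print(visibility_effectiveness(SIEM_SOURCES))
```

On the sample data the headline coverage is 50%, but the breakdown is what makes the KPI actionable: crown-jewel assets are fully covered, internal assets are not integrated at all, one internet-facing source has gone quiet, and the overall 95.75% parse rate hides a database source where almost half the events are unparsed. Reading both exports from their respective APIs on a schedule is what keeps the measurement frictionless.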

Excited to hear your thoughts.

Krishna M Subbian

IBM Consulting | Digital Transformation | Advisory | Global Program Delivery | Enterprise Architecture | Consulting Partner

2y

Good one Karthikeyan Dhayalan, especially on the “T”-shaped model of ‘defence in depth’ combined with ‘defence in breadth’.

Sriram S

Cybersecurity Consultant, Specialised in Banking & Enterprise Domain

2y

It was such a pleasure to interact with you personally and also hear you at Fireside chat as well.

Swapnil Nagmoti FIP, CISSP, CISA, CISM, CIPP/E, CDPSE

Enterprise Cybersecurity Architect and Strategist @ Cognizant | CISA, CISSP, CISM

2y

Very well said Karthik, bringing out the core of today’s problems. We often see the following challenges: 1) Lack of alignment between cybersecurity and business strategy; this results in creep in objectives, leading to loss of time, money and effort. 2) The so-called business, cybersecurity and IT control owners lack a common agenda and hence continue to work in silos with their respective priorities. 3) Missing combined effort from these stakeholders to identify the crown jewels (the most critical assets for running the business) to determine if the existing controls are proportional to safeguarding the critical assets. This continues to inhibit the ability to realise the effectiveness of the existing controls, as every stakeholder works towards their own prioritised agenda and substantiates returns on investment in their respective areas instead of looking holistically at organisational objectives!! This is where I believe we should introduce Cyber Psychology into this Cyber Economics, where each one has to redefine their strategy to the broader organisational strategy to determine what is important to sustain the business with built-in resiliency, determine appetite, project investments and effectively track those investments to substantiate returns.
