Mumbai, Krishna Bahirwani: The number of hacking incidents is constantly rising and companies are struggling to keep up with the attackers. In an exclusive interview at Black Hat Asia 2015, Chris Thomas, Security Analytics and Advanced Security Operations Specialist, Asia Pacific & Japan, RSA, speaks to Krishna Bahirwani and shares his thoughts on where organizations are going wrong.
Where do you believe that organizations go wrong when trying to deal with the latest cyber threats?
Many organisations make the mistake of buying the latest "shiny toy" in technology without first considering the people that have to use it, and the processes in which it will be used. In many cases, only adding technology creates more work for analysts and, without the right processes and prioritisation in place, may only add noise, making it harder to find relevant alerts that need to be actioned.
What kind of security awareness is lacking in companies worldwide?
From a general user perspective, we are seeing that users are not as security savvy as we sometimes expect them to be. Users still fall for emails pretending to be from a legitimate organisation – phishing campaigns – that is why they still exist! Organisations should look at bolstering their security programs with end-user security awareness training. Organisations can better understand their exposure and risk through activities such as simulated phishing campaigns to test and assess how their users react. This educational aspect and continued assessments can then track how effective the training program has been.
What process does the EMC CIRC use to deal with growing cyber threats?
The approach used by the EMC CIRC and other leading organisations to combat growing cyber threats is based on 3 key areas: "Visibility, Analysis & Action". Analysts must have the visibility to see into all parts of the environment to eliminate blindspots and to enable them to identify and investigate attacks.
Analysts must also be able to detect and analyse the most advanced attacks before they can impact the business. Analysts can no longer simply wait for alerts – they must proactively search and hunt for threats in their environment. This includes correlating the extra data from their network environment that most businesses fail to consider, and moving beyond the basics of security, such as conventional antivirus solutions.
Finally, the analysts must be able to take targeted action on the most important incidents. This means having tools that are flexible enough to allow analysts to dive deep into the technical specifics of a breach, while also linking the effects of any such attack to the business' priorities. With this relationship, analysts can prioritise issues affecting critical assets first, immediately acting on the most important impacts to the business.
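As an added illustration of the last point (ranking incidents by business impact rather than by raw alert severity alone), the Python below is example code written for this page; it is not RSA's or the EMC CIRC's tooling. The asset inventory, the severity weights and the sample alerts are all constructed for the demonstration.

```python
"""Business-impact triage of security alerts (added example, constructed data).

Idea from the interview: link each alert to the criticality of the asset it
affects, so analysts act on the most important impacts to the business first.
"""
from dataclasses import dataclass

# Hypothetical asset inventory: criticality tiers assigned by the business
# (5 = revenue-critical, 1 = disposable lab equipment). Constructed values.
ASSET_CRITICALITY = {
    "db-payments-01": 5,
    "web-public-02": 4,
    "ws-marketing-17": 2,
    "lab-test-09": 1,
}

# Technical severity as reported by the detection tool. Constructed weights.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Criticality assumed for hosts missing from the inventory. Chosen deliberately
# mid-range: an unknown asset is itself a visibility gap and must not be
# silently pushed to the bottom of the queue.
UNKNOWN_ASSET_CRITICALITY = 3


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    severity: str
    description: str


def impact_score(alert, criticality=ASSET_CRITICALITY):
    """Technical severity multiplied by the business criticality of the asset."""
    sev = SEVERITY.get(alert.severity.lower(), 0)
    crit = criticality.get(alert.host, UNKNOWN_ASSET_CRITICALITY)
    return sev * crit


def triage(alerts, criticality=ASSET_CRITICALITY):
    """Order alerts so the highest business impact comes first.

    Ties are broken by alert_id so the queue is deterministic between runs.
    """
    return sorted(alerts, key=lambda a: (-impact_score(a, criticality), a.alert_id))


# Constructed sample alerts, as a SIEM might emit them.
SAMPLE_ALERTS = [
    Alert("A-1001", "lab-test-09", "critical", "Malware signature match"),
    Alert("A-1002", "db-payments-01", "medium", "Unusual outbound connection"),
    Alert("A-1003", "ws-marketing-17", "high", "Phishing attachment opened"),
    Alert("A-1004", "unknown-host-42", "high", "Lateral movement attempt"),
]


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f"{impact_score(a):>3}  {a.alert_id}  {a.host:<16} {a.severity:<9} {a.description}")
```

Run stand-alone, the "critical" malware hit on the lab box drops to the bottom of the queue while a "medium" anomaly on the payments database rises to the top; the alert on the host missing from the inventory lands second, which is usually the right place for something the team cannot yet see clearly.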
What is one piece of advice you would want to leave the readers with?
Security teams must evolve from being simple security event gatherers to network hunters – proactively looking for threats and anomalies in their environments. Simply relying on alerts from traditional, preventative controls is not enough to detect and deal with advanced threats. By adopting an approach that includes Visibility, Analysis & Action, security teams will be much better equipped to detect and respond to threats before they have significant impact on their business.