Operationalizing Cyber Risk: How to Ensure Security is Aligned with the Business

ISMG Security Executive Interview

Introduction

Organizations will spend $92 billion on perimeter defenses this year, yet we will continue to see a growing list of high-profile organizations breached. Why are today’s strategies so ineffective against ever-evolving adversaries? And what can security leaders do to ensure that their defenses are in lockstep with what matters most to their core business?

Welcome to this exclusive executive roundtable discussion on Operationalizing Cyber Risk: How to Ensure Security is Aligned with the Business.

This invitation-only roundtable will draw upon insight from Dr. Srinivas Mukkamala, a renowned expert on malware analytics, breach exposure management, web application security and cyber risk reduction. He will share his unique perspective on why and how security leaders must shift their thinking from a vulnerability-based security strategy to one that is risk-based and aligned with the business. Among the topics to be discussed in interactive dialogue:

• How organizations are being hamstrung by their own siloed environments;
• The true impact of the security staffing shortage;
• How to bridge the divisive gap between security operations and IT operations;
• How lack of threat and business context can lead to security blind spots;
• How a growing attack surface has to be taken into account when developing defense strategies.

You’ll have the opportunity to discuss evolving threats and security strategies with a handful of senior executives and market leaders in an informal, closed-door setting, from which you will emerge with new ideas and solutions you can immediately put to work.

Key Takeaway: Through interactive dialogue, understand how your peers are tackling the challenge of operationalizing cyber risk. Walk away with new insights and ideas about cyber risk and how to manage it better across your enterprise.


About the Expert

Joining our discussion today, to share the latest insights and case studies on cybersecurity, is:

Dr. Srinivas Mukkamala
Co-founder and CEO
RiskSense

Dr. Srinivas Mukkamala is co-founder and CEO of RiskSense. Mukkamala has been researching and developing security technologies for over 15 years, working on malware analytics (focusing on medical control systems and nontraditional computing devices), breach exposure management, web application security, and enterprise risk reduction.

Mukkamala was one of the lead researchers for CACTUS (Computational Analysis of Cyber Terrorism against the U.S.). He has been published in over 120 peer-reviewed publications in the areas of information assurance, malware analytics, digital forensics, data mining, and bioinformatics. He has a patent on Intelligent Agents for Distributed Intrusion Detection System and Method of Practicing.

Mukkamala received his Bachelor of Engineering in Computer Science and Engineering from the University of Madras, before obtaining his Master of Science and Ph.D. in Computer Science from New Mexico Tech.

About RiskSense

RiskSense security professionals have decades of experience defending and testing hundreds of complex network environments across commercial, federal and state government contracts. Its researchers are on top of the latest threats and responsible for dozens of groundbreaking vulnerability disclosures. The founders are well known for CACTUS (Computational Analysis of Cyber Terrorism Against the U.S.), Support Vectors Intrusion Detection, BRAVE (Behavior Risk Analysis of Vicious executables), and Strike Team Program.


About the Moderator

Leading our discussion today is:

Tom Field
Vice President Editorial,
Information Security Media Group

Field is an award-winning journalist with over 30 years’ experience in newspapers, magazines, books, events and electronic media. A veteran community journalist with extensive business/technology and international reporting experience, Field joined ISMG in 2007 and currently oversees the editorial operations for all of ISMG’s global media properties. An accomplished public speaker, Field has developed and moderated scores of podcasts, webcasts, roundtables and conferences. He has appeared at RSA Conference, as well as several television programs as a subject matter expert.

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 28 media properties provides education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global Summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.

For more information, visit www.ismgcorp.com.


NOTE: In advance of this event, ISMG’s Tom Field spoke with Dr. Srinivas Mukkamala of RiskSense to discuss how to operationalize cyber risk. This is an excerpt of that discussion.

What is Fundamentally Wrong?

TOM FIELD: Let’s start with this premise: organizations are going to spend $92 billion on perimeter defenses this year, yet many of them are still going to be breached. What is wrong with our fundamental approach to cybersecurity?

SRINIVAS MUKKAMALA: Most organizations are unable to put cybersecurity into a business context. Instead, they tend to take a tactical, cyber-based approach when approaching cybersecurity in general, using three defined layers individually rather than in an integrated, interdependent, and collaborative fashion:

• The human layer that is constantly interacting;
• The applications that interact with the systems; and
• The network layer.

Unfortunately, most organizations do a poor job tying everything together. They’re unable to link every single thing that’s connected to the perimeter to internal systems, the cloud, or partners. Even if they are successful, they fail to effectively integrate the human layer, the applications layer, and non-traditional computing devices (like Internet of Things). Trying to puzzle out how these interdependent pieces work together—let alone adding the different varieties and ever-increasing volume of data into the mix—is a huge challenge. And once you look into that variety and volume, you have to figure out which sources of data are the most trustworthy.

Instead, organizations need to really start examining that business context and using that knowledge to develop a true risk-based approach. They need to start looking at return risk metrics and figure out whether they are spending their cybersecurity in the right areas to minimize and mitigate risk.

FIELD: Srinivas, talk to me about some specific challenges that you see in organizations, starting with the siloed environments that you typically see.

MUKKAMALA: The average organization has an environment that encompasses internal and external networks, building control systems and business systems, among many others. They are all separate systems. You’re spending money on perimeter devices, on firewalls, on web gateways, on next-gen endpoint devices, on intrusion prevention systems, and so forth. Each platform or tool is trying to do something useful, but they aren’t necessarily working together. As a result, there’s always a heavy reliance on the human to understand what each technology is doing and what would be an appropriate way to follow up in competing vectors of information. When you have this many disjointed technologies telling you something about an anomaly or risk, you’re forcing people to somehow connect everything together and take action—and people are just not fast enough to respond and to mitigate. That’s why a traditional siloed organization ends up with these confidence and interdependency issues.

FIELD: Another topic I want to discuss with you is the skill shortage. What do organizations specifically need?

MUKKAMALA: What we’re missing in today’s workforce are skilled professionals with a breadth of experience. More specifically, organizations need professionals who have strong analytical skills and strong fundamentals in computer science. They need to understand data structures, straight parsing and normalization. Moreover, they need to have a strong understanding of every piece of the Open Systems Interconnection (OSI) model. Do they understand Layer 2, standard packet capture and analysis? Or Layer 3, which has to do with routing? Or Layer 7, which is focused on how domains are resolved and the fundamentals of DNSSEC?

Unfortunately, we are missing that fundamental piece because we’re experiencing a shortage in computer scientists, and within that grouping, you have a hard time finding people who understand true data communications models and can apply that in the field.

FIELD: Another important topic is the communications gap between IT ops and security ops. Please characterize this disconnect for us.

MUKKAMALA: IT ops and security ops are at odds. IT ops always has one mission in mind: availability. Not surprisingly, security ops is most concerned about security. When security receives an alert or finds a vulnerability, they tell IT to fix it. But because they speak in different terminologies—because of silos—the IT people lack context into the importance of a scenario.

So, security ops needs to be able to tell IT ops why, if this vulnerability leads to a breach, it will impact availability on the systems and impact the business. In addition to providing that context—that analysis—security ops needs to provide a step-by-step remediation process that IT can act on. Fortunately, today’s analytics can give organizations the ability to provide that context and business impact analysis that wasn’t available even just a few years ago.

FIELD: Why is context so important when it comes to detecting and responding to threats?

MUKKAMALA: Without context it’s very hard to prioritize threats and take actionable steps to mitigate them. But organizations face three fundamental challenges when trying to obtain that context:

• Lack of automation that prevents tools and technologies from talking to one another;
• Shortage of human resources to triage and manage incursions and potential vulnerabilities;
• Understanding the business impact of these attacks and vulnerabilities.

From a raw perspective, let’s say you have 10,000 vulnerabilities on your network. It’s impossible to muster the human resources to prioritize, let alone remediate them. You need to funnel these down in order to determine what to triage first. Of those 10,000, let’s say 1,000 of them are known exploits, and maybe 100 are impacting your critical systems. But that’s still a big number for even a large security ops team to wrangle with. That’s why automation is so critical—it does the majority of that funneling for you, so you can then focus on, say, the 10 things that need action right this minute, rather than trying to sift through hundreds or thousands of items hoping you choose the ones that are most critical.

FIELD: Srinivas, to this point, most organizations have built security around their vulnerabilities, but you said they need to shift to a risk-based approach. What does this shift require in terms of changing how they think, changing their staffing, and adopting new tools?

MUKKAMALA: Organizations need to shift to a cyber risk management strategy that is based on machine learning and that is interactive and creative. I say interactive and creative because you want your systems to learn over a period of time through analytics and the ability to interact with human knowledge and input. When your system pulls threat intelligence in an automated fashion, the system is able to understand the threat object and correlate it to known vulnerabilities, as well as information being pulled in from your scanners at the network, application and configuration layers, from the internet and other feeds. Once the system parses, de-dupes and aggregates the data, it can then provide the context needed to prioritize the threat in question.

This is where automation comes into play. With automation you can set up rules, integrate data, do a risk ranking, provide a step-by-step process of what needs to be done, and quickly assign the issue to the appropriate team to mitigate. This automation helps give organizations the confidence to act quickly and deliberately to manage overall risk.
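The funnel and the automation pipeline described in the two answers above (parse and normalize scanner output, de-dupe it, correlate it to threat intelligence, rank by business context, assign the top items to a team with a next step) can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not RiskSense code and not part of the interview. All scanner lines, the asset inventory, the threat-intel set, the team names and the CVE identifiers are constructed placeholders, and the weighting factors (a 2x multiplier for a known exploit, asset criticality 1 to 5) are arbitrary choices for the demonstration.

```python
"""Risk-based triage funnel: parse -> normalize -> de-dupe -> correlate -> rank -> assign.

Added illustration, not RiskSense code. Every finding, asset, threat-intel entry
and team name below is constructed sample data with placeholder CVE identifiers.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed scanner output from three tools. Each line: tool,asset,cve,cvss.
# Note the overlap: two scanners report the same CVE on app-01 (one lower-cased).
SCANNER_LINES = """\
netscan,app-01,CVE-0000-1001,9.8
netscan,db-01,CVE-0000-1002,7.5
appscan,app-01,cve-0000-1001,9.8
appscan,app-01,CVE-0000-1003,5.3
appscan,web-02,CVE-0000-1004,8.1
configscan,hvac-01,CVE-0000-1005,6.5
"""

# Constructed asset inventory: business criticality (1-5), owning team, business function.
ASSETS: Dict[str, dict] = {
    "app-01": {"criticality": 5, "owner": "app-ops", "function": "order processing"},
    "db-01": {"criticality": 5, "owner": "db-ops", "function": "customer records"},
    "web-02": {"criticality": 3, "owner": "web-ops", "function": "marketing site"},
    "hvac-01": {"criticality": 2, "owner": "facilities", "function": "building control"},
}

# Constructed threat-intel feed: placeholder CVE ids that have a known public exploit.
KNOWN_EXPLOITED = {"CVE-0000-1001", "CVE-0000-1004"}


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    sources: List[str]


def parse_findings(text: str) -> List[Finding]:
    """Parse raw scanner lines and normalize them (CVE ids upper-cased, CVSS as float)."""
    findings = []
    for line in text.strip().splitlines():
        tool, asset, cve, cvss = [field.strip() for field in line.split(",")]
        findings.append(Finding(asset=asset, cve=cve.upper(), cvss=float(cvss), sources=[tool]))
    return findings


def dedupe(findings: List[Finding]) -> List[Finding]:
    """Merge duplicate (asset, cve) pairs reported by different scanners into one finding."""
    merged: Dict[tuple, Finding] = {}
    for f in findings:
        key = (f.asset, f.cve)
        if key in merged:
            merged[key].sources.extend(f.sources)
            merged[key].cvss = max(merged[key].cvss, f.cvss)
        else:
            merged[key] = Finding(f.asset, f.cve, f.cvss, list(f.sources))
    return list(merged.values())


def risk_score(f: Finding) -> float:
    """Rank by business context: CVSS weighted by exploit availability and asset criticality."""
    exploit_factor = 2.0 if f.cve in KNOWN_EXPLOITED else 1.0  # arbitrary demo weighting
    criticality = ASSETS.get(f.asset, {"criticality": 1})["criticality"]
    return round(f.cvss * exploit_factor * criticality, 1)


def funnel_counts(text: str, critical_threshold: int = 4) -> Dict[str, int]:
    """Show how each stage narrows the queue (the 10,000 -> 1,000 -> 100 narrowing in the text)."""
    unique = dedupe(parse_findings(text))
    exploited = [f for f in unique if f.cve in KNOWN_EXPLOITED]
    critical = [f for f in exploited
                if ASSETS.get(f.asset, {"criticality": 1})["criticality"] >= critical_threshold]
    return {"raw": len(text.strip().splitlines()), "unique": len(unique),
            "known_exploit": len(exploited), "critical": len(critical)}


def triage(text: str, top_n: int = 3) -> List[dict]:
    """Run the funnel and return the top_n items, each with an owner, the reason and a next step."""
    ranked = sorted(dedupe(parse_findings(text)), key=risk_score, reverse=True)
    tickets = []
    for f in ranked[:top_n]:
        asset = ASSETS.get(f.asset, {})
        tickets.append({
            "asset": f.asset,
            "cve": f.cve,
            "score": risk_score(f),
            "known_exploit": f.cve in KNOWN_EXPLOITED,
            "assign_to": asset.get("owner", "unassigned"),
            "why": f"{f.cve} on {f.asset} ({asset.get('function', 'unknown function')}), "
                   f"seen by {', '.join(f.sources)}",
            "next_step": "patch in the next change window; verify with a rescan",
        })
    return tickets


if __name__ == "__main__":
    print(funnel_counts(SCANNER_LINES))
    for ticket in triage(SCANNER_LINES):
        print(ticket)
```

The ordering is the point of the exercise: the highest raw CVSS on a low-criticality building-control device drops below a lower CVSS on a critical system with a known exploit, and the de-dupe step prevents the same issue from being ticketed twice just because two scanners saw it. Each ticket carries the business function and the reporting sources, which is the context IT ops needs to act on it.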

FIELD: We’ve covered a lot of ground here. Could you summarize some of the questions that security leaders really need to be asking themselves now to determine their degree of alignment with their businesses?

MUKKAMALA: In simple terms, they need to ask themselves about their return on risk. It’s no longer just about throwing money at the problem. In the risk management process, you want to do two things:

• Mitigate or eradicate risk; and
• Transfer the risk.

Ideally you want to mitigate the risk, but sometimes that’s too expensive. Therefore, buying cyber insurance is the simplest way to transfer the risk. To determine the balance between risk mitigation and transferring risk you need repeatable and quantifiable metrics to determine the degree of economic impact of your risk. And the moment you can quantify that, you can then translate that information in a manner your C-levels, board members and shareholders will understand.


902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com


Contact

(800) 944-0401