Intelligent CISO Issue 16 - Page 42

E R T N P X E INIO OP connections which traverse many geographies – and regulatory mandates. And everything has gone digital, proliferating technology and systems that produce and manage data. In this environment, complexity has become the number-one issue facing the CISO. Because of the scale and complexity of networks today, gaining visibility to understand and secure these infrastructures has become a bigger challenge now more than ever. Organisations struggle to answer what should be a simple question: what is it I’m trying to protect and how well is it being protected? But if you can’t see it, you can’t tell if it’s secure. This lack of visibility makes security the department of ‘no we can’t’ because they can’t picture their security status as it is now, let alone how it will look throughout an innovation project. To be the department of ‘yes we can’ security needs to start with visibility. Fundamental visibility Answering the first portion of the above question is difficult: What is it I’m trying Historically, the dichotomy between security and innovation has meant that if you want to move fast, you could get hurt; if you want to be secure, you’ll hardly move at all. 42 to protect? You have to be able to establish and maintain a record of all the assets where data resides – whether its intellectual property, personal identifying information, financial records, email, etc. These assets should be categorised with appropriate business attributes and updated as the organisation changes. Creating an accurate asset record becomes a major challenge for assets in the cloud, as virtual machines are spun up and down even on an hourly basis. Also, for critical infrastructure and manufacturing organisations who have operational technology (OT) networks, the scale of OT devices can dwarf that of IT assets even in major enterprises or government agencies. In order to maintain an accurate and complete asset record, data collection has to be automated. Answering the second portion of the question – how well is it being protected? – is even harder because it requires insight into the assets as well as contextual understanding of their relationship to security controls and network paths. For example, in order to understand the risk to any assets holding customer credit card information, you’d need to know which assets pertain to this data, their vulnerabilities, the threats leveraging those vulnerabilities and the security controls affecting those assets’ exposure to threats. Exposure is the critical element of security status that is impossible to understand without insight into the relationship between the assets and network infrastructure. It becomes especially important during times of change – such as cloud migrations, mergers and acquisitions – as attackers routinely use times of chaos as opportunities to slip behind defences unnoticed. To look at another example where exposure is an important consideration, let’s look at a change to a firewall rule. These changes are made every day in an organisation to refine access and enable new services. To make sure a proposed change is secure, you have to know which firewalls are relevant to the change; if the change adheres to rule, access and configuration compliance policies; and if the change would open up a network path to a vulnerable asset. If a change to a firewall is going to create a risky exposure, it undermines the purpose of the firewall as a security control. So, does your organisation have the visibility it needs to enable secure innovation? Below is a good checklist to gauge where you are: • Do I have a record of all my assets? • If an asset is compromised, do I know the potential impact to my business? Issue 16 | www.intelligentciso.com