By SecureWorld News Team
Thu | Mar 31, 2016 | 2:17 PM PDT
By: Autumn Foster
SecureWorld Media

When you cozy up with 1,500 of your closest cybersecurity friends in Boston, you're bound to have some productive conversations. Between the sessions, the networking, and the trade show floor, everyone at SecureWorld Boston had plenty of opportunities to consult with their peers on the biggest issues the industry is facing right now. While a lot of what we heard wasn't exactly new, we picked up on the urgency needed to find solutions to some of these issues. To be blunt: there is a lot more work to do - and we're going to have to do it together.

Howdy, Partner

Partnership is more than a buzzword right now. It's the only way practitioners are finding solutions to stay one step ahead. Wouldn't it be great if we were 15 steps ahead? Sure, you probably have a lot of different partnerships with vendors to protect your firewall and your endpoints. But what about partnerships with people? We heard it during sessions, during panel conversations, and each Keynote Speaker addressed partnerships in his/her own way.

For example, BPD Detective Steven Blair talked about the partnerships he uses every day to catch cybercriminals. From companies like PayPal to agencies like the FBI, everyone has to work together to track down IP addresses, online photographic evidence, and to bust through the home of a woman scamming people out of money from her living room.

Dawn-Marie Hutchinson's Keynote Presentation focused on a different type of partnership: the one you have with your incident response team. Working together--ahead of a breach--is the only way to effectively manage a security incident. Hutchinson outlined some key partnerships to keep in mind:

  • Technical Team
    • Evidence Team
    • Analysis Team
    • Physical Security
    • Malware Team
  • Business Team
    • Executive Team
    • General Counsel
    • Media Relations
    • Customer Relations
  • Outside Support Teams
    • Outside Counsel
    • Forensic Provider
    • Insurance Provider

That's a lot of people, right? A lot of partnerships to maintain? One of the best pieces of advice Hutchinson gave was that you need to develop and cultivate these partnerships NOW, not when you're in the middle of a security incident. How much more likely are you to pick up the phone when someone calls if you have already established a relationship with that person? If your forensic provider already knows you, your network, your business, you're a lot more likely to get an emergency response from that partner when you're dealing with an emergency.

Even our panelists talked about the importance of partnerships. During the "After the Hack" panel, the topic of partnerships came up in an area you might not expect: the shortage of industry talent available. The panel estimated the unemployment rate in cybersecurity is -5% right now, meaning 5% of jobs are going unfilled because there isn't anyone to hire.

"When you think about people in process, realize, you're going to have to partner with people. You're going to have to bring in the 'best of breed' to get these capabilities because there just isn't the talent pool yet," said Christopher Scott of CrowdStrike.

The most common theme about partnerships is one you've heard before, but it bears repeating. The partnership between the security team and the executive team is the most important one you can develop. And it goes both ways: from the top down and vice versa.

Steven Beaudrot's presentation on Communicating Risk addressed the partnerships needed throughout the entire company to effectively manage risk. You've heard everyone say, "get invited to the board meeting and you can communicate to the C-Level about how you need to address security now." That's valid. But Beaudrot's message went beyond that, showing that it starts with the engineer. We need to lose the "knowledge is power" attitude and check our egos. That doesn't make you more valuable. "Hoarding knowledge doesn't make you the smartest person in the room," said Beaudrot. Developing a transparent and communicative partnership with all stakeholders is the best way to battle bad guys.

The Wire

The email phishing attack is not going away. We heard horror stories about this vulnerability in three separate sessions. And not just anecdotal stories. We're talking real-world examples of the CEO scam. Earlier this week, we reported on Mattel's close call. Can your company afford to lose $3 million in a fraudulent wire transfer? No, of course not.

BPD Detective Blair said the email phishing scam is the single biggest crime his division is dealing with right now. He gets calls DAILY from Boston businesses that are getting targeted by these email scams. One case he described was about a spoofed CEO email to the CFO requesting a wire transfer where just a little bit of investigating would have saved the day. The CEO's spoofed email was just one letter off from his actual email address. But, if we train our employees better, they'll know to look for these anomalies.

The overall consensus on the email phishing scams was this: everyone wants to do a good job. There are protocols in place to keep CFOs from wiring money to the bad guys. These CFOs are following the protocols, but they're still getting tricked. That's how good the bad guys are. What protocols do you have in place to keep this from happening to you? Even in Mattel's case, the protocols were followed. Two executive team members signed off on the transfer (or so it would seem) and that wasn't good enough. That's because one of the two execs "sent" the email. When you're compromised, it doesn't matter how good your protocols are. You've got to empower your team to ask questions and follow-up. And it really starts with warning them that this is a potential trap to begin with.

Scott Drucker's session on identity management addressed some of the ways bad guys are getting into our networks with valid credentials. His solution offerings included multi-factor authentication that doesn't inconvenience your end users. Consider setting up a robust identity authentication program that goes beyond a password. Drucker explained how device fingerprinting and threat-analysis scoring can help keep cybercriminals from assuming someone's valid identity and launching email phishing scams or ransomware programs. All the firewall, data, and endpoint protection in the world can't stop a bad actor if they've gotten into your network with approved credentials.

Spoofing and identity hijacking seemed to be one of the biggest issues discussed at SecureWorld Boston - which means people are really worried about staying ahead of it. If you haven't invested in Security Awareness Training yet, don't you think it's a good time to do so?

Back to the Future

Yes, we spent a lot of time talking about the future of information security. But we wanted to address the basics first. Now, let's get back to the future: planning ahead and planning for problems needs to become more of a priority for all of us. We're getting more proactive about how to manage a security incident. We're considering security as we consider whether to put an IoT device in our homes or on our wrists. We're demanding that companies consider the consumer and bake security into their products. And we're analyzing whether self-braking cars are safer than when we're solely in control.

As we focus on being more proactive and look into the future of cybersecurity, there are a few factors practitioners highlighted at SecureWorld Boston. Esmond Kane of Partners HealthCare dedicated his entire session to the future. We asked him which topics he thinks are going to be most prevalent in the near future.

First, Kane talked about leveraging the human factor. Not just seeing it as a liability. Humans may be the biggest threat to our networks, but they could also be a valuable resource. "Engage with your community, leverage their strengths, don't focus on the negatives, and see if you can work with them rather than against them. Don't view it as adversarial," said Kane.

He also talked about the future optimistically. We're now being seen as a business. We're getting invited into the boardroom. We're starting to be seen as leaders. And we're starting to be seen as an innovation space.

Finally, Kane's crystal ball homed in on technology. Knowing there is not one single product that can cure all cybersecurity problems, Kane sees more partnerships and product integration that will help us do our jobs more effectively. "Stitching together all these tools so that you're getting single dashboards. It's a problem space but it's getting better and I certainly encourage its pursuit," explained Kane.

The other problems of the future are, of course, centered around consumer demand for IoT devices and the lack of knowledge when it comes to securing them. It appears, however, that there is some encouraging news on that horizon. In a SecureWorld Media exclusive, you can read about the government partnership (see, we're back to partnerships!) in securing IoT devices. The news won't be released until next week, but SecureWorld got the inside scoop from Joe Jarzombek during his Keynote Presentation on Wednesday.

Best of Beantown

Last but not least, here's what we learned about Boston in our short time away from the Hynes Center:

  • Who knew it could get so wicked windy in Boston?
  • The accents are serious
  • Ordering coffee at Dunkin' Donuts is a different experience than ordering at Starbucks
  • The people are some of the friendliest we've encountered during our travels
  • Edgar Allan Poe's statue down the street from the Hynes tied in nicely to our conference theme

Thank you to those of you who made it to SecureWorld Boston. If you're looking for an event near you, please visit our Events page and register today.
