OPAQ Cloud Named Best Network Security Solution by Gov Security News

We are pleased to report that the OPAQ Cloud platform was recently named best (Platinum) Network Security/Enterprise Firewall solution in the 2017 GSN Homeland Security Awards for cybersecurity excellence.

The Awards are hosted by Government Security News (GSN) to recognize excellence and leadership in the Cyber Security and Homeland Security sectors. Winners were selected based on a combination of technological innovation, ability to address a recognized government IT security need, and flexibility to meet both current and future needs. Category winners were ranked with Platinum, Gold and Silver designations.

The OPAQ Cloud is tailored to meet the unique needs of State and Local governments, which face the same sophisticated security threats, like ransomware, as larger federal agencies, but tend to lack the resources and technical experts to adequately protect their networks.

The massive WannaCry cyberattack that infected computers in at least 150 countries several months ago is a good example. In the aftermath, many State IT officials said they often don’t have enough money to effectively fight sophisticated cyber threats. And the scale of that attack made them even more concerned.

Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO) went on the record to say: “This is a big wake-up call because it is cyber disruption. States and local government need to address this because it’s a serious threat. We have urged states to take action immediately.”

There are many security products that try to do some really great things for state and local governments. However, many products and management systems are isolated and do not talk to each other.

This is why automation and orchestration are becoming a game-changing necessity for state and local governments. Leveraging automation can help state and local governments effectively detect and respond to threats at speed. This is what the OPAQ Cloud is designed to do — and it’s why we were honored with the GSN Homeland Security Award.

To find out more about the GSN Homeland Security Award, see the announcement. To learn about the OPAQ Cloud and the benefits of security-as-a-service visit https://www.opaqnetworks.com/solution.

Elastic (formerly ELK) Stack v. SIEM: Which is the Right Choice for Your MSSP

When you have to respond quickly to organizational or compliance directives from clients, in addition to the cyber security threats and risks that your organization faces every day, it can be difficult to gauge how effective you are in doing so.

When configured correctly, both security information and event management (SIEM) solutions and the open source Elastic stack can give you the information you need to assess the threats facing your organization and develop a strong response. But would one of the two solutions work better for your organization?

SIEM vs. Elastic in Time and Cost

The main advantage of Elastic is that it takes less time to deploy than a standard SIEM solution. In most cases, the deployment time for a SIEM is somewhere between 14 and 18 months.

Aside from time, cost is also a factor worth considering: because Elastic is open source technology, it often requires a smaller up-front investment to set up. With a typical SIEM costing $1.2 million on average, many small and mid-size organizations are turning to the Elastic stack as the more cost-effective option.

The Advantages of SIEM

The great advantage of a SIEM solution is that it is purpose-built to quickly look across all your security data to detect incidents you wouldn’t have otherwise and streamline incident response. Once you have completed the lengthy set up process, the technology can monitor the most important threats facing your organization and give you the data you need to track and respond to them.

However, there is the risk of overwhelming the technology with a large number of rules and oversight requirements, meaning the performance of the SIEM system can suffer. The time to manage these rules can weigh heavily on a managed security team as well.

SIEM systems also come with a host of pre-built analytics that aim to help quickly generate threat event detections. The danger here is that the generic correlations are prone to false positives until tuned properly.

The Advantages of Elastic

Knowing how your system works is just as important as having the right tools. The search capabilities of the Elastic stack offer great flexibility, allowing you to analyze data for your clients from a range of security tools in a central location. As you explore Elastic, you will need to spend time crafting a dashboard for your clients, establishing the metrics you want to use, and ensuring a smooth flow of data from your sensors through to your results dashboard.

This process should leave you with a good understanding of how your security system works to protect your clients’ organization against cyber security threats. The danger with Elastic is that it is mostly up to you to define the security model correctly and to understand sensors. It will take a deeper understanding of security architecture in order to get started.

More than Just a SIEM

More than just a SIEM, Elastic can be a valuable tool for your entire Security Operations, Analytics and Reporting workflow.

The challenges that MSSPs face can often be condensed into two critical questions: how can we grapple with the security data that we generate for our clients, and how can our tools rapidly adapt to changing business needs?

In search of answers to these questions, more and more MSSPs are turning to data intelligence solutions which include tools for data analytics and visualization.

Final Thought

For most mid-size organizations, the significant setup, maintenance and license costs of commercial SIEM solutions are difficult to bear, leading them to seek the expertise of MSSPs. To avoid these same costs, MSSPs that have the resources available can often benefit from using the Elastic stack, while enjoying the significant benefits of flexibility and quick turnaround on results.

When you choose to use Elastic stack, setting up and learning about the technology is an initial investment that should swiftly pay dividends as you roll the solution out to multiple clients.

Why we Pivoted to a 100 Percent Channel Sales Model

Today we announced the OPAQ Channel Partner Program and the completion of our transition to an indirect sales model. There are a number of reasons for this change.

First, many midsize enterprises look to service providers to deliver security services. These organizations struggle to protect themselves from cyber threats due to the shortage and high cost of skilled IT professionals, the growing sophistication of attacks, and the complexity of managing multiple security products and services. These challenges spiked demand by midsize enterprises to outsource their security. According to Gartner, Inc., services will make up over half of all security spending, at $57.7bn in 2018. Meanwhile, spending on security outsourcing services will total $18.5bn, an 11 percent increase from 2017.

Second, both midsize enterprises and service providers struggle with the upfront expense and complexity of acquiring, configuring and maintaining multiple hardware and software security products from different vendors.

For many midsize enterprises, the capital cost of implementing a Fortune 500-grade security infrastructure, not including the human resources to manage it, is overwhelming. Meanwhile, service providers that want to offer managed security services face a similar dilemma, only from a scalability and profit margin standpoint. The traditional hardware/software model requires they purchase products, install them at the customer site(s) and then manage the infrastructure.

Many of the partners’ midsize enterprise customers require complete outsourcing while others prefer a co-managed or self-managed approach. And our partners know which model best suits the customer. We have invested significant time and resources in the development of our “single pane of glass” approach.

This enables partners to deliver end-to-end network security across their customers’ distributed infrastructures — including data centers, branch offices, mobile and remote workers, and IoT devices. The OPAQ 360 portal, a web-based interface, enables our partners to centrally provision, configure and manage an unlimited number of customer sites and policies remotely. Our Partner Portal also makes it simple for partners to go to a single place in order to access training, sales support, deal registration, and other resources that are essential in helping them to accelerate time-to-value.

According to one of our channel partners, Tom Turkot, vice president of client solutions for Arlington Computer Products, “The OPAQ Cloud is a game changer.”

You can read today’s announcement here: OPAQ Channel Partner Program Press Release. Or for information about the OPAQ Channel Partner Program visit: https://opaqnetworks.com/partner-program.

KPI v. KRI v. KCI: Key Cyber Security Indicators

Companies that have spent significant resources and money on managing their cyber security environment understandably want to know the results of all this expenditure. As such, it is important for Managed Security Service Providers (MSSPs) to be able to provide customers with some visibility into those results. However, results only tell you half the story. For instance, they may demonstrate that there was a breach, but, without significant forensic effort, will not necessarily provide the sequence of events or failures which led up to the compromise.

Organizations are complex and have many performance measures. Most have designated key performance indicators (KPIs) at various levels of the organization, which business management agrees are the most important metrics to monitor. They are designed to be leading indicators of business performance. Key risk indicators (KRIs) are similar in that they are leading indicators; however, rather than signal performance, they signal increased probability of events that have a negative impact on business performance. Then there are key control indicators (KCIs), that are closely related to KRIs in that they measure the effectiveness of risk controls.

Business managers use KPIs to show where things are going well or poorly and KRIs to indicate when the probability of the latter is increasing. KCIs are a measure of how well risk controls are performing. MSSPs can, and should, do the same using security data which is commonly available for most of their clients.

More on KPIs, KRIs and KCIs

You may hear these terms used interchangeably; however, they are distinctive and should be treated differently in order to make them understandable.

  • Key performance indicator (KPI): Shows how the business is performing based on the goals and objectives leadership has set as well as the progress that is being made toward those goals. For security operations, this metric might be used in an effort to resolve open items or tackle a backlog of unresolved security investigations.
  • Key risk indicator (KRI): Measures the company’s level of risk, and how its risk profile changes over time. An example for security operations is to use metrics that measure the severity of threats and vulnerabilities being reported by sensors. Another example is to look at where in the defensive chain events are happening (e.g. end-point-based events are more “risky” than firewall or WAF events). Finally, make sure you have a good understanding of the business role the assets involved play. Security events that occur on critical assets present more risk than those on noncritical ones.
  • Key control indicator (KCI): Indicates how much control a company has over its environment and its level of risk, or how effectively a particular control is working. Putting this in context with IT security operations, a question to ask is whether you have the necessary controls across all areas of the business – for example, the NIST Cyber Security Framework functional areas (identify, protect, detect, respond and recover). Knowing that these functions have sufficient coverage throughout your defense in depth (devices, applications, networks, data and users) gives you a degree of confidence in your controls.

How to Use These Metrics

The interplay between the performance, risk and control metrics is the key feedback that an organization needs in order to be confident that investments in cyber security are appropriate. Now that we have defined the appropriate use for the individual metrics, let’s see some examples of how to apply them:

  • Risk is the probability of bad things happening applied to the business cost of it happening. You can calculate an estimate of the probability by looking at the number, place (where in the defense in depth model) and severity of events measured by sensors. For the impact, or real cost, look at which hosts are involved. Are they where the crown jewels are kept, or more of an extra store-room full of old furniture? Faced with so much data, organizations can be afflicted with “analysis paralysis,” so simplify these measures into risk metrics everyone can understand.
  • Performance metrics are meant to show how efficient an organization is at accomplishing its mission. In cyber security, the mission happens to be risk mitigation. So performance is how well you manage your backlog of open security cases, time to resolution, etc. with respect to the staff and systems you have. There are significant parallels to customer support metrics in this category.
  • Controls mitigate risks and enable performance. In cyber security, technical (security sensors) and process controls are your bread and butter. They also generate the data that drive risk metrics and allow you to optimize performance. Compliance measures are your friend here. Measure your degree of coverage against a framework such as NIST CSF.
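The risk and performance bullets above can be turned into code. The following is an added example, not code from the original post or from OPAQ: it scores constructed sensor events by severity, position in the defense-in-depth chain and asset business role (a KRI), and computes backlog and time-to-resolution figures from constructed cases (KPIs). The layer weights, asset tiers, product and host names are all assumptions chosen for illustration.

```python
"""Added example: raw sensor events and case records turned into a
risk indicator (KRI) and case-handling performance indicators (KPIs).
All weights, tiers and sample data are constructed assumptions."""
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Assumed defense-in-depth weights: an event seen on an endpoint means the
# outer layers were already passed, so it is weighted higher than one
# stopped at the perimeter (firewall or WAF).
LAYER_WEIGHT = {"firewall": 1.0, "waf": 1.0, "network_ids": 2.0, "endpoint": 3.0}

# Assumed business-role multiplier for the host involved ("crown jewels"
# versus the "store-room full of old furniture").
ASSET_TIER = {"crown_jewels": 3.0, "business": 2.0, "noncritical": 1.0}


@dataclass(frozen=True)
class SensorEvent:
    host: str
    layer: str        # where in the defense-in-depth chain it fired
    severity: int     # 1 (informational) .. 5 (critical), as reported by the sensor
    asset_tier: str   # business role of the host


def event_risk(ev: SensorEvent) -> float:
    """Probability proxy (severity x layer) times impact proxy (asset tier)."""
    return ev.severity * LAYER_WEIGHT[ev.layer] * ASSET_TIER[ev.asset_tier]


def risk_indicator(events):
    """KRI: total weighted risk plus the single largest contributor, so a
    manager sees both the volume and the one host to look at first."""
    if not events:
        return {"total": 0.0, "top_host": None, "top_score": 0.0}
    per_host = {}
    for ev in events:
        per_host[ev.host] = per_host.get(ev.host, 0.0) + event_risk(ev)
    top = max(per_host, key=per_host.get)
    return {"total": sum(per_host.values()), "top_host": top, "top_score": per_host[top]}


@dataclass(frozen=True)
class Case:
    case_id: str
    opened_day: int
    closed_day: Optional[int]   # None while the case is still in the backlog


def performance_indicators(cases, today: int):
    """KPIs in the customer-support style: open backlog, mean days to
    resolve closed cases, and the age of the oldest open case."""
    open_cases = [c for c in cases if c.closed_day is None]
    closed = [c for c in cases if c.closed_day is not None]
    return {
        "backlog": len(open_cases),
        "mean_days_to_resolve": mean(c.closed_day - c.opened_day for c in closed) if closed else 0.0,
        "oldest_open_days": max((today - c.opened_day for c in open_cases), default=0),
    }


# Constructed sample data (hypothetical hosts and cases)
SAMPLE_EVENTS = [
    SensorEvent("fw-edge", "firewall", 2, "noncritical"),
    SensorEvent("web-01", "waf", 3, "business"),
    SensorEvent("db-pay-01", "endpoint", 4, "crown_jewels"),
    SensorEvent("db-pay-01", "network_ids", 2, "crown_jewels"),
]
SAMPLE_CASES = [
    Case("C-1", opened_day=1, closed_day=3),
    Case("C-2", opened_day=2, closed_day=6),
    Case("C-3", opened_day=5, closed_day=None),
    Case("C-4", opened_day=9, closed_day=None),
]

if __name__ == "__main__":
    print(risk_indicator(SAMPLE_EVENTS))            # db-pay-01 dominates the score
    print(performance_indicators(SAMPLE_CASES, 10))
```

The two endpoint and IDS events on the payment database outweigh everything at the perimeter, which is the point of weighting by layer and asset role rather than counting alerts; tracking `total` and `top_score` over time is what turns the numbers into an indicator rather than data.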

Generating the metrics here seems like a daunting task at first. But, once you start simplifying and categorizing the measures, you will find that you can come to a reasonable set quickly. Then you need to automate their calculation. With experience, you will learn whether you’ve chosen the right KPIs and KRIs, and you can make adjustments as necessary. Getting started can be a challenge for MSSPs, but it’s 80 percent of the battle.

The most important thing to remember is that the statistics coming out of your cyber security systems are not KPIs, KRIs or KCIs. They are just data. Decide what performance, risk or control measures you need in order to clearly explain metrics of security operations to the business you support.

Test these on business managers to make sure they resonate, adjust and go again. The more consistent and transparent your measures, the more confidence your clients will have in their security investments.

Putting KPIs, KRIs and KCIs into Practice

On one hand, you have a large amount of security data – the proverbial big data problem. On the other hand, you need actionable output – a list of what to do now to transform your clients’ security programs into a high performance business driver. Metrics will guide your path to success, but generating consistent and reliable information security metrics is hard. So here are a few steps to get you started.

Step 1: Understand your Coverage, Operations, and Compliance Challenges

Security operations involves a set of functions being performed across a set of assets. The NIST Cyber Security Framework (CSF) provides a core list of the functions and the Cyber Defense Matrix from OWASP does a fine job of aligning those functions against a representative set of assets. Categorizing the deployed security products or processes in your client’s environment within the matrix will establish coverage and identify gaps in the program’s architecture.

Operationalizing the matrix by collecting, identifying and assigning the output data from your security products to each cell in the matrix shows evidence of operations and serves as your first step in addressing the ‘big security data’ problem. Gaps between what you thought you had deployed and what actually shows up as evidence of operations will provide you with an immediate ‘to-do list’.

Applying a control framework (such as CIS Top 20, GDPR, or FFIEC) adds depth to each of the intersections by mapping specific security controls to both deployed security products and your client’s assets. The resultant overlay identifies gaps in your compliance effort and your second ‘to-do list’. When combined with your operational to-dos, the entire list can be mapped to a 30, 60, 90-day plan of action with key milestones. Wash, rinse and repeat for each of your lines of business or departments, and you now have a path for your journey.
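Step 1 as a small program, added here as an example and not code from the original post or from OPAQ: it builds the matrix from the NIST CSF functions and the asset classes named above, then produces the three lists the text describes (architecture gaps, products that claim a cell but emitted no evidence, and control requirements whose cells are empty). The product names, the evidence log lines and the control identifiers are constructed assumptions, not any real framework's control ids.

```python
"""Added example: operationalizing a Cyber Defense Matrix. CSF functions
and asset classes are from the text; products, logs and control ids are
constructed for illustration."""
from itertools import product

FUNCTIONS = ["identify", "protect", "detect", "respond", "recover"]
ASSETS = ["devices", "applications", "networks", "data", "users"]


def build_matrix(deployments):
    """deployments: iterable of (product, function, asset).
    Returns {(function, asset): set of products claimed to cover the cell}."""
    matrix = {cell: set() for cell in product(FUNCTIONS, ASSETS)}
    for prod, func, asset in deployments:
        matrix[(func, asset)].add(prod)
    return matrix


def architecture_gaps(matrix):
    """Cells with no deployed product or process at all."""
    return sorted(cell for cell, prods in matrix.items() if not prods)


def evidence_of_operations(matrix, evidence_products):
    """Claimed (cell, product) pairs whose product produced no output data
    in the collection window: the first 'to-do list' in the text."""
    silent = []
    for cell, prods in matrix.items():
        for p in sorted(prods):
            if p not in evidence_products:
                silent.append((cell, p))
    return silent


def compliance_gaps(matrix, control_map):
    """control_map: control id -> set of cells the control requires.
    Returns {control id: cells with nothing deployed}: the second to-do list."""
    return {
        ctrl: sorted(c for c in cells if not matrix[c])
        for ctrl, cells in control_map.items()
        if any(not matrix[c] for c in cells)
    }


def products_with_evidence(log_text):
    """Parse 'source=<product>' fields out of constructed collector log lines."""
    seen = set()
    for line in log_text.splitlines():
        for field in line.split():
            if field.startswith("source="):
                seen.add(field[len("source="):])
    return seen


# Constructed deployment inventory: (product, CSF function, asset class)
DEPLOYMENTS = [
    ("asset-inventory", "identify", "devices"),
    ("edr-agent", "protect", "devices"),
    ("edr-agent", "detect", "devices"),
    ("waf", "protect", "applications"),
    ("ngfw", "protect", "networks"),
    ("ids", "detect", "networks"),
    ("backup", "recover", "data"),
    ("phishing-training", "protect", "users"),
]

# Constructed collector log: one line per product that actually sent data
EVIDENCE_LOG = """\
2017-11-01T00:00:00Z source=edr-agent events=412
2017-11-01T00:00:00Z source=ngfw events=99120
2017-11-01T00:00:00Z source=backup events=7
"""

# Constructed, hypothetical control mapping (not real framework control ids)
CONTROL_MAP = {
    "CTRL-LOGGING": {("detect", "networks"), ("detect", "applications")},
    "CTRL-DATA-PROTECT": {("protect", "data"), ("detect", "data")},
}

if __name__ == "__main__":
    m = build_matrix(DEPLOYMENTS)
    print("architecture gaps:", architecture_gaps(m))
    print("silent products:", evidence_of_operations(m, products_with_evidence(EVIDENCE_LOG)))
    print("compliance gaps:", compliance_gaps(m, CONTROL_MAP))
```

On this inventory the WAF, IDS, inventory and awareness-training entries are "deployed" on paper but silent in the collector, which is exactly the discrepancy the text says becomes the first to-do list; re-running the same functions after each milestone gives the before/after comparison Step 2 asks for.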

Step 2: Measure your Efficacy 

With security products and processes deployed and more on the way as you move down your path, it is time to measure the effectiveness of each action and ensure its alignment with the business. Recall that operationalizing the matrix served as the first step in solving the big data challenge by categorizing the data and applying business context through the assets in the matrix and each line of business or department.

Enriched with this context, the security data can now be normalized and analyzed to produce key metrics, or as we called them earlier, KPIs, KRIs and KCIs. Examples include the speed of new threats or vulnerabilities for KRIs, the treatment of symptoms or root causes for KPIs, or the reduction in defensive workload for KCIs.

With metrics in place, each to-do on your journey can be seen as a resultant change in one or more metrics. What’s more, the value of fixing operational to-dos or implementing a specific control can be measured and communicated specific to the business context it affects. At each milestone on the journey, thresholds for metrics can be set to determine success or identify needed adjustments in the plan.

Final Thought

It’s all about the journey. A successful information security program is not an end-state, but a continually monitored and adjusted compilation of people, process and technologies. Mapping the program’s functions with your client’s assets and required controls provides you the steps needed to mature your program while metrics will keep you honest about how well the program is performing.

Closing the security skills gap with online education

Ryan Corey is President and Co-founder of Cybrary, Inc., an online security training and education provider. Cybrary provides free access to security courses, along with learning tools and an enterprise training product.

OPAQ: Describe business needs for security training today and how/why online courses are a good fit for meeting them?

RC: Technologies are shifting so fast, and attack surfaces are expanding so fast that it is tough to keep up with it all. Equipping personnel with the right skills is critical. Research has shown that companies retain their people when they continually train them, but the tech and IT security training landscape is problematic. The traditional model is to send people on a one-week course, where they cram in lots of material at a cost of $3,000 to $6,000. The industry would certify people in whatever course they took, and that’s another $300 to $1,000 for the test. It’s also inaccessible: if you are not close to a major metropolitan area then you have to travel. And if a company doesn’t sell enough seats in a course, then the course might cancel. That’s inconvenient. It became obvious when companies like Pluralsight and Lynda started having massive success that online became the preferred way to do training. You can do it at your own pace, and it’s much more affordable. Microbursts of learning are what seems to work best for most people.

OPAQ: From looking at your user base and most popular courses, what trends do you see that correlate to security education and/or security needs?

RC: Concepts like the DOD 8140 directive for federal government and pen testing are popular with consumers and on the enterprise side, incident response and threat intelligence. The enterprise product, which is the paid side of the business and includes full access to all the learning tools, is seeing 20-30% revenue growth monthly. Yet we also know that so many security teams are not getting training, and it’s surprising.

OPAQ: In what cases are online learning not an appropriate match for security professionals?

RC: People tend to go to classrooms when there is pressure to learn something in a specific time period, when they need mentorship, or hands-on training. I think where online falls short is in the accountability aspect, but you can design courses with gamified concepts to help keep people engaged. It’s like going to the gym on a regular basis. Sometimes you don’t see what the reward is going to be, so maybe you won’t go.

OPAQ: Aside from training and education, what else is critical to closing the security skills gap in this country?

RC: The final piece is assessment. Let’s say a stay-at-home mom who used to work in IT wants to go back to work after being at home for five years. She’d like to work in cyber but she’s got no experience. So even if she goes and takes a $5000 course for a week, that’s still not enough, and getting a two-year degree is really not convenient and it’s expensive. That is very high friction. That’s the same for someone just starting out. A degree is not useful without experience. If an individual takes online training and does an assessment, that puts them through real world scenarios and gives scores for their performance. There is a company called Cyberscore that offers tech assessments for system administrators. Coding challenges are another way to do this. The point is, people need a transparent way to show that they are technically proficient in a security skill to the employer.

Good Security Depends Upon Automation, Analytics and Outsourcing

Joshua Margolin is Principal Analyst at Clutch. He received his BA in Business Communications from the University of New Hampshire, and his MA in Technology & Entrepreneurship from Georgetown University.

OPAQ: Which are the hottest areas within the security tech sector right now in terms of customer demand and innovation?

JM: To set the stage, companies worry most about whether they will be too late in implementing security technology. Another important consideration is the job market, because there isn’t enough cyber security talent to go around. Companies don’t know where they stand from a risk profile standpoint and once they do, many aren’t sure how to address it. There’s going to be less of a demand for security consultants and analysts because more companies will defer to automation solutions for detection, monitoring, privileged access and transparency. The fact that you can subscribe to security services in the cloud means that you don’t need to hire a team of experienced analysts. Our recent survey indicated that 70% of large companies will invest more in cybersecurity technology over the next year.

Another top category is Internet of Things (IoT). Large enterprises have a lot to gain by integrating IoT into their core business. On the consumer side, we are seeing more of these devices all the time – from smart home and car technology to wearables. Companies need to determine whether or not they should invest money in endpoint protections considered outside the traditional realms of interaction.

OPAQ: What types of customers are becoming more interested in cloud or outsourced security services and how do you think this market will evolve?

JM: It makes sense to outsource these activities, especially for smaller companies because it’s so expensive to staff your own team of security experts. Yet before you spend money with any vendor, it’s worth the investment to hire a threat intelligence agency. These companies audit internal data and practices while considering the wider marketplace, all in an effort to determine what threats would most likely be encountered. Companies easily fall into the illusion that technology is the panacea. Not every business requires the same degree of security or even the same approach. It’s also important to remember that at least half of a company’s needs can be addressed by sound policy and effective training. For many companies, hiring a SaaS provider or two is sufficient. With larger project scopes, a MSSP is ideal because they will integrate several complementary SaaS products and manage the vendor relationships.

OPAQ: Both Gartner and IDC predicted earlier this year, 7-8% growth in IT security spending worldwide. How do companies best decide how to use a bigger budget?

JM: It will first depend on what internal expertise they have out of the gate. Any company that has a CSO or CIO has experience and networks to help figure this out. What’s difficult is when a company has no internal IT to rely on. This leaves them at the mercy of vendors’ salesmanship. They might be driven by the fear factor or they might misallocate budget to bring a contractor in-house. This only drives the costs way up. It might offer more peace of mind when compared to outsourcing but then the company is limited by the expertise of any single person. There’s a lot more to gain by tapping into wider talent pools.

OPAQ: Are developers and engineers having a hard time staying abreast of threats and developing the right solutions to counteract new threats and recover from them?

JM: The market for malware and ransomware is booming. There are a lot of talented people out there with malicious intent. These actors are often well financed by corporations or governments and they will find a way in; it’s only a matter of time. Technologists and engineers on the good side are always going to be chasing down the black hat actors. It’s better to be adaptive and react in the nick of time, all made more possible than ever thanks to advances in predictive analytics and artificial intelligence. That’s where the new frontier is for cybersecurity.

Considering Compliance in the Cloud

Gates Marshall is Director of Cyber Services at CompliancePoint. He has many years of experience in information security consulting with expertise across secure architectural design, vulnerability and penetration testing, OWASP, forensics, incident response, GDPR, FISMA, MARS-E, and cryptographic control design and implementation.

OPAQ: What exactly do we mean these days by “cloud compliance” versus other security and compliance topics?

GM: In some respects, there is not a big difference between on-premise and the cloud. HIPAA or PCI standards don’t make special exceptions for the cloud. The rules apply the same everywhere. There are also some cloud-specific compliance solutions out there like CloudeAssurance or CSA Star Certification, which allow organizations to achieve a quantifiable rating on compliance. Yet for a lot of things, being compliant in the cloud is not much different than having a data center somewhere or a colocation provider.

A significant problem is that when people sign on with a cloud service provider (CSP), they sometimes think they are outsourcing the due diligence aspect of compliance. Google, Microsoft and Amazon have a number of certifications, but these are to certify their own services. They are not certifying that their merchants and other customers are compliant in any specific client-level implementation.

OPAQ: There are some differences, though, right?

GM: The way you can configure systems in the cloud is different than a traditional on-premise installation. For instance, take PCI DSS, which is a fairly prescriptive standard for merchants. It calls for having a separate demilitarized zone (DMZ) from your LAN to isolate and protect credit card data with a firewall. CSPs may support other mechanisms, like AWS security groups, to facilitate a similar functionality; however doing so still doesn’t meet all of the compliance requirements for a DMZ. So organizations are using these new cloud services, but they are missing some of the requirements as relates to architecture controls and/or logical segmentation.

OPAQ: How would you describe the level of security and compliance support at the major cloud providers?

GM: They do quite a bit to reduce the burden of compliance. Most of them produce good documentation to declare what we call a service provider controls responsibility matrix. It shows what the provider is doing around compliance and that helps because it both reduces the burden on the customer and declares where the customer’s remaining responsibilities begin. Security at the large CSPs has improved a lot, for instance with services like Amazon CloudWatch for monitoring. All the major providers now have good auditing capabilities for the management interface and offer multifactor authentication. These developments give customers more confidence in the cloud.

OPAQ: Is security protection in the cloud as good as or better than an enterprise on-premise environment?

GM: We tend to have an affinity toward legacy configurations in the on-premise world. By that, meaning we set it up and it works and we never change it. It’s security via obscurity. When you go through the transformation process to become a cloud-first organization, you need to fix all those legacy issues that were acceptable in the LAN environment. You can’t be so sloppy. Cloud providers may be less secure than on premise, however, because you’re letting someone else manage the Layer 1 infrastructure. The physical addressing and networking and storage configurations now fall on the CSP. They may have weaknesses that you don’t know about and the customer has to depend on third-party attestations. Hypervisor hopping has been a concern for a while. If a CSP’s hypervisor technology has a flaw, a malicious actor could jump between different customers’ VM guests through the hypervisor. There aren’t any disclosed examples of this happening, but it’s always a risk in a multi-tenant environment.

OPAQ: Yet most if not all of the massive breaches in recent years have been in on-premise environments, right?

GM: While this is true, many of these breaches could have taken place in the cloud. Equifax had a real problem with inventory because they didn’t have visibility into the software that should have been patched. That scenario could have also occurred with a CSP. Vulnerability management is critical in any implementation. Accenture did have an issue in the cloud recently, which could have been disastrous. In October, it was discovered that the global consulting firm had left an AWS S3 storage location unsecured, leaving over 100GB of customer data accessible without authentication by anyone on the Internet with the correct S3 URL. The insecure configuration of Amazon S3 could also apply to on-premise technologies. No matter where your data sits, IT needs to secure the location against exploitable configurations and software flaws.

OPAQ: Do you foresee more regulation in the area of cloud compliance and security?

GM: Yes. The EU’s General Data Protection Regulation (GDPR) has huge potential to change a lot of things in tech. It goes into enforcement in 2018, and may become a global standard for privacy. GDPR applies to any organization that uses the data of people who are in the EU at the time of data collection. Two key principles of GDPR are that companies and organizations should use data minimization to keep the smallest amount of data possible and use consent mechanisms to ensure they’re authorized to hold or use that data. If you have 10 million customer records, but determine that you only need to keep two million records and purge the rest, your risks go down. If a breach occurs, there is less data loss and lower costs to mitigate the impacts of the loss. Information privacy is the next frontier. The large CSPs realize that if they don’t get in front of this, they will lose business. This will require that CSPs look closely at the leading cyber risk rating mechanisms, and adopt one or two of them. I think we’ll also see more CSPs provide guidance on how to meet global data security and privacy requirements in an effort to help customers help themselves.

Meyer: Closing the Cybersecurity Skills Gap with Entry-Level Roles

Ean Meyer is a Course Director with Full Sail University, teaching the next generation of engineers about information security. He has experience in PCI, SOX, intrusion detection and prevention systems, information security program management, penetration testing, and social engineering/user awareness training. Ean has a B.S. in Information Security and an A.S. in Computer Network Systems.

OPAQ: What are a few reasons why security skills are lacking in the workforce?

EM: There are two main problems in the higher level discussion about the skills gap. We have focused too much on passing tests and not critical thinking and history and engineering. Information security is about thinking outside of the box: you have to think like a hacker. The second challenge is that academia has a tendency to be behind the curve. In some colleges you have to pass electrical engineering to get into the network security course. That’s a major barrier for people who could be excellent network engineers or security analysts. It doesn’t make sense. I am a big believer that the skills gap can be solved by a trade school and real world education approach. People aren’t going to enter the workforce into environments where it’s all brand new technology, except for maybe at startups. In large organizations you’re going to have a lot of legacy technology, so teaching the history of that and learning how to deal with those challenges is part of the skills gap issue.

OPAQ: What skills are most needed now?

EM: The top one is security analyst. These are people who can come in and understand the environment quickly and provide value by teaching well-defined processes and when to escalate. There are lots of people from IT fields that know how computer infrastructure works and can be taught additional pieces of process they haven’t been exposed to yet. The second big one is cloud security architect. The cloud is not simply “push a button and it’s all good behind the scenes.” For AWS, there are 1500 pages of security documentation. I’m also a big fan of understanding what is going on in social engineering—the con men just trying to trick people. I think security awareness training is a big opportunity. These trainers can help employees understand in plain language the real issues and how to protect themselves.

OPAQ: You recently wrote about a solution to the skills gap, involving the creation of entry-level security roles at companies. Tell us how this can work.

EM: One of the arguments is that you are not a security person unless you are a generalist at the peak of your career. But someone familiar with Microsoft tools could become a security champion. Let’s create roles where someone could evaluate a new vulnerability because they know all of the company’s IT systems. There could be new types of intern programs where someone could be in charge of real projects like patch management allowing them to learn and grow and stay on with the company. Interns are often brought on with no real goal. They aren’t learning or doing much and you aren’t getting much value from them. That intern could have a senior engineer overseeing their work and then you can grow the security workforce. You’ll also learn a lot because the person from the outside will see things you won’t see.

OPAQ: What kind of culture and processes are needed to support the in-house training and development of entry-level roles?

EM: The security analyst doesn’t need to program in C++. You can get a great analyst who can see the alerts on a dashboard and address them. They can learn how to code later, if needed. It’s not necessary to create an HR firewall requiring all these certifications and degrees to get a job in security. Job rotations are another idea. Someone who’s been on the database team for a few years could get invited to work on the security team for a few hours a week. That builds relationships and allows people to move more easily into a security role when there’s a need. I would also encourage directors to worry less about having to replace that database person and consider how that person is bringing institutional knowledge to a security role and can still be a resource to answer questions for the database team. We need to focus more on these cross-departmental relationships.

Acohido: Cyber-insurance is still nascent, yet worth a look

Pulitzer-winning journalist Byron V. Acohido is the founder and executive editor of Last Watchdog, a pioneering security webzine. One of the nation’s most respected cybersecurity and privacy experts, Acohido conceived and delivered a nationally-recognized body of work for USA Today, chronicling the frenetic evolution of cybercrime in its formative stages.

OPAQ: Some 32 percent of U.S. businesses purchased some form of cyber liability and/or data breach coverage in the last six months, compared to 29 percent in October 2016, says a survey by the Council of Insurance Agents and Brokers (CIAB). Do you think this growth will continue—and why?

BA: Demand for cyber insurance absolutely will increase at a healthy clip for the foreseeable future. That’s because the value of business data and intellectual property today far outstrips the value of the physical plant. Think about it: we can do astounding things with cloud computing and mobile devices. And yet the business networks that support Internet-centric commerce remain chock full of security holes. Criminals get this, and will continue to take full advantage. Meanwhile, businesses are scrambling to figure out how to deal with data theft, network disruptions and cyber fraud. And we are in the very earliest stages of dialing in insurance to help them offset these emerging exposures.

OPAQ: There are a number of barriers for purchasers of cyber insurance, including: lack of standardization on policies and pricing, difficulties determining risk, difficulty showing attribution when a breach or incident occurs, and so on. What are your thoughts on these, and how should the insurance industry address them?

BA: There’s nothing, really, stopping the industry from taking the first step of standardizing the basic terminology to use in cyber policies. Right now there is none. Standardized language would pave the way for underwriters to begin more assertively partnering with cybersecurity vendors to come up with innovations to measure cyber risks. Insurers could become much more proactive about incentivizing companies to embrace more rigorous security policies and practices. As the pool of lower-risk policyholders grows, the industry could then begin to extend policies to cover specific cyber exposures that today are not routinely covered.

OPAQ: There is risk in buying cyber insurance in terms of mitigating losses. For instance, Target received an estimated $100 million in coverage, which didn’t even cover half of the $290 million it lost. How can companies avoid this sort of outcome?

BA: No company should be relying solely on insurance to eliminate all, or even most, cyber exposures. In the current environment, where hackers probe business networks 24 by 7 by 365, network security should be a top priority for all organizations. It’s a cliché, but true, that there is no silver bullet. The use of layered security technologies remains vital; no less so continually refining and enforcing policies and training employees. A cyber policy can then be thoughtfully purchased to offset the remaining risk.

OPAQ: Given these barriers, any tips for CSOs seeking carrier quotes?

BA: It’s an interesting time to go shopping for cyber coverage. Even though the insurance industry has left many things undone, there is wide recognition of the pent-up demand. The result is that there are many companies competing aggressively to sell policies. In a sense, it’s a buyers’ market. Numerous options are available to get some level of cyber coverage from somebody. The problem, of course, is that the devil is in the fine print. So it is important to find a knowledgeable, trustworthy agent to guide you through the due diligence process.

OPAQ: Finally, what could security vendors be doing to help their customers with cyber insurance – a.k.a. data collection, navigating insurance decisions, partnering, etc.?

BA: The path forward for security vendors, at this point, seems to be much the same as insurance buyers – become knowledgeable about this emerging market and align yourself with smart, trustworthy partners. A few pioneering partnerships between insurance companies and security vendors are out there, and I expect this trend to accelerate over the next few years.

Consistency and Cost Savings from Cloud-Based Security

Bob Brandt is an information security expert, most recently as the Global Security Architect at 3M. While at 3M, he focused on integration efforts for 3M application services across cloud and mobile platforms. Bob also devoted significant effort to improving 3M’s malware protection capabilities. He was on the governing body for several Twin Cities CISO Summits and co-chaired the Twin Cities chapter of the Identity Management Meetup for several years. Follow Bob on Twitter: @bobbrandt.

OPAQ: Which cyber security threats seem to be foiling enterprises today, and the vendors that serve them?

BB: The human factor is still a weak point. There are improvements that could be made to phishing defenses, as that is one of the main channels through which these attacks are successful. Phishers only need a low hit rate to be successful. However, a cloud service can deliver a consistent way of looking at data from all the various usage patterns. For example, every app has a Web version and an app for mobile, and those are distinctly different deployment patterns. All the traffic, whether it comes from a WiFi or wired or mobile network goes through the same cloud service on its way to the application, and this enables companies to provide consistent security. It’s also more cost-effective to secure your applications through a cloud service instead of using several different technologies.

Another key threat where companies are falling down is regarding the privacy, governance and risk around data. If you had controls on the data it wouldn’t matter if someone stole the whole database, because they couldn’t crack open the encrypted data.

OPAQ: If you could start a company in the security industry today, what would be the focus?

BB: I’d probably work on a service that applied and enforced controls on data, such as authorizing people to access data and tracking that. For instance, in a hospital environment, the software would track data on who looked at patient data and when, because there should be very few people doing that. Even those who are authorized should have a reason for accessing your personal data. If the fields are naturally encrypted at the data layer, it would be hard for hackers to use it. Axiomatics and BigID are two of the companies working on this today.

OPAQ: Are there big differences in how midsize to large enterprises should approach security compared with smaller companies? Especially since smaller companies can still have large databases of sensitive information of value to hackers?

BB: First off, I’ll say that the cloud is a great equalizer. I think everyone should use cloud services for security. Large enterprises might have a few experts on staff to keep vendors honest and to customize the solution if needed. Smaller companies might rely more on a managed service provider as they don’t want to pay for IT staff, but on their own, they can’t keep up with changing security needs and threats. The differences are mainly on how to staff for security. The functionality is about the same, regardless of company size, and most of it should run in the cloud. Another advantage of the cloud is if you are running applications in an outside service, your business benefits from the traffic data of thousands of companies. An event like a single packet doesn’t mean much, but across all those companies it does. The cloud providers can see patterns from the data which can result in early detection of the threat.

OPAQ: Security skills are at a premium. How do you think companies should best handle this challenge moving forward?

BB: People still tend to talk mainly about firewalls and hackers, but that problem will be solved. In the future the skills will be less about malware analysis and more related to application security and integration, digital signatures, and connecting clouds securely. If we just built security into transaction APIs, the noise of malware would go down substantially. Increasingly, security is becoming automated. You can get a firewall administrator from a vendor’s solution.

There are threat analytics services that are largely automated and look for patterns in big data sets. These services can tell a customer when an attack might be coming—the kind of analysis that a customer would never be able to see just by looking at its own data.