Cyber-security needs a new paradigm: Expert

• Cyber-threats grow so quickly, professionals can’t keep up; new ways to address needed
• Machine learning, rethinking architecture, CISO reporting directly to board to be considered

THE pace and sophistication with which cyber-security is advancing in today’s modern world shows no sign of abating, and enterprises and governments will not be able to mitigate against such threats if they do not rethink how they implement cyber-security now, according to a leading security researcher.

Speaking at the Cyber Security Nordic recently, Rik Ferguson (pic), vice president of security research for Trend Micro, argued that current security practitioners like to believe that they’ve invested in the right technology, built the right processes and are managing their information properly.

“Unfortunately the current reality is like this: we don’t like to admit it and want to pretend we’re better than this… but unless we shift the way we do things as a security industry and as security practitioners, and unless we start planning for the future, it [cyber-security] does become an unmanageable ask [of us].”

Held annually in Helsinki, Finland, Cyber Security Nordic is northern Europe’s cyber-security event attracting executives, leading decision-makers and government officials. The conference presents keynotes and panels by international and Finnish experts aimed at discussing problem solving strategies and solutions for cyber-security professionals.

A renowned cyber-security professional who also consults with Europol EC3, Ferguson, who was delivering his keynote on “The future of cyber-security and predictions for 2020,” noted that today’s typical security operation centres (SOCs) are swamped with threat attacks that are almost impossible to sort through and capture all significant threats to an organisation.

Citing an Ovum financial sector survey, Ferguson noted that 60% of respondents say they experience 100,000 or more threat alerts, while a further 27% dealt with 200,000 alerts every day.

“If you had 100,000 alerts, and each alert takes 25 minutes to find out if it’s a false positive or if it’s a duplicate, you’ll have 2.5 million minutes of work to do,” Ferguson pointed out

“Assuming they don’t miss anything, you’ll need a team of 217 SOC professionals working in three eight-hour shifts just to do the [cyber-security] triage.

“That’s why I say you’re [bound to be] missing stuff.”

Ferguson argued that unless enterprises and governments think about what their two-, five- or 10-year plans are, taking into account potential development, stop fighting fires of today, and focus on what’s coming down the line, they’ll never be prepared.

What can be done

Ferguson pointed out that enterprises and governments would need to focus on and invest in three areas of importance for 2020 and beyond.

The first is business oriented machine learning. Ferguson said by and large, companies approach machine learning by asking what vendors can do with the technology and how these vendors can help them.

“It’s a valid question, and you should keep asking it,” he pointed out. “But you’ll also have to ask yourself how you can leverage on machine learning as a technology within your business to make cyber-security more manageable.”

Ferguson added that this is only the first step as enterprises would need to learn that skill for themselves, ideally, to skill up the people they have or invest in those who have the skills.

The second step is to look at how a company can orchestrate its security architecture. One of the major problems facing SOCs today is that they have too many products that don’t interact or inter operate with each other, he argued.

“I think there are an average of 52 different products and interfaces in use in a SOC environment, which is unmanageable.

"Companies would need to either look for a technology or a suite of products that are designed to work with each other or look at a layer which you can build over the technologies and which allows you to orchestrate those tools as one."

Finally, enterprises must invest in autonomous response and machine learning to mitigate against those massively large threats.

“If you don’t allow your machine learning to do that triage for you, to respond autonomously to those events that need to be looked into, and then only surface the rest to your human operators for root cause analysis, you’re never going to get ahead of the mountain of data.”

Conflict of interests?

In an exclusive interview before his keynote, Digital News Asia asked Ferguson who should be the primary person in charge of cyber-security as a whole within an enterprise.

Ferguson said someone such as a chief information security officer (CISO) should normally be the one. But he pointed out that there is often a conflict of interest between a chief information officer (CIO) and a CISO that makes it difficult for the CISO to do his or her job in many enterprises today.

"In many cases, the CISO reports to the CIO, and that's a clear conflict of interest as the CIO has more responsibilities outside of cyber-security," he argued. "Effectively, CIOs decide which technology they are going to use to process information within the organisations including cyber-security.

"[The conflict appears when] you have a person – the CISO – who's effectively responsible for checking if whatever technologies the CIO puts in place are working properly. But at the same time, the CISO is reporting to the CIO. This puts the CISO in an uncomfortable position."

"My view is that a CISO should have the overall responsibility for cyber-security but shouldn't report to the CIO but instead reports to the board of directors."

Ferguson said many CISOs with "Cs" in their name don't seem to have board visibility, and pointed out that many CISOs seem to have a "fake" role at the moment.

"We've reached the stage now where somebody in charge of cyber-security should be reporting directly to the board just like every other ‘C’ position," he argued. "And when you think of the impact on the board when there is a security incident, it's clear they should."

That said, Ferguson warned that CISOs have to learn how to speak the language that the business needs, and cannot be too technical.

"They need to articulate why security needs are important, what the risk impacts are to the business and how to mitigate these risks within their organisations."

Edwin Yapp reports from Cyber Security Nordic, Helsinki, at the invitation of Business Finland, Messukeskus Events & Expo, Finnfacts and F-Secure. All editorials are independent.