OpenGov speaks to David Barton, former Chief Information Security Officer at Forcepoint LLC (Mr. Barton is a former CISO of Forcepoint, as of re-publication date of 27 October 2017; the interview was originally published on 21 November, 2016). Mr. Barton has over 20 years of experience in security leadership roles across a variety of industries including telecommunications, healthcare, software development, finance, and government.
Mr. Barton presents the lay of the land for cybersecurity in a wide-ranging discussion. He talks about the risks from IoT, insider threats, ransomware and three different types of external threats. He also explains User Behaviour Analytics and Defense in depth approach as measures for building a comprehensive and robust security system.
Can we start by talking about the cybersecurity landscape in the public sector in the US?
In the US the threats are consistent with the rest of the world. And it is not just the public sector, it is all sectors. We are seeing upticks in malware, ransomware, insider threats. When I talk to my colleagues around the world, we see the same threats. We are facing the same issues.
In the public sector, you might have some data that is more attractive to the adversary than in the private sector. Public sector probably has more people-oriented data in areas such as healthcare and national identifiers versus the private sector, where you are dealing more with intellectual property. But both are facing the same threats.
The difference that I see is in the level of maturity of organisations in different parts of the world. It’s not the threats that are different. It is the maturity of the security organisations in responding to those threats.
The organisations in the US or Europe might be more mature, compared to firms or agencies in South America or Asia. But I see increased investment in security, which means the maturity of those organisations is improving.
What are the factors which determine the maturity of an organisation with regards to security?
Maturity boils down to a heightened sense of awareness.
During the last 5 years, the number of giant attacks or breaches we have experienced in the US has driven probably more investment per capita than you see in South America or Asia. Incidents like the leakage of the nuclear submarine in India recently, 22,000 pages of technical documents, would increase investment over time.
What are the cybersecurity concerns when it comes to Internet-of-Things (IoT) and Smart Cities?
Probably the best way to describe it is imagine you are on a two-lane highway and there’s one car every minute. Now on that you have gone from two lanes to eight lanes and on every lane you have cars bumper-to-bumper, rush-hour traffic. The cops will have a difficult time finding the drugs in the one car because of all the other cars around.
IoT is adding so many cars to the network that it is going to be more difficult to find the bad guys in all the noise. The second thing is that most IoT companies aren’t focused on security.
There have been instances of video baby monitors in the US being hacked. Now the bad guys are watching you walk around your house. Privacy concerns get trampled into the dust, when bad guys go and steal video from your nanny cam.
Smart Cities need to do due diligence upfront to make sure they are deploying IoT devices that have security baked into them. They have to avoid buying the cheapest traffic camera.
It makes the lives of our citizens easier but on the flip side if you don’t think about it and do it right upfront, you are introducing risks.
Insider threats seem to be huge concern at the moment. Can you tell us about them?
Two years ago, insider threats were not talked about anywhere. This year, everyone is talking about it. The challenge you face as a practitioner is trying to decide who’s an insider. Is it someone that works for you? Is it someone who has access to your network?
You have multiple categories of insiders. You have people who unintentionally do bad things. They make mistakes. That might be preferable to the malicious insider, who is trying to take your data.
In our conversations with colleagues around the world, we have encountered people getting jobs in companies for the sole purpose of stealing data.
Once a bad guy gets into your network, he or she appears to be an insider. So, I don’t always differentiate between someone outside your network or inside because they both look the same. The challenge that we have is understanding the behaviour are they exhibiting. Is that behaviour normal and reasonable for their job?
When I think about ransomware or Advanced Persistent Threats (APTs), I think the only way to stop those in the future in understanding behaviour. Because they all exhibit some form of behaviour and when it is outside of the norm, then we can take action.
How is user behaviour tracked and analysed?
It is all about User Behaviour Analytics or UBA. It is one of the buzzwords we are going to hear a lot in the coming days. That’s a function of understanding the behaviour of the user and when the behaviour changes to outside of the norm, then taking action.
For true UBA, you need to build a baseline, what does your normal day look like. If you build that over a period of 15-30 days, you figure out what the normal is and when the behaviour changes, you can generate alerts or take appropriate action.
Does Remote Access have a role to play in insider threats?
Remote Access takes you from your home network or your hotel network to being an insider to your work network. The bad guys are doing the same thing. They may or may not be using your VPN, depending on how good they are. Ultimately when they connect to your network, they are looking like they are local. They look like they are down the hall. With remote access, you need to make sure that you have got tools monitoring the behaviour of remote employees, just so you can tell the difference between what normal looks like and and what abnormal looks like.
Ransomware has emerged as a major threat. Can you tell us about it?
I have seen statistics which say that by the end of 2017, ransomware would generate close to a billion dollars in revenue. That’s a huge incentive for bad guys to continue to do it.
A hospital in the US got hit by ransomware and all their patient record systems were encrypted. They had to turn away patients and ambulances on the way to the hospital.
It’s difficult because there is always a human element. Even if we do all the training, they can still click on links or respond to emails.
There are 200 million emails in a minute on the internet. Around 98% is spam, with malicious links and attachments. Your hope for APTs and ransomware is that you have tools in place to detect the behaviour changes and take required action, such as stopping the machine, disconnecting it or anything else, in time to keep that ransomware from going any further.
Tools like privileged account management might also help. If none of your people have admin rights, then ransomware is hard to execute. But without UBA it will be difficult to stop ransomware.
The other challenge is patching. If we are not patching, we will get ransomware. It has to be controlled and delivered by IT admin because users will not do it. Fifteen years ago, there were two worms, Code Red and Nimda. Those are still out there. People at home who own those machines don’t know it and don’t know they have to clean it up.
How do you think security policies can be enforced better and employee compliance improved?
Enforcing policy without technological controls is tough. Every good security program has a component that says we are going to teach our employees, on a periodic basis. We call it security awareness.
Every good program puts out messages on a periodic basis in front of your employees saying don’t click on links, don’t share your passwords, make sure you pull the door shut. You want to get all of these security awareness topics in front of your people every month and you want to hold them accountable on an annual basis to take a computer based training focused on information security.
If you do those things and follow up with controls that monitor behaviour, that block access, that prohibit data from leaving your organisation that you don’t want to leave, I think while you cannot solve everything, you can get close.
What’s your take on data classification and challenges with it?
Data classification is a tough conversation for most companies. First of all, they don’t know where all their data sits. Then they don’t know what’s in that data in most cases. Without a data classification program, you can’t enforce policy. The challenge for every practitioner I know is, where’s the data at and then once I find it, how important is the data.
Once you have a program and you have figured out a classification scheme, how do you then go and programmatically find the data and associate a level with that data.
At Forcepoint, we do some of that work. We have security partners in Asia that help us do that. We run a discovery tool that goes and finds the data. Then with a classification scheme, we tag that data. Once you are able to tag it, then you are able to put controls around it. For example, if this file has credit card data and is considered sensitive, then your security controls can block it.
Companies worldwide struggle with this, even in countries with higher security maturity levels. It is not geography-specific. It’s just difficult to do. But if you become good at it and it becomes part of your everyday process, then the risk profile for your company goes down drastically.
What are the major motivations you see for external cyber hacks and where do they originate from?
For the last 5-10 years, there have been three groups of external threats. The two that we are most concerned about are organised crime and state-sponsored hacking. The third is the hacktivists, the hackers who are trying to change social policy. At the end of the day, organised crime is after your data to make money. State-sponsored hacking is mostly to steal data, to steal intellectual property.
What should governments be focusing on in terms of cybersecurity?
There’s a philosophy in security called ‘Defense-in-depth’. It means that we focus on many different areas to hopefully catch and prevent the bad guy from getting to our data. If all I focus on is the organised crime angle, I am going to miss something. If government only focuses on hacktivists, they might miss organised crime stealing citizens’ private data. If they look at only next generation firewalls and APTs, they could miss something by not looking at log data.
What we should focus on around the world, is getting the security teams, their policies and programs to a higher maturity level. We still may not block everything, because the adversaries are funded, organised and incentivised. But that’s our challenge.