Inside Track - getting to know the vendors

Editorial Type: Interview Date: 2016-03-01 Tags: Networking
Ray Smyth reflects on a recent discussion with Leo Tadeo, Chief Security Officer at Cryptzone and ex-FBI Special Agent, Cyber Division

Every time an attacker exercises their craft, they gain more experience. The cyber security industry has responded to this and has evolved over time, but often it seems that we are playing catch-up with the cybercriminals. This is particularly so now that perimeter defences have become outmoded and are no longer adequate on their own.

I asked Leo about prevention versus detection. He referenced the insider threat, saying that "proper logging and forensic capability to establish a clear deterrent was critical." He explained that insiders know the network and need to understand the risk of transgression. I suggested that sophisticated insiders should know they were being tracked. Leo agreed, adding that it was "awareness of a robust and persistent capability to determine, without doubt, the detail of all user access that was needed."

Having reviewed AppGate XDP in the last edition I understood how this security vendor acts outside of the box, so I asked Leo about what I call the security triad of knowledge, expertise and technology. Leo explained, "Knowledge is essential to understand the network configuration, its ability and its limitations; expertise is needed to deploy the correct tools and create the processes to deliver the desired protection and the technology is needed to deliver all this."

Aware of how large organisations defend themselves, I asked how much smaller organisations could respond to secure their data and networks with limited budgets, shared non-specialised resources and the same threat vectors. Leo agreed, saying "They struggle to develop the expertise to deal with the technical, security and regulatory challenge." But he explained that, while smaller organisations benefited from a smaller attack surface, the promise of greater bounty from larger organisations also helped, concluding that "Smaller organisations aren't more vulnerable than large ones because everyone's emphasis must be placed on security and compliance. This is the main determinant of a successful defence posture."

It is generally agreed that the network boundary, although no longer sufficient on its own, should be augmented rather than replaced. Leo explained that whether it's "data leakage, exfiltration, or inadvertent disclosure, the fundamental challenge is to ensure that the right person is accessing valuable data and that it is properly logged and analysed."

Broad-brush data collection, as in a SIEM, can result in data overload. The Cryptzone approach is more granular: it logs the specific user activity that is considered important, attributed to the user who performed it. This makes it much quicker and easier to identify anomalous behaviour.
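To make the "granular, user-attributed logging" idea concrete, and to show how it connects to the point Leo makes at the end of the interview about intrusions that run on valid credentials and lateral movement, here is an added example. It is not Cryptzone or AppGate code and the log format, field names, learning window and thresholds are all assumptions chosen for illustration. The sample log lines are constructed. The detector builds a per-user profile of the source hosts and destination hosts each user normally touches, then flags two things in a later window: a valid account used from an unfamiliar source host, and the same account reaching several unfamiliar destination hosts in quick succession, which is what lateral movement on stolen-but-valid credentials looks like in an access log. Every finding carries the raw events behind it, so the record Leo calls for ("without doubt, the detail of all user access") is part of the output rather than something to reconstruct later.

```python
"""Per-user access logging with baseline-based anomaly detection.

Added example, not Cryptzone/AppGate code. Log format, field names,
window length and threshold are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one line per authenticated access attempt.
# Fields: timestamp user src_host dst_host resource outcome
BASELINE_LOG = """\
2016-02-01T09:02:11 alice ws-alice fileserver-1 /finance/q4.xlsx ALLOW
2016-02-01T09:10:45 alice ws-alice fileserver-1 /finance/budget.xlsx ALLOW
2016-02-02T10:15:03 alice ws-alice crm-app /accounts ALLOW
2016-02-01T08:55:20 bob ws-bob build-1 /repo/main ALLOW
2016-02-02T14:20:31 bob ws-bob build-1 /repo/main ALLOW
2016-02-02T14:25:00 bob ws-bob jenkins /jobs ALLOW
"""

# Constructed detection window: bob's valid credentials are used from a
# host he has never used, and then walked across hosts he never touches.
DETECT_LOG = """\
2016-02-10T09:05:00 alice ws-alice fileserver-1 /finance/q4.xlsx ALLOW
2016-02-10T22:41:12 bob ws-contractor-7 build-1 /repo/main ALLOW
2016-02-10T22:43:30 bob ws-contractor-7 fileserver-1 /finance/q4.xlsx ALLOW
2016-02-10T22:44:05 bob ws-contractor-7 hr-db /payroll ALLOW
2016-02-10T22:45:50 bob ws-contractor-7 dc-1 /ntds.dit DENY
2016-02-10T22:46:10 bob ws-contractor-7 fileserver-2 /legal ALLOW
"""


def parse(log):
    """Parse the assumed space-separated format into a list of dicts."""
    events = []
    for line in log.splitlines():
        ts, user, src, dst, resource, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "resource": resource,
                       "outcome": outcome})
    return events


def build_baseline(events):
    """Per-user sets of source and destination hosts seen in successful access."""
    baseline = defaultdict(lambda: {"src": set(), "dst": set()})
    for e in events:
        if e["outcome"] == "ALLOW":
            baseline[e["user"]]["src"].add(e["src"])
            baseline[e["user"]]["dst"].add(e["dst"])
    return baseline


def detect(events, baseline, window=timedelta(minutes=10), threshold=3):
    """Return findings in time order, each with the raw evidence events.

    new_source_host: a known account used from a host not in its baseline
                     (reported once per user/host pair).
    lateral_movement: the account reaches >= `threshold` distinct unfamiliar
                      destination hosts within `window` (reported once per user).
    Denied attempts count towards lateral movement: probing shows up as DENY.
    """
    findings = []
    reported_src = set()
    unfamiliar_hits = defaultdict(list)  # user -> events touching new dst hosts
    alerted_users = set()
    empty = {"src": set(), "dst": set()}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        prof = baseline.get(e["user"], empty)
        key = (e["user"], e["src"])
        if e["src"] not in prof["src"] and key not in reported_src:
            reported_src.add(key)
            findings.append({"type": "new_source_host", "user": e["user"],
                             "ts": e["ts"], "src": e["src"], "evidence": [e]})
        if e["dst"] not in prof["dst"]:
            hits = unfamiliar_hits[e["user"]]
            hits.append(e)
            recent = [h for h in hits if e["ts"] - h["ts"] <= window]
            hosts = []
            for h in recent:  # distinct hosts, first-seen order
                if h["dst"] not in hosts:
                    hosts.append(h["dst"])
            if len(hosts) >= threshold and e["user"] not in alerted_users:
                alerted_users.add(e["user"])
                findings.append({"type": "lateral_movement", "user": e["user"],
                                 "ts": e["ts"], "hosts": hosts, "evidence": recent})
    return findings


def run_example():
    """Learn from BASELINE_LOG, then evaluate DETECT_LOG."""
    return detect(parse(DETECT_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for f in run_example():
        print(f["ts"], f["type"], f["user"], f.get("src") or f.get("hosts"))
```

The profile is deliberately small (who connects from where, to where); that is the point of the granular approach described above, since a handful of user-attributed fields is enough to surface the contractor-host logon and the host-walk while a raw SIEM feed of the same period would bury both. In practice the baseline window needs to be long enough to cover legitimate variation, and the threshold should be tuned per role, otherwise administrators who legitimately touch many hosts generate noise.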

I was also interested in Leo's thoughts on the government's role in keeping data safe. He explained that "Government has a number of roles: to affect the behaviour of adversaries by creating a deterrent and disincentive using law enforcement, diplomatic and economic tools." He felt that this has not been that successful, saying "We haven't changed the behaviour of adversaries like Russia, China, Iran or North Korea… there is work to be done."

Continuing, Leo explained that government should establish standards for infrastructure protection, such as regulating cyber security standards and establishing baselines for critical infrastructure. There has been progress here: "Financial services have been especially successful. It has placed an enormous burden on companies, but resulted in a level of security that we would not otherwise have had."

To end, I asked Leo what he thought was on the horizon. He thinks that "We will see smaller nation states enter the cyber domain as an accepted part of their military and diplomatic tool set and that this will bleed into regional conflicts". During his time investigating cybercrime with the FBI, he says that nearly all network intrusions took place using valid credentials. "I am convinced that a more robust regime focused around the user would have prevented this, especially when combined with the forensics of lateral movement." NC