[An interview with Noord InfoSec Dialogue upon my return from Black Hat 2017]
Despite the meteoric rise of cloud-based applications and services, and their subsequent adoption by a significant number of enterprises, security remains a major concern for many organisations. The biggest misconception about cloud is that it is less secure than on-premises capabilities. A recent global study by BT revealed that 76% of large organisations cited security as their main concern about using cloud-based services, and 49% admitted to being “very” or “extremely anxious” about the security complications of these services. However, according to Gartner, the reality is that “most breaches continue to involve on-premises data centre environments”.
Understandably, cloud has consistently been a major topic at Noord InfoSec Dialogue, and there will be no shortage of experts addressing the most pertinent issues when we meet this coming October.
We spoke with Zscaler’s CISO for EMEA, Chris Hodson, following his return from Black Hat’s Las Vegas convention.
NJ: Chris, you’ve just returned from Vegas where, in theory, the objective of attending is to learn to get better at stopping the bad guys. In terms of trending consensus at the event, who are the bad guys in 2016 and how are they attacking?
CH: Well, broadly speaking, I got perspective on three areas. The area I think is most pervasive across industries is what we call cyber-crime-as-a-service. By that I mean you would have a top tier of cyber equipment, or if you were to create, let’s say, the latest and most wonderful or weird strain of ransomware, we are actually seeing those bad guys operating in a very service-orientated model where they offer that on the dark web to other criminals to use and consume, in the same way we consume services.
So in the same way we would use Netflix or Spotify, we are seeing that same service-based model for cyber-crime. So these guys are actually leasing, let’s say, denial-of-service infrastructure or ransomware infrastructure, and either agreeing a percentage of profit with another cyber-criminal or just leasing the service for a short period of time.
I think another area, and probably for me a more interesting and novel area, is “the weird and wonderful ways we are exploiting the internet of things”. We have a lot of conversations in our industries about how IoT devices are not being built with security as a core functional requirement. We’re seeing security as an afterthought in a lot of these systems.
The third kind of area is called exploitation of trusted security mechanisms, and generally I am talking about mobile here: things like evasion of or escaping from sandboxes or trusted process isolation systems, and how in security we have this assumption that a technology such as sandboxing is infallible. On this subject, there was a really interesting talk on ‘Demystifying the Secure Enclave Processor’ which walked through the architecture of the Apple iOS trusted partition.
I think there’s a message to take away: there’s no such thing as 100 percent security, and we have to bear in mind that it’s always going to be this game of cat and mouse. I appreciate this sounds rather contrived and almost rhetorical, but it’s true for every mechanism that we implement. We’re seeing the bad guys out there looking for ways to escape that particular control.
NJ: What do you see as the key challenges for CISOs at the moment and going forward?
CH: They’re kind of similar. There are two areas and they tie into each other: visibility and regulation. So on the visibility side of it, five or ten years ago we as CISOs or security leaders kind of controlled the ‘how’, the ‘where’ and the ‘what’ of our environment.
So ‘how’ being the devices that we used, like the corporate laptops we issued, BlackBerrys, etc. We knew where they were connecting, typically a corporate network, and what we were using: off-the-shelf applications or ones developed in-house.
The challenge we have now is visibility, because all of those tenets have changed. Now we have to make provisions for IoT. We have users connecting to servers for cloud services. The CISO can only protect what can be seen.
If you don’t have visibility of your data assets and your intellectual property, as a CISO you have a very hard time having any form of assurance that you know where your data and your corporate assets are.
The other point on visibility is encryption. Encryption provides a fantastic benefit for organisations and for end users from a confidentiality and integrity perspective, but we’re seeing advanced threats now. The majority of advanced threats are coming in via encrypted means, and those encrypted means are presenting visibility challenges for CISOs.
The other side of it is the fast pace of regulation. As a CISO we have a number of requirements in different industry verticals in the way of regulation. We now have things to consider like the General Data Protection Regulation. The goalposts are moving at such a rapid pace.
NJ: Coming back to you now Chris, you’re passionate about technology, and you’ve had senior security roles across retail (Tesco and Waitrose) and financial services (Lloyds and Visa). Now with Zscaler, what keeps you up at night and what is top of your information security agenda?
CH: We’re seeing the crime, or cyber-crime, as a service culture growing, and it’s a lucrative industry. Because of that, the incentives for the bad guys to keep ahead of the good guys have never been more important. I think the thing that hits home is the speed at which the bad guys are moving.
It requires us to think about security in a new way, and about the whole concept of having signatures. I am not one of those security guys who says ‘the concept is legacy and we shouldn’t be doing it’. I disagree. I think signatures are very good for known malware and blacklist types of things, and we have a requirement now to commit to some of the more behaviour-analysis capability that we are seeing out there. Performance-wise, signatures are the least expensive protection mechanism and are always prudent against known-bad. The issue we have in 2016 is that the bad guys are morphing malware at such a pace that signatures in isolation cannot protect against a persistent adversary. We need a layered defence. When we see something we’ve not seen before, let’s not assume it’s OK because it comes from a reputable location; let’s look at the behaviour of the binary, run it in a sandboxed environment and only then make a call on whether it’s good or bad.
But the bad guys are working so quickly and they have the same tools that we have. They’re testing all of their systems, all of their malware.
The thing that keeps me up at night is the speed at which the bad guys are looking at exploiting technology and things like IoT. Another piece is how security is not being built into these technologies.
NJ: Zscaler has proven its mettle, having won awards and featured consistently in Gartner’s quadrants. For those unaware, tell us what Zscaler can do for an enterprise client?
CH: Our CEO Jay Chaudhry sums it up very well: he says Zscaler is there to put a perimeter around the internet, because the internet is largely where organisations are doing business these days. Data centre architecture is not providing the appropriate protection. We make sure that your good stuff doesn’t go out, fundamentally by DLP controls, etc. Or, we make sure that the bad stuff doesn’t come in. I’m also really excited today to talk to you about Zscaler Private Access. We’re changing the way the world thinks about secure access to business applications. I call this a ‘VPN gamechanger’. No more concentrators; gone are the requirements for provisioning network-level access to your internal environment. VPNs were historically complicated to set up, costly and difficult to change. No more! With ZPA, we are allowing application-level access to your applications, on-prem or in the cloud. By leveraging our Zscaler cloud, at no point does the user require inbound network access to the application. ZPA is more secure, faster to provision, effortless to deploy and all with a lower TCO!
Because we’re native-cloud, we don’t have to worry about backhauling of traffic to the data centre; we are protecting all your users anywhere on any device, and, speaking entirely openly, that’s the primary reason I think I came across to Zscaler.
You are just seeing this growth of cloud. Cloud is absolutely everywhere, and I think something I used to talk about in my previous role, and it doesn’t just apply to a retail organisation, it applies to any organisation: the CISOs I talk to, the progressive CISOs, are agreeing that if you’re an organisation that sells tins of beans, or a law firm that deals with litigation or legislation, why aren’t you leaving security to the professionals in the security space? It’s becoming a commoditised world where you buy these services rather than trying to support and maintain them in house at high cost.
NJ: As a CISO, what would you describe as the ultimate measure of success?
CH: As the modern CISO, we’re expected to have a number of different tools within the toolkit. Not just to be a technologist, but also to have the political savvy to go into a boardroom and be able to articulate what are fundamentally very esoteric concerns to people who aren’t technologists, who are largely concerned about profit as their bottom line and about brand reputation.
We sort of see two CISOs, or two parts to being a CISO. We have the very technical track, then you have the guys in the business who’ve come through the project management routes. There are pros and cons to both. It’s the characteristics more than where they’ve come up from, in my opinion. There has to be an understanding of technology; there has to be a passion for security. When you’re looking at what’s appropriate, or what your view of a comprehensive cyber security framework is, you have to have the ability to think like the bad guy, in my opinion. You should have an enthusiasm and a passion for the industry you’re working in. I think when I consider an ultimate measure of success, this is another example of where I think you need that passion. And it’s a confidence, an assurance that you have a layered set of controls, that you have a defence-in-depth architecture. The reason I say that is, as we churn out all the time, that you will be breached; it’s now about ‘when’ and not ‘if’. I think we all agree with that; it’s about minimising the impact and time to recovery.
So the ultimate measure of success is for you to be able to go into the boardroom and give the assurance that you’re as prepared as you can be for any eventuality, but also feel confident that you’ve explained to your executive board that no security platform or framework is infallible. And if we are going to lose data or have an attack, we can be as prepared as possible for that attack. We have to let them know that we’ve done what we can and we will recover in as professional and expedient a manner as possible. The ultimate measure of success is being prepared.
NJ: We’re seeing, at Noord InfoSec and across the information security space really, how much more open CISOs and leaders are being. Do you think this change in attitude is reflective of an advancing threat landscape?
CH: We are seeing a consensus that security should be non-competitive. I think if we keep working on this view that we can’t be 100% protected, let’s work on the view that you will be compromised at some point in time. It’s imperative that we have threat intelligence, and the way that we get this is by seeing security as a non-competitive attribute of an organisation. There will be times when we have commercially sensitive information that you don’t want to share. It makes sense to collaborate instead of being the next big name on the hit list. So I agree with you, there is an increasing openness, and I wholeheartedly welcome that.