Threat Intelligence in Right ContextFireEye's Costanzo Calls for 'Re-Imagining' Security
With growing vulnerabilities and changing cyber threats, CISOs must leverage threat intelligence models to gauge attackers' motives, says FireEye's Rich Costanzo, who calls on CISOs to "re-imagine" security.
All Asian countries are affected by cyber-attacks, although they're rarely disclosed Costanzo notes. "Enterprises do experience data breaches, it's just that there's no regulation in these countries for mandatory disclosure," he says in an interview with Information Security Media Group (transcript below).
Too many organizations take a conventional approach to security that detects threats too late, if at all, and resolves them too slowly, he stresses.
"CISOs must re-imagine security and leverage threat intelligence in the right context to understand attackers' motives," he says. "So, employ a big-picture vigilance, take an active, 'lean-forward' posture that doesn't wait for attacks but anticipates them and even helps 'hunt' for well-hidden attacks without the usual tip-offs."
In this interview recently conducted in Bangalore, Costanzo recommends rethinking old assumptions, revamping tired orthodoxies and taking a new approach via threat intelligence.
He also provides insights on:
- How to leverage various forms of threat intelligence tools;
- An adaptive model to detecting and analyzing threats;
- How CISOs should set their priorities.
Costanzo, who is based in Sydney, is technical director for the FireEye technical and systems engineering team for Australia and New Zealand. He has spent 20 years educating IT professionals and driving thought leadership in security. Before FireEye, he managed the ANZ SE team at Websense.
Security Challenges and Threat Landscape
GEETHA NANDIKOTKUR: What are your thoughts about the evolution of the threat landscape in Asia and the challenges?
RICH COSTANZO: The threat landscape is similar across Asia, including India and Australia, with increasingly sophisticated attacks. Though breaches occur, they aren't reported - there's no regulation on mandatory disclosure. Security awareness is low. However, the Australian government has listed top 35 controls, making it mandatory to deploy them in government enterprises, and opened a cybersecurity cell a few months ago, involving industry experts.
CISOs are challenged by conventional security that detects threats too late (if at all), and resolves them too slowly. It gives a fragmented view, passive and blind to broader threat trends.
Organizations need a flexible, integrated framework offering a far-reaching view of threats, evolving as quickly as conditions do.
NANDIKOTKUR: How do CISOs know when organizations are under threat?
COSTANZO: It's time to re-imagine security. CISOs should understand they are the secondary victims of attacks, that attackers will always look at softer targets.
It demands a fundamentally new approach, rethinking old assumptions and revamping tired orthodoxies, reworking broken models or rebuilding them. The goal is reducing two key metrics: Time to detect and time to resolve.
CISOs must change their mindset, aim to quickly detect attacks and respond forcefully to prevent the worst results: stolen data, costly fixes, tarnished reputations.
Organizations must adapt as attackers change tactics. Their security architecture must be agile, integrated for an end-to-end view of attacks - a full picture of threats.
NANDIKOTKUR: You talk about the importance of threat intelligence to detect threats. How are CISOs leveraging this?
COSTANZO: CISOs must leverage an adaptive model. Security teams have the tools, intelligence and expertise to detect, prevent, analyze and resolve tactics of attackers, but have little knowledge of attackers, their motives, tools or techniques. They don't have a broader view of regional or industry trends and can't anticipate or hunt for threats. They must adopt a big-picture vigilance, with an active, "lean-forward" posture that doesn't wait for attacks but anticipates them -and even helps "hunt" for well-hidden attacks that don't produce the usual tip-offs.
There are three forms of threat intelligence: tactical, strategic and contextual. The best threat intelligence includes information on specific attackers, including their motives, aim, tools and how their attacks unfold. Security teams can then closely monitor specific threats, look for tell-tale markers and bolster defenses. In the adaptive model, intelligence comes from many sources, vetted and harmonized, providing a cohesive account of the most urgent threats.
While tactical intelligence enables them to restrict to malware attacks and not pre-empt larger threats, strategic intelligence helps scale to the next level of understanding and [helps them to] know who's performing the attacks and the motive.
NANDIKOTKUR: CISOs are focusing on developing a PDR (prevention, detection and response) model. What must their focus and priority be?
COSTANZO: About 80 percent of the energies and time are spent on preventing attacks and setting up firewalls or anti-virus. Security teams spend money on signature-based solutions like IDS and IPS, which are only 50 percent effective. CISOs must employ adaptive defense, outlining the capabilities to prevent, detect, analyze and resolve today's threats.
Under prevention, take cognizance of two things: preventing many attacks outright and preventing the worst outcomes of attacks that slip through. Tightly integrated defences block malicious call backs. Endpoint defences can locate compromised systems and quarantine them.
The detection method requires tools beyond signature-based technologies like anti-virus software and even next-generation firewalls. They must cover multiple threat vectors, like Web and email, and see the entire lifecycle of an attack.
For analysis, teams must provide a narrative of the attack, not reams of data. To fill the gaps of security information and event management (SIEM) products, adaptive architectures incorporate enterprise forensics systems and endpoint tools.
Resolving threats requires human insight and action. Adapting speeds it up with tools that collect, curate and correlate data.
Security teams must have a balanced approach and free up funds for new investments. The shortage of cyberskills is a challenge. Sometimes, it [requires gaining buy-in] in the board room regarding new investments. So, [CISOs] must speak the business language, articulating the business value in securing the environment.