CIO

The future of cybersecurity

John-Paul Sikking, head of security at Cisco, says the GDP of some nations, including New Zealand, seems paltry compared to the cost of cybercrime. Enterprises – and their leaders all the way to the boardroom – need to ask tough questions and make everyone accountable for cybersecurity.

John-Paul Sikking, head of security at Cisco, talks about the top trend this year – how organisations are confronting the escalating security threat.
Cybercrime is estimated to have cost US$445 billion last year, says John-Paul Sikking, head of security at Cisco New Zealand.

He says this is a conservative figure, as he has seen reports estimating its cost to be as high as US$575 billion.

The only numbers he can compare these figures to are the GDPs of whole countries, he states. By that measure, cyber criminals stole more than the GDP of Austria, Thailand, Denmark, South Africa or New Zealand, whose GDP is $201 billion.


“That is more than twice New Zealand’s GDP that is lost to cybercrime,” says Sikking, who spoke at the recent CIO100 event in Auckland and Wellington.

His presentation focused on the number one business technology trend discerned from this year’s CIO100 report – confronting the escalating security threat.

He points out that security has been a top five CEO concern for the past few years, and is now trending at number one.

“Security impacts everything we do, from driving here in your car today, choosing an airline or even deciding who is going to make your coffee, let alone the decisions about sharing your personal information online,” he states.

“Security underpins the future views we have of our organisations, our country and even globally; from supporting agile economies, fast IT and the Internet of Everything… we have to get security right for these visions to come to fruition.”

He says how organisations leverage security across trends like cloud and mobility, will define how they will benefit from changes in the business technology environment, and differentiate themselves from the competition.


The key issue is that security is still seen as a roadblock rather than an enabler, he states. “CIOs still struggle to get the money and resource commitment to deliver against the needs of the organisation.”


He underscores the need to change how organisations view cybersecurity.

“We have to now assume there is a level of compromise in our organisation.”


Figures from the annual report bear this out. Every year, Cisco asks a selection of global organisations from the Fortune 500 to monitor their internet traffic for known malware.

He says 100 per cent of the organisations that were monitored reported having some level of compromise already: they were testing positive for malware.

“Every one of those large Fortune 500 companies have traffic going to known malware or command and control sites, which is scary.”

Moreover, the report finds the gap is widening from when an attack occurs and when the organisation actually detects the compromise.

It has always been days to weeks to detect a compromise, but this continues to trend from weeks to months, he states. This is in line with current software patching data, where many applications remain unpatched for months and years. The average patch cycle for organisations is around 55 days, whereas the attackers take an average of six days to release exploit code for a new vulnerability.

He says Cisco sees around 1.5 million intrusions – every single day – into its network and systems.

To combat these attacks, he says the internal security team assigns 50 per cent of its members to focus on the top 5 per cent of threats, the “nasty stuff, advanced malware and persistent threats”.

He says the rest go after the day-to-day activities like antivirus and patching, and simply “keeping the lights on”.

Sikking underscores the need to engage security early on in any project.

“Security is a people, people, people; process and technology issue,” he states.

It is important to add context to your security decisions, he states. “Who and what is on your network? Who is talking to whom? What time of day? What network are they on? What are they talking about? Is it a valid business application?”


“Organisations need to understand how communication flows across their networks, how files are propagated across the network and if they happen to be malicious, who has the potential to be infected.”

Sikking calls this “understanding the trajectory of data through the network”.

“By combining all the contextual information as well as event based data, we can see how an infection has entered the network, basically who was ‘patient zero’ and then pivot on that information to understand who could be infected next,” he states.
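The context questions above (who talks to whom, and when) and the “trajectory of data” idea can be made concrete with a small script. This is an added example, not code from the article or from Cisco: it reconstructs the path of a malicious file from constructed transfer and connection logs, names the “patient zero” host, and pivots to the hosts that could be infected next. Host names, the hash, and the perimeter-device list are all assumptions.

```python
"""Added example (not from the article): time-respecting trajectory of a malicious
file through a network, from constructed file-transfer and connection logs."""
from collections import namedtuple

Transfer = namedtuple("Transfer", "ts src dst sha256")   # file copied src -> dst at ts
Flow = namedtuple("Flow", "ts src dst")                   # any connection src -> dst at ts

# Constructed placeholder for the hash later judged malicious; not a real indicator.
BAD_HASH = "sha256:CONSTRUCTED-MALICIOUS-SAMPLE"
# Perimeter devices (assumed names): the file enters through them, but they are not
# endpoints that need cleaning, so they are never reported as patient zero.
PERIMETER = {"mail-gw", "web-proxy"}

TRANSFERS = [  # constructed sample telemetry
    Transfer(100, "mail-gw",   "ws-alice",  BAD_HASH),
    Transfer(105, "ws-alice",  "fileshare", "sha256:benign-report"),
    Transfer(110, "ws-alice",  "fileshare", BAD_HASH),
    Transfer(120, "fileshare", "ws-bob",    BAD_HASH),
    Transfer(130, "ws-carol",  "ws-dave",   "sha256:benign-notes"),
]
FLOWS = [  # constructed sample connections
    Flow(95,  "ws-bob",   "ws-erin"),    # before ws-bob held the file: no exposure
    Flow(125, "ws-bob",   "ws-erin"),    # after it held the file: ws-erin could be next
    Flow(140, "ws-alice", "ws-frank"),
    Flow(150, "ws-carol", "ws-dave"),    # ws-carol never held the file
]

def trajectory(transfers, bad_hash):
    """Return (patient_zero, {host: time it first held the file}).

    Transfers are walked in time order; the sender of a transfer held the file no
    later than the transfer itself, so both ends are recorded at that timestamp.
    """
    holds = {}
    for t in sorted(transfers, key=lambda t: t.ts):
        if t.sha256 != bad_hash:
            continue
        if t.src not in PERIMETER:
            holds.setdefault(t.src, t.ts)
        holds.setdefault(t.dst, t.ts)
    if not holds:
        return None, {}
    return min(holds, key=lambda h: holds[h]), holds

def could_be_next(holds, flows):
    """Hosts an infected host talked to after obtaining the file, not yet seen holding it."""
    return {f.dst for f in flows
            if f.src in holds and f.ts >= holds[f.src] and f.dst not in holds}
```

Running `trajectory(TRANSFERS, BAD_HASH)` on the sample data names ws-alice as patient zero, and `could_be_next` then flags ws-erin and ws-frank as the hosts to check before the file reaches them.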

Virtual patching of these vulnerabilities provides a window of opportunity for the organisation to correct the root cause of the vulnerabilities that expose its network and systems.


“Ultimately this is all about blocking the unknowns” he states. “As an industry we have been pretty good at blocking the known stuff, like viruses and worms.”

But how do we go and discover these unknown threats? “The only way to do that is to move into behavioural analysis.”

“We must augment the traditional antivirus and malware tools to understand malicious behaviours, looking at the point in the ‘attack chain’ where malware goes to contact the command and control servers or starts to exfiltrate data.

“Although this is a long way down the attack chain, the malware authors are very adept at bypassing our traditional protection mechanisms like firewalls and antivirus.”


Leveraging platforms is the only way to maintain any advantage over the attackers, he states.

“The first platform is to use the entire network as a sensor,” he states. “Use that to understand what is going on in your network so you can leverage the network as an enforcement point.”

The second platform is globalised information sharing of threat intelligence. “Organisations can’t do this alone anymore,” he states. “They need real-time updates of current threats and be able to dynamically change their posture to mitigate the threat impact.”

Sikking turns to the five principles in the Cisco Security Manifesto as a guide:

First is that security must be considered a growth engine for the business. “It should never be a roadblock or hassle that undermines user productivity and hinders innovation.”

Second, that security must work with existing architecture and be usable. Organisations should not have to change the way they do business to accommodate new security technologies.

Third is that security must be transparent and informative. Users need to know how they can do what they want to do safely instead of bypassing security as they do their jobs.

Fourth is that security must enable visibility and appropriate action. “We have to have visibility in our network – so they can see traffic and also assets that make up the network.”

Fifth, security must be viewed as a people problem. “Cyber criminals are exploiting people’s trust,” he states. “We need security to be transparent to the user, but when we do need to interject, we need to be informative.”

For instance, a user who followed a link in a fake PayPal phishing email will be told: “You were blocked going to that site because it has been compromised and is now serving malware.”

He says organisations are doing pretty well on managing the processes and technology side. “We still have a long way to go and we must never forget how people factor into our transformation.”

He points out the latest Cisco Security Capabilities Benchmark Study finds 91 per cent of organisations have an executive with direct responsibility for security.

But he states that security leadership in networked organisations needs to ascend higher – to the boardroom.

Boards need to start asking tough questions about security controls, including how quickly the enterprise can detect and remediate any compromise.

CIOs need to be prepared to answer these questions from the board including: “What else should we know?”

Cisco, Unisys and Datacom are the sponsors of the 2015 CIO100 events in Wellington and Auckland.
