Page 1

CISO

SURVIVAL GUIDE TIPS & TRICKS FROM TOP SECURITY EXPERTS

GISEC 2017 SPECIAL

04 06 08

Raising the security bar A blueprint for tactical defence Upping the ante

10 12 14

A new approach to threat protection

Six things you need to know about IoT security Why IAM implementations fail

PUBLISHED BY


CONTENTS

In the hot seat The role of chief information security officer is not what it was five years ago. According to those who find themselves in the role, that’s not necessarily a bad thing. It used to be that CISOs were over-glorified IT security administrators, babysitting the firewalls, arguing with software vendors over botched antivirus signature updates and cleaning spyware off of infected laptops. True, that’s still the role some CISOs find themselves in, but for the majority the responsibility has shifted to looking at the big picture and designing the programme that balances acceptable risks against the unacceptable. With a number of high-profile security breaches making headlines of late, organisations are increasingly realising they must beef up their security teams or risk catastrophe. Compared to just a few years ago, CISOs now face a wide array of risks and responsibilities that have significantly increased the complexity of their role, says Matt Comyns, global co-head of the cybersecurity practice at Russel Reynolds Associates. Leading companies recognise that their ability to confront rising cybersecurity risk is driven by the talent of their CISO - and that companies lacking this talent will become increasingly vulnerable. While strong technical skills are ‘table stakes’ for success, core leadership and general management competencies make the best CISOs stand out from the crowd. Overall, Comnys says successful CISOs tend to have the following skill sets in common: • Business acumen and analytics • Creativity and innovation • Business-to-business communication • Relationships, influence and presence • People leadership

04 06 08 10 12

CISOs are distinguished by their ability to define a vision, secure support for that vision with the board and the C-suite, marshal the resources and talent required to translate that vision into reality, and engage the broader employee population to become champions for information security.

TIPS & TRICKS FROM TOP SECURITY EXPERTS

14

Raising the security bar A blueprint for tactical defence Upping the ante A new approach to threat protection Six things you need to know about IoT security Why IAM implementations fail

CISO SURVIVAL GUIDE

3


INTERVIEW MALWAREBYTES

Raising the security bar Christopher Green, regional director, Malwarebytes, gives us a lowdown on the threat landscape and what his company is showcasing at GISEC this year.

How do you see the threat landscape

they will be able to adapt their ransom

seen repeatedly over the last couple of

evolving this year?

demands to match their victims. The

years, failing to do so can cause serious

This year ransomware is likely to

intentions of attacks are also likely to

damage to a brand’s reputation, finances

continue to be a massive force

become more personal. In addition to

and – as in the case of Yahoo! –

threatening consumers and businesses

encrypting files, ransomware attackers

company valuation. All too often security

alike. Since ransomware rose to

will soon be threatening to post data

strategies are not as robust as they

prominence as the malware of

or information on social media, or to

could be, with solutions implemented

choice for cybercriminals it’s been

expose it in an equally destructive way.

on an ad-hoc basis, which means

relatively indiscriminate. However,

4

cohesion and visibility across systems

throughout 2017 we expect

What kind of fundamental strategies

suffers. This fire-fighting approach can’t

that targeted ransomware attacks will

would you recommend for CISOs to

continue. Not only does it increase a

become the new norm. If an attacker

keep pace with rapidly evolving attacks?

business’ vulnerability, but it also makes

can recognise the difference between

CISOs today need to be in a position

implementing new technologies a

an enterprise and a consumer target,

to react quickly to threats. As we’ve

headache and slows down innovation.

CISO SURVIVAL GUIDE

TIPS & TRICKS FROM TOP SECURITY EXPERTS


Cybersecurity is certainly creeping up the boardroom agenda for businesses, but it still has a long way to go. Until a serious security incident occurs, protecting the company’s networks is mostly seen as an expensive and resource-intensive process that consumes the budget and offers little ROI. Instead, CISOs need to make a

Marketing, HR, legal and other

Christopher Green, regional director, Malwarebytes

concerted effort to position of security

business functions are all seen as

as a business enabler, rather than a cost

critical. Most organisations would

centre. With this attitude, security can

recognise that they couldn’t function

What products and solutions are you

be seen as a function that underpins

without staff or customers, but fewer

showcasing at this event, and how can

the organisation and allows it to be agile

recognise the same can be said of

CISOs benefit from these?

and innovative without fear.

security. So, while we are starting to see

At the show, we will be showcasing our

cybersecurity rise up the boardroom

Endpoint Security solution, which is an

agenda, we still have a long way to go.

endpoint protection platform that uses

The pace of change in security is rapid, and that’s likely to continue. The businesses that re-think their security

multiple technologies to proactively

positioning now and have flexible, scalable

What is the primary focus of your

protect computers against unknown and

and adaptable systems in place will be

participation at this year’s GISEC?

known threats, including ransomware.

the ones that find themselves in the best

The Middle East has some of the

This multi-stage attack protection is

position, no matter what comes next.

largest malware infection rates in the

important as it provides companies of

world. Since 2012, every country in

all sizes, across all industries, around the

Do you think cybersecurity is now a

the region has had at least double the

globe the ability to stop cybercriminals

boardroom agenda for enterprises in

number of infected systems than the

at every step of the attack chain.

the region?

global average. That’s an extraordinary

Cybersecurity is certainly creeping up the

statistic and shows just how critical the

benefits CISOs in a number of ways.

boardroom agenda for businesses, but it

right security protection is.

Aside from the obvious benefit of

Malwarebytes’ Endpoint Security

still has a long way to go. Until a serious

To combat this, Malwarebytes

protecting against malicious threats, it’s

security incident occurs, protecting the

recently launched in the UAE. It’s critical

scalable so every endpoint is protected

company’s networks is mostly seen as

for businesses in the region to have the

however fast and to whatever size a

an expensive and resource-intensive

right advice and protection to combat the

company grows. What’s more, it’s easy to

process that consumes the budget and

ever-increasing number of threats they

manage and deployment is streamlined

offers little ROI. Having a CISO present

are battling. We’ll be partnering with some

so the IT team’s time is minimised and

at the board meeting is progress, but

of the region’s most respected resellers

even systems without Malwarebytes that

without the backing of the entire room,

and distributors to ensure thousands of

are vulnerable to cyberattacks can be

it’s a constant up-hill struggle to make

companies are protected and malware

easily secured. It’s a one-stop shop for

any meaningful difference.

infection rates fall significantly as a result.

enterprise endpoint protection.

TIPS & TRICKS FROM TOP SECURITY EXPERTS

CISO SURVIVAL GUIDE

5


INTERVIEW CTM360

A blueprint for tactical defense Based in Bahrain, CTM360 offers a comprehensive cyber threat management service offering, which enables enterprises to leverage the power of collaborative security to address the ever-changing landscape of cyber-attacks. Mirza Asrar Baig, founder and CEO of the company talks about the concept of ‘offensive defensive’ and the importance of threat detection and response to combat the new breed of attacks.

6

CISO SURVIVAL GUIDE

TIPS & TRICKS FROM TOP SECURITY EXPERTS


How do you see the threat landscape

How important is it for regional

evolving this year?

enterprises to have an incident

It will keep evolving in line with the past

detection and response mechanism

trends with the frequency of attacks that

in place?

emerged over the last couple of years

It would be one of the most important

exponentially increasing, ransomware

parts of the comprehensive and holistic

being the leader of the pack. Next, we

enterprise security architecture and

will also witness entirely new forms of

most organisations have it. The first

attacks where the stealing of computing

issue to be addressed, is to fill in the

power would be a base. An example of

current gaps and the next issue is

that is now visible in the use of botnets

to differentiate between the incident

for mining Bitcoins.

response inside the network and the

A major new twist would be the periodic divulgence of the treasures of zero day vulnerabilities through Wikileaks, by various self proclaimed vigilante hacking groups. As the same

offensive defense incident response Mirza Asrar Baig, founder and CEO, CTM360

attacker’s territory.

information would also end up in the hands of cybercriminals, it would be a

Do you think

race between the good and bad guys.

cybersecurity is now a boardroom

The goal of IT security is enabling end users in a secure manner, information security focuses on securing cyber assets, while cybersecurity is about detecting and neutralising cyber-attacks in the cyberspace.

in cyberspace. This second part requires a reach across the globe to neutralise attack infrastructure that may be distributed across multiple

What kind of fundamental strategies do

agenda for

you recommend for CISOs to keep pace

enterprises in the

with rapidly evolving attacks?

region?

There are two main strategies that I

I believe cybersecurity

am proposing for enterprise security.

has been a board

Firstly, we need to distinguish between

room agenda since

the functions of information security,

the Shamoon

IT security and cybersecurity. The

incident of Aramco

goal of IT security is enabling end

in August 2012.

users in a secure manner, information

However, it seems

security focuses on securing cyber

to be at the bottom of everyone’s priorities,

whatever function of security we can.

assets, while cybersecurity is about

being pushed up temporarily in reaction to an

With time, the ability to capture data

detecting and neutralising cyber-

internal impact or a major impact news. The

from logs and forensics is growing and

attacks in the cyberspace. You may

issue is not within the board, but rather the

hence we have another heap of ‘Big

be able to compare this to the police,

security industry has been unable to prove

Data’. It is simply not possible to parse

military and intelligence agencies.

enterprise security as an investment and a

through data in a semi-automated

Secondly, ‘offensive defence,’ where the

business enabler. Currently, due to ‘WannaCry’

manner, take remediation actions and

cybersecurity team will adopt predictive

ransomware, the opportunity is there once

run configuration and filters to mitigate

practice and even hunt for threat vectors

more for us to make security an investment

an imminent threat, hence AI is the

that are in a very early stage inside the

with it being on top of the agenda.

only answer.

TIPS & TRICKS FROM TOP SECURITY EXPERTS

ISPs and Hosts. Is it a good idea to automate security? Well, we do not have a choice and need AI to eventually automate

CISO SURVIVAL GUIDE

7


INTERVIEW NANJGEL SOLUTIONS

Upping the ante

Jude Pereira, founder and CEO, Nanjgel Solutions

Jude Pereira, founder and CEO, Nanjgel Solutions, explains why companies in the region must automate their security processes and adopt a framework-based approach to fend off breaches. How do you see the threat landscape

sanitise digital activity in real-time

the first party to be reprimanded is

evolving this year?

flowing in and outside the organisation.

the top management, not a junior

Cyber-attacks has taken a front

engineer at the bottom. This shift is

stage in the news, social media and

What kind of fundamental strategies

political discussions in 2016. Hillary

do you recommend for CISOs to keep

Clinton’s Presidency Campaign,

pace with rapidly evolving attacks?

What is the primary focus of your

Ukraine power grid attacks, the cyber

The complexity of solving threats is

participation at this year’s GISEC?

bank heist where hackers stole $81

increasing and human beings are

Security automation would be our

million from the Bangladesh National

needed to compensate for the lack of

primary focus at this year’s GISEC.

Bank’s account at the US Federal

automation. The problem is that there

We have now enabled our Condor

Reserve, 500 million breached

are so much manual processes, which

watch framework to be automated and

accounts from the Yahoo incident

is why I always say security should be

respond against the latest threats in

and the distributed denial of service

automated, and not fragmented. My

machine speed .

(DDoS) attack on Dyn that crippled the

simple advice to the CISOs is: Now that

Internet for several hours are some of

the war is against incredibly fast bots

What products and solutions are you

the most high profile attacks we have

and machines, security automation

showcasing at this event, and how can

seen last year.

would be the only key to success.

CISOs benefit from these?

Moving forward, organisations

8

very important.

We are showcasing cyber threat

wishing to get ahead of the

Do you think cybersecurity is now a

intelligence platform from Looking

cybersecurity challenges in 2017 must

boardroom agenda for enterprises in

Glass, incident response from IBM,

ratchet up their cyber defense with

the region?

multi-authenication solutions from Easy

an unprecedented level of inspection

Security is indeed a boardroom

Solutions and endpoint management

and speed. A level that not only adapts

game now, and CISOs are directly

technology from Forescout.

to new threats, but also is trusted by

responsible. Before, they didn’t even

leading government agencies and

know what devices or policies they

is a cybersecurity framework which

defense departments around world

had. Now the top is getting hammered.

has built in accountability, analytics,

to detect, dissemble and thoroughly

If a company is impacted by a breach,

and automation.

CISO SURVIVAL GUIDE

The highest value CISCO can get

TIPS & TRICKS FROM TOP SECURITY EXPERTS


DATACENTER SECURITY AUTOMATION

Incident Response Threat Intelligence Security Information & Event Management Database Security Network Access Control Next-Generation APT Insider Threat Prevention Next-Generation Endpoint Protection 21ST - 23RD MAY 2017 DUBAI WORLD TRADE CENTRE

Dubai Tel Fax Email

: +971 4 4330560 : +971 4 4537281 : sales@nanjgel.com

Abu Dhabi Tel : +971 2 6226301 Fax : +971 2 6226302 Web : www.nanjgel.com www.nanjgel.com


INTERVIEW BARRACUDA NETWORKS

Husni Hammoud, GM, Barracuda Networks Middle East & Turkey

A new approach to threat protection Husni Hammoud, general manager, Barracuda Networks Middle East and Turkey, explains how his company can help enterprises detect, protect and recover from ransomware attacks.

How do you see the threat landscape

the scene on a daily basis, forcing

Do you think cybersecurity is now a

evolving this year?

organisations to stay on top of their

boardroom agenda for enterprises in

Cyber threats are constantly evolving,

game in order to survive. And, perhaps

the region?

which requires that consumers be

more importantly, everyone is a target—

Yes, cybersecurity is now a topic of

especially vigilant in preventing such

not just the largest of organisations.

discussion at the majority of board

attacks. Security analysts predict

meetings, according to a recent NYSE/

prevention strategy is to effectively

Veracode survey. It is no longer just an

sansomware per quarter with no signs of

act on known threats and information.

IT issue, a policy or compliance issue –

slowing well into 2023.

Utilising solutions such as next-

it is a corporate risk issue.

According to an Osterman

generation firewalls, endpoint security

Forrester, states that CEOs are

Research sponsored by Barracuda

and secure email gateways—is important

now mainly held responsible for data

Networks, Phishing and ransomware

in order to reduce the expensive and

breaches – a shift from it solely being

are very serious threats that can

time-consuming analysis and effort of

the responsibility of the CISO.

cause enormous damage to an

advanced threat detection and mitigation.

organisation’s finances, data assets

Detection. Organisations must

and reputation. Both phishing and

have detection points that span all the

ransomware are increasing at the rate

access vectors (email, Web etc.). This is

of several hundred percent per quarter,

especially true given the explosion of the

a trend that will continue for at least the

attack surface with mobility, and cloud

next 18 to 24 months.

computing presenting access points

Barracuda is well-positioned to provide the necessary protection with

The stakes are very high and getting it wrong has significant consequences, including: - Brand damage due to customer loss - Loss of competitive advantage due to corporate espionage - High cost of responding to a breach

into the enterprise. Mitigation. Finally, organisations need

What is the primary focus of your

it’s portfolio of security products, that

to be able to effectively—and quickly—

participation at this year’s GISEC?

are all protected with its ‘Advanced

mitigate any detected intrusions. The

The middle east market is focused on

Threat Protection’ technologies, that will

goal is to remove the threat. Timely

cyber security and web security which

remove all known and unknown threats.

mitigation should help stop an attack

made Barracuda participate in GISEC

before it results in a breach.

this year as this is platform fully focused

What kinds of strategies do you

10

Prevention. The goal of a successful

an average of 200 new variants of

Repetition. Securing the organisation

on cyber threats and IOTx. We are going

recommend for CISOs to keep pace with

is more of a journey than a destination. For

to showcase Barracuda Web application

rapidly evolving attacks?

this entire process to be effective within an

firewall, which helps you to secue your

The cyber threat landscape is constantly

evolving environment, organisations need

apps on-premise and in the cloud,

evolving with new attacks (malware,

to place emphasis on the significance of

next-gen firewalls and Barrcacudea

spam, URL-based attacks) entering

an ongoing threat assessment mentality.

Essentials for Office 365.

CISO SURVIVAL GUIDE

TIPS & TRICKS FROM TOP SECURITY EXPERTS


90 SECURITY BREACHES! %

OF ORGANISATIONS SUFFER

*

digital readiness in the face of ever-changing risk. By 2020 our digital footprint will be larger than life and fully mobile, requiring more security than ever before**.

With CARM your customers can: blocking their path Protect their core business and achieve compliance without compromising agility Keep one step ahead of evolving threats Adopt a universal, end-to-end cybersecurity approach that addresses post-breach

What is CARM? CARM – Cyber Attack Remediation & Mitigation – is Exclusive Networks’ unique cybersecurity solution framework, supporting organizations on their journey to address changing risk in the digital world. * Source: 2015 Information Security Breaches Survey Technical Report, HM Government * IDC, The Digital Universe in 2020

For more information: www.exclusive-networks.com/ae Call us:+971 4 3757612 Exn_Me

Exn.Me

Exclusive Networks ME

Exn_me


INSIGHT IOT

Six things you need to know about IoT security It’s in every company’s best interest to ‘do’ IoT correctly, which means ratcheting up security measures for protecting data and bringing better services.

Successful IoT offerings rely on the

penetration testing. Keep in mind that it’s

Transparency matters

perception of benefit they can deliver

better to fold security into the product

Good transparency principles aren’t

to businesses and consumers while

development cycle, rather than bolting it

exclusive to IoT, but require understanding

creating a proportionate foundation of

on after the fact.

that privacy threats in an IoT system are

security, trust, and data integrity. There

unique and require transparent disclosure

are ways IoT technology can reduce data

Proactively manage IoT security

security risk while improving customer

operations remotely

experience in a connected world.

Ideally, companies should be able to

Here are top tips for securing IoT:

remotely push security patches and updates as soon as they’re available

• Personal data collected or generated. • Data actions performed on that information. • The context surrounding the

Justify the business expense of

to prevent vulnerabilities. Updates

collection, generation, processing,

‘embedding’ security

and patches should not modify user-

disclosure and retention of this

As with all technology, IoT security

configured preferences, security, and/or

personal data.

considerations should be embedded

privacy settings without user notification.

in every phase of development, from

Automated (as opposed to automatic)

Embrace edge analytics and minimise

inception to deployment. Everyone

updates increase customer trust

the amount of sensitive data in transit

wants the wondrous new capabilities,

because you do the heavy lifting, while

With IoT applications, as information is

but many balk at the price tag and

still providing users with the ability to

relayed from IoT endpoints to the cloud

operational complexity that goes with it.

approve, authorise or reject changes.

for computation and analysis, there’s

Security becomes an afterthought that

12

related to three inputs:

always a risk of exposure and threat

is addressed at the end of the process, if

Encryption is your friend

of interception. But the current trend

at all. Those same organisations should

Beefing up encryption is also advised

toward moving some computation to

be aware that there are now numerous

in the new IoT Trust Framework. Show

IoT endpoints and transmitting only

legal implications surrounding how an

your customers you care about their

prescribed information reduces the

organisation handles its IoT security.

privacy by ensuring that any support

amount of potentially sensitive raw data

websites used in your IoT service fully

in transit. While the arguments for edge

Test, test, and re-test

encrypt user sessions, from the device

computing generally centre around

As you’re developing your IoT

to the backend. ‘Current best practices

increasing real-time functionality and

applications and services, you need

include HTTPS or HTTP Strict Transport

the savings associated with machine

to conduct continuous internal and

Security (HSTS) by default, also known

learning and AI, mitigating customer

third party vulnerability analysis and

as AOSSL or Always On SSL.’

data exposure is an added benefit.

CISO SURVIVAL GUIDE

TIPS & TRICKS FROM TOP SECURITY EXPERTS


Synchronized Security A revolution in threat protection

It´s time your security solutions started talking. Synchronized Security is a best of breed security system where integrated products dynamically share threat, health, and security information to deliver faster, better protection against advanced threats.

Visit Sophos at B-100, Hall ZABS in GISEC 2017 21st to 23rd May


INSIGHT IAM

Why IAM implementations fail It is easy to overlook identity access management as static infrastructure in the background. Too few organisations treat IAM as the crucial, secure connective tissue between businesses’ multiplying employees, contractors, apps, business partners and service providers.

When organisations fail to properly align

and operational stages. Forecast

Fumbling executive buy-in

business processes and organisational

the number of people needed,

Top executive is crucial in every IT

practices with IAM deployments,

whether the IAM solution will run

programme, but too often IAM fails

security strategies are put at risk. Here

on-premise, for example and what

because backers use vague words like

are some of the biggest missteps

infrastructure expenses are expected.

‘security’ and ‘risk.’ Instead, put IAM

companies should avoid when it comes

Within this plan, a team structure

advantages in quick-win ROI language

to IAM implementations:

should be developed, with an IAM

any executive will recognise - like

‘owner,’ so roles, responsibilities, and

explaining how this initiative will let you

Treating IAM like a project,

accountability standards can be

onboard new employees faster, use new

not a programme

established. Without this philosophy in

applications more flexibly or seamlessly

Organisations treat IAM as a one-and-

place, IAM programmes are paralysed

engage with more overseas partners.

done project, not the type of evolving

by chronic resource shortfalls and are

and adaptive programme necessary

dangerously incomplete.

to actually encompass organisations’

14

Poor communication, period This dooms any programme, but

riskiest asset - their people. Words like

Dictating IAM to end-users

particularly when it comes to IAM

‘checklist’ and ‘end date’ are red flags

Face it, frontline end-users are

because unlike forensics or threat

in IAM meetings, they betray short-

reflexively hostile to change, meaning

intelligence, identity and access seem

term, project-oriented thinking. This

an IAM programme that feels arbitrary

abstract and obscure. In a recent NACD

misstep dooms many IAM initiatives

and foisted upon them will trigger

study, only 15 percent of directors were

right out of the gate.

backlash. Spend time to understand

“very satisfied” with the quality of cyber

end-user stakeholders’ requirements

security information they receive from

Investing too little in IAM

and routine; they’re almost always

their management team. Don’t be a

Project-oriented thinking leads to

perfectly compatible with IAM elements

statistic - IT and security leaders need

shortchanging IAM. You avoid this by

tailored the right way. This deftly

to take their first, best opportunity to set

beginning with a multi-year plan that

avoids complaints about productivity,

the storyline for why IAM is important

breaks up costs into implementation

application support and other headaches.

and its business advantages.

CISO SURVIVAL GUIDE

TIPS & TRICKS FROM TOP SECURITY EXPERTS

CISO Survival Guide - GISEC 2017 Special  
CISO Survival Guide - GISEC 2017 Special