This year’s Cyber Security Summit: Boston was a tremendous success. It was rewarding to see so many business leaders, cyber experts, government officials, and thought leaders in one place, all dedicated to advancing the security of our cyber environment.
The event’s mission is to connect C-Suite and Senior Executives responsible for protecting their companies’ critical infrastructures with innovative solution providers and renowned information security experts.
In practice, this meant that the event offered a lot of valuable insight into the state of cyber security, an exhibit floor filled with leading solution providers demonstrating the latest products and services, and much practical advice on a multitude of security- and compliance-related topics.
Threat Stack was honored to be a Gold Sponsor. We were also an exhibitor, and Sam Bisbee, our CSO, was well received for his contribution to one of the main panel discussions.
As usual with these gatherings, there was far too much going on to give a full recap here. However, I do want to focus on some of the highlights from the “Compliance Nightmare” panel, because the discussion reminds us that we should never forget the basics.
The Compliance Nightmare: No One Gets Extra Points for Spending More to Pass an Audit
The Compliance Nightmare panel, moderated by John Knies, Chief Information Security Officer, CenturyLink, focused on the relationship between compliance and security. It was convened to discuss the challenges of meeting security compliance requirements, as well as the key imperatives of keeping enterprises and their endpoints continuously patched, secure, and compliant in today’s volatile world.
I’ve singled out four questions from the discussion, along with related key points from the panelists:
Question #1: Why are so many companies in the news today because of security breaches?
There are many answers, but when you look at it through the lens of compliance and security, it comes down to the fact that compliance and security aren’t the same thing.
If you focus on achieving compliance without a fundamental understanding of the data and systems that need to be protected, you run the risk of leaving yourself wide open from a security point of view. This is being illustrated again and again in the public data breaches we keep hearing about.
Compliance and security can work together, but it’s essential to identify what is required from a security perspective first, because passing an audit does not translate into being secure.
As Sam Bisbee pointed out, compliance can be met, but unless there’s also a genuine effort to translate security policies into action, real security won’t be achieved. Organizations need to put controls in place to monitor all their data, because people outside of security won’t do it.
Question #2: Why do we see so many tools, but still have so many successful attacks?
Having a big arsenal of tools does not equate to effective security, and there’s no sense buying yet another tool unless you have a fundamental and comprehensive security strategy in place.
If you lack a security strategy that is based on a risk and requirements analysis and includes end-to-end operational planning, adding tools is not going to solve your underlying issues. On the contrary, it will almost certainly add to existing problems: gaps in coverage, unintentional overlaps, lack of integration between tools, and ever-deepening operational pockets and silos.
Once again, Sam brought a heavy dose of common sense to the discussion when he pointed out that so many vendors are focused on the next big “Hollywood thing”. And too few people are taking the time to focus on basics. In point of fact, most attacks are not advanced, so making sure that the fundamentals are taken care of is essential for protecting against them.
“There are record-breaking DDoS attacks out there for sure, but vendors are bringing ‘nation state level’ solutions to problems that most organizations just don’t have. You need to address the fundamentals first.”
Again, organizations need to take a holistic approach: develop a comprehensive security strategy first, and then get into the nuts and bolts of bringing together the right people and skills, security-focused policies and processes, and appropriate technologies.
Question #3: What are the top things we should know and do in order to be compliant and secure?
According to the panel, here are some of the things you should be doing to ensure that your organization is both compliant and secure:
- Remember that compliance and security are not the same thing. Compliance does not equal security and can actually be the enemy of good security. Rather, compliance should be a byproduct of a good security program. If you look at compliance requirements alone, you have probably not thoroughly analyzed your security requirements or identified each area where data and systems need to be protected in your organization.
- Another way of stating the previous point: don’t rely on your auditor. Compliance frameworks are generic. They are not tailored to your organization’s systems, data, and threats, and satisfying them does not by itself ensure security.
- Base your controls on the way people actually work in your organization, not on an abstract checklist. This will lead to stronger security than a compliance framework will by itself.
- Identify tools that are specific to your organization’s security needs, and reduce the number of point solutions as much as possible. Point solutions can leave gaps in protection, are difficult to manage, and make it hard to aggregate data from multiple tools into a single, meaningful picture that you can act on quickly. You need tools that provide a single source of truth, and you need to be clear about where the data you need to protect actually lives.
- Be surprised less. Ensure that you have visibility throughout your infrastructure and can act on anomalies that require investigation.
Final Words . . .
The Boston Cyber Security Summit delivered a wealth of information on how to protect vulnerable business applications and critical infrastructure from cyber attacks.
At Threat Stack, we understand that companies need to capitalize on the business benefits of cloud infrastructure and automation in order to compete, and we are committed to helping them do that securely. As such, we were extremely pleased to be part of the Boston Cyber Security Summit. As illustrated above, a strong security program starts with the basics, which includes having visibility into what is happening within your infrastructure and knowing when anomalies require further action.
If you’re interested in learning more about Threat Stack’s intrusion detection platform, please sign up for a demo.