07/25/2012 3:20 PM

Black Hat: 6 Lessons To Tighten Enterprise Security

Opening the Black Hat conference, former FBI executive assistant director says businesses can learn from how the FBI now fights terrorists.

4. Keep Important Information Off The Network. "One of the things I learned at the FBI is that there are certain types of things we don't put on the network," he said, including information about sensitive investigative techniques or transcripts from court-ordered intercepts. Since keeping super-sensitive information off of the network makes it much more difficult for anyone to steal it, Henry said, "I don't understand why more companies aren't compartmentalizing their data."

5. Change Metrics To Track Breach Response Speed. Today's information security programs should be measured in part by their response speed. "How long after the adversary gets access to my network will I be able to identify and mitigate the threat?" said Henry. "The old information security metric would have been, 'Can we stop the adversary from getting on the network?' And I would say that if your bonus is tied to that metric, there aren't going to be a lot of Christmas presents under the tree this year."

Henry recounted how the bureau made a similar conceptual change when it began measuring how quickly it could respond once a threat was identified rather than simply looking at the number of arrests, indictments, and convictions it won.

6. Increase Intelligence Sharing. Which information security threats have the potential to cause the most harm? Businesses need to answer that question, said Henry, so that they can put their finite resources to best use. To do this, they need better threat intelligence. "We have to be able to prioritize the threats, and more granular intelligence allows you to do that," Henry explained. For real-world threats, such sharing was accomplished in part thanks to the FBI-coordinated National Cyber Investigative Joint Task Force (NCIJTF), which facilitated intelligence-sharing between 18 intelligence and law enforcement agencies.

Now the private sector needs similar ways of sharing high-quality information about information security attacks. To help make that happen, Henry pointed to nascent efforts aimed at sharing the government's threat intelligence with businesses. In either scenario--real-world or online--the goal is the same. "We need to understand who the adversary is," Henry said, "because if we understand who they are, we can take proactive measures."



re: Black Hat: 6 Lessons To Tighten Enterprise Security

While I agree with the majority of points that Mr. Henry is making, I find point number 4 to be somewhat short-sighted and quite telling of his background.

In this day and age, access to information, any information from anywhere, is what drives the private sector. Mobile, nimble, quick-to-react organizations are more apt to survive in business as opposed to those who can't keep up with the break-neck pace.

Organizations are compartmentalizing data, from what I've seen in the field, but having a desk drawer full of folders in the CEO's office under lock and key doesn't do that CEO any good when they're working remotely and need access to that information.

Any time data is digitized, it's much more mobile - but it's also much more vulnerable. Businesses have to determine what their level of acceptable risk is when it comes to deciding what can or should be thrown into their document management system and what shouldn't.

Andrew Hornback
InformationWeek Contributor

re: Black Hat: 6 Lessons To Tighten Enterprise Security

I agree with Andrew. The comments of Mr. Hornback appear not to fully appreciate the demands of what it takes to succeed in the private sector today, or what our most important threats are. The private sector moves at warp speed compared to the public.

Much of the piece is relatively "macro", as there are plenty of threats in our existing infrastructure. For example, yesterday I learned that the cloud service we've used, Egnyte, did not just have a vulnerability (which happens) but failed to have even the most basic controls in place and misrepresented their security architecture (and they're supposed to be HIPAA-compliant).

If you can't even rely on a leading cloud service to provide basic security, aren't we spending too much time worrying about the Chinese?