Black Hat: 6 Lessons To Tighten Enterprise Security

How can corporate America cure its information security ills? Take a page from the FBI's terrorism-combating revamp.

That was the pitch made by Shawn Henry, president of CrowdStrike, in his keynote presentation Wednesday opening the Black Hat 2012 conference in Las Vegas. Until March 2012, Henry was the executive assistant director of the FBI, with responsibility for all of the FBI's criminal investigations worldwide, including cyber investigations, the critical incident response group, and international investigations.

After Sept. 11, said Henry, the FBI retooled to better combat "kinetic terrorist attacks--bombs going off, and people getting killed." Doing this meant admitting that terrorists might already be at work in the country, and then finding the best way to help the bureau and other intelligence agencies gather and share better intelligence.

[ Can data analysis apps help catch bad guys? Read more at Big Data Plus Police Work: Good Partners?]

Now it's time for businesses to admit that they also face new types of risks. "Today, with a $500 laptop and an Internet connection, anyone anywhere can attack anyone, anywhere," said Henry. But many senior executives seem to have been slow to catch on to this new state of insecurity. "I still hear from CEOs: why would I be a target? Why would they come after me?" said Henry.

But senior executives must get proactive about combating security threats. To do so, Henry recommends applying 6 lessons learned by the FBI:

1. Assume You've Been Breached.In recent years, forward-thinking CISOs have adjusted their information security perspective. Instead of trying to keep their network 100% secure, they're admitting that preventing every breach is impossible. Accordingly, they need to be able to quickly spot intrusions and then quickly respond.

Unfortunately, not enough businesses have come around to that more progressive way of thinking. "I can't tell you how many times FBI agents are deployed onsite, saying they found data that was breached, because we found all of this company data outside of the network," Henry said. "We sit down with the CISO or COO, and they said it couldn't have happened." But typically, after a bit of analysis, they find that their perimeter security defenses were breached months--and in a few cases, years--before. Of course, because they failed to spot the breach, the business's sensitive information could have been exposed for months or years.

2. Beware Foreign Intelligence Services.Who is best at stealing corporate data? "Foreign intelligence services ... are the most important threat today," said Henry, who said there are dozens of intelligence services with the ability to launch highly sophisticated reconnaissance-gathering operations. When such operations are successful, he said, they put businesses on the opposing side at a disadvantage during negotiations. "It's like playing poker with a marked deck," he said.

3. Get Proactive."If you agree with the premise that someone has breached your network, that they're already in there, then why aren't you looking for them?" said Henry. "We have to constantly be looking for them." But he pointedly stopped short of calling for hack-back attacks, which he said would break the law. Instead, he recommended counterintelligence, such as leaving "decoy documents"--fake intelligence--to fool attackers.4. Keep Important Information Off The Network."One of the things I learned at the FBI is that there are certain types of things we don't put on the network," he said, including information about sensitive investigative techniques or transcripts from court-ordered intercepts. Since keeping super-sensitive information off of the network makes it much more difficult for anyone to steal it, Henry said, "I don't understand why more companies aren't compartmentalizing their data."

5. Change Metrics To Track Breach Response Speed.Today's information security programs should be measured in part by their response speed. "How long after the adversary gets access to my network will I be able to identify and mitigate the threat?" said Henry. "The old information security metric would have been, 'Can we stop the adversary from getting on the network?' And I would say that if your bonus is tied to that metric, there aren't going to be a lot of Christmas presents under the tree this year."

Henry recounted how the bureau made a similar conceptual change when it began measuring how quickly it could respond once a threat was identified rather than simply looking at the number of arrests, indictments, and convictions it won.

6. Increase Intelligence Sharing.Which information security threats have the potential to cause the most harm? Businesses need to answer that question, said Henry, so that they can put their finite resources to best use. To do this, they need better threat intelligence. "We have to be able to prioritize the threats, and more granular intelligence allows you to do that," Henry explained. For real-world threats, such sharing was accomplished in part thanks to the FBI-coordinated National Cyber Investigative Joint Task Force (NCIJTF), which facilitated intelligence-sharing between 18 intelligence and law enforcement agencies.

Now the private sector needs similar ways of sharing high-quality information about information security attacks. To help make that happen, Henry pointed to nascent efforts aimed at sharing the government's threat intelligence with businesses. In either scenario--real-world or online--the goal is the same. "We need to understand who the adversary is," Henry said, "because if we understand who they are, we can take proactive measures."

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)