Exploring the complexity of modern cyber attacks
by Mirko Zorz - Monday, 17 February 2014.
James Holley is an Executive Director at Ernst & Young LLP. In this interview he discusses the complexity of modern cyber attacks, the challenges involved in maintaining a growing security architecture, cyber attack drills, and much more.

He'll be speaking about targeted cyber attacks at ISACA's North America CACS conference in April.

What are the main challenges in balancing a growing security architecture with emerging threats, while at the same time justifying ROI to the management?

There are at least two primary challenges to balancing a growing security architecture against emerging threats.

The first is that emerging threats are developed and deployed very rapidly, while almost any new element of the security architecture generally takes much longer to put in place, generating a window of risk where an emerging threat initially has no corresponding security component to address it.

The second is that new elements of the security architecture typically impact users and business processes in some manner. A practical example of this impact is a three-pronged security project that removes users from local administrative groups, requires password vaulting for all accounts with elevated privileges, and deploys application whitelisting in an effort to counteract the emerging threat of phishing attacks. Users, including server administrators accustomed to having local administrative privileges, must adapt to the new security environment. Likewise, some automated business processes that require accounts with elevated privileges must also be adapted to use the password vault. These changes have an impact on administrators and users that must be addressed in the planning phase of the architecture project.

Justifying ROI for information security can be a challenge. Information security is, in fact, a business problem, not an IT problem. The information security team should develop an information security strategy aligned with the company's business imperatives and the various IT programs designed to support those business imperatives. A well-executed information security program should also deploy a security architecture that enables business-focused outcomes (i.e. enabling the company to research and develop new products, to expand in existing markets or enter new ones, or to attract new customers) in secure ways.

But that is not enough. Because users are both the target of advanced attacks and the first line of defense, the information security strategy should include components designed to modify users' behaviors, enable risk-aware behaviors and require risk-aware decision making, all while driving compliance with law and regulation. These are the components of the ROI calculus for information security.

The number and complexity of cyber attacks continues to rise and the information security industry is playing catch-up. Do you think we'll ever be ahead of the bad guys?

Attackers have always had an advantage. They have to be right once; defenders have to be right all the time. And the window of risk defined above, when an attacker can deploy some new attack technique or capability, ensures attackers will continue to have an opportunity at a point in time when capable defenses have not yet been developed or deployed.
