Cybersecurity is a bit like that classic joke about two hikers and a bear. As a bear approaches the pair, the first hiker frantically digs a pair of sneakers out of a backpack and puts them on in a hurry.
“What are you doing? You can’t outrun a bear!” exclaims the second hiker.
“I don’t have to outrun a bear,” replied the first hiker. “I just need to outrun you.”
In an information security context, this means being harder to breach than the next target, which motivates bad actors to pursue softer targets. That’s how Tim Callahan set up his presentation at the 2017 RSA Conference titled, An Aflac Case Study: Moving a Security Program from Defense to Offense. Mr. Callahan is a senior vice president and CISO for the supplemental health insurance carrier.
Defining an Offense in Cybersecurity
Every company is vulnerable, which is why phrases like “assumed breach” have entered the security lexicon. A good offense is about both making the act of a breach as challenging as possible – and being ready to respond if in fact the organization is comprised.
It’s also important to define what an offense in cybersecurity does not mean. Mr. Callahan does not advocate for measures such as a “hack back“. This is where, for example, if a company is attacked, it might in turn attack the source – or perceived source.
Hacking back, he says, is fraught with risk for several reasons. These include the fact that most businesses simply don’t have the intelligence to have comprehensive situational awareness. A hacker might use a server that runs a life-support device as a proxy. If that company responded by attacking that server, it might unknowingly put lives at risk.
The Four Pillars of a Cybersecurity Offense
Enterprises need four pillars to design and implement what Mr. Callahan calls a “preemptive environment”. Those components are:
- An effective intelligence program
- A good analytics system
- An environment that keeps the “fight far” from the core business
- The right team
He walked through each pillar as follows:
1) Threat intelligence. Security analysts need multiple sources of information. In Mr. Callahan’s view, this means gathering internal threat data and augmenting it with several classes of external sources. To that end, he breaks threat intelligence into three categories:
- Internal sources. This includes traffic, log files, appliances and even employee behavior. The behavioral difference means being able to distinguish between a clumsy user attempt to retrieve a lost password and brute force effort to crack one.
- External sources. This category includes open source information, association memberships, vendors, and even government sources. He spoke highly of the Automated Indicator Sharing service, a public-private partnership sponsored by the Department of Homeland Security (DHS).
- Dark web. The dark web provides the opportunity to monitor forums frequented by bad actors for information you can use to proactively protect the enterprise. Mr. Callahan says Aflac subscribes to services for this information, rather than having his own employees canvas the chat rooms. These services have helped discover stolen credentials for sale and even helped gather information about a planned deliberate attack on Aflac, which enabled the company to make changes to avert it before it happened.
2) Security analytics. Security analytics is an enabling technology that allows analysts to ingest vast sums of seemingly disparate data and find connections that are hard to detect with a human mind. It’s able to take the internal sources of data and correlate it with external sources of information. In this way, Aflac has been able to develop a confidence score that triggers a machine to take action – to block and exploit a hole, for example.
The challenge with this approach, according to Mr. Callahan, is it’s at odds with conventional IT change management processes. This is why a confidence score based on internal and external sources is so important. Aflac has been able to master this – with “almost heroic” results from just a five-person analytics team. Those results include:
- Two million connections blocked with only 12 false positives
- Average of 90 threat actor campaigns maintained
- More than five million indicators of compromise maintained
3) Fight far. By “fight far” Mr. Callahan is referring to building layers of security in order to keep the cybersecurity battles “away from your core.” The closer the fight is to the core business, the less margin there is for error. The far fight is about putting multiple obstacles in-between those core systems and the avenues of approach a hacker might take in an attempt to gain entry.
The far fight for Aflac begins all the way out in cloud with “blackholing”, which he describes as working with an ISP to shed any traffic “that can’t be good.” The depth also includes multiple firewalls, anti-virus, and quarantine that continuously reduce the threat. Inside the firewall, Aflac maintains IPS, sandboxing, an experimental program with deception and decoy tools – and of course HIDS. Slide #9 of his presentation contains a graphical illustration of the far fight Mr. Callahan describes.
4) Staffing and building the team. It’s no secret there’s a cybersecurity skills gap. Mr. Callahan cites data from research firm Frost & Sullivan which suggests 1.5 million cybersecurity jobs will go unfilled by 2020.
This is a challenge he’s experienced firsthand at Aflac. He says his hiring – about 30 new employees per year – is limited purely by the ability to find the right experience and skill sets. To that end, he’s improvised and offered several ideas to work through the challenge of a talent shortage.
- Recruiting military and veterans. Mr. Callahan noted veterans have the core instincts to protect sensitive information. This in combination with the fact he finds this group “very trainable” makes veterans an ideal source of talent. It might help also that Mr. Callahan himself once wore a uniform, and that the Aflac headquarters is located in Columbus, Ga., which is close to a sprawling military community of Ft. Benning.
- Relatable skills. Sometimes skill sets from other functional areas are a good match, as well. For example, a data scientist can be even better suited to a security analytics role than experienced security personnel. Mr. Callahan points out you can train a data scientist on the security threats to look for, but they often inherently have a better aptitude for the important task of data interpretation.
- Grow from within IT. He also discussed “re-purposing” employees from other IT specializations. He has found network engineers have the right aptitude for security. There’s an advantage to the fact, network engineers already know the IT environment and corporate culture.
He was careful to point out the importance of cultivating and maintaining some existing leadership and experience to successfully tap talent from these other areas and train them properly.
* * *
Mr. Callahan’s session was recorded and is freely available online without registration. His entire presentation runs about 45 minutes and is well worth making the time to listen or watch.