Why a CSO is Crucial for Large Enterprises: A Response to CIO Insight Article

The following is commentary on excerpts of an article posted on March 11, 2014 by Jack Rosenberger of CIO Insight, The Complicated Relationship Between CIO and CSO’s, an interview and discussion with Eric Cole, a SANS Institute Faculty Fellow.

A lot of people were surprised when Beth M. Jacob, Target's CIO, resigned last week, following the fallout from the retailer's massive data breach. What are your thoughts about these events?

Eric Cole: When a major event like this occurs, someone needs to be held responsible for the negligence. Therefore, it is not surprising that someone was blamed for the breach. What was surprising, however, is that security was a responsibility of the CIO. The fact that a large organization did not have a separate CSO, who is a peer with the CIO, is most concerning about this story…

What Eric Cole so aptly points out is that the CIO office is no replacement for the CSO function. Each office has separate and distinct responsibilities. The CIO’s primary purpose is the reliability and availability of business and computer systems, while the CSO’s job is to protect those systems from outside intruders and insider threats. CSOs require products and systems that provide the greatest possible network visibility and offer near real-time data, so that they can respond appropriately to detected threats. CIOs do not necessarily need these types of systems to be effective, which underlines the divergent responsibilities of the two offices.

What should Target have done to prevent the data breach or mitigate its impact, but didn't?

Eric Cole: First and foremost, organizations of any size, especially one the size of Target, need to have an executive that is responsible for security... Second, there should have been a more keen focus on both the infrastructure and device security. From an infrastructure perspective, better segmenting with proper boundary defense would have reduced the impact of one system having full visibility into the entire network… Organizations cannot protect what they do not know. If the organization had more carefully tracked and secured the devices on its network, it could have better managed the impact of the breach.

Having the proper perspective on network security is critical. Even once hardened, perimeter defenses are only one piece of the overall security puzzle. By leveraging NetFlow, actionable insight becomes available, which shortens the time between the onset of a problem and its resolution.

Combining flow-based monitoring with anomaly detection provides enterprise-wide visibility into the known devices on the network and into host and network behaviors, adding the contextual information needed to make actionable decisions more rapidly, with a high degree of confidence that those actions will have a demonstrable impact on thwarting attacks. By providing in-depth insight into the internal environment, StealthWatch identifies, tracks and helps secure endpoint devices, such as POS devices, so that security professionals have the tools they need to manage and secure them where and when necessary.

Target had a CIO, but not a CSO. How might the lack of a CSO have contributed to Target's data breach?

Eric Cole: … There needs to be a communication path from the engineers to the CEO, and the CSO is that channel. Without a CSO, the proper security communication does not make it to the executives...

A recent study conducted by the Ponemon Group found that 80% of CEOs are in the dark about cyber-attacks against their company. While billions of dollars’ worth of intellectual property is stolen from companies each year, and 68% of companies indicate that a breach is imminent, only 50% of companies measure their incident response activities. Creating the linkage between the functional security group and the executive office is critical to driving communication and intelligent decision-making. The StealthWatch System delivers actionable intelligence to organizations so that attacks can be identified, evaluated and responded to quickly and effectively.

In terms of cyber security threats, what worries you the most?

Eric Cole: What worries me the most is that organizations are still looking for the silver bullet to solve all security problems. It does not exist. To protect themselves, organizations must focus on the core areas of security. The Critical Controls is a great starting point...

By leveraging NetFlow and other types of flow data, Lancope’s StealthWatch System delivers pervasive network visibility to fulfill a number of the recommended controls, including targeted threat detection and improved incident response.

StealthWatch addresses four of the 20 Critical Controls:

13: Boundary Defense: By monitoring lateral movement within a network, StealthWatch offers multi-layer blocking, emerging threat detection and targeted threat detection. In conjunction with other security measures, StealthWatch helps form an effective barrier to intruders.

14: Maintenance, Monitoring and Analysis of Audit Logs: Being able to collect, manage, and analyze audit logs of the events that occurred helps organizations detect, understand, and recover from an attack. StealthWatch uses advanced, proprietary algorithms to facilitate the collection and analysis of this data and to make it manageable and easily consumable.

18: Incident Response and Management: Using NetFlow, StealthWatch gives enterprises the ability to discover and eradicate threats and to recover from a breach in an elegant and effective manner. Without effective incident response, organizations are doomed to suffer breaches and either be unaware they have occurred or follow ill-timed and ineffective procedures, resulting in data exfiltration, financial loss and potentially negative publicity.

19: Secure Network Engineering: Closing the seams in any network is exceedingly difficult, and engineering best practices alone do not always close the gaps between disparate systems. Implementing flow-based policies minimizes the opportunity to infiltrate networks by providing essential policy alarms and alerts.
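As an added illustration of the flow-based monitoring described above and of the lateral-movement and boundary-defense points in the controls list, the following script polices constructed NetFlow-style records for a hypothetical POS segment. It is example code written for this commentary, not StealthWatch's or Lancope's own logic; the subnets, allow-list, byte threshold and sample flows are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical network layout and policy (constructed for this example).
POS_NET = ip_network("10.20.0.0/16")       # segment holding the POS devices
CORP_NET = ip_network("10.0.0.0/8")        # the whole internal address space
ALLOWED_POS_DST = {("10.1.1.10", 443),     # payment gateway
                   ("10.1.1.20", 8443)}    # software update server
OUTBOUND_BYTES_THRESHOLD = 5_000_000       # 5 MB in one flow from a POS device to the Internet

@dataclass(frozen=True)
class Flow:
    """One exported flow record: source, destination, destination port, byte count."""
    src: str
    dst: str
    dport: int
    nbytes: int

# Constructed sample records, as a flow collector might export them.
SAMPLE_FLOWS = [
    Flow("10.20.3.41", "10.1.1.10", 443, 12_000),      # POS -> payment gateway: expected
    Flow("10.20.3.41", "10.1.1.20", 8443, 400_000),    # POS -> update server: expected
    Flow("10.20.3.41", "10.30.7.5", 445, 80_000),      # POS -> file server in another segment
    Flow("10.20.3.42", "203.0.113.9", 80, 9_000_000),  # POS -> external host, 9 MB outbound
    Flow("10.5.0.8", "10.20.3.41", 443, 2_000),        # workstation -> POS: not policed here
]

def classify(flow):
    """Return a finding label for one flow, or None when it matches the POS policy."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in POS_NET:
        return None                          # only POS-originated flows are checked
    if (flow.dst, flow.dport) in ALLOWED_POS_DST:
        return None                          # explicitly permitted destination
    if dst in CORP_NET:
        return "lateral_movement"            # POS reaching an internal host off the allow-list
    if flow.nbytes >= OUTBOUND_BYTES_THRESHOLD:
        return "suspicious_transfer"         # large outbound flow to an external host
    return "unexpected_external"             # small, but still off-policy

def findings(flows):
    """Collect (src, dst, dport, label) for every off-policy flow, in input order."""
    return [(f.src, f.dst, f.dport, label) for f in flows if (label := classify(f))]

if __name__ == "__main__":
    for src, dst, dport, label in findings(SAMPLE_FLOWS):
        print(f"{label:20} {src} -> {dst}:{dport}")
```

In a real deployment the allow-list and threshold would come from a learned baseline rather than constants, but the shape of the check, policy per segment applied to every exported flow, is the same.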

Learn more about how Lancope's StealthWatch System fits into the SANS Critical Controls here.

Mr. Cole surfaces some very salient points and lends perspective on the attacks that retailers (and other organizations) are under. As the rate and severity of attacks escalate, organizations need to look beyond basic network security requirements and industry security standards such as the PCI Data Security Standard.

Organizations need to be forward leaning in their security implementations. Lancope’s StealthWatch provides retailers with an effective and economical way to gain comprehensive network visibility, so that they can take control of what is happening inside their organizations, detect suspicious data transfers, and create audit trails that enable them to investigate activity that occurred in the past. These capabilities are crucial ingredients in a comprehensive security defense for retail organizations.