Gerald Beuchelt is the Chief Information Security Officer for LogMeIn, responsible for the security, compliance, and technical privacy of LogMeIn’s products and corporate assets. In his prior role, Gerald was the Chief Security Officer for Demandware, responsible for security and was also the Acting Chief Privacy Officer and Data Protection Officer for Demandware’s German subsidiary. Gerald was also a Principal Information Security Engineer at Mitre, with a focus on information assurance and identity management and applying these technologies in the context of complex government environments. He worked closely with technical standards communities, business partners and suppliers, as well as senior representatives of Mitre’s government sponsors. Gerald is on the board of directors for the National Cyber Security Alliance. He is also a member of the InfraGard Member Alliance Boston chapter’s board of directors and the IT Sector Chief, as well as national subject matter expert for InfraGard. Gerald volunteers as chairman of the Information Security Advisory Committee of Burlington, Massachusetts. Gerald holds a Master of Science degree in Theoretical Physics.
When joining any new company and trying to build the security program, it’s important to listen and seek to understand the business’ goals and objectives. At the end of the day, we're not doing security for security’s sake or because it's cool or because somebody told us to. We're implementing security controls and policies in a commercial setting – or in any setting – for a purpose. We want to support the business. We want to drive more business. We want to grow the company. We want to create a reputation with customers of trustworthiness.
Fully understanding the business motivators for the company is critical. You need to understand and embrace the corporate organizational goals, mission, and the short- and long-term objectives the organization wants to achieve. It’s with this information at hand, you can then develop your own strategy to support these initiatives.
For example, when I joined Demandware, the company had just gone public a few months prior pushing for a shift in priorities and strategy – one of which was the desire to provide the SOC2 report to customers. The ask (and need) was urgent, leaving my first order of business to make sure we were able to fulfill these contractual obligations and support the goals of the business. First, I assessed their security organization and determined I needed someone who could help organize all the compliance-related work and audit enablement that goes into a project of that scale. So that's where we started. We built the organization and team as we moved forward and took note to other areas we needed to work on, and hiring the right talent to fulfill the need.
As you build out your security program, start from the core deliverables that you need to focus on first, identify and prioritize your gaps, and you can fill those as you go.
The Criticality of Aligning Stakeholders
Companies are starting to realize that skimping on security will eventually get you into trouble. However, I think people generally can’t properly assess the likelihood of risky events. The typical response, or mentality almost innate to most human beings is: “This would never happen to me/us.”. We either overestimate the risk by orders of magnitude or completely underestimate the probability. People have a hard time properly predicting the likelihood of something happening, and that is a challenge that still gets in the way today in security organizations.
Today, many of the more mature security programs are focused on driving security from a risk-based perspective. Understanding where you shine, where you're not so good, the overall risk to your company, and alignment to business strategies, gives you a much better chance to be heard and given the resources to build a security program that is meaningful to your stakeholders.
An old adage that I think fits the industry well is that “a good compromise means all sides are equally unhappy,” and I think that's really what we need to strive for. We cannot have perfect security; it would either not be supportive of corporate goals, be too expensive, or both. In parallel, we cannot completely ignore some of the risks and threats we are seeing in today's environment. Finding the right middle ground is the key here. Modern day risk-based analysis tools can give make it much easier to make some of these calls.
The Ultimate Security Challenge: Malicious Insiders
An important distinction should be made between the unintentional insider, the complacent insider, and the malicious insider. The unintentional person is someone who accidentally clicks on a phishing email and makes a mistake. The complacent person isn’t necessarily working within the framework that everyone agreed to but isn’t necessarily intentionally working against it.
Then there is the malicious insider, which is one of the hardest problems to solve for in security. Solving this problem is incredibly difficult - you essentially have to go into the psychology of people to understand if you’re dealing with a disgruntled employee or someone who lost loyalty to the company and wants to capitalize on the opportunity.
Determining the right level of technical and security awareness, monitoring, and controls your organization will spend for depends on how you define your threat profile and what you want to protect against. If you truly want to protect against a motivated attacker with sufficient funds and deep insight into your organization, then you’re going to need to spend a lot of money on tools, put forth a lot of effort on developing proper processes, and most importantly, provide rigorous training for your employees to help identify and report anything they deem suspicious. You’ll also need to check your employees’ activity, intentions, running baseline analysis, and effectively doing background checks to figure out their true motivations. This is incredibly challenging and goes way beyond what most small and medium businesses would ever consider. Even for larger enterprises and governments, it can be quite difficult to manage and defend against malicious insiders.
As you think about your threat landscape, understanding who the threat actors are that you want to protect yourself against should be the input into what kind of control mechanisms you decide to put in place.
Is Anything Internal Anymore?
I don’t think there’s anything purely internal anymore. Especially during COVID-19 and the various lockdowns and restrictions that we have in place. For example, at LogMeIn, we have 4,000 offices now – every single employee home office – and there really isn’t an internal network that could provide an adequate level of protection. Employees have to be able to connect from anywhere at any given point in time (circling back to business goals and objectives). Back in March, Security leaders who thought that VPN was the best solution for everything have seen the scalability limits of that approach. I think companies that have been more aggressive in terms of adopting SAS and zero trust approaches have had a somewhat easier time adjusting their business processes to a rapidly changing environment.
As long as you rely on the special privilege associated with the presence on a particular network or physical presence in a particular area, your scalability and agility suffer a lot. I think the right approach to solving these kinds of problems is to treat every network as a hostile network. There is no inside protection.
Obviously, you have firewalls around your environment and don't let everybody in, but this only slows down the adversary – doesn’t stop it. The appropriate protection against adversarial activity requires that your sensors, tools, and Sec Ops teams are capable of detecting noise made by the adversary and eradicating them. Just relying on firewalls as the only way to protect yourself is a dangerous and slippery slope. At the end of the day, if somebody does sneak through the front or side door, and establishes a beachhead within your perimeter, a lateral movement becomes incredibly easy.
The line between internal and external assets has been blurred over time, especially with connectivity and mobility. Employees are now bringing their laptops home and have access to VPN on their personal tablets and smartphones. Accepting the change in how we work will only benefit organizations in the long term, and leaders need to think critically about how they're going to approach this change.
There is no internal network that is special – or truly internal anymore.
Words of Advice
In closing, below are some words of advice that I live by in our industry.
Communication starts with listening,
Context matters a lot.
Building durable relationships with stakeholders is the most important thing you can possibly do if you want to be successful in our line of business.
[post_title] => Aligning Stakeholders, Protecting Against Malicious Insiders, and the Reality that Nothing is Purely Internal Anymore
[post_excerpt] => When joining any new company and trying to build the security program, it’s important to listen and seek to understand the business’ goals and objectives.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => aligning-stakeholders-protecting-against-malicious-insiders-reality-that-nothing-is-purely-internal-anymore
[to_ping] =>
[pinged] =>
[post_modified] => 2021-04-14 10:05:22
[post_modified_gmt] => 2021-04-14 10:05:22
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=19705
[menu_order] => 473
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
)
[post_count] => 1
[current_post] => -1
[before_loop] => 1
[in_the_loop] =>
[post] => WP_Post Object
(
[ID] => 19705
[post_author] => 83
[post_date] => 2020-09-01 07:00:14
[post_date_gmt] => 2020-09-01 07:00:14
[post_content] =>
Starting and Growing a Cyber Security Program
When joining any new company and trying to build the security program, it’s important to listen and seek to understand the business’ goals and objectives. At the end of the day, we're not doing security for security’s sake or because it's cool or because somebody told us to. We're implementing security controls and policies in a commercial setting – or in any setting – for a purpose. We want to support the business. We want to drive more business. We want to grow the company. We want to create a reputation with customers of trustworthiness.
Fully understanding the business motivators for the company is critical. You need to understand and embrace the corporate organizational goals, mission, and the short- and long-term objectives the organization wants to achieve. It’s with this information at hand, you can then develop your own strategy to support these initiatives.
For example, when I joined Demandware, the company had just gone public a few months prior pushing for a shift in priorities and strategy – one of which was the desire to provide the SOC2 report to customers. The ask (and need) was urgent, leaving my first order of business to make sure we were able to fulfill these contractual obligations and support the goals of the business. First, I assessed their security organization and determined I needed someone who could help organize all the compliance-related work and audit enablement that goes into a project of that scale. So that's where we started. We built the organization and team as we moved forward and took note to other areas we needed to work on, and hiring the right talent to fulfill the need.
As you build out your security program, start from the core deliverables that you need to focus on first, identify and prioritize your gaps, and you can fill those as you go.
The Criticality of Aligning Stakeholders
Companies are starting to realize that skimping on security will eventually get you into trouble. However, I think people generally can’t properly assess the likelihood of risky events. The typical response, or mentality almost innate to most human beings is: “This would never happen to me/us.”. We either overestimate the risk by orders of magnitude or completely underestimate the probability. People have a hard time properly predicting the likelihood of something happening, and that is a challenge that still gets in the way today in security organizations.
Today, many of the more mature security programs are focused on driving security from a risk-based perspective. Understanding where you shine, where you're not so good, the overall risk to your company, and alignment to business strategies, gives you a much better chance to be heard and given the resources to build a security program that is meaningful to your stakeholders.
An old adage that I think fits the industry well is that “a good compromise means all sides are equally unhappy,” and I think that's really what we need to strive for. We cannot have perfect security; it would either not be supportive of corporate goals, be too expensive, or both. In parallel, we cannot completely ignore some of the risks and threats we are seeing in today's environment. Finding the right middle ground is the key here. Modern day risk-based analysis tools can give make it much easier to make some of these calls.
The Ultimate Security Challenge: Malicious Insiders
An important distinction should be made between the unintentional insider, the complacent insider, and the malicious insider. The unintentional person is someone who accidentally clicks on a phishing email and makes a mistake. The complacent person isn’t necessarily working within the framework that everyone agreed to but isn’t necessarily intentionally working against it.
Then there is the malicious insider, which is one of the hardest problems to solve for in security. Solving this problem is incredibly difficult - you essentially have to go into the psychology of people to understand if you’re dealing with a disgruntled employee or someone who lost loyalty to the company and wants to capitalize on the opportunity.
Determining the right level of technical and security awareness, monitoring, and controls your organization will spend for depends on how you define your threat profile and what you want to protect against. If you truly want to protect against a motivated attacker with sufficient funds and deep insight into your organization, then you’re going to need to spend a lot of money on tools, put forth a lot of effort on developing proper processes, and most importantly, provide rigorous training for your employees to help identify and report anything they deem suspicious. You’ll also need to check your employees’ activity, intentions, running baseline analysis, and effectively doing background checks to figure out their true motivations. This is incredibly challenging and goes way beyond what most small and medium businesses would ever consider. Even for larger enterprises and governments, it can be quite difficult to manage and defend against malicious insiders.
As you think about your threat landscape, understanding who the threat actors are that you want to protect yourself against should be the input into what kind of control mechanisms you decide to put in place.
Is Anything Internal Anymore?
I don’t think there’s anything purely internal anymore. Especially during COVID-19 and the various lockdowns and restrictions that we have in place. For example, at LogMeIn, we have 4,000 offices now – every single employee home office – and there really isn’t an internal network that could provide an adequate level of protection. Employees have to be able to connect from anywhere at any given point in time (circling back to business goals and objectives). Back in March, Security leaders who thought that VPN was the best solution for everything have seen the scalability limits of that approach. I think companies that have been more aggressive in terms of adopting SAS and zero trust approaches have had a somewhat easier time adjusting their business processes to a rapidly changing environment.
As long as you rely on the special privilege associated with the presence on a particular network or physical presence in a particular area, your scalability and agility suffer a lot. I think the right approach to solving these kinds of problems is to treat every network as a hostile network. There is no inside protection.
Obviously, you have firewalls around your environment and don't let everybody in, but this only slows down the adversary – doesn’t stop it. The appropriate protection against adversarial activity requires that your sensors, tools, and Sec Ops teams are capable of detecting noise made by the adversary and eradicating them. Just relying on firewalls as the only way to protect yourself is a dangerous and slippery slope. At the end of the day, if somebody does sneak through the front or side door, and establishes a beachhead within your perimeter, a lateral movement becomes incredibly easy.
The line between internal and external assets has been blurred over time, especially with connectivity and mobility. Employees are now bringing their laptops home and have access to VPN on their personal tablets and smartphones. Accepting the change in how we work will only benefit organizations in the long term, and leaders need to think critically about how they're going to approach this change.
There is no internal network that is special – or truly internal anymore.
Words of Advice
In closing, below are some words of advice that I live by in our industry.
Communication starts with listening,
Context matters a lot.
Building durable relationships with stakeholders is the most important thing you can possibly do if you want to be successful in our line of business.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
Name
Domain
Purpose
Expiry
Type
YSC
youtube.com
YouTube session cookie.
52 years
HTTP
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Name
Domain
Purpose
Expiry
Type
VISITOR_INFO1_LIVE
youtube.com
YouTube cookie.
6 months
HTTP
Test
test.com
Testing
7 days
HTTP
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
We do not use cookies of this type.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
We do not use cookies of this type.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
We do not use cookies of this type.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Cookie Settings
Discover how the NetSPI BAS solution helps organizations validate the efficacy of existing security controls and understand their Security Posture and Readiness.
