Aligning Stakeholders, Protecting Against Malicious Insiders, and the Reality that Nothing is Purely Internal Anymore

September 1st, 2020

Starting and Growing a Cyber Security Program

When joining any new company and trying to build the security program, it’s important to listen and seek to understand the business’ goals and objectives. At the end of the day, we’re not doing security for security’s sake, because it’s cool, or because somebody told us to. We implement security controls and policies in a commercial setting – or in any setting – for a purpose: to support the business, drive more business, grow the company, and earn a reputation for trustworthiness with customers.

Fully understanding the business motivators for the company is critical. You need to understand and embrace the corporate organizational goals, mission, and the short- and long-term objectives the organization wants to achieve. With this information at hand, you can then develop your own strategy to support these initiatives.

For example, when I joined Demandware, the company had just gone public a few months prior, which pushed for a shift in priorities and strategy – one of which was the desire to provide a SOC 2 report to customers. The ask (and need) was urgent, making my first order of business to ensure we were able to fulfill these contractual obligations and support the goals of the business. First, I assessed the security organization and determined I needed someone who could help organize all the compliance-related work and audit enablement that goes into a project of that scale. So that’s where we started. We built the organization and team as we moved forward, took note of other areas we needed to work on, and hired the right talent to fulfill the need.

As you build out your security program, start from the core deliverables you need to focus on first, identify and prioritize your gaps, and fill those as you go.

The Criticality of Aligning Stakeholders

Companies are starting to realize that skimping on security will eventually get you into trouble. However, I think people generally can’t properly assess the likelihood of risky events. The typical response, a mentality almost innate to most human beings, is: “This would never happen to me/us.” We either overestimate the risk by orders of magnitude or completely underestimate the probability. People have a hard time predicting the likelihood of something happening, and that challenge still gets in the way in security organizations today.

Today, many of the more mature security programs are focused on driving security from a risk-based perspective. Understanding where you shine, where you’re not so good, the overall risk to your company, and alignment to business strategies, gives you a much better chance to be heard and given the resources to build a security program that is meaningful to your stakeholders.

An old adage that I think fits the industry well is that “a good compromise means all sides are equally unhappy,” and I think that’s really what we need to strive for. We cannot have perfect security; it would either not be supportive of corporate goals, be too expensive, or both. In parallel, we cannot completely ignore some of the risks and threats we are seeing in today’s environment. Finding the right middle ground is the key here. Modern risk-based analysis tools can make it much easier to make some of these calls.

Agent of Influence Podcast - Episode 11

The Ultimate Security Challenge: Malicious Insiders

An important distinction should be made between the unintentional insider, the complacent insider, and the malicious insider. The unintentional person is someone who accidentally clicks on a phishing email and makes a mistake. The complacent person isn’t necessarily working within the framework that everyone agreed to but isn’t necessarily intentionally working against it.

Then there is the malicious insider, which is one of the hardest problems to solve in security. Solving this problem is incredibly difficult – you essentially have to go into the psychology of people to understand whether you’re dealing with a disgruntled employee or someone who has lost loyalty to the company and wants to capitalize on the opportunity.

Determining the right level of technical and security awareness, monitoring, and controls your organization will pay for depends on how you define your threat profile and what you want to protect against. If you truly want to protect against a motivated attacker with sufficient funds and deep insight into your organization, then you’re going to need to spend a lot of money on tools, put forth a lot of effort on developing proper processes, and, most importantly, provide rigorous training for your employees to help them identify and report anything they deem suspicious. You’ll also need to monitor employee activity against a baseline of normal behavior, and effectively do background checks to figure out their true motivations. This is incredibly challenging and goes way beyond what most small and medium businesses would ever consider. Even for larger enterprises and governments, it can be quite difficult to manage and defend against malicious insiders.
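The "baseline analysis" mentioned above is, at its simplest, a per-user model of normal activity and a rule for what counts as a deviation. The following is an added example (not code from the podcast or from the author's organizations) of that idea applied to constructed access-log lines; the log field layout, the `records=` counter, the five-day baseline window and the 3-sigma-plus-ratio rule are all assumptions chosen for illustration.

```python
"""Per-user activity baseline over export-log lines (added example, constructed data)."""
import re
import statistics
from collections import defaultdict

# Constructed sample log lines; the field layout is an assumption, not any
# product's real format. 'alice' is normal for five days, then exports ~45x her
# usual volume; 'bob' stays flat.
SAMPLE_LOG = """\
2020-08-24 user=alice action=export records=110
2020-08-25 user=alice action=export records=95
2020-08-26 user=alice action=export records=120
2020-08-27 user=alice action=export records=105
2020-08-28 user=alice action=export records=90
2020-08-31 user=alice action=export records=4800
2020-08-24 user=bob action=export records=10
2020-08-25 user=bob action=export records=12
2020-08-26 user=bob action=export records=9
2020-08-27 user=bob action=export records=11
2020-08-28 user=bob action=export records=14
2020-08-31 user=bob action=export records=13
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) action=\S+ records=(?P<n>\d+)$"
)


def parse_daily_totals(text):
    """Return {user: {day: total_records}}; lines that do not match are skipped."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        totals[m["user"]][m["day"]] += int(m["n"])
    return totals


def build_baseline(days, baseline_len):
    """Mean and population stdev over the first baseline_len days (chronological).
    Returns None when there is not enough history to say what 'normal' is."""
    ordered = sorted(days.items())[:baseline_len]
    if len(ordered) < 2:
        return None
    vals = [count for _, count in ordered]
    return statistics.mean(vals), statistics.pstdev(vals)


def find_anomalies(totals, baseline_len=5, sigma=3.0, min_ratio=2.0):
    """Flag (user, day, count) for days after the baseline window where count
    exceeds mean + sigma*stdev AND is at least min_ratio times the mean.
    The ratio floor keeps a near-flat baseline (stdev close to 0) from
    flagging trivial fluctuations as anomalies."""
    flagged = []
    for user, days in totals.items():
        baseline = build_baseline(days, baseline_len)
        if baseline is None:
            continue
        mean, sd = baseline
        for day, count in sorted(days.items())[baseline_len:]:
            if count > mean + sigma * sd and count >= min_ratio * mean:
                flagged.append((user, day, count))
    return flagged


if __name__ == "__main__":
    for user, day, count in find_anomalies(parse_daily_totals(SAMPLE_LOG)):
        print(f"ANOMALY user={user} day={day} records={count}")
```

A real deployment would baseline several dimensions (hosts touched, off-hours access, data classification of what was read) and feed the flags to a human, since a single spike is a lead for an investigation, not proof of malice.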

As you think about your threat landscape, understanding who the threat actors are that you want to protect yourself against should be the input into what kind of control mechanisms you decide to put in place.

Is Anything Internal Anymore?

I don’t think there’s anything purely internal anymore, especially during COVID-19 and the various lockdowns and restrictions that we have in place. For example, at LogMeIn, we have 4,000 offices now – every single employee home office – and there really isn’t an internal network that could provide an adequate level of protection. Employees have to be able to connect from anywhere at any given point in time (circling back to business goals and objectives). Back in March, security leaders who thought that VPN was the best solution for everything saw the scalability limits of that approach. I think companies that have been more aggressive in adopting SaaS and zero trust approaches have had a somewhat easier time adjusting their business processes to a rapidly changing environment.

As long as you rely on the special privilege associated with the presence on a particular network or physical presence in a particular area, your scalability and agility suffer a lot. I think the right approach to solving these kinds of problems is to treat every network as a hostile network. There is no inside protection.

Obviously, you have firewalls around your environment and don’t let everybody in, but this only slows down the adversary; it doesn’t stop them. Appropriate protection against adversarial activity requires that your sensors, tools, and SecOps teams are capable of detecting the noise made by the adversary and eradicating them. Relying on firewalls as the only way to protect yourself is a dangerous and slippery slope. At the end of the day, if somebody does sneak through the front or side door and establishes a beachhead within your perimeter, lateral movement becomes incredibly easy.
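The difference between "presence on the network is a privilege" and "every network is hostile" is easiest to see as two access-decision functions side by side. The following is an added example, not code from LogMeIn or from the author; the request fields, the corporate address range, the resource-to-role table and the eight-hour session limit are assumptions made for illustration. It shows why an attacker with a beachhead on an internal host walks straight through the perimeter model but is stopped by an identity- and device-based one, while a remote employee gets the opposite outcome.

```python
"""Perimeter (network-location) trust vs. zero trust access decisions (added example)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Assumed "internal" address space for the legacy model.
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed authorization table: resource -> roles allowed to reach it.
RESOURCE_ROLES = {
    "hr-db": {"hr", "admin"},
    "wiki": {"hr", "admin", "engineering", "sales"},
}


@dataclass(frozen=True)
class Request:
    src_ip: str
    resource: str
    user: Optional[str] = None       # authenticated principal; None if none presented
    roles: frozenset = frozenset()   # roles asserted by the identity provider
    mfa: bool = False                # strong second factor completed this session
    device_managed: bool = False     # device enrolled in management
    device_compliant: bool = False   # disk encrypted, patched, endpoint agent healthy
    token_age_s: int = 0             # seconds since the session token was issued


def legacy_allow(req: Request) -> bool:
    """Perimeter model: anything sourced from the corporate network is trusted.
    A beachhead on any internal host inherits that trust for free."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in CORP_NETWORKS)


def zero_trust_allow(req: Request, max_token_age_s: int = 8 * 3600) -> Tuple[bool, str]:
    """Every network is hostile: decide on identity, session freshness, device
    posture and authorization only. The source IP deliberately plays no role,
    so lateral movement inside the perimeter buys the attacker nothing."""
    if req.user is None:
        return False, "no authenticated identity"
    if req.token_age_s > max_token_age_s:
        return False, "session token expired"
    if not req.mfa:
        return False, "mfa not completed"
    if not (req.device_managed and req.device_compliant):
        return False, "device not managed or not compliant"
    allowed_roles = RESOURCE_ROLES.get(req.resource)
    if allowed_roles is None:
        return False, "unknown resource"
    if not (req.roles & allowed_roles):
        return False, "role not authorized for resource"
    return True, "ok"


# Constructed scenarios.
# 1. Attacker with a beachhead on an internal host: no identity, no managed device.
BEACHHEAD = Request(src_ip="10.0.5.7", resource="hr-db")
# 2. HR employee at home on a managed, compliant laptop, MFA done ten minutes ago.
REMOTE_HR = Request(src_ip="203.0.113.42", resource="hr-db", user="alice",
                    roles=frozenset({"hr"}), mfa=True, device_managed=True,
                    device_compliant=True, token_age_s=600)
# 3. Same employee with a stale session: must re-authenticate.
STALE_HR = replace(REMOTE_HR, token_age_s=9 * 3600)
# 4. An engineer, fully compliant, trying to reach the HR database.
ENGINEER_ON_HR = replace(REMOTE_HR, user="carol", roles=frozenset({"engineering"}))


def compare(req: Request) -> dict:
    """Decision of both models for one request."""
    return {"legacy": legacy_allow(req), "zero_trust": zero_trust_allow(req)[0]}


if __name__ == "__main__":
    for name, req in [("beachhead", BEACHHEAD), ("remote_hr", REMOTE_HR),
                      ("stale_hr", STALE_HR), ("engineer_on_hr", ENGINEER_ON_HR)]:
        print(name, compare(req), zero_trust_allow(req)[1])
```

The point of the ordering in `zero_trust_allow` is that each check is independent of where the packet came from; a firewall can still sit in front as a rate limiter and noise filter, but it is no longer what the access decision rests on.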

The line between internal and external assets has been blurred over time, especially with connectivity and mobility. Employees now bring their laptops home and have VPN access on their personal tablets and smartphones. Accepting the change in how we work will only benefit organizations in the long term, and leaders need to think critically about how they’re going to approach this change.

There is no internal network that is special – or truly internal anymore.

Words of Advice

In closing, below are some words of advice that I live by in our industry.

  1. Communication starts with listening.
  2. Context matters a lot.
  3. Building durable relationships with stakeholders is the most important thing you can possibly do if you want to be successful in our line of business.

About Gerald Beuchelt

Gerald Beuchelt is the Chief Information Security Officer for LogMeIn, responsible for the security, compliance, and technical privacy of LogMeIn’s products and corporate assets. In his prior role, Gerald was the Chief Security Officer for Demandware, responsible for security and was also the Acting Chief Privacy Officer and Data Protection Officer for Demandware’s German subsidiary. Gerald was also a Principal Information Security Engineer at Mitre, with a focus on information assurance and identity management and applying these technologies in the context of complex government environments. He worked closely with technical standards communities, business partners and suppliers, as well as senior representatives of Mitre’s government sponsors. Gerald is on the board of directors for the National Cyber Security Alliance. He is also a member of the InfraGard Member Alliance Boston chapter’s board of directors and the IT Sector Chief, as well as national subject matter expert for InfraGard. Gerald volunteers as chairman of the Information Security Advisory Committee of Burlington, Massachusetts. Gerald holds a Master of Science degree in Theoretical Physics.
