On Nov. 3, data-protection executives and experts convened at the Federal Reserve Bank of Boston for the 2016 Advanced Cyber Security Center (ACSC) conference. The topic that carried the day was how to strengthen collaborative defense.
“[The ACSC] was very much started as a collaborative enterprise,” William Guenther, chairman of the ACSC, said in his opening remarks. “The bad guys are doing better than the good guys; the bad guys collaborate better informally — and, sometimes, formally.”
Consequently, Guenther noted, enterprises have begun sharing InfoSec threat intel themselves. But, he said, it has not been enough.
“Threat sharing: the notion was that sharing threats and looking at threat indicators and signatures of attackers was a critical part of collaboration and defense,” said Guenther. “Threat sharing alone wasn’t solving the problem, [however].”
And so the conference proceeded, with speakers discussing something elevated beyond mere threat sharing — “collaborative defense.” Sessions throughout the day focused on this topic. Here are four of the most noteworthy takeaways from the conference on improving your collaborative defense posture:
1. Create and Use a Framework
Toward the end of his opening address, Guenther called upon all of the attendees and their organizations to create a template for collaborative practices — and strictly measure their actual performance against their respective templates.
“Do we do those things?” Guenther urged attendees to ask themselves. “And [who] is responsible for it?”
2. Take a Cloud’s Eye View
“Eighty percent of that [cloud] infrastructure may be something that you don’t have visibility into. . . . So how do you know you can trust it?” warned Richard Puckett, vice president of cybersecurity and product & commercial security at GE Digital, in his keynote presentation at the conference, “Beyond Threat Sharing: The Case for ‘Collaborative Defense.’” “You have to think about cloud a little different. It’s not infrastructure you wholly maintain [because] it’s somebody else’s computer.”
This means you need a cloud vendor that is willing to work with you rather than pigeonholing you into boilerplate SLAs that don’t address your specific needs. To illustrate, Puckett reported that in Amazon Web Services SLAs, “The standard language is 72 hours” for AWS to issue a ticket.
“So for many of you, running critical [systems], is that acceptable?” said Puckett. “No.”
Of course, collaborating with cloud providers goes beyond negotiating SLAs. It also goes to actual, ongoing collaboration on security — allowing your own people to get a better understanding of how your cloud solution works from the inside.
“We knew we couldn’t do this without the cloud providers themselves,” said Puckett. “It’s fascinating . . . the speed at which these teams come together to solve problems, because once they came together, they had great ideas.”
“We’ve taken people from our operations teams — whether that’s in design, intelligence, security operations — [and] they do a day in the life of a cloud provider,” explained Puckett, “so they know what the challenges and hurdles are in defending that environment.”
Puckett went on to note that this practice is a two-way street involving bringing cloud provider people into your own operation.
3. Let Your Cloud Vendors Audit You
It is common for enterprise customers to ask their cloud providers about how they’ve performed on audits, if not audit the cloud providers themselves. According to Puckett, however, GE has learned that there is extra value to be had in turning the tables on yourself.
“The other thing we did was we stopped treating them like a vendor,” said Puckett of GE’s cloud providers. “We knew they were crucial to our survival . . . so we came up with the concept of a common scorecard. So the idea is [that] they get to measure us just as much as we get to measure them.”
To be sure, if they are doing their jobs properly, vendors — cloud vendors included — are not just selling you a widget or a service; they are selling you a solution. Accordingly, your cloud vendors themselves should be a critical and proactive part of your cybersecurity solution. And a true solution requires hard truths.
“They’re actually turning around and giving us a score,” said Puckett, “and saying, ‘You’re not that good.’”
4. Turn Your Legal and Compliance Teams into Data Security Pros
Discussing barriers to information sharing during the session that followed Puckett’s presentation, panelists spoke often about regulatory and other legal obstacles.
“Oftentimes there are barriers to sharing information post-incident,” said Puckett as he participated on the panel. “At the tail end of it, there may be a lot of reluctance to expose [that information]. There may be regulatory reasons why you can’t talk about it.”
“There will always be regulatory restraints,” agreed co-panelist Michael Darling, a cybersecurity and privacy director at PwC. “But you can anonymize [the data].”
As valuable as your legal and compliance experts are, they can be made more valuable by empowering them with a little education and enlisting them as collaborators on your cybersecurity team.
“We’ve actually spent a lot of time [doing this],” said Puckett of GE. “The better educated your legal teams can be, [the better they] can actually help you tear [those obstacles] down a little bit as a group and get better intelligence.”
Fellow panelist Mike Papay, vice president and CISO of Northrop Grumman, also reported that his own company involves legal teams — as well as external communication teams and even HR teams — to enhance both the cybersecurity and the compliance perspective within Northrop Grumman.
“Maybe there’s an opportunity to engage a forum of HR professionals to talk about information security,” posited Papay as compliance-related workers’ roles were discussed. “So get them involved and talking about information sharing as well.”
Additionally, Puckett pointed out, your legal and compliance teams may well appreciate the opportunity to broaden their horizons and collaborate with people beyond their own silos.
“In May, we brought all of our legal teams together [with our information security people], and I think the lawyers were very excited,” said Puckett.
Then, Puckett quoted the lawyers’ reactions: “This is awesome! We never get to get out of the office!”
Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate communications and data privacy consultant, writer, speaker, and bridge player. Follow him on Twitter at @JoeStanganelli.