The “unresolved” Issues in Cyber security.
Dr. Durga Prasad Dube Ph.D
Global CISO, Senior Information Risk Management Professional, Ex-Reserve Bank of India, IDRBT, Author of published books, Speaker and Ph.D in Cyber Security
Trying to solve the “Unresolved” issues in cyber security is my passion now, and I try to practice and evangelize this. This keeps me going, not the traditional CISO stuff. This is also how I try to contribute to the body of knowledge of cyber security. Let me flag some of my perceived “Unresolved” issues in cyber security and seek your valuable comments on them.
1. Visibility and responsibility in cloud still not transparent
2. Supply Chain Attack – A Damocles Sword over our head
3. Attribution of an attack – Too elusive
4. Existential dimensions of Cyber Risks
5. Evolving security Skills
6. What makes security work in an organization
Visibility and responsibility in cloud still not transparent
These two issues in the cloud have been there from the very inception, when cloud computing came into existence in 2009 or so. SalesForce may have been the first company to deliver an application over the Internet in 2009. Cloud architecture, offerings etc. have since evolved to cater to the needs of large and varied enterprises, but with the growth of cloud technology the problems of visibility and responsibility have become more complex. Though the regulations around data privacy and security have solved many issues, they have also, in a way, contributed to the opaqueness of the cloud. Let me give some examples:
1. It is very difficult to identify a perceived abusive IP in a multitenant environment, even if it is your neighbour in the cloud. No cloud provider will disclose the coordinates of an IP, for privacy reasons. They are required to follow legal and regulatory requirements, which is also fair.
2. How to differentiate between the usual and unusual activities of the cloud provider inside the cloud? These may sometimes create noise which remains unexplained for some time, and that “some time” sometimes becomes very costly. Tenants have no visibility of the management plane, and that creates the opaqueness.
3.?????? Moving workloads to the public cloud means losing many of the controls you had on-premises. Cloud providers do not grant customers direct access to shared infrastructure, and your traditional monitoring infrastructure will, in many cases, not work in the cloud.
4. If previously it was sufficient to use a network tap to mirror traffic and feed it into monitoring tools, in the cloud this is not an option. You also cannot deploy intrusion prevention systems (IPS) to filter traffic in real time. Basically, you cannot access the data packets moving in the cloud or the information contained in them, which dramatically decreases visibility.
5. Containerization in the cloud infrastructure has actually made security more difficult from a visibility perspective. The opaque components used in containers have potential supply chain implications too.
6. The shared responsibility model in the cloud sometimes becomes nobody’s responsibility. Many businesses operate with the false belief that once they migrate their workloads to the cloud, Cloud Security Providers (CSPs) are automatically responsible for their data security. In fact CSPs do implement security, but not to protect the tenants; rather, to protect themselves from the tenants.
Solutions like CNAPP (Cloud Native Application Protection Platform), CSPM (Cloud Security Posture Management), CWPP (Cloud Workload Protection Platform), CASB (Cloud Access Security Broker) etc. try to solve some of the above problems, but they do not seem to be sufficient. Subjects like Tenancy Rights, Know Your Tenant (KYT) etc. should become more evolved and mature in the coming years to address these issues.
Supply Chain Attack – A Damocles Sword over our head
A supply chain attack, also known as a third-party attack, trusted attack, value-chain attack or backdoor breach, is when a cybercriminal accesses a business’s network via third-party vendors or through the supply chain. Cybercriminals can target the weakest link in a company's supply chain network. This could be a supplier, a vendor, a customer or a popular third-party software library. An attack like “SolarWinds” would not have been discovered had it not affected a cyber security company like “Mandiant”. In the current scenario of such a diverse digital supply chain, there is no silver bullet to prevent such attacks. This is a systemic issue and has to be addressed at the environmental level. Some of the de-risking measures which come to my mind are as follows:
· Consolidation of security solutions to reduce the trusted attack surface.
· Use of Software Composition Analysis (SCA) to discover vulnerabilities in open source components (please note that SCA will detect neither zero-day vulnerabilities nor, for that matter, vulnerabilities in many software libraries).
· Fortify endpoint security controls to detect anomalies.
· Improve the efficiency of cyber defence for better situational awareness in the detection and containment of threats.
· An efficient vendor risk management strategy to understand the security posture of third-party vendors/partners.
· Access to cyber intelligence for proactive detection of Indicators of Attack (IOA).
We need to learn how to live with supply chain cyber threats. Adaptability and continuous improvement are key in navigating this evolving landscape.
Attribution of Cyber Attack- Too elusive
Attribution of a cyber attack is difficult. There is no direct technology solution which can address this issue either. This creates a serious expectation mismatch among the stakeholders, and many times CISOs become victims of such a situation. The problem of attribution has grown over the years and is directly proportional to the proliferation of technology. Forget about attribution outside the organization; it is a difficult task to attribute threats inside the organization too. Fighting an “Invisible Army” has always been a very difficult task, be it in the cyber world or in corporate life! This “attribution constraint” should rather be part of the overall cyber defence strategy, without worrying too much about it. This is again a systemic issue and needs the collaboration of multiple global stakeholders, viz. governments, law enforcement authorities, regulators and corporations.
Existential dimensions of Cyber Risk
While organizational models for handling cyber risk vary across institutions, several shortcomings are commonly observed. The most basic has been a lack of clarity in how the lines-of-defense concept should be applied. This concept, as developed by financial institutions to manage risk in the regulatory environment, clearly delineates three lines—business and operations managers, risk and compliance functions, and internal auditors.
In CISO-centered approaches to cybersecurity, the CISO team is responsible for all roles across the lines of defense. The team might identify the cyber risks, decide on the investments in mitigation, design the technical and nontechnical security controls, manage the resources needed to implement controls and operational initiatives, and determine how risk-reduction efforts should be measured and reported. The same function (and sometimes the same person) will thus perform or direct all risk-identifying and risk-reducing activities and then certify whether the activities are working.
Although mature and regulated companies are gradually becoming aware of the existential dimension of cyber risk, it is still considered a technology risk. Defending a business is different from protecting servers. Defending a business requires a sense of Value-at-Risk, a skill which is mostly lacking in CISOs. CISOs and CIOs should integrate their vantage points more deeply into enterprise risk processes in collaboration with the CRO. To implement this approach, an integrated operating model needs to be carefully plotted. Friction among the functions drives up costs, wastes resources and impairs alignment around an “enterprise-wide strategy to reduce cyber risk”. This area is still evolving and unresolved.
Evolving Cyber security Skills
The skills which were very relevant for cyber security professionals/CISOs 5 years ago have become obsolete now, and the skills which are relevant today may become obsolete in the next 5 years too. In my opinion, there is currently no industry consensus on the skill requirements for cyber security professionals and CISOs. Government, academia and other organizations are working in silos to define the requirements, but this may not cater to the needs of the industry unless there is a consultative and collaborative approach. Except for some basic fundamental skills which should be constant, all others are variable, and that is why continuous collaboration is needed to mark the skills to market. “Skill” is an essential component for setting the existential dimensions of cyber risk too. I am a strong believer in “Business Centric Cyber Security”. There is no respite for CISOs from not knowing the business lingo.
What makes Cyber security work in an organization
Having spent almost two decades as a regulator, I am passionately convinced that “What” is equally as important as “How”. For example, “How does a bank run?” and “What makes a bank run?” are equally important and should be known to the relevant people. I am just trying to apply the same philosophy to cyber security, i.e. “What makes cyber security work in an organization?”. Let me put some of my open-ended thoughts in this regard:
1. Technology is not the panacea for all security challenges.
2. There is no technology solution for a management problem. Not all issues in cyber security are necessarily related to technology.
3. Although laws and regulations are important drivers for cyber security, we cannot infer that regulated entities are relatively more secure than non-regulated ones.
4. The concept of Boolean does not work in cyber security. The entire process of cyber security is about how efficiently one manages the trade-offs associated with it.
5. A “No exception” environment is a utopia. It gives a false sense of security.
6. Attacks/incidents are bad, but sometimes act as a necessary evil, maybe at the cost of the CISOs.
And finally, a quote from one of my all-time favourite books, viz. “Beyond Fear” by Bruce Schneier:
“There is no such thing as absolute security. It’s human nature to wish there were, and it’s human nature to give in to wishful thinking. But most of us know, at least intuitively, that perfect, impregnable, completely foolproof security is a pipe dream, the stuff of fairy tales, like living happily ever after.”
Wishing you and your family a very happy, healthy and prosperous New Year 2024.
[Views expressed here in this article are my personal views and should never be construed as the views of my employer. Nothing in this article is generated by ChatGPT; rather, it was created independently to provide original thoughts.]
Senior Solutions Architect specializing in Cyber Security Solutions at Binalyze
(9 months ago) Nicely articulated, Dr. Durga Prasad Dube Ph.D sir. A supply chain component assault can ripple through downstream firms and affect entire sectors. Here cyber resilience ensures firms can survive and recover from assaults, reducing this cascade effect.
Transformative CIO/CISO | Strategic Planner | Operational & Innovation Leader | Driving Seamless Omnichannel Experiences and Robust Cybersecurity at Delta Dental
(10 months ago) Navigating the uncertainties of cybersecurity is like embarking on a dynamic journey in a constantly evolving landscape. The key is a proactive and adaptive approach. Regular risk assessments, threat intelligence, and robust incident response plans are compasses guiding through uncertainties. Appreciate the info here.
CISO Office - [Cyber Sec & Cyber Resilience| Regulatory & QSB Compliance | Cyber Sec Assurance & ITGC Statutory Audits] [InfoSec Advisory | Risk Assessment | Governance ] [ISO 31000:2018, ISO/IEC 27001:2013 LA CQI|IRCA]
(10 months ago) 'Attribution of cyber attack'. Indeed thought provoking. Thank you Sir for sharing.
Board Advisor | Mentor | Author | Keynote Speaker | Diversity Advocate | Passionate Leader | Collaborator
(10 months ago) Pertinent points, Dr. Durga Prasad Dube Ph.D. Thanks for sharing.