Cyber:Secured Forum 2019 rehash

A discussion about connecting cyber and physical security
 - 
Wednesday, September 4, 2019

DALLAS—About a month ago, Cyber:Secured Forum made its way to the Lone Star state and now with the pumpkin spice latte (PSL) trend well on its way in early September, it’s time to grab one and reflect on cyber and physical security. The following are some key points and trends gleaned from the forum by various industry professionals that will help open and navigate discussions into the cyber and physical security worlds. 

Discussion topic #1: IoT, convergence and supply chain risk

As supply risk management changes with the convergence of production and logistics with IT systems, software and networks, and cybersecurity becomes a critical risk factor, understand and mitigating risk becomes a requirement for businesses’ survival. However, the landscape is overrun with dynamic threats and vulnerabilities, leaving business grabbing the latest and seemingly greatest technologies in an effort to stay safe. 

“Businesses are integrating technologies they don’t know how to use,” Mark Weatherford, global information security strategist, Booking Holdings, said, opening up the forum with his keynote. “It’s harder to develop people and processes, so businesses are spending money on technology instead.” In fact, Weatherford said that an average organization manages more than 55 security products. But, with such a high number of security products and the lack of people and processes to properly operate them, businesses are actually hurting themselves. 

“Companies are spending the money” to train people, develop effective and efficient processes, and invest in the right security technology “are experiencing positive effects on security in which “positively affect their ‘Security Poverty Line,’” Weatherford said. (Security Poverty Line is a concept created by Wendy Nather, head of advisory CISO services, Duo Security, defining how difficult it is for organizations to build effective security program when they lack the resources to make it happen). Companies must “understand their Security Poverty Line, segment their environments and have good patch management programs.” 

Weatherford noted that insider threats — naïve and malicious employees — are the number one issue and then there’s everyone in between to be concerned with. He also mentioned, “physical security people wouldn’t spit on the IoT guy if he was on fire.” It’s time for physical and cyber security professionals to simply get over it and come together for the good of companies, people and ultimately, the world. 

Key takeaways from Weatherford

“It’s impossible [for companies] to know all their suppliers because companies don’t know who supplies the suppliers and on down the chain, but knowing 100 percent of ‘critical suppliers’ is really good,” he said. To manage supply chain risk, Weatherford offered the following: 

  1. Establish a Vendor Risk Management (VRM) program. Map your supply chain and identify most important vendors. Identify sub-tier suppliers with critical IT components or embedded software. Know what information or IT systems vendors can access. Review vendor personnel practices. 
  2. Integrate security team into the procurement process, vendor assessments and vendor management. 
  3. Conduct regular briefings on the threat environment and track reporting of and remediation of all vulnerabilities. 

“One of the scariest things about IoT right now is privacy,” Weatherford explained, “because so much of our private information is being shared that we don’t even know about.” To security IoT, Weatherford addressed the following: 

  1. Security must be the focus to ensure security requirements are incorporated into the product lifecycle. 
  2. Encryption is critical and raises the bar for cyber criminals. 
  3. Always change default passwords…ALWAYS.
  4. At the IoT product manufacturers level, privacy policies should clearly define how collected consumer data will be used.
  5. Regulation via government legislation is necessary because market forces will not fix the issue. 

“We need to formally and proactively consider the following challenges for security convergence [between cyber and physical security]: culture; language; adversary; perception; experience (physical security professionals tend to have a more linear career path than IT security); and budget (physical security traditionally CAPE funded with decades-long equipment life-cycles; IT security more OPEX-minded, with equipment refreshes taking place during the three-five year range).”

Discussion topic #2: monetizing cybersecurity 

For security integrators to monetize with cybersecurity, Steve Mains, PhD, CEO, TechMIS, LLC, suggested offering managed security services that provide long-time security for clients and a recurring revenue stream for integrators. Understanding the threats companies face, and knowing the products and services that mitigate those threats is key. Common threat categories security integrators who desire to offer cybersecurity solutions include: unauthorized entry – phishing, penetration of web-facing sites and IoT-stepping; data exploitation – ransom, theft, surveillance and data manipulation; and recovery. 

As a starting point, security integrators should help clients “identify the data they have and what specific data they should be protecting,” Mains said. Then, working into unauthorized entry, “train people, including the IT department about cyberattacks/threats and what to do and not do; send threat simulations to the most gullible people in an organization on a regular basis; perform pen testing on client’s systems; offer anti-virus but take it up a notch so that if someone in an organization accidentally clicks a URL, the software rolls the system back a couple of nanoseconds to prevent malicious activity.” Offering each of these as a service can easily become monthly recurring revenue. 

For data exploitation, offer network segmentation and data encryption services. “Data encryption makes it difficult [for organizations] to use data because it must be decrypted,” Mains explained, “but, if the data is that valuable [to an organization] encrypt it.” To protect precious data, organizations have to sometimes give up ease of use. 

Mains quoted a JP Morgan stat that 80 percent of cybersecurity companies will be out of business in 18 to 24 months and recommended integrating vetted cybersecurity sub-contracting experts into security sales and project teams as the lowest up-front investment to offering cybersecurity to clients.

“PSA has a list of cyber integrators with the vetting done for you,” said Mains. However, for those security integrators who want to go rogue, make sure your vetting process includes a thorough dive into the cyber integrator’s background, including but not limited to validating their offering by using it yourself and determining their line of credit. Once the vetting process is complete, identify potential clients and start selling. 

Key takeaway from Mains

“Going to the cloud is not a security strategy,” he said.  

Discussion topic #3: how to protect and secure video data

The production of video data is literally exploding with the adoption and use of IoT devices, video analytics and artificial intelligence while at the same time, the demand for video data is at an all-time high, according to Brandon Reich, senior director of surveillance products, Pivot 3. Think about all the sensors in play generating data and being transformed into usable information and it’s not such a farfetched notion that the International Data Corporation (IDC) estimates 41.6 billion connected IoT devices including machines, sensors and cameras, generating 79.4 zettabytes of data in 2025

Reich offers the following tips to consider when deploying and using video surveillance and the data it produces: 

  • Performance: make sure the infrastructure is able to ingest all the data coming in without any loss. 
  • Resiliency: protect systems against data loss and downtime because hardware failure will occur. In fact, “hardware is three times likely to fail when used for video data,” Reich said. 
  • Scalability: video systems almost always get larger so must scale storage, compute and bandwidth without disruption. 

To achieve these three goals, Reich mentioned two solutions available today: NVRs and enterprise storage, both of which present their own set of challenges. With NVRs, cameras only have access to resources inside the physical boxes themselves and enterprise storage is built specifically for IT on big, complex, proprietary hardware that requires highly paid people to manage them. To overcome these challenges, Reich recommended a hyperconverged infrastructure for video software-defined data centers built for specific applications. It’s a low-cost, off the shelf hardware that leverages software offering resiliency, sustained performance, scalability and workload consolidation. 

Presenting with Reich was David Stevens, chief solutions evangelist and architect, Hytrust, who said, “78 percent of organizations are planning to up their cybersecurity spend in 2019,” in addition to increasing their cloud usage. When determining which cloud storage provider to partner with, Reich said to make sure the provider understands the particular deployment to determine if it’s realistic to move data to the cloud and determine which system functions can be moved to the cloud. 

Key takeaway from Reich and Stevens

Know and understand the shared responsibility model when it comes to the cloud. With this model, the cloud provider is responsible for keeping the network up and running, and providing a place for data storage, but they are not responsible for what happens to that data. 

Discussion topic #4: convergence

Threats and breaches tend to target organizations’ IT infrastructures; therefore, a unified, collaborative security strategy that incorporates the convergence of cyber, IT and traditional security teams is a must. It leads to faster response times and more effective incident management, which in turn keeps an organization holistically protected. 

“Quite simply, converged security is physical security together with cyber and IT security,” Bill Eckard, director, strategic accounts, Verint Situational Intelligence Solutions, explained. But, “cyber means different things to different people: malware, ransomware, dark web, phishing and more.” Then of course, there’s social media. 

“People willingly put information online via social media,” Eckard said, addition that for example, a drug dealer believes if he or she is on social media he or she isn’t physically seen and therefore, can’t get caught. However, everyone is being watched when they’re online. “Google watches you and then based on your searches and what you’re looking at shows a related ad three times to bait you to click on it.” 

Eckard introduced the concept of geo-based social media awareness using geo-fenced surveillance, a virtual area to listen to what people are talking about within that area, and keyword monitoring on social media during live events. “Monitoring social media uses complimentary equipment that increase ROI, as well,” Eckard pointed out, with security integrators in mind. 

To vet potential partners to incorporate social media monitoring into an offering Eckard said to be sure they have experience, a broad portfolio, open architecture, cyber and physical security expertise and are committed to customer success. 

Key takeaway from Eckard

It’s important to listen to the internet and turn to early warning intelligence from cyber data.

Discussion topic #5: what physical and cyber security can learn from each other

It’s becoming impossible to have physical security without cybersecurity and visa-versa; however, each security focus within an organization seem to be pinned against each other, each competing for the same budget. George Finney, CISO, Southern Methodist University, has worked hard over the past five years to integrate his physical and cybersecurity teams which has resulted in a campus-wide lockdown initiative, centralized support, increased response time, improved student experiences, a reduction of crime on campus and hardening of systems against hacking. He shared the lessons he learned along the way: 

  • Blindspots: identify them and actively do something about them; 
  • Information overload: standardize because using too many tools creates too much information which ends up being unusable because unable to process it, put it into perspective and use it. 
  • Technology: needs to work together seamlessly. 
  • Relationships: partnerships define the success of security so take time to build long-term relationships. 
  • Share: to be secure, everyone needs to share the good and bad security experiences. 

“Security is built into our DNA; we prefer to live in communities because it helps create a feeling of safety,” Finney said. To capitalize on community, Finney suggested actively practicing security to keep it top of mind. For example, practice fire drills for physical safety and for cyber safety, send a fake phishing email and if an employee clicks on it, they are required to complete training about phishing and if they don’t click it, no training is needed. 

Key takeaways from Finney

Don’t lead or sell through fear; don’t try to capitalize on tragic events; use hope which motivates people to do something and creates a proactive environment. Also, take time to document all procedures and processes established and cross train all employees.

Discussion topic #6: the cloud and you

For physical security operations, the cloud has reduced maintenance and provisioning time, but back-end practices do not always secure endpoint applications since standards and APIs must be configured securely by consumers. Chris Peckham, chief operating officer, Building Intelligence, highlighted NIST’s CyberSecurity Framework (CSF) and offered best practices to manage the cloud.

To leverage NIST’s CSF in cloud providers, Peckham offers the following: clarify the environment; leverage cloud to monitor security posture; set to automatically detect and analyze; correlate data to identify who, what and how for an incident and develop a recovery plan that restores systems to normal.

Peckham highlighted the major cloud platforms — Amazon Web Services, Microsoft Azure and Google Cloud — stating, “Microsoft Azure allows customers to make a hybrid environment while Google Cloud is used a lot as a third backup.” 

No matter which cloud provider used, best practices ensure proper cloud management. “Use a Bastion host or jump server; constantly monitor your cloud environment; use multifactor authentication; update and patch regularly,” Peckham said. 

Key takeaway from Peckham

Update your system on a regular basis to prevent security gaps.

Editor's Note: My hope with this article is to help security integrators delve deeper into relevant cyber and physical topics, encourage open discussions and present advice from industry professionals. To keep the discussion going, please Tweet me @SSN_Ginger or email me directly at [email protected]