CloudChat Interview Series
A CISO’s View: From the Trenches
Dr. John Johnson, Global Security Strategist, John Deere
CipherCloud’s Dr. Chenxi Wang interviews Dr. John Johnson, Global Security Strategist for John Deere
Question: In the face of the recent data breaches, many CISOs today are getting a big budget for incident response. A $20 million budget is not unheard of. Everybody is thinking they might be breached at some point. Most of the budget is spent on doing tabletop exercises, retaining external forensics firms and preparing for the impending reality that is a data breach. Are people giving up on prevention? What are you doing on prevention?
John D. Johnson: This is a good topic. You’re seeing a lot of incident response. Red teaming, trying to find things that you inject. I think that if you look at Anthem, you look at Target, this is a good approach to prevent the same thing that happened yesterday or the same thing that happened to the other guy. I don’t know that this is the long-term best approach. It’s not the total solution to preventing tomorrow’s attack and tomorrow’s threats.
Question: Is this because security practitioners are jaded by the failed promises of prevention products in the past?
Johnson: I understand that. Incident response is great if you have good incident detection. If you don’t have a program that’s mature, you’re going to have a lot of security events coming in and you’re going to miss things. In the short term, it’s like signature-based AV. If you know what it is you want to protect against, you can really look for it. Block it. Respond to it. Ultimately we need to build out the preventative and the proactive part. A lot of our focus today is still perimeter-based.
I heard a statistic in the keynotes that in the Verizon breach report, only 1% were detected by SIEM. I have to wonder if CSI Cyber were focusing on the sexy incident response, building up the SOC. These are necessary. It’s important that we’d be able to respond, but it’s also important that we have complete visibility. We have companies who are building up incident response, putting millions of dollars into it. Yet they have really no visibility into the interior of their network because they’re relying on logs from firewalls, IDSs, all egress points.
(Interviewer: Do you have a SIEM or multiple SIEMs?)
We’re building our maturity and have a SIEM and have a SOC that we’re building up. We are investing in that area, like you said. I do see across the industry that this is something the board understands. They see IT security, information security as board-level issues. If you have the maturity and you’re a bank, you’re probably ahead of the curve. If you’re behind the curve, it’s probably because your IT security is seen as an IT function.
Question: How is cyber security relevant to John Deere’s business?
Johnson: It’s publicly known that John Deere is involved in precision farming. We are gathering information from our equipment and other sensors in the field. I’m sure that will only increase in the future because there’s a huge market to deliver an analytics product to our customers so they can be more efficient and profitable.
Question: I have a car that has an IP address and a browser. The car’s location can be tracked at any given time. All the smart equipment out there can be tracked, including vehicles, cellphones and other devices. As a CISO, how do you manage the proliferation of information? How do you manage information that is going to the cloud and getting on mobile devices? What’s the first step? Second step?
Johnson: Organizations need to have a life cycle for data, for information at their company. They need to understand from the collection of data, machine data, information that might come in from the customer manually, all this data that gets aggregated, they need to have a strategy for what they collect, why they collect it, and how they protect it as it travels and as it’s used and when they get rid of it. You may find that keeping data around too long can be a liability.
Question: Many pay attention to data gathering, but few talk about the last mile of the lifecycle of data – safe erasure of data. When I finish a contract, for instance, with a cloud provider, they may still have my data in some parts of their infrastructure. Do I have assurance that data is being destroyed in a timely manner? In a manner I’m confident with? How do you deal with this issue?
Johnson: It is a very different situation when you go from storage inside to storage in the cloud. I highly recommend companies put together a process to evaluate risk. This involves looking at risk events that include IT security, but also that include legal and compliance issues. We operate globally. Companies that are global have to be concerned about, “How do I manage the data? How do I manage personal data for my customers?” in Europe and around the world. It’s not just a North America problem. There are a number of risks.
I had a discussion yesterday about supply chain risk. Cloud is part of today’s supply chain. Let’s say we’re going to a cloud company, and that cloud company then subcontracts, and that subcontractor subcontracts. They can attest that they’re compliant and they’re following anti-bribery and other global compliance requirements, but what about their subcontractor and the third and fourth and fifth iteration? How do those administrators manage and secure access to our data?
Question: A CISO of a large pharmaceutical company said they did an internal audit of their enterprise applications, and found that 34% of them made calls to AWS cloud. He had no idea these applications were using the cloud, or what those calls consisted of, or what data was being sent out. Are you concerned about those things?
Johnson: There are things you know and things you don’t. If you want to make informed risk decisions, you need to have knowledge, visibility, and information. You need to know about your assets, applications and users. You need to understand your data. Typically there is at least that 5 to 10% of data that’s really sensitive and important to the company…you need to have it classified.
You need inventories. To the same degree, you need to know what’s going on in your network. Companies that don’t look under the rock are going to find, when they turn that rock over, they’ve got threats in their network they weren’t aware of. They’ve got traffic going in and out they weren’t aware of.
(Chenxi: It’s very difficult to look under every rock.)
I’m talking about looking at the egress points at least, and endpoints.
Question: If you have a dollar today, a dollar, where would you invest? Will you invest in end-point security? Will you invest in network security or managing the cloud? Where would you invest? No fractions.
Johnson: I was going to say, “Use that dollar to go buy somebody that’s smart a cup of coffee.” I would be putting my investment today where it gets the most value. That depends on what my goals are. If I know I’m under attack, maybe I would be putting my dollar into identifying and responding to threats. If I have a lot of a data, if my business is looking to the Internet of things…
Maybe it would be on devices. Maybe it would be on the network awareness of what the traffic is. Maybe it would be on network segmentation, more of that.
A security program should be evidence-based. We should have facts. Not fad. Not dogma, as Alex Stamos (Facebook CISO) would put it. The choices we make, there is no single formula. It does vary company by company based on what’s important. Ultimately, it’s about protecting the data. When I put data in the cloud, maybe I want to hold the keys for the data. Then I know I’m managing it and I’m responsible for it. I take a very data-centric approach.
A couple of years ago, maybe five years ago, there were a lot of people looking at MDM for mobile device management. Back then, mobile device management was not terribly mature. It didn’t always work well. Now it’s working great, but investing in device management for mobile devices isn’t where I would spend my dollar. I would much rather spend my dollar on how to protect the data on those mobile devices and have visibility into what people are doing with company data. Where that data is going. Where it’s being shared, etc.
Question: We are in the middle of RSA, the biggest security conference. When you look around the show floor, which new technologies excite you the most?
Johnson: I’m seeing a trend toward an abstraction layer in the cloud. If you think about it, we understand the castle walls are coming down. The perimeter is eroding rapidly. It already looks like Swiss cheese. All these people have privileged access and they come and do things, and often we have issues with logging, accountability, and authentication. Knowing that the person and the device should have the access they’re being granted.
It’s very difficult when I may have multiple cloud providers and those cloud providers often do not have multi-factor authentication. If I have confidential data in the cloud and I’d love to use the cloud, I want to know it’s encrypted and I manage the keys. I’d like to know only the people who should be accessing access it. Trying to protect confidential data in the cloud with static credentials is not the way to go.
Question: The “cloud abstraction layer” helps to abstract away the cloud-specific details and gives the user organization a logical layer for control. Do you think that’s the way the industry is moving?
Johnson: We have to, because the idea that we’re going to back haul all of our traffic to our data centers and then we’re going to build up all this infrastructure over and over…proxies, firewalls, unified threat management, DLP. Yet, when I take my laptop to Starbucks, you no longer know what I’m doing. If I really want to enable anytime/anywhere access, it should be role-based. There should be some strong authentication and there should be a component that’s providing that security layer. It should be in the cloud.
(Chenxi: That security layer today is actually hybrid because we need some on premises pieces. Critical pieces such as key management. These pieces will work together with cloud controls)
Today it will be. People aren’t going to take their investment and throw out what they have. I am seeing HSMs that are being hosted at places like AWS. Things are moving to the cloud. Eventually a lot of the hybrid will go away. In the meantime, people want to make use of what they have on-prem. For example, a proxy is not just about preventing you from going to a gambling website. It’s about acceleration. There are other benefits as well. That’s why we have these load balancers and firewalls and all these things. We still live in a castle, but we can’t trust it the way we used to.
Question: Going back to “prevention”: the castle walls are coming down. Investing in incident response means I’m putting in a new alarm system. What will be the next generation of prevention technology? Do you think prevention will be exercised inside a cloud data center, while a user organization will simply focus on governance and let those who host my data worry about prevention?
Johnson: In a lot of cases, we’re moving in that direction. From a governance standpoint, I need to know who is doing what; that means real-time logs, authentication logs, etc. From an application standpoint, I still need the ability to have logs and certain detailed controls. But I don’t need to manage IDS. That is going to be ceded to the cloud provider. My responsibility will be to ensure appropriate use and compliance, and I might need some artifacts for that. It’s a journey. It really depends on what you have. If it’s an application, you may have less control. On the other hand, you may want to go to a platform like Azure in the cloud where maybe you maintain more control. It’s a spectrum.
Question: Are the boundaries between SaaS, PaaS, and IaaS beginning to blur, because often you may want to customize SaaS or add an abstraction on top of an infrastructure service? For security, we are moving towards platform-as-a-service because you can customize the things that are living in the cloud.
Johnson: I’d like to emphasize that our job as information security professionals is to take a leadership role in the enterprise. We need to be able to step up, understand what it is the business wants to accomplish. Not just be reactionary. That’s where we need to evolve, from this incident response attitude to being proactive and enabling the business so we understand the risks.
We understand the controls and what’s possible. For instance, you don’t have to have a hybrid Exchange environment anymore. Now I can provide a way I can work with vendors that can allow me to hold the keys. I can go out there and embrace that and my CEO won’t be nervous that his material information is sitting out there, at risk in the cloud.
Audience question: How do you carry role-based access control to the cloud given that the cloud may not have visibility to your organizational roles?
Johnson: That’s important. You need to understand what controls are possible. What you have to work with to have a layer of security. Probably one of the most fundamental aspects of security is need-to-know. In an environment where you don’t have any sensitive data, it’s all public data. It’s data sheets. We don’t necessarily need to log in and know everything. The only reason to log in is for marketing purposes. When you have confidential data, sensitive data, and intellectual property and so on, you want to limit the risk.
The way to limit the risk is to have people get to the data they need to get to and do their jobs. If you co-mingle data and have a huge amount of information and data together, you’ve got a huge risk. Now you’re allowing somebody to access everything. If you allow them to access just what they need to do their job, at least you are limiting that risk. For instance, the role-based piece: how should we implement that in the cloud?
You can try to do role-based controls inside your data center. You can use ADFS or federated identity or SAML, and tie that back to your Active Directory or LDAP. This abstraction layer in the cloud can also proxy authentication. For instance, if you use ServiceNow, you may have users go to tractor.servicenow.com. Users are redirected to this abstraction layer in the cloud, which is the proxy for authentication. It then applies our role-based information. Of course we have to expose our directory to that. One of the items on my checklist when I work with a SaaS provider is to look at, “Can they utilize our identity stores?” That’s very important. That way we can have the policy in my ID directory carried out in the cloud.
Authentication is often more important than focusing on encryption. In the industry, there is an over-simplified view of encryption, that we’re safe because we encrypt the disk or we encrypt the database. But if your credential leaks, that’ll be a big problem.
Interviewer: Thank you so much, John. I love what you said. IT security should take a leadership role and that’s absolutely important.