How to be a successful CISO without a 'real' cybersecurity budget
by Todd Bell | CSO
Many new CISOs are stepping into the role for the first time in a company and no formal budget exists.
A CISO who just started a new job at one of the top 10 cable companies in the US recently lamented that he does not have a cybersecurity budget to purchase tools from FireEye, Palo Alto Networks, and Cylance like his peer CISOs get to.
He further stated that even with a very limited budget, he can still solve cybersecurity problems and reduce enterprise cyber risk with a “back to the basics” approach: tightening security controls, baselining the environment, and adjusting the security architecture of his corporation.
When we hear this common theme from CISOs, we typically think this is an “open source” shop that has to get everything for free in order to have a cybersecurity program. The irony is he was not leaning towards “open source” tools, but applying layered security across the enterprise to reduce cyber risk. All without a true cyber budget.
Over the years, I have learned a very important lesson about cybersecurity: most cybersecurity problems can be solved with architecture changes. While that may seem easy on the surface, it actually is not. When you have to work with a “flat” network and many applications that rely on ancient firewall rules, it is not easy to speak with the CIO and ask to rearchitect the enterprise without hearing some grumbling.
I have been very fortunate to work with many Fortune 500 companies that allow me to experiment with different architectural ideas, which requires some very clever convincing/selling of how they will benefit the business. I have developed an architecture method, which I am free to share, that uses some very abstract ideas but actually works. Here are the foundational fundamentals of the Bell Security Enterprise Architecture method that I developed:
- Stop fighting the malware game. Learn to co-exist in a malware-infested environment with a zero-trust model. Time to treat the internal network as if it were the Internet.
- Stop focusing on the latest and greatest tools from the hottest vendors, because more tools are not stopping security breaches; they only slow them down.
- Focus on the critical systems that matter for data protection (systems holding PII, Social Security numbers, credit card data, intellectual property, etc.). Do your best with the rest of the company environment, but don’t put your career on the line with battles that don’t matter.
- Use the virtualization concept to overlay your desired security architecture into your existing enterprise architecture without moving any systems within your company. Keep everything intact. Create a “security zone” around an existing server with sensitive data that becomes isolated from the rest of the internal network. Do this for each sensitive data server.
- The security zone consists of a low-cost firewall in front of the server with very few rules/ACLs. The security zones communicate with each other through point-to-point encryption. Other connections, such as monitoring of server health/status, pass through the security zone firewall unencrypted.
- Part of the architecture method is to create a virtual “network overlay” using the security zones to compartmentalize sensitive data for existing systems instead of migrating them into a traditional security enclave/VLAN, and to avoid disrupting the business. Moving systems will break the applications because of existing firewall rules. Security zones communicate with each other via VPN or TLS through a protected, encrypted tunnel. We no longer care what is happening to the rest of the network outside of a security zone.
- Place a “jump box” in front of each sensitive data server to track all access, and require two-factor authentication for each security zone as an additional layer of security before a critical server can be reached. The jump box logs and controls all access to each security zone.
- If possible, devalue stored sensitive data through encryption/tokenization methods for data at rest. At a minimum, use application-level encryption, not database encryption. This keeps a database administrator from looking at sensitive data.
- Stop storing encryption keys on the same servers performing encryption; use the split-key method of storing keys on different servers, protected with file directory permissions.
- Also consider splitting data if possible. The data then needs to be joined for use (i.e., table joins across the encrypted pieces). Be cognizant of performance issues and latency.
- Use asymmetrical network routing to the Internet by splitting network traffic, to reduce the threat of malware packet sniffing, since half of the data is missing from any single path.
- For custom applications, start encrypting in memory because of RAM memory scrapers. Keeping encryption/decryption keys and temporary copies of sensitive data in RAM in the clear is unsafe; malware is already scraping those memory spaces. Research the “TRESOR Linux kernel patch” or CryptProtectMemory.
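The security zone and jump box bullets above describe a firewall with very few rules in front of each sensitive server. As an added illustration (not the article's own material), this POSIX shell function emits an nftables ruleset for one such zone firewall, assuming a Linux box forwarding traffic to the server; all addresses are constructed placeholders passed as arguments.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset for one "security zone" firewall.
# Assumes a Linux firewall forwarding traffic to the zoned server (forward chain).
# Usage: zone_ruleset <server_ip> <jump_box_ip> <monitor_ip> <peer_zone_ip>... | nft -f -
zone_ruleset() {
    server="$1"; jump="$2"; mon="$3"; shift 3
    peers="$*"
    cat <<EOF
flush ruleset
table inet zone {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Administrative access only via the jump box (which enforces 2FA and logs sessions)
        ip saddr $jump ip daddr $server tcp dport 22 accept
        # Health/status monitoring from the monitoring host, unencrypted as the article allows
        ip saddr $mon ip daddr $server icmp type echo-request accept
        ip saddr $mon ip daddr $server udp dport 161 accept
EOF
    # Peer security zones talk to this server only over TLS (443), in both directions
    for p in $peers; do
        printf '        ip saddr %s ip daddr %s tcp dport 443 accept\n' "$p" "$server"
        printf '        ip saddr %s ip daddr %s tcp dport 443 accept\n' "$server" "$p"
    done
    cat <<EOF
        # Everything else from the flat internal network is logged and dropped
        log prefix "zone-drop: " drop
    }
}
EOF
}
```

Because the policy is default-drop, a new application dependency shows up as a `zone-drop:` log line rather than silently working, which is the signal to add one explicit rule.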
The benefits of this architecture method:
- Fewer battles with the CIO and business operations
- You appear to be a more flexible CISO and are viewed as “business friendly”
- Low cost, leverage what is already free within your enterprise
- Better cybersecurity posture with reduced cyber risk
- Keep existing architecture in place without overhauling the business and having to hire outside enterprise architects
The aforementioned architecture method is one of many ways to implement a successful cybersecurity program when a budget is not where it needs to be in your organization.