The CISO as the Man-in-the-Middle

Synopsis: The CISO has become the new Man-in-the-Middle, increasingly caught between the Executive World, where they must effectively connect security to the business, and the more familiar Technical World, where the CISO must continue to communicate effectively in terms of controls and benchmarks…

If you’ve been working in or around the IT security field for any amount of time, you are probably quite familiar with the term “Man-in-the-Middle” (MitM) as it relates to a method of attack.

What I’m even more interested in these days is an emerging typology, the new Man-in-the-Middle, or what I like to describe as the “MitM Redux”. In this context we are not referring to an attack method, but instead applying the term to describe a role that is becoming all the more common.

Security practitioners and infosec students who have crammed for the CISSP and GISP certification exams understand MitM to be a type of crypto attack that is usually explained by using the now ubiquitous characters Alice, Bob, and Mallory.

In the parable, Alice thinks she’s communicating privately with her friend Bob, but in actuality the malicious Mallory has secretly inserted herself in the middle of the conversation and is effectively eavesdropping on them; in some instances she is also able to modify some of the messages as she relays them between the two unwitting conversants.
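The part of the parable that defenders can do something about is the relaying and modification: if Alice and Bob attach a message authentication code computed under a key Mallory does not hold, Bob detects any alteration made in transit. The following added example (not from the original post) simulates the three characters in memory with Python’s standard `hmac` module; the shared key and the “transfer” message are constructed for illustration. It shows only integrity, so a real deployment still needs encryption for confidentiality and an authenticated key exchange so Mallory cannot substitute her own key at setup time.

```python
import hashlib
import hmac

# Constructed key known only to Alice and Bob. In practice it would come from an
# authenticated key exchange; this example assumes it is already in place.
SHARED_KEY = b"alice-bob-shared-secret-constructed-for-demo"


def seal(message: bytes, key: bytes) -> tuple[bytes, bytes]:
    """Alice attaches an HMAC-SHA256 tag so Bob can detect tampering."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message, tag


def verify(message: bytes, tag: bytes, key: bytes) -> bool:
    """Bob recomputes the tag; compare_digest avoids timing side channels."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def mallory_relay(message: bytes, tag: bytes) -> tuple[bytes, bytes]:
    """Mallory, sitting between the two, reads the message and rewrites the
    amount. Without the key she cannot produce a matching tag, so she can only
    forward the original one."""
    tampered = message.replace(b"1000", b"9000")
    return tampered, tag


def exchange(use_mac: bool, tamper: bool) -> dict:
    """Run one Alice -> (Mallory) -> Bob exchange and report what Bob accepted."""
    original = b"transfer 1000 to account bob"
    if use_mac:
        sent, tag = seal(original, SHARED_KEY)
    else:
        sent, tag = original, b""
    if tamper:
        sent, tag = mallory_relay(sent, tag)
    if use_mac:
        accepted = verify(sent, tag, SHARED_KEY)
    else:
        accepted = True  # Bob has no way to tell that the text was altered
    return {"received": sent, "accepted": accepted, "modified": sent != original}


if __name__ == "__main__":
    for use_mac in (False, True):
        print("MAC" if use_mac else "no MAC", exchange(use_mac, tamper=True))
```

Run without a MAC, Bob acts on the altered amount and never notices; with the MAC, the tampered message fails verification and is rejected, which is the event a monitoring system should log.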

The Man-in-the-Middle attack at one point in time was considered to be quite innovative, but not so much today. Would-be miscreants who want to utilize the technique can now simply buy the components “off the shelf” to carry out such an attack by employing ready-made toolkits like Ettercap, dsniff, and Mallory (a creative use of the classic MitM character’s name).

As interesting as these attacks are, the goal of this discussion is not to further examine Man-in-the-Middle as an attack; instead I seek to expand the terminology to describe the new CISO, who has become the real Man-in-the-Middle, increasingly finding him or herself caught between two very different worlds.

The first is the Executive World, where they need to be able to connect security to the business by practicing the soft art of Influence Without Power, speaking to a new audience in terms of critical business functions, of how security risks translate into business risks, of profit/loss considerations, and of EBITDA – and if you know what that abbreviation means, then you are most likely already an MitM CISO.

The second and more familiar world is that of the Technical, where the CISO must continue to effectively communicate in terms of the attack surface, of incident management, of controls and control objectives, of CIS benchmarks, and network defense testing.

Many security and business analysts have attempted to qualify the dynamics of this evolving role for the new CISO, but in my honest opinion none have done a better job at it than the authors of a study conducted by IBM’s Center for Applied Insights, aptly titled “Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment” (the detailed results of which can be downloaded here at no cost).

The IBM report offers up some excellent data and provides some useful findings; the examples I found particularly interesting include:

  • The Focus is Shifting Towards Risk Management: “In two years, security leaders expect to be spending more of their time on reduction of potential future risk, and less on mitigation of current threats and management of regulatory and compliance issues.”
  • The Archetypes are Real: CISOs and security leaders can be grouped into archetypes which include Responders, Protectors and Influencers, and each persona has a very distinct modus operandi in regards to working with and through their organizations. The report does a great job of not only fleshing out these different archetypes; it also provides keen insight into how one can morph from one archetype to the others.
  • A Shift in Focus from the Local to the Global: “In general, the role of information security will be moving away from specific risks to global risks. The role will be much larger than it used to be,” the authors noted.
  • Measures Really Matter: Think of this as gaining insight from the process of obtaining metrics, and not just from the numbers themselves. “Although metrics can be a challenge to define and capture, that should not deter organizations from implementing them. Measurement may be imprecise at first but will improve over time – and the process itself can drive valuable insight,” the report states.

I saw a lot of reports last year on the evolution that is defining the role of the new CISO, but this report is by far the best in show.

In the most general of terms, it illustrates the choice almost all CISOs will face: whether to continue being the “middleman” who translates up the chain and manages down through the organization while never really getting to land on one side or the other, or instead to be more like the innovative CIOs and CFOs who before them struggled to assume their rightful place at the strategy table, and got there only after mastering the soft skills required for executive leadership.

I think most CISOs will opt for the latter of the two choices, and it is up to those of us who call ourselves security “vendors” and “professionals” to assist them in making this important transition.

Tripwire is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Staying Vigilant

Once internal controls have been tightened, financial institutions must remain vigilant and keep an eye on activities going on inside and around them. Logs from critical systems carry vital information that could prove effective in preventing security incidents. For instance, monitoring activities like user logons, failed logins, password access, password changes, attempts to delete records and other suspicious activities could help identify hacking attempts, malicious attacks, DoS attacks, policy violations and other incidents. Monitoring network activity to establish real-time situational awareness is essential to enterprise security.
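The events listed above (logons, failed logins, password changes, attempts to delete records) are only useful if something correlates them. The following added example, which is not from the original post or from ManageEngine, is a small Python detector run over constructed key=value log lines: it keeps a sliding window of failed logons per source address, flags a source that exceeds a threshold, escalates when that same source then logs on successfully or changes a password, and always flags record-deletion attempts. The log format, field names, threshold and window are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunable rule parameters (assumed values; adjust to the environment's baseline).
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(seconds=60)

# Constructed sample log: a benign user, one stray failure, then a burst of
# failed admin logons from one address followed by a success, a password change
# and a (denied) attempt to delete records.
SAMPLE_LOG = [
    "2012-04-10T09:00:01 host=db01 event=logon user=jsmith src=10.0.0.5 result=success",
    "2012-04-10T09:00:03 host=db01 event=logon user=jsmith src=10.0.0.9 result=failure",
    "2012-04-10T09:00:05 host=db01 event=logon user=admin src=198.51.100.7 result=failure",
    "2012-04-10T09:00:10 host=db01 event=logon user=admin src=198.51.100.7 result=failure",
    "2012-04-10T09:00:15 host=db01 event=logon user=admin src=198.51.100.7 result=failure",
    "2012-04-10T09:00:20 host=db01 event=logon user=admin src=198.51.100.7 result=failure",
    "2012-04-10T09:00:25 host=db01 event=logon user=admin src=198.51.100.7 result=failure",
    "2012-04-10T09:00:40 host=db01 event=logon user=admin src=198.51.100.7 result=success",
    "2012-04-10T09:02:00 host=db01 event=password_change user=admin src=198.51.100.7 result=success",
    "2012-04-10T09:03:00 host=db01 event=delete_record user=admin src=198.51.100.7 table=transactions result=denied",
]


def parse_line(line: str) -> dict:
    """Parse 'ISO-timestamp key=value key=value ...' into a dict."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(lines: list[str]) -> list[dict]:
    """Apply the monitoring rules in order and return the alerts raised."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent failed logons
    flagged_sources = set()        # sources that exceeded the failure threshold

    def alert(rule: str, rec: dict) -> None:
        alerts.append({"rule": rule, "ts": rec["ts"], "src": rec.get("src"),
                       "user": rec.get("user"), "host": rec.get("host")})

    for rec in map(parse_line, lines):
        event, result, src = rec.get("event"), rec.get("result"), rec.get("src")

        if event == "logon" and result == "failure":
            window = failures[src]
            window.append(rec["ts"])
            # Drop failures older than the window before counting.
            while window and rec["ts"] - window[0] > FAILED_LOGON_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGON_THRESHOLD and src not in flagged_sources:
                flagged_sources.add(src)
                alert("brute_force", rec)

        elif event == "logon" and result == "success" and src in flagged_sources:
            # A success right after a burst of failures is the case to escalate.
            alert("success_after_brute_force", rec)

        if event == "password_change" and src in flagged_sources:
            alert("password_change_from_flagged_source", rec)

        if event == "delete_record":
            # Deletion attempts are flagged whether or not the system allowed them.
            alert("record_deletion_attempt", rec)

    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts'].isoformat()} {a['rule']:36} user={a['user']} src={a['src']}")
```

Against the sample log this raises four alerts in sequence: the brute-force burst, the success that followed it, the password change from the same address, and the deletion attempt. The single failure from 10.0.0.9 never reaches the threshold and stays quiet, which is the point of windowing rather than alerting on every failed login.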

Of course, not all security incidents can be prevented or avoided. Nor can privileged password management thwart all cyber security incidents. However, too many security incidents occur as a result of lax internal controls — poor password management, in particular — and those violations can certainly be prevented. It’s time for IT organizations to take the bull’s eye off the financial community’s networks and data and enforce some enterprise-class password protection.

ManageEngine is exhibiting at Infosecurity Europe 2012, the No. 1 industry event in Europe held on 24th – 26th April 2012 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk