Joining an organisation as its new CISO is a big deal – because you’re faced with an immense web of unknowns. And it’s your job to untangle every delicate thread and create an infrastructure to support it.
At Black Hat MEA 2022, Caleb Sima (CSO at Robinhood) shared his strategy for assessing and securing an organisation. And it starts from the outside in.
“Most of my career has been focused on being an entrepreneur,” Sima said, “and then about halfway through my career I switched it up, and decided that I’m going to become a defender of an organisation. To really sit in the hot seat.”
He has therefore been both a builder of products and a defender of companies that build products. So his view of security starts from what matters most to whichever organisation he is working with.
Sima calls his model Assume Breach. But how do you turn an ‘assume breach’ mentality into a practical guide for a CISO who walks into a new organisation with limited resources, and perhaps limited time, and needs to stand up a security programme quickly?
When you walk into an organisation, you think “Oh my gosh, there’s so much to do, so much attack surface, thousands of endpoints, hundreds of services. And you basically say, where do I start?”
Common strategies include:
Instead, Sima adopts an approach that he calls Walled Garden.
“Look at your perimeter from the beginning, and harden from the outside in. Then what you’re left with is a soft, mushy, gooey centre.”
The question any CISO would ask then, of course, is this:
What about the attackers that are on the inside; in the soft, mushy bit?
“When you think about an attacker,” Sima said, “they’re going to want to steal something, destroy something, hold ransom for something, or actually cause chaos.”
“But chaos is very rare — when they just want to create havoc. So an attacker has intent; and when an attacker has intent, this is the advantage we’ve got. If we know what the attacker is going to go after, what they want to do, we have visibility over this.”
When an attacker is on the inside of that hard outer wall, we should know the location of all the things they might want to steal or destroy.
Sima calls those things the crown jewels – and this is where the assume breach model really comes into play. “The attacker has to stumble around trying to figure out where to go.” But you, with detailed knowledge of your organisation, already know where they’re headed. And that’s where you start placing your controls.
So the first step is to identify your crown jewels. And doing this doesn’t mean setting up a security process or a technology that tells you what you should focus on. The best way to do it is to ask your organisation.
“I say: hey, across the company, our mission is to identify and protect our crown jewels. I ask the organisation, what do you think the crown jewels are and where do you think they’re stored?”
“They will absolutely come forward and start listing all of the systems and locations that contain all the critical data. And now what you’ve got is this index or inventory of crown jewels across your organisation, that you then have to prioritise.”
What you have done, then, is narrow your focus. Instead of flailing around in the dark trying to gain control over a huge attack surface, you have identified what is actually at risk. You can then monitor those crown jewels, minimise the attack surface around them, and harden that small, well-defined surface.
So when an attacker is inside – in your soft, vulnerable inner network – they come up against critical assets that are hardened, comprehensively monitored, and expose a minimal attack surface.