
Tuesday, January 08, 2013

Learn How a Telecoms Provider Takes Strides to Make Applications Security Pervasive

Transcript of a BriefingsDirect podcast on how perimeter security is no longer adequate to protect enterprise data that resides in applications, and how one services provider is taking a different approach.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion on IT innovation and how it’s making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike.

I'm now joined by our co-host for this sponsored podcast, Raf Los, who is the Chief Security Evangelist at HP Software. Welcome back, Raf. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Rafal Los: How do you do?

Gardner: And where are you coming to us from today on your travels?

Los: We're in beautiful Nashville, Tennessee, the home of Opryland and country music. We're sitting right here at HP Protect, from HP Protect 2012, Day 2.

Gardner: We have a fascinating show today. We're going to be learning how the telecommunications industry is tackling security, managing the details and the strategy -- that’s both the tactics and the strategy simultaneously -- to an advantage and extending that value onto their many types of customers.

With that, allow me to please introduce our guest, George Turrentine, Senior IT Manager at a large telecoms company, with a focus on IT Security and Compliance. Welcome, George.

George Turrentine: Thank you.

Gardner: I'd like also to point out that George started out as a network architect and transitioned to a security architect and over the past 12 years, George has focused on application security, studying vulnerabilities in web applications using dynamic analysis, and more recently, using static analysis. George holds certifications in CISSP, CISM, and CRISC.

George, many of the organizations that I'm familiar with are very focused on security, sometimes at a laser level. They're very focused on tactics, on individual technologies and products, and looking at specific types of vulnerabilities. But I sense that, sometimes, they might be missing the strategy, the whole greater than the sum of the parts, and that there is lack of integration in some of these aspects, of how to approach security.

I wonder if that’s what you are seeing, and if that’s an important aspect to keeping a large telecommunications organization robust, when it comes to a security posture.

Attacks have changed

Turrentine: We definitely are at the time and place where attacks against organizations have changed. It used to be that you would have a very focused attack against an organization by a single individual or a couple of individuals. It would be a brute-force type attack. In this case, we're seeing more and more that applications and infrastructure are being attacked, not brute force, but more subtly.

The fact that somebody that is trying to effect an advanced persistent threat (APT) against a company, means they're not looking to set off any alarms within the organization. They're trying to stay below the radar and stay focused on doing a little bit at a time and breaking it up over a long period of time, so that people don’t necessarily see what’s going on.

Gardner: Raf, how does that jibe with what you are seeing? Is there a new type of awareness that is, as George points out, subtle?

Los: Subtlety is the thing. Nobody wants to be a bull-in-a-china-shop hacker. The reward may be high, but the risk of getting caught and getting busted is also high. The notion that somebody is going to break in and deface your website is childish at best today. As somebody once put it to me, the good hackers are the ones you catch months later; the great ones, you'll never see.

That’s what we're worried about, right. Whatever buzzwords we throw around and use, the reality is that attacks are evolving, attackers are evolving, and they are evolving faster than we are and than we have defenses for.

As I've said before, it’s like being out in a dark field chasing fireflies. We tend to be chasing the shiny, blinky thing of the day, rather than doing pragmatic security that is relevant to the company or the organization that you're supporting.

Gardner: One of the things I've seen is that there is a different organization, even a different culture, in managing network security, as opposed to, say, application security, and that often, they're not collaborating as closely as they might. And that offers some cracks between their different defenses.

George, it strikes me that in the telecommunications arena, the service providers are at an advantage, where they've got a strong network history and understanding and they're beginning to extend more applications and services onto that network. Is there something to be said that you're ahead of the curve on this bridging of the cultural divide between network and application?

Turrentine: It used to be that we focused a whole lot on the attack and the perimeter and trying to make sure that nobody got through the crunchy exterior. The problem is that, in the modern network scenario, when you're hosting applications, etc., you've already opened the door for the event to take place, because you've had to open up pathways for users to get into your network, to get to your servers, and to be able to do business with you. So you've opened up these holes.

Primary barrier

Unfortunately, a hole that's opened is an avenue of an attack. So the application now has become the primary barrier for protecting data. A lot of folks haven't necessarily made that transition yet to understanding that application security actually is your front row of attack and defense within an organization.

It means that you have to now move into an area where applications not only can defend themselves, but are also free from vulnerabilities or coding flaws that can easily allow somebody to grab data that they shouldn't have access to.

Gardner: Raf, it sounds as if, for some period of time, the applications folks may have had a little bit of an easy go at it, because the applications were inside a firewall. The network was going to be protected, therefore I didn't have to think about it. Now, as George is pointing out, the applications are exposed. I guess we need to change the way we think about application development and lifecycle.

Los: Dana, having spent some time in extremely large enterprise, starting in like 2001, for a number of years, I can't tell you the amount of times applications’ owners would come back and say, "I don't feel I need to fix this. This isn’t really a big risk, because the application is inside the firewall.”

Even going back that far, though, that was still a cop-out, because at that time, the perimeter was continuing to erode. Today, it's just all about gone. That’s the reality.

So this erosion of perimeter, combined with the fact that nothing is really internal anymore, makes this all difficult. As George already said, applications need not just to be free of bugs, but actually be built to defend themselves in cases where we put them out into an uncertain environment. And we'll call the Internet uncertain on a good day and extremely hostile on every other day.

Turrentine: Not only that, but now developers are developing applications to make them feature rich, because consumers want feature-rich applications. The problem is that those same developers aren't educated and trained in how to produce secure code.

Los: I think nothing illustrates that point better than looking at the way we built legacy applications in extremely large enterprises that were introduced by a fantastic technology in 1976-1977 called the Rack app. It was really well built for the applications of the time, maintaining data access and authentication at a reasonable level.

Then, some of the applications continued to be built and built and built and built over time. We decided, at some point that we make them accessible “outside the firewall.” We slapped the web interface on them and blew all those controls out. So something that was once a solid technology is now a dumb database where anybody can access it, once they get back some spaghetti code in HTML.

Turrentine: The other thing is that too many organizations have a tendency to look at that big event with a possibility of it taking place. Yet hackers aren’t looking for the big event. They're actually looking for the small backdoor that they can quietly come in and then leverage that access. They leverage the trust between applications and servers within the infrastructure to promote themselves to other boxes and other locations and get to the data.

Little applications

We used to take for granted that it was protected by the perimeter. But now it isn’t, because you have these little applications that most security departments ignore. They don’t test them. They don’t necessarily go through and make sure that they're secure or that they're even tested with either dynamic or static analysis, and you are putting them out there because they are “low risk.”

Los: The lesson learned is that organizations that have 500, 600, 1,000, 1,200, or 2,000 applications in the corporate space have to make a decision on what’s going to be important, what they are going to address, what they are going to let fall behind. There are a certain number of apps you can review, a certain number of assessments you can do, and everything else just has to fall away.

What you've just highlighted is the extreme need to understand, not just the application as a singular entity, but interconnectedness, data interchange, and how data actually flows.

Just because you are developing a marketing app over here, that app may be no big deal in a vacuum, but because of server consolidation, virtual machines (VMs), or the cloud-computing environment you are deploying it to, it now shares space with your financial system.

You have to know that, when you're doing analysis of these things. And this actually makes it a necessity that security people have to have these types of analysis skills and look just past that one autonomous unit.

Turrentine: It may actually be more diverse than that due to the fact that there may be an intermediary system that both the non-secure app and the “risky” app talk to, and just by the fact that they are interconnected, even though it's not a direct interconnection, they are still exposed.

Gardner: Let’s chunk this out a little bit. On one side, we have applications that have been written over any number of years, or even decades, and we need to consider the risks of exposing them, knowing that they're going to get exposed. So is that a developer’s job? How do we make those older apps either sunsetted or low risk in terms of being exposed?

And on the other side, we've got new applications that we need to develop in a different way, with security instantiated into the requirements right from the get-go. How do you guys parse either side of that equation? What should people be considering as they approach these issues?

Turrentine: I'm going to go back to the fact that even though you may put security requirements in at the beginning, in the requirements phase of the SDLC, the fact is that many developers are going to take the low path and the easiest way to get to what is required and not necessarily understand how to get it more secure.

This is where the education system right now has let us down. I started off programming 30 years ago. Back then, there was a very finite area of memory that you could write an application into. You had to write overlays. You had to make sure that you moved data in and out of memory and took care of everything, so that the application could actually run in the space provided. Nowadays, we have bloat. We have RAM bloat. We have systems with 16 to 64 gigabytes of RAM.

Los: Just to run the operating system.

We've gotten careless

Turrentine: Just to run the operating system. And we've gotten careless. We've gotten to where we really don’t care. We don’t have to move things in and out of memory, so we leave it in memory. We do all these other different things, and we put all these features and functionality in there.

The schools, when they used to teach you how to write in very small areas, taught how to optimize the code, how to fix the code, and in many ways, efficiency and optimization gave you security.

Nowadays, we have bloatware. Our developers are going to college, they are being trained, and all they're learning is how to add features and functionality. The grand total of training they get in security is usually a one hour lecture.

You've got people like Joe Jarzombek at the Department of Homeland Security (DHS), with a Software Assurance Forum that he has put together. They're trying to get security back into the colleges, so that we can teach developers that are coming up how to develop secure code. If we can actually train them properly and look at the mindset, methodologies, and the architecture to produce secure code, then we would get secure applications and we would have secure data.

Gardner: That’s certainly a good message for the education of newer developers. How about building more of the security architect role into the scrum, into the team that’s in development? Is that another cultural shift that seems to make sense?

Los: We can probably see some of that in the culture that’s developing around the DevOps movement. To some extent, it's just a reactive move to the poor quality that’s been put out over the last couple of years of software, the reactive move by the smart people in the software development industry to build tribes of knowledge and of intelligence.

It goes all the way up and down the development and software lifecycle chain, from the person who makes requirements happen formally, to the people who write the source code, to those who package it, test it, deploy it, monitor it, and secure it.

It’s a small agile group of folks who all have a stake in, not just a piece of the software development lifecycle, but that software package in general. Whether they own 1 or 10 pieces of software or applications, it’s almost immaterial. That ownership level is the important part, and that’s where you're going to see maybe some of the changes.

Turrentine: Part of it also is the fact that application security architects, who I view differently than a more global security architect, tend to have a myopic view. They're limited, in many cases, by their education and their knowledge, which we all are.

Face it. We all have those same things. Part of the training that needs to be provided to folks is to think outside the box. If all you're doing is defining the requirements for an application based upon the current knowledge of security of the day, and not trying to think outside the box, then you're already obsolescent, and that's imposed upon that application when it’s actually put into production.

Project into the future

You have to start thinking further of the evolution that’s going on in the way of the attacks, see where it’s going, and then project two years or three years in the future to be able to truly architect what needs to be there for today’s application, before the release.

Gardner: What about legacy applications? We've seen a lot of modernization. We're able to move to newer platforms using virtualization, cutting the total cost when it comes to the support and the platform. Older applications, in many cases, are here to stay for quite a few number of years longer. What do we need to think about, when security is the issue of these apps getting more exposure?

Turrentine: One of the things is that if you have a legacy app, one of the areas that they always try to update, if they're going to update it at all, is to write some sort of application programming interface (API) for it. Then, you just opened the door, because once you have an API interface, if the underlying legacy application hasn’t been securely built, you've just invited everybody to come steal your data.

So in many ways, legacy applications need to be evaluated and protected, either by wrapper application or something else that actually will protect the data and the application that has to run and provide access to it, but not necessarily expose it.

I know over the years everybody has said that we need to be putting out more and more web application firewalls (WAFs). I have always viewed a WAF as nothing more than a band aid, and yet a lot of companies will put a WAF out there and think that after 30 days, they've written the rules, they're done, and they're now secure.

A WAF, unless it is tested and updated on a daily basis, is worthless.

Los: That’s the trick. You just hit a sore spot for me, because I ran into that in a previous life and it stunk really bad. We had a mainframe app that had ported along the way that the enterprise could not live without. They put a web interface on it to make it remotely accessible. If that doesn’t make you want to run your head through a wall, I don’t know what will.

On top of that, I complained loud enough and showed them that I could manipulate everything I wanted to. SQL injection was a brand-new thing in 2004 or something, and it wasn’t. They were like, fine, "WAF, let’s do WAF." I said, "Let me just make sure that we're going to do this while we go fix the problem." No, no, we could either fix the problem or put the WAF in. Remember that’s what the payment card industry (PCI) said back then.

Turrentine: Yeah.

Los: You could either fix the problem or put mitigating control WAFs into the slipstream and then we were done, and let’s move on. But it’s like any security control. If you put it in and just leave it there, tune it once, and forget that it exists, that’s the data that starts to fail on you.

Gardner: I think there is even more impetus now for these web interfaces, as companies try to find a shortcut to go to mobile devices, recognizing that they're having a hard time deciding on a native interface or which mobile device platform to pursue. So they're just "webifying" the apps and data so that they can get out to that device, which, of course, raises even more data and applications in this field for concern.

Los: I liked that word, "webifying."

Tactics and strategy

Gardner: So let's get back to this issue of tactics and strategy. Should there be someone who is looking at both of these sides of the equation, the web apps, the legacy, vulnerabilities that are coming increasingly to the fore, as well as looking at that new development? How do we approach this problem?

Turrentine: One of the ways that you approach it is that security should not be an organization unto itself. Security has to have some prophets and some evangelists -- we are getting into religion here -- who go out throughout the organization, train people, get them to think about how security should be, and then provide information back and forth and an interchange between them.

That’s one of the things that I've set up in a couple of different organizations, what I would call a security focal point. They weren’t people in my group. They were people within the organizations that I was to provide services to, or evaluations of.

They would be the ones that I would train and work with to make sure that they were the eyes and ears within the organizations, and I'd then provide them information on how to resolve issues and empower them to be the primary person that would interface with the development teams, application teams, whatever.

If they ran into a problem, they had the opportunity to come back, ask questions, and get educated in a different area. That sort of militia is what we need within organizations.

I've not seen a single security organization that could actually get the headcount they need. Yet this way, you're not paying for headcount, which is getting people dotted lined to you, or that is working with you and relying on you. You end up having people who will be able to take the message where you can’t necessarily take it on your own.

Gardner: Raf, in other podcasts that we've done recently we talked about culture, and now we're talking organization. How do we adjust our organization inside of companies, so that security becomes a horizontal factor, rather than group oversight? I think that’s what George was getting at, is that it becomes inculcated in the organization.

Los: Yeah. I had a brilliant CISO I worked under a number of years back, a gentleman by the name of Dan Conroy. Some of you guys know him. His strategy was to split the security organization essentially uneven, not even close to down the middle, but unevenly into strategy, governance, and operations.

Strategy and governance became the team that decided what was right, and we were the architects. We were the folks who decided what was the right thing to do, roughly, conceptually how to do it, and who should do it. Then, we made sure that we did regular audits and performed governance activities around its being done.

Then, the operational part of security was moved back into the technology unit. So the network team had a security component to it, the desktop team had a security component to it, and the server team had security components, but they were all dotted line employees back to the CISO.

Up to date

They didn’t have direct lines of reporting, but they came to our meetings and reported on things that were going on. They reported on issues that were haunting them. They asked for advice. And we made sure that we were up to date on what they were doing. They brought us information, it was bidirectional, and it worked great.

If you're going to try to build a security organization that scales to today’s pace of business, that's the only way to do it, because for everything else, you're going to have to ask for $10 million in budget and 2,000 new headcounts, and none of those is going to be possible.

Turrentine: I agree.

Gardner: How would we describe that organization? Is there a geometric shape? You hear about T or waterfall or distributed, but how do we describe the type of organization you just described for our security?

Los: An amoeba, or to be more serious, more like a starfish really. If you're looking at the way these organizations are, you have the central group and then tentacles that go out to all the other components of it. I don’t have a flashy name for it, but maybe security starfish.

Gardner: George, how would you describe it?

Turrentine: I don’t know that it would be a single organism.

Gardner: More of a pond water approach, right?

Turrentine: Yeah.

Gardner: Moving to looking at the future, we talked about some of the chunks with legacy and with new applications. What about some of the requirements for mobile in cloud?

As organizations are being asked to go with hybrid services delivery, even more opportunity for exposure, more exposure both to cloud, but also to a mobile edge, what can we be advising people to consider, both organizationally as well as tactically for these sorts of threats or these sorts of challenges?

Turrentine: Any time you move data outside the organization that owns it, you're running into problems, whether it’s bring your own device (BYOD), or whether it’s cloud, that is a public offering. Private cloud is internal. It's just another way of munging virtualization and calling it something new.

But when you start handling data outside your organization, you need to be able to care for it in a proper way. With mobile, a lot of the current interface IDEs and SDKs, etc., try to handle everything as one size fits all. We need to be sending a message back to the owners of those SDKs that you need to be able to provide secure and protected areas within the device for specific data, so that it can either be encrypted or it can be processed in a different way, hashed, whatever it is.

Then, you also need to be able to properly and cleanly delete it or remove it should something try and attack it or remove it without going through the normal channel called the application.

Secure evolution

I don’t think anybody has a handle on that one yet, but I think that, as we can start working with the organizations and with the owners of the IDEs, we can get to the point where we can have a more secure evolution of mobile OS and be able to protect the data.

Gardner: Raf, any thoughts before we close out on some of these pending opportunities or challenges when it comes to moving to the mobile edge and to the cloud and hybrid services?

Los: To echo some of the things our executives have been saying, without sounding too much echo, I agree that every decade or so, we hit a directional point. We make either a hard right or a hard left, or we take a turn as an industry, maybe even as a society.

That does sort of coincide with the fact that technology takes roughly 10 years to understand the full impact of it, once it has been implemented and released, as I read somewhere a while back.

We're at one of those points, as we sit here right now, where many of the people, the kids going through school today, don’t know what a cassette tape is.

When I mention my Zip drive from back in my technology days, they look at me funny. Floppy disks are something they have only heard about or seen in a photo. Everybody texts now. So technology is evolving at a pace that has hit a fever pitch, and society is quickly trying to catch up or pretend like it’s going to catch up.

Meanwhile, enterprises are trying to capitalize on those technology changes, and security has to transform with it. We've got to get out of the dark ages of, "What do you do for the company?" "Oh, I do security." No, you don’t. You serve the business, in whatever capacity they tell you to. If you can’t understand that, then you're going to get stuck in those dark ages, and we just won’t go forward. That’s my line of thinking.

We're at the point where something has to happen. Being here, walking through the show floor, and having conversations with people like George, John South, and other people who are leading security organizations throughout the big industry players, and some really small ones, I am hopeful. I think we actually get it. It’s, "Can we scale it and teach others to think this way fast enough to make an impact before it all goes wrong again?"

Gardner: All right. I am afraid we will have to leave it there. With that, I would like to thank our co-host, Rafal Los, who is the Chief Security Evangelist at HP Software. It’s always a pleasure, Raf, thanks so much.

Los: Thanks for having me.

Gardner: And I'd also like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialogue with Raf through his personal blog, as well as through the Discover Performance Group on LinkedIn.

I'd also like to extend a huge thank you to our special guest, George Turrentine, the Senior Manager at a large telecoms company. Thank you so much, George.

Turrentine: Thank you.

Gardner: And you can gain more insights and information on the best of IT Performance Management at http://www.hp.com/go/discoverperformance.

And you can also always access this and other episodes in our HP Discover Performance Podcast Series on iTunes under BriefingsDirect.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives. Thanks again for listening, and come back next time.


Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.


Tuesday, November 27, 2012

Right-Sizing Security and Information Assurance, a Core-versus-Context Journey at Lake Health

Transcript of a BriefingsDirect podcast on how healthcare provider Lake Health ensures that its internal systems continue to serve patient care, while protecting against outside threats.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike. We're now joined by our co-host for this sponsored podcast series, Chief Software Evangelist at HP, Paul Muller. Hello, Paul, welcome back.

Paul Muller: Dana, it's good to be back. How are you?

Gardner: I'm well. Are you still in San Francisco?

Muller: Still in San Francisco, and it’s another lovely day.

Gardner: Very good. We're also here with Raf Los. He is the Chief Security Evangelist at HP. Welcome back, Raf, how are you? [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Raf Los: I'm well. Thank you.

Gardner: And where are you joining us from today?

Los: I'm in Houston, Texas, today.

Gardner: We have a fascinating show today, because we're going to learn how regional healthcare services provider Lake Health in Ohio has matured from deploying security technologies to becoming more of a comprehensive risk-reduction practice provider internally for its own consumers.

We're going to learn how Lake Health's Information Security Officer has been expanding the breadth and depth of risk management there to a more holistic level, and we're even going to discuss how they've gone about deciding for which risk and compliance services to seek outside providers and which to retain and keep inside, or on premises.

With that, please join me in welcoming our special guest, Keith Duemling. He is the Information Security Officer at Lake Health. Welcome, Keith.

Keith Duemling: Hi. How are you guys doing today?

Gardner: We're doing very well.

Keith, let me begin our discussion with a high level, almost a philosophical, question for you. Many people are practicing IT security and they're employing products and technologies. They're putting in best practices and methods, of course, but it seems to me that you have a different take.

You've almost abstracted this up to information assurance -- even quality assurance -- for knowledge, information, and privacy. Tell me how that higher abstraction works, and why you think it's more important or more successful than just IT security?

Duemling: If you look at the history of information security at Lake Health, we started like most other organizations. We were very technology focused, implementing one or two point solutions to address specific issues. As our program evolved, we started to change how we looked at it and considered it less of a pure privacy issue and more of a privacy and quality issue.

Go back to the old tenets of security, with confidentiality, integrity, and availability. We started thinking that, of those three, we really focused on the confidentiality, but as an industry, we haven't focused that much on the integrity, and the integrity is closely tied to the quality.

Information assurance

So we wanted to transform our program into an information-assurance program, so that we could allow our clinicians and other caregivers to have the highest level of assurance that the information they're making decisions based on is accurate and is available, when it needs to be, so that they feel comfortable in what they are doing.

So it's not just protecting information from being disclosed, but it's protecting information so that it's the right information, at the right time, for the right patient, for the right plan of care. From a high level, the program has evolved from simple origins to more of a holistic type of analysis, where we look at the program and how it will impact patient care and the quality of that patient care.

Gardner: It sounds like what I used to hear -- and it shows how long I have been around -- in the manufacturing sector. I covered that 20 years ago. They talked about a move towards quality, and rather than just looking at minute or specific parts of a process, they had to look at it in total. It was a maturity move on behalf of the manufacturers, at that time.

Raf Los, do you see this as sort of a catching up for IT and for security practices that are maybe 20 years behind where manufacturing was?

Los: More or less, Dana. Where Keith’s group is going, and where many organizations are evolving to, is a practice that focuses less on “doing security” and more on enabling the enterprise and keeping quality high. After all, security is simply a function, one of the three pillars of quality. We look at does it perform, does it function, and is it secure?

So it's a natural expansion of this, sort of a Six Sigma-esque approach to the business, where IT is catching up, as you’ve aptly put it. So I tend to agree with it.

Gardner: Of course, compliance is really important in the healthcare field. Keith, tell us how your approach may also be benefiting you, not just in the quality of the information, but helping you with your regulatory and compliance requirements too?

Duemling: In the approach that we’ve taken, we haven’t tried to change the dynamics that significantly. We've just tried to look at the other side of the coin, when it comes to security. We find that a lot of the controls that we put in place for security benefit from an assurance standpoint, and the same controls for assurance also benefit from a security standpoint.

As long as we align what we're doing to industry-accepted frameworks, whether it’d be NIST or ISO, and then add the healthcare-specific elements on top of that, we find that that gives us a good architecture to continue our program and be mindful of the assurance aspect as well as the security side.

In doing so, we're able to implement controls that span multiple compliance elements, so that we are not duplicating our efforts, missing something, or trying to reinvent the wheel. Obviously, we're not the first healthcare provider, and we certainly won't be the last one, to go through the challenges of compliance in the United States -- and how it's ever changing.

Add-on benefits

Gardner: Are there some other ancillary or add-on benefits from your approach? I am thinking of being able to be proactive, rather than reactive, on certain elements of your requirements. Or do you have an ability to compress the amount of time that you can react, so that you can be more real time in how you adjust? What are the other benefits to your approach?

Duemling: One of the other benefits of the approach is that we look at the data itself or the business function and try to understand the risks associated with it and the importance of those functions and the availability of the data. When we put the controls and the protective measures around that, we typically find that if we're looking specifically at what the target is when we implement the control, our controls will last better and they will defend from multiple threats.

So we're not putting in a point solution to protect against the buzzword of the day. We're trying to put in technologies and practices that will improve the process and make it more resilient from both what the threats are today and what they are in the future.

Gardner: Paul Muller, any thoughts about what you're hearing and how this might relate to the larger marketplace that you're familiar with from some of the other clients and enterprises that you're talking to?

Muller: A couple of observations. The first is that we need to be really careful when we think about compliance. It's something of a security blanket, not so much for security executives. I think InfoSec security executives understand the role of compliance, but it can give business leaders a false sense of security to say, "Hey, we passed our audit, so we're compliant."

There was a famous case of a very large financial-services institution that had been through five separate audits, all of which gave them a very clear bill of health. But it was very clear from some of the honey pots they put in place in terms of certain data that they were leaking data through to a market-based adversary. In other words, somebody was selling their data, and it wasn’t until the sixth audit that it uncovered the source of the problem.

So we need to be really careful. Compliance is actually the low bar. We're dealing with a market-based adversary. That is, someone will make money from your data. It's not the nation-state that we need to worry about so much as the people who are looking to exploit the value of your information.

Of course, once money and profit enter the equation, there are a lot of people very interested in automating and mechanizing their attack against your defense, and that attack surface is obviously constantly increasing.

The challenge, particularly in examples such as the one that Keith is talking about, comes in the mid-sized organizations. They've got all of the compliance requirements, the complexity, and the fascinating, or interesting, data from the point of view of a market-based adversary. They have all of that great data, but don't necessarily have the scale and the people to be able to protect that.

Balancing needs

It's a question of how you balance the needs of a large enterprise with the resources of a mid-sized organization. I don't know, Keith, whether you've had any experience of that problem.

Duemling: I have all too many times experienced that problem that you’re defining right there. We find that technology that helps us to automate our situational awareness is something that's key for us. We can take the very small staff that we have and make it so that we can respond to the threats and have the visibility that we need to answer those tough questions with confidence, when we stand in front of the board or senior management. We're able to go home and sleep at night and not be working 24×7.

Los: Keith, let me throw a question at you, if you don't mind. We mentioned automation, and everybody that I have this conversation with tends to -- I don't want to say oversimplify -- but can have an over-reliance on automation technology.

In an organization of your size, you’re right smack in the middle of that, too big not to be a target, too small to have all the resources you've ever wanted to defend yourself. How do you keep from being overrun by automation -- too many dashboards, too many red lights blinking at you, so you can actually make sense of any of this?

Duemling: That's actually one of the reasons we selected ArcSight. We had too many dashboards for our very small staff to manage, and we didn’t want Monday to be the dashboard for Product A, Tuesday for Product B, and things of that nature.

So we figured we would aggregate them and create the master dashboard, which we could use to have a very high-level, high-altitude view, drill down into the specific events, and then start referring them to subject-matter experts. We wanted to have just those really sensitive events bubble up to the surface, so that we could respond to them and they wouldn’t get lost in the maze of dashboards.

Gardner: Keith, before we go any further, for the benefit of our listeners, please tell us a bit about Lake Health, the size of your organization, the types of services you provide, and even the nature of your organization. Are you non-profit, publicly-traded, that sort of thing?

Duemling: Sure. Lake Health is a not-for-profit healthcare system. We’re about 45 minutes outside of Cleveland, Ohio. We have two freestanding hospitals and approximately 16 satellite sites of different sizes that provide healthcare to the citizens of the county that we’re in and three adjacent counties.

We have three freestanding 24×7 emergency rooms (ERs), which treat all kinds of injuries, from the simple broken fingers to severe car accidents, heart-attacks, things of that nature.

We also have partnerships with a number of very large healthcare systems in the region, and organizations of that size. We send some of our more critically injured patients to those providers, and they will send some of their patients to us for more localized, smaller care closer to their place of residence.

We’ve grown from a single, small community hospital to the organization that we have now.

Career path

Gardner: And how about you? What's been your trajectory in terms of how long you've worked there and the career path that you followed?

Duemling: I've been with Lake Health for a little under eight years now. I started as a systems administrator, managing a set of Windows servers, and evolved to my current position over time.

Typically, when I started, an individual was assigned a set of projects to work on, and I was assigned a series of security projects. I had a security background that I came to the organization with. Over time, those projects congealed into the security program that we have now, and if I am not mistaken, it's in its third iteration right now. We seem to be on a three-year run for our security program, before it goes through a major retrofit.

Gardner: How did you unify all of these different elements under what you call a program for security? What were some of the steps you needed to take? We heard a little bit about the dashboard issue, but I'm trying to get a larger perspective on how you unified culture around this notion of information assurance?

Duemling: We started within the information and technology department, where we had to really do an evaluation of what technologies we had in place. What are different individuals responsible for, and who do they report to? Once we found that there was this sprinkling of technology and responsibilities throughout the department, we had to put together a plan to unify that all into one program that has one set of objectives, is under one central leadership, and has its clear marching orders.

Then once we accomplished that, we started to do the same thing across the entire organization. We improved our relationship within IT, not just with sub-departments within IT, but then we also started to look outside and said, "We have to improve our relationship with compliance and we have to improve our relationship with physical security."

So we’re unifying our security program under the mantra of risk, and that's bringing all the different departments that are related to risk into the same camp, where we can exchange notes and drive towards a bigger enterprise focused set of objectives.

Gardner: Raf, this sounds a bit like the resiliency concepts that you've been talking about in the past few months. Is what we're hearing from Keith enterprise resiliency or is there a difference that we should appreciate?

Los: No, he's dead-on. At the end of the day, what security is chartered with, along with most of the rest of IT, as I said earlier, is empowering the organization to do its work. Lake Health does not exist for the sole purpose of security, and clearly they get that.

That's step one on this journey of understanding what the purpose of an IT security organization is. Along the broader concept of resiliency, one of the things that we look at in terms of security and its contribution to the business is, can the organization take a hit and continue, get back up to speed, and continue working?

Not if, but when

Most organization technologists by now know it’s not a question of if you’re going to be hacked or attacked, but a question of when, and how you’re going to respond to that by allowing the intelligent use of automation, the aligning towards business goals, and understanding the organization, and what's critical in the organization.

They rely on critical systems, critical patient-care systems. That goes straight to the enterprise resiliency angle. If you get hacked and your network goes down, IT security is going to be fighting that hack. At the same time, we need to realize how we separate the bad guys from the patient and the critical-care system, so that our doctors and nurses and support professionals can go back to saving lives, and making people’s lives better, while we contain the issue and eradicate it from our system.

So that's perfectly along those lines, and as you pointed out, I've been hearing a lot about that lately. It's more than just about security, and that's a fantastic revelation to wake up to every morning.

Gardner: Keith, before we go and learn more about how you examine all of the things that you need to do in this program and then perhaps start thinking about what's core, what's context, and how to best source those, I’d like to hear a little bit about the payoffs.

You've been doing this, as you pointed out, for several years. Are there some lessons that you can point to in terms of payback? Clearly, if you are operating well and you've got good data and privacy, that's a reward in its own. But, are there some other returns on investment (ROI), maybe it's a softer return like an innovation benefit or being able to devote more staff to innovation. Maybe you can line up a few of the paybacks when this goes as it should?

Duemling: I'd probably put forward two paybacks. One is about some earlier comments I heard. We, as an organization, did suffer a specific event in our history, where we were fighting a threat, while it was expected that our facilities would continue operating. Because of the significant size of that threat, we had degraded services, but we were able to continue -- patients were able to continue coming in, being treated, things of that nature.

That happened earlier in our program, but it didn’t happen to the point where we didn’t have a program in place. So, as an organization, we were able to wage that war, for lack of a better term, while the business continued to function.

Although those were some challenging times for us, and luckily there was no patient data directly or indirectly involved with that, it was a good payoff that we were able to continue to fight the battle while the operations of the organization continued. We didn't have to shut down the facilities and inconvenience the patients or potentially jeopardize patient safety and/or care.

A second payoff is, if we fast forward to where we are now, lessons learned, technologies put in place, and things of that nature. We have a greater ability to answer those questions, when people put them to us, whether it's a middle manager, senior manager, or the board. What are some of the threats we're seeing? How are we defending ourselves? What is the volume of the challenge? We're able to answer those questions with actual answers as opposed to, "I don't know," or "I'll get back to you."

So we can demonstrate more of an ROI through an improvement in situational awareness and security intelligence that we didn't have three, four, or five years earlier in the program’s life. And tools like ArcSight and some of the other technologies that we have, that aggregate that for us, get rid of the noise, and just let us hone in on the crown jewels of the information are really helpful for us to answer those questions.

System of record

Gardner: How about looking at this through the lens of a system of record perspective, an architectural term perhaps? Has that single view, that single pane of glass, allowed you to gain the sense that you have a system of record or systems of record? Has that been your goal, or has that been perhaps even an unintended consequence?

Duemling: It's actually kind of both. One, it retains information that sometimes you wish you didn't retain, but that's the fact of what the device and the technology are in the solution and it’s meeting its objective.

But it is nice to have that historical system of record, to use your term, where you can see the historical events as they unfold and explain to someone, via one dashboard or one image, as a situation evolves.

Then, you can use that for forensic analysis, documentation, presentation, or legal to show the change in the threat landscape related to a specific incident, or from a higher level, a specific technology that's providing its statistical information into ArcSight, but you can then do trending and analysis on.

It is also good to get towards a single unified dashboard where you can see all of the security events that are occurring in the environment or outside the environment that you are pulling in, like edit from a disaster recovery (DR) site. You have that single dashboard where if you think there's a problem, you can go to that, start drilling down, and answer that question in a relatively short period of time.

Muller: I'll go back to Keith’s opening comments as well. Let's not undervalue the value of confidence -- not having to second guess not just the integrity of your systems and your applications, but to second guess the value of information. It's one thing when we're talking about the integrity of the bank balance of a customer. Let's be clear that that's important, but it can also be corrected just as easily as it can be modified.

When you're talking about confidence in patient data, medical imaging, drug dispensations, and so forth, that’s the sort of information you can't afford to lack confidence in, because you need to make split-second decisions that will obviously have an impact on somebody’s life.

Duemling: I would add to that. Like you were saying, you can undo an incorrect or a fraudulent bank transfer, but you cannot undo something such as the integrity of your blood bank. If your blood bank has values that randomly change or if you put the wrong type of blood into a patient, you cannot undo those without there being a definitely negative patient outcome.

Los: Keith, along those lines, do you have separate critical systems that you have different levels of classifications for that are defended and held to a different standard of resilience, or do you have a network wide classification? I am just curious how you figure out what gets the most attention or what gets the highest concentration of security?

Duemling: The old model of security in healthcare environments was to have a very flat type of architecture, from both networking, support, and a security standpoint. As healthcare continues to modernize for multiple reasons, there's a need to build islands or castles. That’s the term we use internally, "castles," to describe it. You put additional controls, monitoring, and integrity checks in place around specific areas, where the data is the most valuable and the integrity is the most critical, because there are systems in a healthcare environment that are more critical than others.

Obviously, as we talked about earlier, the ones that are used for clinical decision making are technically more critical than the ones that are used for financial compensation as it results from treating patients. So although it's important to get paid, it's more important that patient safety is maintained at all times.

Limited tools

We can't necessarily defend all of our vast resources with the limited set of tools that we have. So we've tried to pick the ones that are the most critical to us and that's where we've tried to put all the hardening steps in place from the beginning, and we will continue to expand from there.

Gardner: Keith, let's take this now to that question about managing your resources. Obviously, because you are in that Goldilocks position, as Raf pointed out -- not too big, not too little -- you have to be choosy. You don't have unlimited resources, but you have a very serious and significant responsibility.

Have you been starting to look at what is core and what is context, what should be either outsourced or provided through some managed services of some sort and what you would really like to retain control over? How does that thought process about that problem pan out?

Duemling: Absolutely, we look at every security project with the mindset of how we can do this the most effectively and with the least amount of resources that are diverted from the clinical environment to the information security program.

That being said, security as a service, cloud-based technology, outsourcing, whatever term you would like to use, is definitely something that we consider on a regular basis, when it comes to different types of controls or processes that we have to be responsible for. Or professional services in the events of things like forensics, where you don’t do it on a regular basis, so you may not consider yourself an expert.

We tend to do an evaluation of the likelihood of the threat materializing or dependence on the technology, what offerings are out there, both as a service and premise-based, what it would take from an internal resource standpoint to adequately support and use a technology. Then, we try and articulate that into a high-level summary of the different options, with cost, pros and cons related to each.

Then, typically our senior management will discuss all of those, and we'll try and come to the decision that we think makes best for our organizations, not just for that point, but for the next three to five years. So some initiatives have gone premise-based and some have gone security-as-a-service based. We are kind of a mix.

Gardner: Paul Muller, as a cloud follower, a close follower, you've seen hybrid services delivery arise in many different forms. I guess we're talking here about hybrid security delivery. How do they come together in your mind?

Muller: Exactly the same way. It is about what Keith described as understanding particularly where, for example, there is a high degree of specialization or skill required that is in short supply, particularly in your geography.

It's particularly true of security professionals that the bigger targets -- the banking institutions, defense, to a certain extent telecoms -- are able to offer a price premium to some of these people and it can make it hard to find the best quality stuff, particularly in mid-sized organizations. Therefore, it sometimes makes more sense to procure those staff and the services alongside them from outside of the organization.

Core intellectual property

Having said that, there are times when there is core intellectual property (IP) of your organization, core capabilities, particularly around industry vertical processes, where that level of expertise is not widely understood.

It's too generic to be of value. Healthcare is a great example, where the compliance requirement, plus the particular or specific patient management systems, would be too specific for a general-purpose service provider to add much value. It's a question of blending that right to the capabilities.

I want to add that it's interesting that the security world tends to have a somewhat schizophrenic view of software as a service (SaaS). They will typically be okay with the idea of putting all of your sales pipeline and your customer data into a customer relationship management (CRM) system in the cloud, but will often have a negative reaction if you say let's use security SaaS.

So often you will find that it's actually more palatable for the organization culturally, when looked at maybe as a managed service, rather than treating it as a SaaS, knowing, in other words, that there's people behind it as well as software. I don't know. Raf, what are your thoughts?

Los: Well, Paul, eloquently put. There's still that stigma of cloud somehow magically meaning less secure, and I work with that trepidation almost daily, like you do.

The one aspect we need to make sure that we emphasize and understand is that there are people behind all of this. This isn’t just some automated scan, script, or thing. There are people behind a lot of this, and the broad sense of why security really matters is the human element of it.

So these hybrid types of services make sense, because there are a lot of things and -- going back to that comment about the size of the organization -- you can't do it all yourselves. If you can, you can't do it well, whether you're a massive company or a small one.

Knowing that fact, acknowledging that, and being able to consume security services intelligently can be the difference between getting lost in "dashboard hell" and having the right information at the right time to make the right decision, based on partnerships with the correct organizations.

I think you summed it up well, but I just felt like I would add a little bit of color to that, because that's a little bit of what I have been seeing.

Gardner: It's interesting that a common thread for successful organizations is knowing yourself well. It's also an indicator of maturity, of course. I know that Paul is talking about this, and Raf as well, that those organizations that know themselves well can better plot their future architecturally and across comprehensive services. But it also sounds as if this is really important, when it comes to deciding what services to retain total control over or retain the resources that deploy them and another set of choices.

Back to you, Keith. It sounds like you have a good level of maturity. You have had a good opportunity to know yourself and then to track your progress. Is that helping you make these decisions about what's core or context in the design of your risk-mitigation activities?

What you do well

Duemling: Yes, it is. You have to know what you do well and also you have to know the areas where you, as an organization, are not going to be able to invest the time or the resources to get to a specific comfort level that you would feel would be adequate for what you are trying to achieve. Those are some of the things where we look to use security as a service.

We don't want to necessarily become experts on spam filtering, so we know that there are companies that specialize in that. We will leverage their investment, their technology, and their IP to help defend us from email-borne threats and things of that nature.

We're not going to try and get into the business of having a program or to create an event-correlation engine. That's why we're going to go out and look for the best-of-breed technologies out there to do it for us.

We'll pick those different technologies, whether it's as a service or premise-based and we'll implement those. That will allow us to invest in the people that know our environment the best and intimately and who can make decisions based on what those tools and those managed services tell them.

They can be the boots on the ground, for lack of a better term, making the decisions that are effective at the time, with all the situational awareness that they need to resolve the problem right then and there.

Gardner: Keith, you've got a little bit of 20/20 hindsight, having done this. For those of our listeners who are perhaps at that level, where they are juggling quite a few security products or technologies and they would like to move into this notion of a program and would like to have a unified view, any thoughts about getting started, any lessons learned that you could share?

Duemling: I would say just a couple of bullet points. Security is more than just technology. It really is the people, the process, and the technology. You have to understand the business that you are trying to protect. You have to understand that security is there to support the business, not to be the business.

Probably most importantly, when you want to evolve your security and set up projects into an actual security program, you have to be able to talk the language of the business to the people who run the business, so that they understand that it’s a partnership and you are there to support them, not to be a drain on their valuable resources.

Gardner: Raf, any thoughts to amplify or extend that?

Los: I think he has put it brilliantly just now. IT security is a resource and also a potential drain on resources. So the less we can take away from anything else the organization is doing, while enabling them to basically be better, deliver better, deliver smarter, and save more lives and make people healthier, that is ultimately the goal.

If there's nothing else that anybody takes away from a conversation like this, IT security is just another enabler in the business and we should really continue to treat it that way and work towards that goal.

Lessons learned

Gardner: All right, last word to you today, Paul Muller. What sort of lessons learned or perhaps perceptions from the example of Lake Health would you amplify or extend?

Muller: I will just go back to some of my earlier comments, which is, let’s remember that our adversary is increasingly focused on the market opportunity of exploiting the data that we have inside our organizations -- data in all of its forms. Where there is profit, as I said, there will be a drive for automation and best practices. They are also competing to hire the best security people in the world.

But as a result of that, and mixed in with the fact that we have this ever-increasing attack surface, the vulnerabilities are increasing dramatically. The statistic I saw from just October is that the cost of cyber crime has risen by 40 percent and the attack frequency has doubled in the last 12 months. This is very real proof that these market forces are at work.

The challenge that we have is educating our executives that compliance is important, but it is the low bar. It is table stakes, when we think about information and security. And particularly in the case of mid-sized enterprises, as Raf pointed out, they have all of the attractiveness as a target of a large enterprise, but not necessarily the resources to be able to effectively detect and defend against those sorts of attacks.

You need to find the right mix of services, whether we call it hybrid, whether we call it cloud or managed services, combined with your own on-premises services to make sure that you're able to defend yourself responsibly.

Gardner: Very good. I am afraid we'll have to leave it there. I want to thank our co-hosts today. We have been joined by Paul Muller, the Chief Software Evangelist at HP. Thank you, Paul.

Muller: Great having been here again, Dana. Good to talk to you.

Gardner: And also Raf Los. He is the Chief Security Evangelist at HP. Thank you so much, Raf.

Los: Thanks for having me, Dana. And Keith, it has been a pleasure having the conversation.

Gardner: And I'd like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialogue with Paul Muller through the Discover Performance Group on LinkedIn, and also to follow Raf on his popular blog, Following the White Rabbit.

You can also gain more insights and information on the best of IT performance management at http://www.hp.com/go/discoverperformance.

And you can always access this and other episodes in our HP Discover Performance Podcast Series at hp.com and on iTunes under BriefingsDirect.

And of course I want to thank our very special guest today, with a very impressive story, Keith Duemling; he is the Information Security Officer there at Lake Health. Thank you so much, Keith.

Duemling: Thank you for the opportunity to share the information.

Gardner: And lastly, I would like to thank our audience for joining us for this special HP Discover Performance Podcast discussion. I am Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HP sponsored business success stories.

We appreciate your listening, and do come back next time.


Transcript of a BriefingsDirect podcast on how healthcare provider Lake Health ensures that its internal systems continue to serve patient care, while protecting against outside threats. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.


Tuesday, November 06, 2012

Liberty Mutual Insurance Melds Regulatory Compliance and Security Awareness to Better Protect Assets, Customers, and Employees

Transcript of a BriefingsDirect podcast on how Liberty Mutual Insurance has adopted a new, heightened security posture that permeates the applications development process.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike.

I'm now joined by our co-host for this sponsored podcast, Raf Los, who is the Chief Security Evangelist at HP Software. Welcome back Raf. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Rafal Los: Glad to be back, Dana.

Gardner: And where are you joining us from today, where is your travel taking you?

Los: Well we are at the HP Protect 2012, here in beautiful Nashville, Tennessee where the sun is shining and the birds are chirping country music.

Gardner: We have a fascinating show today, we're going to learn how Liberty Mutual Insurance is building security more deeply into its business, and with that, I’d like to introduce our special guest, John McKenna, Vice President and Chief Information Security Officer for Liberty Mutual.

Welcome to the show, John.

John McKenna: Glad to be here.

Gardner: You're both at the HP Protect show in Nashville, so let’s focus on security a bit. Why is security so important to your business now, and in what ways are you investing?

McKenna: It’s pretty clear to us that the world has changed in terms of the threats and in terms of the kinds of technologies that we're using these days to enable our business. Certainly, there's an obligation there, a responsibility to protect our customers’ information as well as making sure that our business operations can continue to support those customers.

So, as I said, it's the realization that we need to make sure we’re as secure as we need to be, and we can have a very deep discussion about how secure we need to be.

In addition to that, we have our own employees, who we feel we need to protect to enable them to work and get the job done to support our customers, while doing so in a very secure workplace environment.

Gardner: You started off by saying that things are different. You recognized that. How do you generally think things are different now than, say, four or five years ago?

McKenna: I'll start with just the technology landscape itself. From mobility platforms and social networking to cloud computing, all of those are introducing different attack vectors, different opportunities for the bad guys to take advantage of.

Reducing the threat

We need to make sure that we can use those technologies and enable our business to use them effectively to grow our business and service our customers, while at the same time, protecting them so that we reduce the threat. We will never eliminate it, but we can reduce the opportunities for the bad guys to take advantage.

Los: John, you talk about for your customers. From a security perspective, your customers are your external customers as well as internal, correct?

McKenna: We absolutely have our internal customer as well. We have partners, vendors, agencies, and brokers that we're doing business with. They're all part of the supply chain. We have an obligation to make sure that whatever tools and technologies we are enabling them with, we’re protecting that as well.

Gardner: John, Liberty Mutual, of course, is a large and long-time leader in insurance. Tell us about the breadth and depth of your company. I imagine you're quite dispersed, as well, as with many different lines of services. Help us understand the complexity that you're managing, when it comes to bringing security across this full domain.

McKenna: We're a global company in the Fortune 100 list. We have $35 billion in revenue and we have about 45,000 employees worldwide. We offer products across the personal and commercial lines products, or P&C, and life insurance products. We’ve got somewhere in the range of 900-plus offices globally.

So we have lots of people. We have lots of connections and we have a lot of customers and suppliers who are all part of this business. It’s a very complex business operation, and there are a lot of challenges to make sure that we're supporting the customers, the business, and also the projects that are continually trying to build new technology and new capabilities.

Gardner: Raf, when we talk about what’s different in companies, one of the things I'm noticing that I think is pretty important when it comes to security, is that in the past, security was really something that was delegated and was an afterthought in some respect.

But I'm seeing a lot of companies now that, when they're planning new products and services, start asking those questions right away. Is this something we can deliver securely? Should we bring this product to market in this way, when security concerns or privacy concerns are something that we need to consider for our brand, and our employees’ and our supply chain’s protection?

It seems to me that security is now a thought right at the very beginning of planning for new services. Is that the case in your travel?

Los: That’s what I'm seeing, and there's still the maturation that’s happening across the enterprise spectrum where a lot of the organizations -- believe it or not, in 2012 -- are still standing up formalized security organizations.

Not a given

So security is not a given yet, where the department exists, is well-funded, well-staffed, and well-respected. You're getting to that state where security is not simply an afterthought or as it was in an organization in my past job history a decade ago or so. In those types of companies, they would get it done and then say, "By the way, security, if you take a look at this before we launch it, make sure it’s given virtual thumbs up. You’ve got about 20 minutes to go."

If you can get away from that, it’s really about security teams stepping up and demonstrating that they understand the business model and that they're there to serve the organization, rather than simply dictate policy. It’s really a process of switching from this tight iron-grip on control to more of a risk model.

It's sort of a cliché, but IT technology risks understanding acceptance and guidance. I think that’s where it’s starting to win over the business leaders. It’s not that people don’t care about security. They do. They just don’t know they do. It’s up to us to make sure that they understand the context of their business.

Gardner: John, is that ringing true for you at Liberty Mutual, where there is more concern and thought put into security as you're bringing products and services to market and as you're considering what new products and services to bring to market?

McKenna: It absolutely is. It goes from the top on down. Our board certainly is reading the headlines every day. Where there are new breaches, their first question is, "Can this happen to us?"

So it certainly starts there, but I think that there absolutely is an appreciation at our strategic business units, the leadership, as well as the IT folks that are supporting them, that as we're rolling out new capabilities, we have a responsibility to protect the brand and the reputation. So they're always thinking first about exactly what the threats and the vulnerabilities might be and what we have to do about it.

We’ve got a lot of programs underway in our security program to try to train our developers how to develop application, secure coding practices, and what those need to be. We’ve got lots of work related to our security awareness program, so that the entire population of 45,000 employees has an understanding of what their responsibilities are to protect our company's information assets.

I will use a term used by a colleague that Raf and I know. Our intent is not to secure the company 100 percent. That’s impossible, but we intend to provide responsible defenses to make sure that we are protecting the right assets in the right way.

Los: That’s very interesting. You mentioned something about how the board reads the headlines, and I want to get your take on this. I'm going to venture a guess. It’s not because you’ve managed to get them enough paper, reams of paper with reports that say we have a thousand vulnerabilities. It’s not why they care.

Quite a challenge

McKenna: Absolutely right. When I say they're reading the headlines, they're reading what’s happening to other companies. They're asking, "Can that happen to us?" It's quite a challenge -- a challenge to give them the view, the visibility that is right, that speaks to exactly what our vulnerabilities are and what we are doing about it. At the same time, I'm not giving them a report of a hundred pages that lists every potential incident or vulnerability that we uncovered.

Los: In your organization, whose job is it? We’ve had triangulation between the technical nomenclature, technical language, the bits and bytes, and then the stuff that the board actually understands. I'm pretty sure SQL injection is not something that a board member would understand.

McKenna: It's my job and it's working with my CIO to make sure that we are communicating at the right levels and very meaningfully, and that we’ve, in fact, got the right perspective on this ourselves. You mentioned risk and moving to more of a risk model. We're all a bit challenged on maturing, what that model, that framework, and those metrics are.

When I think about how we should be investing in security at Liberty Mutual and making the business case, sometimes it's very difficult, but I think about it at the top level. If you think about any business model, one approach is a product approach, where you get specific products and you develop go-to-market strategies around those.

If you think about the bad guys and their products, either they're looking to steal customer information, they are looking to steal intellectual property (IP), or they're looking to just shut down systems and disable services. So at the high level, we need to figure out exactly where we fit in that food chain? How much bigger risk are we at at that product level?

Gardner: I've seen another on-ramp to getting the attention and creating enough emphasis on the importance of security through the compliance and regulation side of things, and certainly the payment card industry (PCI) comes to mind. Has this been something that's worked for you at Liberty Mutual, or you have certain compliance issues that perhaps spur along behaviors and patterns that can lead to longer-term security benefit?

McKenna: We're a highly-regulated industry, and PCI is perhaps a good example. For our personal insurance business unit, we've just achieved compliance through QSA. We’ve worked awfully hard at that. It’s been a convenient step for us to address some of these foundational security improvements that we needed to make.

We're not done yet. We need to extend that and now we're working on that, so that our entire systems have the same level of protections and controls that are required by PCI, but even beyond PCI. We're looking to extend those to all personal identifiable information, any sensitive information in the company, making sure that those assets have the same protections, the same controls that are essential.

Gardner: Raf, do you see that as well that the compliance issues are really on-ramp, or an accelerant, to some of these better security practices that we've been talking about?

Los: Absolutely. You can look at compliance in one of two ways. You can either look at a compliance from a peer’s security perspective and say compliance is hogwash, just a checkbox exercise. There’s simply no reason that it's ever going to improve security.

Being an optimist

Or you can be an optimist. I choose to be an optimist, and take my cue from a mentor of mine and say, "Look, it's a great way to demonstrate that you can do the minimum due diligence, satisfy the law and the regulation, while using it as a springboard to do other things."

And John has been talking about this too. Foundationally, I see things like PCI and other regulations, HIPAA, taking things that security would not ordinarily get involved in. For example, fantastic asset management and change management and organization.

When we think security, the first thing that often we hear is probably not a good change management infrastructure. Because of regulations and certain industries being highly regulated, you have to know what's out there. You have to know what shape it's in.

If you know your environment, the changes that are being made, know your assets, your cycles, and where things fall, you can much more readily consider yourself better at security. Do you believe that?

McKenna: It's a great plan. I think a couple of things. First of all, about leveraging compliance, PCI specifically, to make improvements for your entire security posture.

So we stepped back and considered, as a result of PCI mapped against the SANS Top 20 cyber security controls, where we made improvements. Then, we demonstrated that we made improvements in 16 of the 20 across the enterprise. So that's one point. We use compliance to help and improve the overall security posture.

As far as getting involved in other parts of the IT lifecycle, absolutely -- change management, asset management. Part of our method now for any new asset that's been introduced into production, the first question is, is this a PCI-related asset? And that requires certain controls and monitoring that we have to make sure are in place.

Los: That one question probably kicks off more security conversation than you would ever have before.

McKenna: Right, absolutely agree with you.

Gardner: I'm also looking at this larger theme of what's different now than, say, five years ago? I often hear that the types of threats are different. You mentioned the types of bad guys are different. We often hear now more about nation-states being involved rather than college students being mischievous.

I know it’s going to vary by company to company, in vertical industry by industry, but do you sense that you're dealing with a different type or higher level of sophistication when it comes to threats now, John?

Level of sophistication

McKenna: We're certainly dealing with a higher level of sophistication. We know that. We also know that there is a lot we don't know. We certainly are different from some industries. We don't see that we're necessarily a direct target of nation-states, but maybe an indirect. If we're part of a supply chain that is important, then we might still get targeted.

But my comment to that is that we've recognized the sophistication and we've recognized that we can't do this alone. So we've been very active, very involved in the industry, collaborating with other companies and even collaborating with universities.

An effort we've got underway is the Advanced Cyber Security Center, run out of Boston. It's a partnership across public and private sectors and university systems, trying to develop ways we can share intelligence, share information, and improve the overall talent base and knowledge base of our companies and industry.

Gardner: Raf, rising sophistication of security threats.

Los: This is something that's been building. When we started many years ago, hacking was a curiosity. It moved into a mischief. It moved into individual gains and benefits. People were showing off to their girlfriend that they hacked a website and defaced it.

Those elements have not gone away, by the way, but we've moved into a totally new level of sophistication. The reason for that is that organized crime got involved. The risk is a lot higher in person than it is over the Internet. Encrypting somebody's physical hard drive and threatening to never give it back, unless they pay you, is a lot easier when there is nobody physically standing in front of you who can pull a gun on you. It's just how it is.

Over the “Internet,” there is anonymity per se. There is a certain level of perceived anonymity and it's easier to be part of those organized crimes. There are entire cultures, entire markets, and strata of organized crime that get into this. I'm not even going to touch the whole thing on activism and that whole world, because that’s an entirely different ball of wax.

But absolutely, the threat has evolved. It's going to continue to evolve. To use a statement that was made earlier this morning in a keynote by Bruce Schneier, technology is often adapted by the bad guys much faster than it is with good guys.

The bad guys look at it and say, "Ooh, how do we utilize it?" Good guys look at a car and say, "I can procure it, do an RFP, and it will take me x number of months." Bad guys say, "That’s our getaway vehicle." It’s just the way it works. It's opportunity.

Gardner: So not only more sophistication, but more types of attacks and let’s say a speedier time to risk.

Los: It’s less risk and more reward, and that’s what everybody who's “bad” wants.

Insurance approach

Gardner: I want to go out on a limb a little bit here and only because Liberty Mutual is a large and established insurance company. One of the things that I’ve been curious about in the field of security is when an insurance approach to security might arise?

For example, when fire is a hazard, we have insurance companies that come to a building and say, "We'll insure you, but you have to do x, y and z. You have to subscribe to these practices and you have to put in place this sort of infrastructure. Then, we'll come up with an insurance policy for you." Is such a thing possible with security for enterprises? Maybe you’re not the right person, John, but I am going to try.

McKenna: It’s an interesting discussion, and we had some of that discussion internally. Why aren’t we leveraging some of the practices of our actuarial departments, or risk assessors that are out there working our insurance products?

I recently met with a company that, in fact, brokers cyber insurance, and we're trying to learn from them. This is certainly not a mature product yet or mature marketplace for cyber insurance. Yet they're applying the same types of risk assessments, risk analysis, and metrics to determine exactly what a company’s vulnerabilities might be, what their risk posture might be, and exactly how to price a cyber insurance product. We're trying to learn from that.

Gardner: So, Raf, an interesting concept.

Los: Yeah, it is. As you were talking, I kept thinking that my life insurance company knows how much they charge me based on years and years and years and years of statistical data behind smokers, non-smokers, people who drive fast, people who are sedentary, people who workout, eat well, etc. Do we have enough data in the cyber world? I don’t think so, which means this is a really interesting game of risk.

McKenna: It’s absolutely an interesting point. The fact that you don’t have the metrics is one side of this. It’s very difficult to price. But the fact that they at least know what they should be measuring to come up with that price is part of it. You need to leverage that as a risk model and figure out what kind of assumptions you're making and what evidence can you produce to at least verify or invalidate the model.

Los: On the notion of insurance, I can just think of all the execs that have listened to that, if it’s that insurance, saying, "Great. That means we don’t have to do anything, and if something bad happens the insurance will cover it." I can just see that as a light bulb going on over somebody’s head.

Gardner: It’s not the way it’s going to work. What’s going to happen is, if you don’t do that, you won’t be able to get insurance and the companies that have insurance and that have best practices are going to win in the market. So I don’t think that’s too much of a risk, because that’s not the way any other insurance works either, right John?

McKenna: That’s exactly right, yeah.

Los: I do hope it goes that way. That’s really a good driving force though.

McKenna: Again, we're just trying to learn from it, to understand how we should be assessing our own risk posture and prioritizing where we think the security investment should be.

What's the benchmark?

Gardner: If you take lots of risks, you pay more for insurance. The only question is what you benchmark against. What is good enough? Or do you benchmark against peers and how readily will your peers share data with that insurance company? That’s a dangerous topic.

Gardner: I'll just offer one insight on that -- the log data. If you're an insurance company, you want to find out what the posture of a company is, you have access to big data analysis, and you get access to the log data, you might have a good opportunity to provide more of an empirical view on a company’s posture than they are able to do, and therefore create a value-added service. But that’s just an off-the-cuff observation.

McKenna: I think the challenge is, as Raf mentioned, whether we have the data or the evidence. We have years and years and years of history around vehicle accidents, etc. We don’t necessarily have all the correlations of data with log data and security data that would enable us to paint those historical patterns and understand them.

Los: That’s what I’d be worried about. The causality between, if you do this, take this kind of risk, this is the likely outcome. I'm not sure we completely understand causality quite yet.

Gardner: Let’s move on to one other area before we close off, and that would be other future-of-security trends or possibility. We brought one into the fold, which is this notion of insurance, but is there anything else for you, John, that’s interesting or hopeful in terms of the future of security and risk avoidance?

McKenna: In part this may be why I was put in this position. I have less of a technical security background and more an understanding of our business and how to make business decisions. We're getting much more direct engagement of our business partners or business units in helping us to assess risk and make decisions.

That is something that we're still continuing to work on and we’ve seen some progress there, very good progress. I think we'll see even more progress, so that in fact, all of our, or most of our security decisions, whether it’s investment or risk tolerance levels, are really rooted in a business position.

Gardner: Raf, last word to you, any other concepts for you coming down of interest in terms of where this is heading?

Away from the silo

Los: Security is moving in this direction already, but I think it’s going to continue to move away from being a silo in the enterprise. It's something that is fundamental, a thread through the fabric. The notion of a stand-alone security team is definitely becoming outdated. It’s a model that does not work. We demonstrated that it does not work.

It cannot be an afterthought and all the fun clichés to go with it. What you're going to start seeing more and more of are the nontraditional security things. Those include, as I said, change management, log aggregation, getting more involved into business day to day, and actually understanding.

I can't tell you how many security people I talk to that I asked the question, "So what does your company do?" And I get that brief moment of blank stare. If you can’t tell me how your company survives, stays competitive, and makes money, then really what are you doing and what are you protecting, and more importantly, why?

That’s going to continue to evolve, it’s just going to separate the really good folks, like John, that get it from those who are simply pushing buttons and hoping for the best.

Gardner: I'm afraid we’ll have to leave it there, and with that let me please thank our co-host, Rafal Los, the Chief Security Evangelist at HP Software. Thank you so much.

Los: Thanks for having me again.

Gardner: And I’d also like to thank our supporter for this series, HP Software and remind our audience to carry on the dialogue with Raf through his blog and also the Discover Performance Group on LinkedIn.

I’d also like to extend a huge thank you to our special guest, John McKenna, Vice President and Chief Information Security Officer for Liberty Mutual. Thanks so much, John.

McKenna: Thank you. This was fun, enjoyed it.

Gardner: And you all can gain more insights and information on the best of IT performance management at www.hp.com/go/discoverperformance. And you can also always access this and other episodes in our HP Discover Performance podcast series on iTunes under BriefingsDirect.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT Innovation and how it’s making an impact on people’s lives.

Thanks again for listening, and come back next time.


Transcript of a BriefingsDirect podcast on how insurance company Liberty Mutual has adopted a new, heightened security posture that permeates the development process. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.
