Eli brings over 25 years of IT and Information Security experience and has been a strategic and thought leader for both the private and military intelligence sectors. Prior to Guardicore, Eli led the Cyber Intelligence team for Israeli Inter-University Computation Center (IUCC), serving the eight largest academic institutions in Israel. Previously, Eli was the CISO for Comverse, where he was responsible for numerous security programs and initiatives across over 40 countries.
The Strategic CISO: Bringing Value to the Business
No working day of a CISO is the same as the one before. Most CISOs will tell you they probably know how their day starts but never how it will end. The CISO is required to maneuver between a large number of tasks, demonstrate technical and managerial skills, and be strategic with the stakeholders and tactical with the execution teams.
Traditionally, the CISO role has been focused on technical skills, with responsibility over the security infrastructure. Due to ongoing changes in the organization's environment, higher dependency on the IT infrastructure, regulation and digital transformation, the CISO role has become more strategic: involved in the business goals, HR recruitment and training, regulations and standards, adoption of new technology and more.
Expect the unexpected
The CISO today is required to make quick decisions; the changes are fast and the requirements are many. "Expect the Unexpected" is probably the motto of many CISOs. A workday begins with reading Slack messages and emails and responding quickly to the issues that arise. Issues that require more comprehensive attention go into the queue. Later on, one of them can turn into an emergency after further reading of updates from cyber security sites that raised an alert about a vulnerability in a product or software component the organization uses: an event that requires an immediate inspection of the infrastructure and a fast response to mitigate the exposure.
The organization has no clear barriers anymore
The shift of on-prem services to the cloud, and working from home as a result of the COVID-19 pandemic, put a lot of pressure on the CISO. The Information Security Department is required to analyze the risks of each application the organization would like to adopt, make the proper decisions and define usage procedures that enable application use without putting customer and organizational information at risk.
But it is not only that: with the move to the cloud, remote work and the wide propagation of new threats, the organization has no clear barriers anymore, and the traditional security infrastructure fails to provide any advantage.
The variety of challenges the CISO needs to address is wide
To stay in control of the daily changes in security posture, the CISO needs proper dashboards that provide clear visibility of the status of information security. Normally no more than two or three dashboards.
As a CISO I am concerned by a number of issues:
- The level of internet exposure that may allow unauthorized access by attackers to enterprise systems (e.g. web sites, DNS servers, email servers, customer cloud systems, cloud services).
- Information security threats within the organization: risks that can also lead to unauthorized access or damage to information, by external parties, internal entities and the supply chain.
As stated earlier, the corporate network has become complex: distributed infrastructure in multiple datacenters, hosting services and cloud services. The variety of challenges the CISO needs to address is wide, ranging from insecure applications, covert (leakage/access) channels, privilege abuse, misconfigured servers and networks and missing security patches to social engineering and more.
Reduce risk level, regardless of where assets are physically located
One of the first decisions we made in order to reduce the level of exposure and mitigate lateral movement risks, whether from human attackers, worms or ransomware, was network segmentation with strict access rules, which became a Zero Trust project.
Using Centra from Guardicore, we have created secure virtual zones, similar to the well-known VLAN, except that the secured assets no longer depend on their physical location on the network, on the switch ports or on the firewall interface. Using an advanced label mechanism we created groups and subgroups based on type, role and application similarity, with identical security requirements. Using a sophisticated set of rules we created strict access permissions between the different labels, up to the application layer of the TCP/IP model. All this, as stated, regardless of where the assets are physically located: in the main datacenter, hosted in the backup server farm, in Google, Amazon or Azure, or roaming laptops at home.
The excellent traffic visualization capabilities of Centra allowed us to map the connections between the various servers and applications up to the application layer. Using built-in templates combined with network traffic maps, we have been able to generate security rules quickly and to isolate traffic whose purpose we could not identify, for further investigation.
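To make the label-based model concrete, here is an added example (not Guardicore code and not the author's environment) of a minimal policy evaluator: assets carry labels, rules allow label-to-label access on a given port, everything else is denied, and a flow to a peer missing from the inventory is flagged as unidentified for investigation. Asset names, labels and locations are constructed.

```python
"""Label-based segmentation policy: access is decided by labels, never by location."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    labels: frozenset   # e.g. {"role:web", "app:crm", "env:prod"}
    location: str       # informational only; the policy never reads it


@dataclass(frozen=True)
class Rule:
    src_label: str
    dst_label: str
    port: int
    proto: str = "tcp"


# Constructed inventory: hypothetical hosts spread over datacenter, cloud and home.
INVENTORY = {
    "web-01": Asset("web-01", frozenset({"role:web", "app:crm", "env:prod"}), "main-dc"),
    "web-02": Asset("web-02", frozenset({"role:web", "app:crm", "env:prod"}), "azure"),
    "db-01": Asset("db-01", frozenset({"role:db", "app:crm", "env:prod"}), "hosted-farm"),
    "dev-laptop": Asset("dev-laptop", frozenset({"role:workstation", "env:dev"}), "home"),
}

# Allow list; any flow not matched by a rule is denied (zero-trust default).
RULES = [
    Rule("role:web", "role:db", 5432),          # CRM web tier may reach the database
    Rule("role:workstation", "role:web", 443),  # users reach the web tier only
]


def evaluate(src: str, dst: str, port: int, proto: str = "tcp") -> str:
    """Return 'allow', 'deny' or 'unidentified' (a peer is missing from the inventory)."""
    s, d = INVENTORY.get(src), INVENTORY.get(dst)
    if s is None or d is None:
        return "unidentified"   # isolate and investigate before writing a rule for it
    for r in RULES:
        if (r.src_label in s.labels and r.dst_label in d.labels
                and r.port == port and r.proto == proto):
            return "allow"
    return "deny"


if __name__ == "__main__":
    # Same labels, different locations: the Azure web node gets the same decision as the DC one.
    print(evaluate("web-01", "db-01", 5432), evaluate("web-02", "db-01", 5432))
```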
Threat Hunting and Threats Discovery
The fine network mapping capabilities of Centra, combined with an advanced set of APIs, are regularly used not only by the IT teams to detect network problems and failures, but mainly by the Cyber Security team and myself for Threat Hunting and Threat Discovery in the network, in addition to investigating security events.
Some examples of our Threat Discovery use of Centra to improve the information security level and reduce threats:
- Insecure Applications: search for unauthorized applications that can compromise network security, like P2P or remote desktop applications.
- Covert Channels: discover traffic that goes under the radar, like embedded base64 in the command line or direct DNS connections to internet servers.
- Insider Threats: search for users' malicious activity, e.g. use of scanning or tcpdump tools.
- Misconfigured Servers and Networks: look for missing patches and known vulnerabilities.
- Data Loss: search for file sharing tools or abnormal traffic volume to the internet.
- Privilege Abuse: check for services running under highly privileged accounts, or access to production databases with development tools.
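As an added example (not Centra's API and not the author's rules), the checks from the list above expressed as detection logic over constructed flow/process records: suspect tools, a base64 run in a command line, DNS sent past the sanctioned resolvers, remote desktop to the internet, oversized egress, and services running under privileged accounts. Internal ranges, resolver address, thresholds and the sample records are constructed.

```python
"""Threat-discovery checks over constructed flow/process records (added example)."""
import re
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # constructed ranges
CORP_RESOLVERS = {"10.0.0.53"}                        # constructed: sanctioned DNS servers
SUSPECT_TOOLS = {"nmap", "masscan", "tcpdump", "utorrent"}  # scan / sniff / P2P binaries
REMOTE_DESKTOP_PORTS = {3389, 5900}                   # RDP, VNC
PRIVILEGED = {"root", "SYSTEM", "Administrator"}
EGRESS_BYTES_LIMIT = 500 * 1024 * 1024                # constructed "abnormal" upload size
# A run of 40+ base64 characters standing alone inside a command line
BASE64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/])")


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def inspect(rec: dict) -> list:
    """Return the finding names that apply to one record (empty when clean)."""
    found = []
    external = not is_internal(rec["dst"])
    if rec["proc"] in SUSPECT_TOOLS:
        found.append("insider-threat:tool")
    if BASE64_RUN.search(rec.get("cmdline", "")):
        found.append("covert-channel:base64-cmdline")
    if rec["dport"] == 53 and rec["dst"] not in CORP_RESOLVERS:
        found.append("covert-channel:direct-dns")
    if external and rec["dport"] in REMOTE_DESKTOP_PORTS:
        found.append("insecure-app:remote-desktop")
    if external and rec["bytes"] > EGRESS_BYTES_LIMIT:
        found.append("data-loss:large-egress")
    if rec.get("service") and rec["user"] in PRIVILEGED:
        found.append("privilege-abuse:privileged-service")
    return found


def scan(records: list) -> dict:
    """Map record id -> findings for every record that triggered at least one check."""
    return {r["id"]: f for r in records if (f := inspect(r))}


# Constructed sample records (not real telemetry).
SAMPLE = [
    {"id": 1, "src": "10.1.2.3", "dst": "10.0.0.53", "dport": 53, "proc": "svchost", "user": "svc", "bytes": 300},
    {"id": 2, "src": "10.1.2.4", "dst": "8.8.8.8", "dport": 53, "proc": "updater", "user": "bob", "bytes": 2048, "cmdline": "updater --data " + "QUJD" * 12},
    {"id": 3, "src": "10.1.2.5", "dst": "10.2.0.9", "dport": 22, "proc": "tcpdump", "user": "dev", "bytes": 10},
    {"id": 4, "src": "10.1.2.6", "dst": "203.0.113.10", "dport": 3389, "proc": "mstsc", "user": "ann", "bytes": 900 * 1024 * 1024},
    {"id": 5, "src": "10.1.2.7", "dst": "10.2.0.10", "dport": 5432, "proc": "reportd", "user": "root", "bytes": 500, "service": True},
]

if __name__ == "__main__":
    for rid, findings in scan(SAMPLE).items():
        print(rid, findings)
```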