As Steve Martino approaches his 10-year anniversary as vice president and chief information security officer (CISO) at Cisco Systems, his job has morphed from treating security as simply a must-have to treating it as a strategic imperative for the company. His mettle has been tested in recent months – most recently when the WannaCry ransomware attack threatened organizations across the globe, including Cisco. Martino sat down with us to discuss how Cisco is preparing for the ongoing battle with fast-growing cybercrime networks.
How was Cisco affected by the WannaCry attack?
It was an event, but the teams knew what to do. We had processes to deal with it — to escalate and communicate. In the end, it was a lot of work to double-check and make sure everything was fine. We certainly had to do some scrambling and deal with active attacks and potential events, but we were prepared.
Now that the dust has settled from the WannaCry attack, what have you learned about Cisco’s cyber defenses?
One thing that we took away from this event was the further realization that these kinds of events will happen more often with less time between a patch being available and someone taking advantage of the particular vulnerability, so we’re looking at that speed and timing and saying how can we shrink it to even less [time].
The other takeaway is that this [cyberattack] technique is not going to be isolated to this one event. We will see others adapting and modifying the technique to bring new threats. That’s really part of what I think has changed in doing cybersecurity. Five to 10 years ago, we had people wanting to make a statement and disrupting services. We had hobbyists doing things to see what they could do, and we had nation-state actors. Today, while they still exist, I think most organizations can defend from the hobbyist and many of the people wanting to make a statement. It’s very hard to protect yourself from a nation state as an individual company.
The cybercrime network has matured and developed very quickly. Much like normal companies that are figuring out how to deliver their services at scale using web technologies, the cybercriminals around the world are doing the same thing, and they’ve built a supply chain that’s very effective. It starts with individuals who might be in a struggling country, but they have internet connectivity.
They don’t have a way of making a living, so they can now do social engineering. They might use a simple tool to look across areas of the internet that are exposed to find unpatched hardware and/or systems that are running a particular version of software, and bundle those up and sell them to somebody else. They’re trying to make $50 or $100 a day, but it gives the cybercrime networks thousands of people that are out doing activities that they can leverage in a bigger supply chain.
How does an organization as big as Cisco stay agile in cybersecurity detection and prevention?
My team can’t be everywhere and see everything, so you have to embed it into the business processes of the company. We created security champions or advocates. We call them different things in different parts of the company, but we recruit people, create a role for them in their own organization where security is the focus. We train them on security principles and help them understand how to apply security in their role.
It makes security more of a priority in that embedded team, to think about it earlier and more often. [Also] the more I can do that and really embed it, the less I need a bigger core [information security] group to oversee it. It’s really baked into the process.
The second thing we did is realize that bad things are going to happen. I need good security to prevent 95 percent of the bad things from happening, [but] you need to be able to deal effectively with that 5 percent — and that is not 5 percent of your security budget. That’s more like 50 percent of your security budget into active response.
I hold my team that is looking for bad things happening in our environment to two metrics: 24 hours to find it, and 36 hours to contain it. The average industry breach is upwards of 160 days before somebody has figured out they have an active adversary event going on in their environment. If you can find it and contain it, you’re going to greatly limit your damage, but you have to actively invest in that process.
What can companies do to protect themselves from these growing threats?
It’s not all doom and gloom. I think there are three things that every organization needs to do.
First, understand and figure out how important security is in your strategy. If you’re a digital company and you’re bringing products and services to customers through a digital enterprise, then you need to embed this in your strategy and embrace it.
Second, you need this defense that I spoke about [earlier]. Do I have the right moats and walls around my castle, [and] can I respond actively to threats when they happen, whether I do that myself or have a vendor or partner [to assist]?
The third element that I think is important is having situational intelligence to help you understand who would attack you and in what ways, and then have the right defense to deal with it.