How sharing information can help strengthen cyber defenses [Q&A]
Organizations face a greater range of cyber threats than ever before. The key to dealing with these threats is better intelligence about the latest vulnerabilities.
We spoke to Jay Prassl, CEO of cyber hygiene startup Automox, which has recently launched an open community to foster cyber hygiene best practices, to find out more about how crowdsourcing and information sharing can help reduce the corporate attack surface.
BN: Why is good cyber hygiene so important?
JP: Experts don't start out immediately executing complex tasks. They learn and master the basic fundamentals first, growing their knowledge and abilities over time to become the best in their field. Cybersecurity is no different. An organization's cyber hygiene represents the foundation on which effective security programs can be built. Simply put, if you are not doing the basics well, little else in security matters.
Solid cyber hygiene enables organizations to remove systematic exposure by hardening IT environments and the assets within them through things like patch management and applying software updates and security configurations. These tasks are increasingly important given hackers are constantly searching for entry points into organizations of all sizes.
A complete cyber hygiene program makes the organization a smaller target and with this foundation, they can build world-class security programs that adequately protect their assets and enable businesses to focus on more strategic initiatives that move the needle.
BN: How does information sharing help organizations improve their security posture?
JP: To simplify things a bit, the enterprise threat landscape is a two-team game: organizations of all sizes vs hackers -- a true good guys vs bad guys scenario. Why wouldn’t the good guys share actionable information amongst themselves that makes everyone better at enterprise defense?
It makes sense for organizations to be involved in information sharing model for cybersecurity, where like-minded individuals can share best mitigation practices, how hackers are targeting systems and what processes work best to prevent certain types of attacks. This is what we’re aiming to do with our recently launched community -- Automox Alive.
We've made a community where security pros can take and share ideas among their peers. From security concepts, best practices, cyber hygiene and so much more, Alive is an open ecosystem for the conversation to happen.
In the collective fight against cyber attackers, the 'good guys' will only improve if we do everything we can to pool our resources to improve how we deploy people, processes and technology to bolster cyber defense.
BN: Are bug bounties effective in promoting disclosure of vulnerabilities?
JP: Bug bounties, when implemented and supported properly, are a healthy tactic and partnership between researchers and vendors. They represent an effective way for organizations to receive third-party vulnerability feedback before the risk usually impacts the user base, all while financially rewarding the talents of the independent researchers. They, however, do not provide immunity to organizations when it comes to practicing internal audits and implementing their own cyber hygiene practices.
BN: What's your view on the cyber skills shortage? Does automation actually help?
JP: A recent study from ESG notes that 53 percent of IT professionals note they have a problematic shortage of cybersecurity skills at their organization -- up from 42 percent only three years ago. It's clear the gap between industry needs and available talent is increasing.
To help fill in the gaps that organizations are dealing with, organizations are choosing to add automation into the mix to make employee workflows more efficient. It has already proven to be a valuable executor in a handful of different security tasks, from data crunching and network analysis to patch and security configuration management – tasks that were historically labor intensive and time consuming.
Automation is far from a silver bullet when it comes to security, but its effectiveness continues to improve across a variety of security use cases, taking care of mundane tasks that used to bog down valuable security professional resources. With that in mind, yes, automation does actually help with the cyber skills shortage, but it's important that organizations recognize that the technologies are implemented with the idea of enhancing the abilities of human security pros rather than trying to replace them altogether.
BN: In the future, do we need to move to a more open culture for sharing cybersecurity-related data?
JP: It would be incredibly helpful, so I think so. With how sophisticated attacks have become over the last five years or so, it can become difficult to keep up with the evolving nature and increasing velocity of attacks. By collaborating as a collective industry, security pros will be able to accomplish a lot more and ultimately better protect their respective organizations with more actionable information and tactics at their disposal.