New Challenges Require New Approach
By Thomas Degardin, Group CISO, Bouygues Construction
Our era of mobility, communication, and collaboration has totally broken these basic principles. New ways of operating and new models have drastically changed our daily work. Companies now operate from multiple locations, share data with their partners every day, store it in the cloud, or buy SaaS solutions. The model of the impenetrable stronghold can no longer protect the company's most sensitive data or help the business survive in our era.
Information security must change its mindset to remain effective against threats:
1) First of all, be data-centric
Your first step must be to become data-centric. Not all of your company's data has the same level of sensitivity, so not all of it needs the same level of protection. Some data can also change sensitivity level during its lifecycle: the release of sales results, for example.
Baseline security functions are mandatory to protect all of your company's data. You must add options and new security functions as the sensitivity level of the data increases. As with Russian dolls, the most sensitive data is also protected by the security functions of the previous levels. This approach lets you focus on the data that is really important for your company and its business. You can allocate your resources and invest massively where it is needed.
To be efficient, you must know what your most precious assets are. The best way to identify them is to ask your business partners directly: which data would they love to retrieve from your opponents? Which data is subject to specific regulation?
2) To be protected against everything?
Of course not! Zero risk doesn't exist, and we should not try to avoid everything.
To stay effective as threats evolve every day, information security must protect the company against the risks that have a real impact and probability.
Again, your best ally is your business manager: through a business impact analysis (BIA), he will describe what he really fears and which threats could impact his business. Are you sure that this malware will stop your supply chain for days, or has your company developed backup procedures? Would you lose money to this transfer fraud, or do you double-check every payment?
In this way, your defense will be adapted to the risks threatening your company. Don't rely only on technologies: invest in people and processes. A holistic approach will help you narrow the information risks. You will focus on your most important assets: you protect the most sensitive data against real threats.
These two approaches, data-centric and risk-oriented, are widely shared in the information security community, but how can you develop an efficient security strategy?
3) A holistic approach
Year after year, generation after generation, technology products have stacked up in your datacenter to protect your data. Sometimes redundant but always mandatory, they may leave you with a wonderful but inefficient security mille-feuille. You should not invest in and rely on technological protection alone; you must also invest in processes and people. Your information security must be equally technological, organizational, and behavioral.
A holistic approach to information security can be divided into five major phases. A governance stream will help you coordinate your strategy.
Anticipation: Security watch over the internet (dark and deep web), study and production of technical standards, security incidents integrated into your company's ticketing tool, cyber-insurance.
Prevention: Security testing (Blue and Red teams), external and internal vulnerability scans, secure code review, server compliance, patch management, user security awareness (good behavior and alerting channel).
Protection: it must be end to end and cover all aspects:
1) Access: Security and compliance of end-user devices (browser, antimalware protection, control of applications, patches), mobile device protection, network access control, traceability of information system access
2) Network: Security and compliance of central and remote sites, transmission encryption, remote access protection, DDoS protection
3) Application: Secured application hosting, datacenter zoning, identity and access management, segregation of production and non-production servers
4) Data: Anonymization, traceability, data encryption, and secure storage
Detection: Detection of external intrusion attempts, monitoring of abnormal internal behaviors
Reaction: Security incident management with human resources (crisis team) and technical resources, reaction plans (virus infection, intrusion, denial of service, information leakage, identity spoofing)
Governance: An organization around your information security is required to track and improve the protection of your company's most sensitive assets. Your organization will be accountable for identifying those critical assets, tracking risks, and controlling the implementation of security functions. IT will also be responsible for integrating information security into IT procedures and contracts.
Be careful not to create silos between your major phases. Each phase must work with all the others:
• The dark web watch (anticipation) will discover new threats, and you will be able to update your monitoring tools (detection).
• Security tests (prevention) will identify new vulnerabilities. You will block specific ports or functions in your web-application firewall (protection) until the right patch is deployed (prevention).
• The results of your reaction plans (reaction) will help you adapt your defense (protection) and your detection capabilities (detection).
This holistic approach helps to manage all aspects of information security and bring a global answer to threats. Every organization must assess its maturity level and define its own security action plan. Each phase is essential, and your information security cannot be efficient if you miss one.