CISOs Step Up Cloud Security as CISA Renewal Stalls


Even before the federal government shutdown began on October 1, the renewal of critical legislation supporting cybersecurity information sharing was overdue.

The Cybersecurity Information Sharing Act of 2015 (CISA 2015) expired on September 30 without being reauthorized, potentially creating gaps in threat awareness for defenders. With CISA approval in legislative limbo and the government shutdown ongoing, what should CISOs focus on to protect their organizations?

CISOs from Root Insurance and Convera offered perspectives on how they shore up the defenses of cloud-based resources during periods of such uncertainty, and explained why information sharing bolstered by national support is vitally important to cybersecurity.

Relevance of Shared Threat Intelligence

CISA 2015 lets companies share information about cyber threats with other companies and federal authorities without facing legal liability. The policy includes Automated Indicator Sharing, a service maintained by the Cybersecurity and Infrastructure Security Agency (also known as CISA, but distinct from the legislation).

Congress’s failure to reauthorize the legislation before its September 30 expiration, now compounded by the government shutdown, has raised concerns about filling the threat intelligence gap.

Companies, of course, can take direct action to secure their in-house resources. However, their cloud-based networks are a different story, as they often rely on third-party providers, making it harder to enforce consistent security controls.

What measures are CISOs taking within their organizations to address potential lapses in information sharing on cyber threats? How can they protect their cloud-based resources that are in third-party hands?

Internal and External Security Assessment

Srini Srinivasan, CISO for car insurer Root Insurance, said his organization’s approach to cybersecurity includes real-time visibility across cloud and on-prem environments and role-based security access. That came in handy, he said, with the lapse of CISA 2015 and other external factors that may affect the security landscape.

“The automated anomaly detection capabilities we have, as well as the behavioral analytics that we deployed, allow us to have good visibility to detect any threats very early,” Srinivasan said.

As questions about the renewal of CISA 2015 linger, he finds some solace with internal intelligence resources and external partnerships with the Financial Services Information Sharing and Analysis Center (FS-ISAC), private coalitions, and security domain forums.

He stated that Root Insurance is more cloud-native than many legacy companies. Srinivasan explained that Root uses cloud security platforms and other tools for automated monitoring to gain visibility into its infrastructure. This includes perimeter and edge protection. Leadership uses simulations and tabletop training exercises to ensure internal readiness.

The company also deploys in-house tools to detect unusual behavior. “If you see something going out of the ordinary, you don’t wait for that to become an issue,” he said.

Vetting cloud vendors is naturally part of establishing security, Srinivasan said, which includes verifying certifications such as SOC2 or ISO 27001 before entering into a partnership.

With CISA 2015’s renewal in question, he said technology and cybersecurity leaders could demonstrate their resilience by continuing information sharing and supporting cooperation. “That means creating a strong internal threat-sharing process within the company, with our stakeholders, as well as joining the public and private coalitions.”

Defunding Cybersecurity Frameworks Threatens Global Security

Sara Madden, CISO for cross-border commercial payments platform Convera, said she has other concerns in mind as federal lawmakers debate.

She is concerned about nonprofit research organization MITRE and its Common Vulnerabilities and Exposures (CVE) program losing funding, which Madden said has been on the chopping block several times. “If we start dismantling the institutions that we rely on for vulnerability management, I can’t do my job as a CISO defending our cloud systems,” she said.

Defenders deal with attacks constantly, Madden said, patching vulnerabilities in systems, but if foundational systems for vulnerability management, CVE reporting, and patches get defunded or lose budget, threats can start to fall through the cracks. “That’s a huge issue for global internet stability.”

The vulnerabilities that defenders need to know about, she said, are the same across many systems. “We all use the same vendors, we all have the same supply chain, and it’s a global problem.” 

Private Threat-Sharing Subject to Distortions

Madden said that while sharing of threat information is voluntary, MITRE helps ensure it is done responsibly. If foundational reporting systems erode, she said the risks can include improper disclosures, such as researchers going public with a vulnerability before a fix is available.

Moreover, some companies might downplay the threats they deal with. “You could have organizations trying to downgrade the severity of a vulnerability,” Madden said. That could lead to critical vulnerabilities being incorrectly ranked as less of an issue.

Though she advocates for companies to come together to share information for the overall greater good of internet stability, even without federal involvement, Madden acknowledged that reality is not so altruistic. “At the end of the day, you end up with a bunch of people that want to participate because they like their logo being involved in the information-sharing organizations,” she said.

Furthermore, she said, only one or two companies may actively share data, while many others on the list may be there just to receive information. When organizations do not see reciprocity, such sharing networks can collapse.

Attitudes about sharing information might also be influenced by the AI arms race, Madden said. “The way you get better at AI is with having more data,” she said. “Why are you going to give that data to somebody else when you could use it as a competitive advantage for you?”

Overall, Madden said, the threat landscape has not changed much over the decades, but the monetization that bad actors seek has shifted from malware to ransomware. “It always comes down to the fundamentals of vulnerability management, and visibility, and controlling your endpoints.” That is why resources such as MITRE are essential, she said, to better inform defenders.

The Silver Lining

The cloud, ease of automation, and enhanced visibility represent notable evolutions in security that help defenders, Madden said. When the cloud first emerged, it was easy for attackers to target assets because it was hard to manage the infrastructure perimeter and know which systems were on the internet. “What is really awesome in the cloud now is the level of visibility we have,” she said. “I have better visibility into everything that’s going on in the environment than I ever have.”

When information about threats is scarce, defenders must be creative, but Madden’s strategies for securing cloud resources remain clear. “It’s really about visibility, vulnerability management, and endpoint,” she said. “It’s endpoint control.”


