Photo - Dr Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia, opens the 10th Computerworld Malaysia with his keynote on the current threat landscape.
Organised by Executive Networks Media, the 10th edition of Computerworld Malaysia Security Summit 2016, held at InterContinental Kuala Lumpur on 14 April 2016, attracted more than 200 information security practitioners from all industry sectors.
During the event, which included real-time electronic voting, expert speakers and IT leaders noted that cyberattacks have escalated in frequency, severity and impact. To stay ahead of these challenges, information security must remain nimble, flexible and resolute. Some of the themes discussed in the keynotes and two industry panels also put the spotlight on information security's value to enterprises, the agility required to predict and respond to threats, and the repercussions of attacks on businesses in the digital age.
"Cybersecurity has become a national security challenge, and Malaysia is not immune to such attacks," said national agency CyberSecurity Malaysia's chief executive officer, Dr Amirudin Abdul Wahab, who started the summit with his keynote opening address. "The attacks are growing in sophistication and complexity, and are damaging as they harm critical infrastructure across different sectors."
"Traditional cybersecurity approaches are no longer sufficient to address the new breed of cyberattacks as most depend heavily on signatures and known patterns," he continued. "This is not effective in identifying unique customer malware. Traditional approaches also leave significant gaps in defences with most malware lying dormant and remaining undetected."
"While the traditional approach relies on prevention, detection and responsiveness, the new adaptive cybersecurity strategy includes the ability to predict attacks," said Dr. Amirudin. "Big data analytics helps to protect digital assets. Collecting and analysing data allows us to predict and simulate current and future threats. Through forecasting and modelling, organisations can use evident-based knowledge to identify attack patterns, thus minimising threats."
"To create a secure, resilient and trusted cyber environment and stay ahead of changing threats, there has to be cybersecurity protection that is dynamic, holistic and adaptive with a flexible, intelligent strategy to counter the emerging trends in advanced attacks," he concluded.
National ICT agency Malaysia Digital Economy Corporation (MDEC) Infotech Industry Development head of Information Security, Victor Lo concurred. "A paradigm shift is required. Security is a catalyst for digital transformation and threat intelligence is a game changer," said Lo. "With digital transformation and the growth of disruptive technology in social, mobile, analytics, cloud and the internet of things, risk management needs higher attention. Businesses have to be aware of threats and the data security risks of digital enablement. This is vital when aligning digital projects to cybersecurity obligations."
Security adds value to business
"It is important to always remember that businesses do not exist to comply with IT security policies and guidelines," said Prudential Assurance Malaysia head of IT Governance, Gan Geak Sue. "As IT professionals, our role is to provide value to companies by helping them run their businesses securely. This we can do by understanding and mitigating the risks."
"We need to understand the business challenges when implementing security controls. Any policy adopted must not hinder business but help solve business problems. Consider its effect on users and provide business users with alternatives," he advised. "We must also be able to clearly communicate what these risks mean to the business. IT security is not just about playing defence. We need to move forward and innovate securely."
Such innovation included keeping up with the pace of technological change. "Software is the engine driving fast-changing IT. From infrastructure to application, IT resources will be delivered as a service, allowing users to purchase IT on-demand, which is instantly available," declared Sangfor Technologies chief product and marketing officer, Jackie Chen. ""Current IT infrastructures are siloed and complex, with bottlenecks and a rigid infrastructure. Future infrastructures will be commoditised and consolidate compute, storage, network and security, thus reducing cost and vendor lock-in."
The new security landscape
There is no part of your business immune to a security breach. "Depending on the type of attack, any incident will leave an impact be it loss of records, revenue or reputation," said Check Point APAC, Middle East & Africa head, Emerging Technologies, Evan Dumas.
Understanding the cyber kill chain could help organisations to think like an attacker and fortify their defences. "Attacks follow a sequence of events; it come in phases. The earlier you can detect an attack, the better it is for you," explained Dumas. "Timing is everything. First, you try to block something from entering your defences. If it gets through, how fast you react is critical. The longer an attack remains undetected, the longer it takes to contain it and the more expensive it becomes to fix."
He continued, "Multi-layered security can help you prevent, detect and contain attacks quickly. Stand-alone solutions have very little value, but in conjunction with other layers, it provides a better level of security and is more cost effective."
Arbor Networks sales engineering director, Asia Pacific, Tony Teo agreed that a multi-layered approach worked best. "Today's distributed denial-of-service (DDoS) attacks use a dynamic combination of volumetric, transmission control protocol (TCP) state-exhaustion and application layer attack vectors. A layered approach to protection, backed by continuous threat intelligence, helps stop such attacks," he stated.
"This means stopping attacks volumetric attacks in the cloud before the attacks saturate circuits and overwhelm on-premise security devices, and stopping application layer attacks on premises where you have more control over protection of services that matter most. There needs to be intelligent communication between the two environments to stop dynamic, multi-vector attacks," he said.
The human factor
The human factor is sometimes seen as a weak link in an organisation's security armour. Whilst acknowledging that, Export-Import Bank of Malaysia's head of IT Infrastructure Management, AVP, Mohd Rezal bin Hj Zakaria believed organisations had to play their part in mitigating the weakness. "Security is dependent on intent. People may not be aware of the risks. Businesses have to educate users and make them aware of their responsibilities in keeping the organisation secure," he said.
Mass Rapid Transit Corporation deputy general manager, IT, Maz Mirza Mohd Aminurashid added, "Breaches are not just security or technology issues, but business issues. Interactive education works best in creating an awareness of the impact of breaches on businesses and on individuals as well."
Such awareness applied to top management too. "Senior management are not always aware of the latest security threats. It is important to keep them updated of the risks which can affect the overall business," said Felda Global Venture Holdings (FGV) head of IT Planning, Strategy and Governance, Nishal Bipinchandra
Picking up on that theme, Sime Darby head of Information Risk & Security Management, Aizuddin Mohd Ghazali said, "How you communicate the risks and threats to senior management is important. Transform your context from technical jargon to discussing what they really want to know - the business impact. Take a holistic approach in briefing them of the risks without giving them false hope, and have a response plan of what you intend to do in case of a breach."
"We like to think that attacks are external but more often than not, threats come from within," said Forcepoint principal technical consultant, South East Asia, Brandon Tan. "Visibility is at the crux of the issue. The digital revolution has obfuscated visibility, and organisations cannot manage threats that they cannot see. Behavioural analytics can mitigate the insider threat by restoring some visibility. By collecting and analysing data which pinpoints the riskiest users, enterprises can identify users performing the highest risk activities."
"Everyone should be equipped with basic knowledge while dealing with threats," said Palo Alto networks solution architect, Aaron Chan. However, you cannot control what you do not know."
He continued, "Governance is an ongoing process and should be collaborative effort. It can be improved through sharing, educating and elevating awareness, as well as through security reporting and use of correlation tools. When planning a security blueprint, make sure you understand the business and its risk, and define an architecture that promises economies of scale."
Leveraging on technology
"With enough data, technology and human insights, the past can help you tell the future," said Standard Chartered Malaysia head of Information Security, Chia Wing Fei. "Having a consistent stream of data is important for analytics which can help identify issues and provide solutions. Data history helps us build a more reliable model where we can detect behaviour anomalies and outliers."
By integrating human insights with technology, a clearer profile would emerge. "Human insights are valuable. We need people with critical thinking mindsets to make sense of the data. It is easy to profile what is normal but attackers continually change how they carry out attacks," said Chia. "To understand and predict the future, we need to rely on both human insights which can interpret behaviour analytics whilst leaving the hard work to machines."
With more enterprises adopting cloud technology, behavioural analytics extended to the cloud. "The biggest risk in cloud security is the lack of visibility on what users are doing and the information which is being shared," said Bluecoat/Elastica director of System Engineering - Cloud, Asia, Justin Hammond. "Organisations are responsible for users' activities and data. However, traditional tool sets do not provide that visibility. Technology and control needs to be in place to monitor and identify anomalous activities, and to enforce and control user activities."
"With security becoming more complex, consider the business angle," suggested Dimension Data Asia Pacific regional business development manager, Security Business Unit, Yamin Prabudy. "If your organisation cannot manage security, outsource it to specialists. Leave the monitoring to others and focus instead on building the best security practices and framework applicable to your organisation."
In summing up the day's discussion, Dimension Data Malaysia team lead, Security, Ng Tuck Bin advised organisations to take a proactive approach on security. "Do not wait until something goes wrong. Do your assessment, find your gaps and build a security roadmap for your organisation."
Sign up for CIO Asia eNewsletters.