
By Ilan Abadi, Vice President and Global CISO at Teva Pharmaceuticals

The APT era is here. Attacks are becoming more common and the level of damage is increasing in severity. As CISOs, we must prepare for the APT era. We must commit to changing our attitude, not only to adopting advanced technological tools. The current awareness is not sufficient for this era, and in this article I will share my experience in increasing the ability to contain APTs from a Tactical Strategic Relationships (TSR) perspective.

Lateral movement has become an art form adopted by attackers. They work according to a regulated playbook, and every action is carefully calculated to stay under the radar. The use of obfuscation tools and the fast deletion of traces of any operation make this activity very difficult for cyber security systems to detect. Among the goals of lateral movement is gaining control over privileged accounts but, like any human, the attackers sometimes make mistakes. A random, irregular action can raise general (but insufficient) suspicion that links the incident to a hostile cyber-attack. Unfortunately, the current awareness plans applied by an enterprise with a global presence and thousands of employees are ineffective in the event of such an attack. Professional, ongoing relationships with strategic partners inside and outside your organization should be created in order to link abnormal activity to an APT attack and contain the cyber event quickly.

Despite my extensive experience, I am not a great relationship expert and will probably still be in the learning stage for the rest of my life. I do know, however, that there are a number of basic elements in any relationship that are mandatory for success.

Choosing a Partner

I give first priority to choosing the partner to build a relationship with. Time is precious; we cannot build many relationships, and certainly not in an enterprise that has tens of thousands of employees, hundreds of departments and is located in numerous places around the globe. We need to carefully select the relationships we want. I would choose them based on their criticality to the organization and their proximity to the areas we know are most vulnerable to attack. Sometimes, these partners sit outside the organization. Major consideration, for example, is given to vendors whom we need to drop into the Battle Zone. IR teams and Threat Hunting teams rely on these deep, professional relationships; otherwise they suffer from a long curve of ineffectiveness.

Investment

When we want a relationship to succeed, we must invest in it. If we decide to invest, we will of course need the appropriate resources. First, create a dialogue with the department’s management. Make an effort to understand their business and build relationships with key employees. Participate in and create joint meetings to ensure a continuous, mutual understanding of a common goal: protecting the organization. Stress the importance of paying attention to things that seem unusual. Become an advisor to help decrease the number of False Positives. And keep at it. Without regular cultivation, assume that even a strong, well-built relationship will fail to identify and contain an APT event.

Routine

Routine is the enemy of every relationship. Falling into a routine creates a kind of numbness that breeds apathy and ill-preparedness. As a result, keep relationships fresh. Cyber-attacks are reported almost every day and are a source of interest to people. We as CISOs can educate employees and give them the tools to avoid a cyber-attack in the home or office. Schedule “Lunch and Learn” sessions. Invite your vendors to present. These activities create mutual added value and help you reach your ultimate goal: maintaining a workplace that provides security for the organization, its employees and their families.

There are very few indications that you’re under attack by an APT. When you do discover it, you need to react fast and smart. By maintaining a Tactical Strategic Relationship with key players, you can alert and mobilize them quickly. And when you “drop” an IR professional vendor into the Battle Zone, they will be more effective in a shorter period of time. The end result is containment and it’s attributable to the TSRs you’ve built and maintained.

Today, more than ever, the CISO’s role is complex; we are required to create a resilient and fast recovery system in the event of a cyber-attack. A cyber-attack’s impact is significant in terms of money and time. If we look around, we will see that organizations today lose tens of millions of dollars and more to these events. Recovery times are prolonged, which drives costs up further. Sustained investment in Tactical Strategic Relationships with specific IT/Business teams and vendors will therefore help us to act faster and contain the damage from these next-generation attacks.

Ilan Abadi is Vice President and Global CISO at Teva Pharmaceuticals.