Blending Innovation and Security: A CISO Tells All
November 2017
Topics: Cybersecurity, Computer System, Information Security
Not long before Bill Hill became MITRE's Chief Information Security Officer (CISO), MITRE created a cybersecurity operations center (CSOC) to explore radically different approaches to countering advanced cyber threats, especially from nation-state actors and criminals. As the CSOC began to demonstrate operational success, MITRE recognized there was an opportunity to permanently incorporate some of its approaches into our own information security operations.
The goal? Increase our focus on the adversary and adversarial thinking—without constraining creativity.
Hill was a chief information systems engineer who had worked in both information security and other areas. Right before he took on the CISO role, he provided expert guidance to some of MITRE's sponsors in the intelligence community. One of his greatest strengths lies in helping project teams solve difficult challenges by finding new ways to approach problems and teamwork. That skill set came in handy in his new role.
"When I became CISO, the goal was not so much to fix a problem, but to take the organization to a new level," Hill says. "There was interest in seeing how to institutionalize some of the CSOC's flexibility, innovation, and evolution.
"That's a really tricky thing any time. When you use those two words—'institutionalize' and 'innovation'—they're almost always antithetical to each other."
Evolving Threat-Based Defense
Threat-based defense has long been at the heart of MITRE’s information security strategy. Under Hill’s leadership, MITRE's operational defense seeks continuous improvement against an evolving Advanced Persistent Threat (APT). We tackle the challenges the APT poses through innovation, deep technical analysis, and aggressive threat and intelligence sharing partnerships.
"I'm not sure there's a crisp definition of threat-based defense—lots of people use those words," Hill says. "But for us it means we pay a lot of attention to thinking about what's coming at us. What sorts of things are being sent? Who is sending them? What do they seem to want?"
On one end of the attack spectrum is the low-level, continuous base layer of "noise" that’s attacking everything on the Internet all the time. At the other end are attackers who care about MITRE as an entity, whose goal is something related specifically to us and our employees.
"We think of our adversaries not as 'exploits,' but as people," Hill explains. "And these people definitely are thinking about 'who is MITRE, what do we know about them, how would we get in?' That's why they're called Advanced Persistent Threats. They tend to make a job out of it. They're focused on us long term."
For Threat-Based Defense, There's Strength in Numbers
Because no single company can defend against every threat, cyber defenders must think through the possible outcomes and prioritize: which ones to focus on, and which ones they most want to avoid.
"We evaluate our defensive measures in terms of how they'll play across the spectrum," Hill says. "Generally, no tool works very well across that whole range. Tools like anti-virus and proxy filters are designed for the more basic, noise-level attacks.
"At the other end of the spectrum, we do much more custom activities. We try to learn as much about our adversaries as they learn about us, so we can tune our defenses to either repel them or detect them if they get in."
One way MITRE learns about its adversaries is through vigorous participation in information-sharing groups. There are various types, organized along different principles. For example, some are groups of companies that work for the Department of Defense, since foreign intelligence attackers often seek to obtain defense secrets. Any time one company learns about something—a tool, a new attack, or information about a specific adversary—every other company learns about it too.
"Most adversaries don’t attack one company, they attack more than one company," Hill says. "You’re stronger together than you are apart."
Managing Risk through Partnership
MITRE's work programs focus on innovation and experimentation, including with computers and networks. Staff are free to ask for an exception to any rule, and there's a lot of latitude to do something unusual. MITRE has always had a strong set of information security procedures to enable this kind of innovation, but during Hill’s tenure as CISO, MITRE's information security group redesigned the approval process. Now, information security staff and internal business leaders share risk management together.
The information security group performs a risk assessment, puts together a business case, and facilitates the decision making by determining who in the company has a stake in the decision and needs to be involved. Generally, this is someone within the requester's management chain who both understands their work program needs and can evaluate the business value of the risks.
Hill notes the process works as a partnership: information security makes recommendations, and work program management makes the decision.
"This program has made a remarkable difference in the quality of the conversation and the deliberation that’s happening about risks," he says. "Because these risks are then monitored and managed, we can also report to management on aggregate risk. It lets us treat risk like a lot of other factors in the business—as something that can be managed."
Can There Be an Innovative Yet Secure Digital Future?
MITRE's government sponsors are increasingly concerned about data breaches, and Hill expects tough new requirements to protect sensitive government data. At the same time, MITRE continues to advance the benefits of an innovative ecosystem, so information security will be expected to find ways to enable more connectivity. Those approaches may include partnering with other companies and increasing use of personal productivity tools, such as watches and virtual assistants like Siri and Alexa.
Hill notes the conundrum facing companies that want both security and innovation in the digital sphere.
"Security-wise, we're being pulled in two directions that are virtually opposite to each other, so we have some real security architecture challenges ahead. How do we still do what we have to for security, but also enable a new range of systems, services, and behaviors that were unthinkable before now?
"We’re being challenged to find a way to make them work. So that's going to be our future in a big way."
—by Claudette Bishop