Five Questions With: Chris Taylor

The R.I. State Police this fall hosted a cybersecurity training for employees handling its most sensitive information, with instruction led by MIS Training Institute of Southborough, Mass. The session was part of Rhode Island’s Joint Cyber Task Force efforts. Chris Taylor, an instructor at the institute, says municipalities are finding there is strength in numbers.

PBN: When considering cybersecurity for business, what things are universally important?

TAYLOR: There is a distinct road map to maturity that cybersecurity programs must go through. It is easy to get caught up in the marketing hype and want to skip steps in that path. Without the strong foundation, the rest of the program will falter. This foundation requires an accurate and up-to-date asset inventory. You can’t secure what you don’t know about. It also requires 100 percent visibility of the enterprise.

To get proper visibility requires a way to monitor three basic facets of the enterprise: network security monitoring – not just at the perimeter but also at key barriers and choke points within the enterprise; robust and comprehensive centralized log collection, management and analysis – [getting] data into a single stream in order to get proper correlation of events from different parts of the enterprise; and proper, detailed monitoring of endpoints.

PBN: How does cybersecurity protocol differ for groups in the critical-infrastructure category, such as the R.I. State Police?

TAYLOR: Computers are computers in any industry. So, how we approach cybersecurity does not change just because the industry is designated critical infrastructure. But the level of controls does change depending on the sensitivity of the data being protected, and critical-infrastructure industries will have, on par, more-sensitive data than less-critical industries.

PBN: Rhode Island has a Joint Cyber Task Force, which includes the R.I. State Police Computer Crimes Unit and experts in other industries. Are many states forming alliances such as this?

TAYLOR: Yes. Many states, metropolitan areas and industries have created organizations similar to the [R.I.] State Police’s Joint Cyber Task Force … from Vermont’s Cybersecurity Advisory Team to California’s Cybersecurity Task Force … at least 23 states so far.

Many large metro areas are creating cyberthreat intelligence fusion centers to provide a way for companies in their cities to band together to defend against cyberthreats. There are also information-sharing and analysis centers, ISACs, and information-sharing analysis organizations, ISAOs, which focus on specific industries.

An ISAC exists per presidential mandate to protect critical infrastructure, and an ISAO is the same type of organization for industries not on the federal government’s critical-infrastructure list. Both types of sharing centers allow dozens of other industries to … collaborate in order to create a herd defense. When one member is attacked and shares information about what the attack looks like, other members can alter their defenses to inoculate themselves from the attack before they have to experience it personally.

PBN: Your blog mentions a cybersecurity concept called Zero Trust. What is that and how did it evolve?

TAYLOR: Zero Trust was created by John Kindervag at Forrester Research in 2010. It is a concept that security professionals felt and espoused long before 2010, but this model articulated it so succinctly and cleanly that it has been adopted by many as the best practice for how to approach security.

The concept goes like this: We don’t trust anyone. Not the internet, not our partners, not even our own users. There are varying layers and levels – so I do trust my users more than I trust the internet – but no layer approaches a level where we actually trust them. The way that gets implemented is through security controls that allow us to monitor, detect and respond to every device and user on the enterprise. This takes the form of firewalls and network sensors being placed in the back end of the network to monitor users’ access to servers, endpoint-detection and response tools monitoring users’ workstations, and so on.

This is a more holistic approach than what was taken 20 or 30 years ago, where all the focus was on perimeter security, which allowed us to protect from the internet but provided no way to detect and respond to an insider threat. If I use the old model where all my defenses are in the perimeter and I trust my users, once one of those users opens a phishing email attachment, I lose. I have no way to prevent the spread of the malware. In the Zero Trust model, I’m creating multiple perimeters not just between the internet and the inside but also between different groups of users and between the users and the back-end servers.

PBN: How does the MIS Training Institute manage to keep up on current threats, so its content is relevant?

TAYLOR: Our trainers … when not in the classroom … are consultants and leaders in various businesses across the globe. They are directly engaged in the fight, just as our students are. Our curriculum is under constant rewrites to ensure it stays relevant to changes in the technology, threats and students’ requirements. Working together with leading security companies, we develop and deliver weekly newsletters and articles featuring real-time, expert advice and commentary. Our partnerships allow us to deliver premium, actionable content.

Susan Shalhoub is a PBN contributing writer.