Chief Information Security Officers (CISOs) operate in a world full of systemic risk, fueled by forces beyond their individual control. Unfortunately, despite a myriad of technological advances and the adoption of seemingly countless security products — CISOs have gained little in competitive advantage over their adversaries.
According to a recent World Economic Forum (WEF) future series report, Cybersecurity, emerging technology and systemic risk, “the approach to cybersecurity needs to be overhauled before the industry finds itself in any fit state to tackle the threat.”
Overhauling and future-proofing cybersecurity will require a new strategic technological approach to addressing five global cybersecurity challenges:
- The inability to assess, communicate and manage the financial impact of cyber events – and thus the business risk to the organization
- Increasing sophistication of cyberattacks and cyber adversaries
- Widening cybersecurity skills gap
- Lack of intelligence and operational information sharing
- Underinvestment and lack of business buy-in
Assess, Communicate and Manage Cyber Risk in Financial & Business Terms
Presenting cybersecurity risk to senior business leaders requires translation to bridge the gap in language and understanding. To do this, however, requires the CISO to ensure he or she understands their company and its business.
Most businesses don’t know what their exposure is to any given cyber event, including what the impact is in terms of response costs, lost revenue and other secondary forms of loss such as fines and judgements. Until now, the result has been a lack of focus on the risks that matter most to the business and an inability to communicate an accurate risk posture to the C-Suite and board of directors.
The Rosetta Stone that translates the technical nature of security into the language of the business is here – cyber risk quantification (CRQ). By quantifying cyber risk, Chief Information Security Officers gain the ability to speak the language of business.
“I think it’s incredibly important to evolve the way that we talk about cybersecurity,” said Michael Daniel, a former White House cybersecurity policy advisor and the CEO of the Cyber Threat Alliance, in a recent interview with the ThreatConnect Podcast. “Cybersecurity is now a critical enabler for most businesses to continue operating. And it needs to be framed in that way. And I think that’s very much the place that we need to move is putting it in those business terms, framing it in those risk terms.”
Increasing Sophistication of Cyberattacks & Cyber Adversaries
Cyberthreat actors are developing more sophisticated tactics, techniques, and procedures (TTPs) that are outpacing standalone security solutions. It is not surprising they are able to get past disparate and uncoordinated defenses. Adversaries can be organized criminal or state-sponsored groups, known as Advanced Persistent Threats (APTs) – all of which have the tools, training, and resources to disrupt or breach most conventional network defense systems. These incursions are not conducted as isolated attempts. They are often multi-year campaigns targeting valuable, sensitive data.
Keeping pace with the adversary – and specifically with the adversaries that matter to your particular organization – requires a focus on cyber threat intelligence. Without this focus, this core security concern will remain for years to come. But to develop an effective cyber threat intelligence (CTI) program, you need to constantly harvest and process knowledge about threat actors, not just the specific incidents that impact your network. Knowing the who, what, where, how, and when of the adversaries’ actions is the only way to decrease their chances of success. But the volume of intelligence is so massive that tracking and understanding adversarial actions can be overwhelming. A Threat Intelligence Platform (TIP) is the only way to manage the flood of data.
However, the difference between a good CTI program and a great CTI program is in its ability to communicate value to the business in terms of risk. This is a realization that many have come to within the threat intelligence community and a core reason why the discussion around cyber risk quantification is heating up in these circles. It factors heavily into ThreatConnect’s decision to acquire one of the pioneers in cyber risk quantification in late 2020.
By adding context and enriching our understanding of threats and vulnerabilities, a great CTI program helps inform an organization’s risk quantification platform and aligns the entire business to the threats that matter most, based on the magnitude of primary loss (the initial response) and secondary loss (the damage that comes to the business as a result of the breach). Threat data also feeds your security orchestration, automation and response (SOAR) platform — all of which should be accessible through a single dashboard.
Organizations have different levels of maturity and capacity to leverage threat intelligence effectively. These factors are largely dependent on the organization’s perceived need and resulting investments in threat intelligence and related personnel and processes. The use cases for threat intelligence grow as an organization’s capability to leverage it grows. Regardless of your maturity level, if you’re looking to build a threat intelligence-led security program, you need a TIP.
At the end of the day, a TIP should allow your security team to aggregate all available threat data – both internal and external, structured and unstructured – analyze it rapidly, automate action, and then produce tactical, operational, and strategic threat intelligence all in one place.
Widening Cybersecurity Skills Gap
According to a November 2020 report by the Information Systems Security Association (ISSA), the global cybersecurity talent pool has increased but the skills gap remains at more than 3 million. Cybersecurity employment must grow by 41 percent in the U.S. and by 89 percent worldwide to fill the existing gap.
Compounding this issue is the fact that most businesses have dozens, if not hundreds, of security tools in use at any given time. Each of these tools creates its own logs and contributes to an environment ripe for security alert overload and inconsistent triage. Teams that are already too small, or where deep experience is lacking, are left virtually drowning in information overload.
This exponential increase of data and alerts means that quick decision-making and execution need to find a way to scale. To counter this, many have turned to new solutions designed to automate and orchestrate some aspects of their cybersecurity operations – in real time – and bolster staff productivity, both by reducing workload and by templating workflows that aid in overcoming any gap in staff skill sets.
Security orchestration, automation and response (SOAR) integrates different technologies and allows you to conduct defensive actions: it increases your effectiveness in stopping, containing, and preventing attacks. Integration is important since your teams are likely to have little patience for point solutions that are difficult to implement or get value from.
Playbooks can automate almost any cybersecurity task using an easy drag-and-drop interface. Triggers (e.g., a new IP address Indicator, a phishing email sent to an inbox) pass data to apps that perform a variety of functions, including data enrichment, malware analysis, and blocking actions. Once enabled, Playbooks run in real time and provide you with detailed information about each execution.
In addition, Playbooks can significantly improve your ability to onboard analysts quickly. Housing all of your team’s processes and documentation in a single Platform removes the extended ramp-up time otherwise needed to learn multiple disparate tools and to track down the necessary documents.
Leveraging automation to bake in knowledge, processes and procedures helps mature a cybersecurity program that lacks experienced personnel. As threat intelligence drives your orchestrated actions, the results of those actions can be used to create or enhance existing threat intelligence. Thus, a feedback loop is created — threat intelligence drives orchestration, orchestration enhances threat intelligence.
Bridging the Intelligence-Operations Gap
Businesses and organizations today tend to be in a constant state of reacting to threats, vulnerabilities, and incidents. That’s a recipe for disaster in a world of highly sophisticated criminal and state-sponsored adversaries, known as Advanced Persistent Threats (APTs).
The WEF report warns of what it calls “capability gaps” in the current generation of cybersecurity technology solutions. “Mitigating threats and responding to incidents individually and collaboratively will require new approaches,” the report states. “There is a need to increase the level of automation within cyber-defence capabilities, ensure that the cybersecurity tools developed can interoperate effectively, and support enriched intelligence sharing at the pace necessary to address emerging threats.”
Chief Information Security Officers must consider using intelligence and orchestration together to improve situational awareness and to leverage historical data in determining when and how a task should be done. Intelligence allows the process to adapt to the changing environment, and it lets you plan strategically for a better program.
While some organizations do not have a formally defined intelligence function on their team, the concept of using what you know about the threat-space to inform your operations exists in all organizations. Regardless of whether an explicitly named threat intelligence analyst employee is on staff, the relationship between intelligence and operations is fundamental and present in all security teams.
ThreatConnect is the first company to bring intelligence-driven SOAR to market, making it possible to drive this collaboration between intelligence and operations.
Underinvestment & Business Buy-In
Cyber risk quantification (CRQ), the Rosetta Stone described above, is what lets Chief Information Security Officers make the case for investment in the language of the business.
Risk scenarios should be, and can be, quantified in a way that the board can understand. A board that understands the risk, threat, response paradigm is better equipped to understand prioritization and resource allocation – and the need for right-sizing security investments.
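As an added illustration (not ThreatConnect code, nor a description of its product), a small FAIR-style Monte Carlo model that turns one risk scenario into the figures a board reads, expected annual loss and tail percentiles, from a loss event frequency and the primary and secondary loss magnitudes discussed above. The scenario name and all dollar figures are constructed for the example.

```python
import random
from dataclasses import dataclass


@dataclass
class LossRange:
    low: float   # ~5th percentile of the calibrated estimate
    mode: float  # most likely value
    high: float  # ~95th percentile

    def sample(self, rng: random.Random) -> float:
        # Triangular draw over the estimate; collapses to a constant when low == high.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass
class RiskScenario:
    events_per_year: LossRange    # loss event frequency
    primary_loss: LossRange       # per-event initial response cost (IR, forensics, notification)
    secondary_loss: LossRange     # per-event downstream loss (fines, judgements, lost revenue)
    secondary_probability: float  # share of events that also incur secondary loss


def simulate_year(scenario: RiskScenario, rng: random.Random) -> float:
    """One simulated year: draw a frequency, then a primary (+ maybe secondary) loss per event."""
    freq = scenario.events_per_year.sample(rng)
    # Whole events happen for sure; the fractional remainder is a Bernoulli chance of one more.
    n_events = int(freq) + (1 if rng.random() < freq - int(freq) else 0)
    total = 0.0
    for _ in range(n_events):
        total += scenario.primary_loss.sample(rng)
        if rng.random() < scenario.secondary_probability:
            total += scenario.secondary_loss.sample(rng)
    return total


def quantify(scenario: RiskScenario, trials: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo summary in dollars: expected annual loss plus the tail the board asks about."""
    rng = random.Random(seed)  # fixed seed so the numbers in the board deck are reproducible
    losses = sorted(simulate_year(scenario, rng) for _ in range(trials))
    return {
        "expected_annual_loss": sum(losses) / trials,
        "p50": losses[trials // 2],
        "p90": losses[int(trials * 0.9)],
        "p95": losses[int(trials * 0.95)],
    }


# Constructed scenario with illustrative figures (not from any real assessment).
RANSOMWARE = RiskScenario(
    events_per_year=LossRange(0.1, 0.3, 1.0),
    primary_loss=LossRange(150_000, 400_000, 1_200_000),
    secondary_loss=LossRange(250_000, 900_000, 4_000_000),
    secondary_probability=0.4,
)
```

`quantify(RANSOMWARE)` returns the summary as a dictionary; the p50/p95 spread is the part that tells a board how much of the exposure is ordinary cost versus a bad year.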
By leveraging CRQ, a threat intelligence platform (TIP) and intelligence-driven security orchestration, automation and response (SOAR), CISOs can more easily demonstrate what risks they are prioritizing, the actions they are taking to mitigate those risks and the outcomes associated with those actions.
CISOs Must Adjust
There is a tendency in the cybersecurity industry to conflate tactical changes in the threat landscape with structural and strategic imperatives that are fundamentally altering the role and responsibilities of Chief Information Security Officers. Today’s CISOs must do more than protect systems and data from the latest threats; they must become business enablers and champions of risk-based security programs.
Bridging the gap between cybersecurity and the business, however, remains an aspirational goal for many who struggle to understand where to begin. At ThreatConnect, we believe the first step in tackling each of the challenges we’ve explored starts with understanding the strategic advantages of shifting to a risk-led security program. Without understanding that risk is a business issue, not a technical issue, CISOs will likely not focus their resources on the right things.