Is Your Security Team Not Getting Enough Exercise?

מאמרים

The Need for a More Proactive Cyber Defense

8 באוקטובר 2017

By Danny Solomon, Head of International Consulting BDO Cybersecurity Centre, Israel In the current dynamic security threats landscape, organizations need to prove to stakeholders that they pay more than lip-service to cyber security. To do this they need to demonstrate two things: Firstly to 'raise their gaze' and establish better sight or awareness of the threat environment, coupled with greater self-awareness to their own failings and weaknesses. The second is to 'raise their game' - by developing a higher state of readiness to deal with cyber security incidents. But what does this mean and how can firms justify establishing the capabilities and appropriate level of 'maturity' in their security operations and establishing a proper defensive posture. BDO's Head of International Cyber Security Consulting Danny Solomon provides some thoughts … . Cyber threats are more potent than most boards recognize, and they prove consistently that static security concepts alone, are ineffective in the face of advanced attackers. In the meantime, firms are investing in security technology and discovering that the technology is being persistently undermined by different attack methods. Most are over-confident in their ability to withstand an attack, or ignorant of the potential causes of their own security failure, and many underestimate the probable long term losses or damage to the organization and its reputation. This is essentially because management's attitude to securing the organization’s information and systems is reactive. Even among the more pro-active companies dangerous risk judgments are being made about where to invest in protecting against a breach, and how to invest in recovery from the compromise of systems. Raise your Gaze Organizations need to be informed and prepared for what they might face, and establish the processes, and procedures to cope with a severe cyber event. Unfortunately, organizational preparedness tends to build heavily on hindsight, or focus on historical threats, irrespective of their evolution. Similarly, organizational awareness tends to dwell on the more familiar vulnerabilities, often because they have been targeted. Both point to a lack of insight: Insight into what is within their threat landscape; Insight into what the potential impacts could be on the organization; and insight into the pace of evolution. The essence of a pre-emptive approach to security and resilience is based upon developing both insight and foresight, and the adage that being forewarned is forearmed is always the justification for investing in intelligence and preparation as part of an advanced cyber defense strategy. Good management practice and preparedness really requires ‘the ability to anticipate events long before they happen, and develop a planned response to each scenario’. Hence a key element of advanced cyber defense is developing awareness of external and internal factors. Developing awareness of cyber risk, should incorporate the monitoring of relevant intelligence, the mapping of high-risk digital assets, an evaluation of more vulnerable staff, and regular security assessment to enable data flow protection analysis, and ultimately risk scenario building. This awareness should inform organizational preparedness in helping management to assess their risk posture, and define their risk tolerance. More importantly it should prioritize investment in the development and refining of both defensive and response capabilities. However more than defining the requirements, the cyclical process for maintaining awareness of the evolving threat landscape, should also drive managers to proactively review flaws in their plans and identify barriers to effective performance through regular vulnerability tests, and security exercises. The ultimate prerequisite is that ‘defense’ needs to develop situational awareness to combat the levels of innovation and sophistication that threat actors are introducing. Raise your Game The shift towards a more resilient posture first requires a more proactive approach to adopting cyber resilience, and a determination to ‘win’ in the upcoming confrontation with malicious adversaries. But the reality that all companies face is harsh. They are invariably ‘weaker’ than the opposition, unprepared for the challenge they must meet, and quite unaware of the scenarios that underlie the risk. So it is no surprise that they find it difficult to grasp what an enduring and relevant security model really looks like, let alone, what constitutes 'resilience'. There is daily evidence that static security postures are ineffective when faced with an ‘advanced’ attacker who has the ability to apply a sophisticated approach that corporate security can neither anticipate, nor detect in time to effectively prevent. At its core this is what resilience should be. We should conclude that information security is proving to be a static concept in the way it is being implemented even as 'preventative security'. The persistent ‘perimeter’ approach commonly adopted shows the delusion that has plagued security concepts since the building of the Maginot Line. The issue is much less about the nature of the security concept, but more about the ‘doctrine’ that firms adopt to combat the threats. Industry needs to move from 'securing' concepts to 'defending' concepts. Defence is a more dynamic concept because it incorporates the assumption that we have to detect and respond to an attack in real time, and we require various options with which to respond, depending on the objectives and methods of the attacker. This is increasingly the case as organizations are learning that the attack process, from the attacker perspective, from first reconnaissance to full breach attempt, can last for days/weeks/months. In the case of espionage, and the evidence of malware like ‘flame’ or ‘the mask’: the end game is not ‘assault’ but the exfiltration of information that can persist for years. An advanced approach to cyber defense should consider adopting a more proactive defense posture, which needs to be seen as a different doctrinal approach. A cyber defense assumes that technical measures will detect threats and repel attacks. This must be based on relevant threat intelligence, preparation & testing of response measures, and as maintained as part of a 'developed’ detection-response doctrine. It requires a high state of situational awareness based on an effective monitoring and detection capability, and only then can a firm establish a response capability to deal with what can reasonably be anticipated. So how should organizations take the first step towards developing resilience? Preparation of a resilient posture needs overt C-level leadership, because the management of future crises starts now, long before the crisis is apparent. Managers and leaders need to be informed and prepared for what they might face, and failure to prepare is a failure of management to protect the enterprise they are entrusted with. Invariably the commitment of resources to preparation are only forthcoming when there is clear awareness of the risk, and it is most clearly obvious where a severe breach has already occurred to escalate the issue. Organizations should first focus on developing an awareness of their vulnerabilities that will provide tangible evidence of breach implications, and then test the efficacy of measures they have in place to bring their situation into clear focus, and end any complacency and speculation about risk. This will identify 'the gap' in capabilities that they need to fill, and then they have to find the quickest and more cost effective method for filling that gap. In many cases that will require technology like a SIEM, or more human-based security operations [SecOps] functions requiring operators, analysts, and responders. Cyber defense is effective in the majority of cases where it is implemented comprehensively, but for most organizations, the intensity required for such a high level of readiness and awareness is complex and costly to maintain. In recent years the more quick & cost-effective method is to outsource much of the complexity to a Managed Security Service Provider [MSSP]. Most firms struggle to justify the resources to retain a full-spectrum cyber security team or to maintain up-to-date cyber security capabilities. Organizations are increasingly focusing on their business and turning to outsourced services. A managed service allows companies to focus their attention and resources on the aspects of their internal organization and processes that sustain a higher state of awareness and readiness. About BDO Cybersecurity Center, Israel Our corporate methodology incorporates several proprietary models for supporting organizations in developing and improving their resilience posture. From establishing compliance and building towards a proactive approach, and through the ongoing development of capabilities, with effective security risk management, we work with our clients to quickly attain higher levels of maturity and resilience. For more on BDO CSC visit www.BDO.co.il/en-gb/services/advisory/cyber-information-security

מאמרים

Reaching for Resilience

8 באוקטובר 2017

By Danny Solomon, Head of International Consulting at BDO Cybersecurity Centre, Israel Developing and maintaining security capability, user awareness, and a high state of organisational readiness is very management & resource intensive, but this is only one reason why the evolution in industrial cyber security uptake has not mirrored the revolution in security technology. Now that providers of managed security services can provide a simple and affordable route to establishing cyber resilience, what is constraining firms from investing to protect their businesses? BDO’s Head of International Cyber Security Consulting, Danny Solomon shares some insights... The understanding of ‘cyber’ security has been evolving gradually, not least because of the increasing need for stakeholders and decision-makers to become more cyber ‘literate’ to the point of being able to objectively assess the risk. This is still a distant objective however, because there is inadequate awareness of vulnerabilities, combined with a lack of appreciation of the types of threats that are evolving, and the full potential impact that they can have. Nonetheless, organisations are becoming more conscious of the direct and indirect implications of indemnity, liability, and charges of negligence resulting from disruption of service, loss of data integrity, and the resultant damage to organisational reputations. Over the past decade, as understanding has evolved, there has been an overriding focus on the importance of business continuity and compliance processes at the expense of investment in proactive security. This is starting to change as there have been increasing calls for investment in ‘effective’ security and more ‘defensive’ measures, which more closely equate to a resilient posture. This is more in line with the profile of current threats which render a reactive approach to security as potentially negligent or reckless in the face of a complex threat, against which, reactive measures are ineffective. In most cases - once struck, the damage is done. Typical levels of poor resilience combine the failure to implement existing & recognized best security management practises, and more specifically, the failure to make best use of established security technology. Resilience and cyber security ‘maturity’ is most developed where security measures’ adoption rates [SMARs] are highest, and this has been most evident in industries that are under greatest threat and to organisations that have experienced a breach. Furthermore, where organisations have a more ‘developed’ risk management approach that underpins a more comprehensive evaluation of cyber security, there has tended to be greater recognition of the need to invest in security, and more justification for ‘protecting the value in the business’. The greatest challenge to achieving higher SMARs remains organisational issues that cause barriers to the appropriate allocation of budget and recognition of security priorities, particularly where IT investment in security may be at the expense of investment in IT capacity. This is very much a tactical issue, but the more significant issue behind this is the poor understanding of resilience as a concept. In this regard, there is still work to be done in explaining: a) why static security will always be fallible; b) what value, monitoring, detection & response offers to any firm; and c) how cost-effective it can be to outsource [what are essentially] a complex array of advanced capabilities. From Readiness to Resilience As the appetite for risk has changed over recent years there has been a growing appreciation of the need for ‘cyber readiness’, particularly as low-probability events are no longer systematically considered ‘black swans’. This is now changing as experts can build a range of different scenarios to illustrate how any cyber risk could happen. More importantly, technology can translate those scenarios into effective monitoring and detection functions for any organisation. The development of this technology has given rise to a renewed focus on resilience, because it has made advanced capabilities more accessible and more affordable for nearly all firms. As investment in cyber security tries to achieve more in addressing more complex scenarios, the advent of big data; advanced analytics; cyber intelligence; and the cumulative experience in deploying effective monitoring & detection solutions, can now easily provide the solutions that companies require. One key challenge to investment is the complicated nature of the threat. Few organisations have the resources or skills to build and maintain the complete set of capabilities required to deliver comprehensive resilience. Indeed, even larger organisations struggle to sustain the capabilities to identify the source of attacks, and to develop predictive or warning mechanisms, or the countermeasures to more sophisticated types of worms, viruses and other malware. In a financial climate where there has been a reluctance to invest aggressively in proactive security, greater emphasis has been placed on mitigating higher probability risks, and the ability to react rapidly to enact contingency plans effectively. This has started to change with greater investment in IPS/IDS systems, and SIEM systems that monitor firewalls, anti-malware scanners and other security devices. This goes some way towards building an adequate level of preparedness, but does not address the requirements for establishing resilience. Part of the problem is about making effective use of these capabilities, and this is essentially about skilled security operators who know how to use the technology and manage a security incident. Companies often find that they simply lack the time to devote to simply analyzing their security logs. The other side of the same coin is that hiring and retaining good security operators can be a major challenge. With security from Layer 0 to Layer 7, it is very difficult to find and keep suitable expertise in each area. In the past, the recognition that an ambitious security roadmap can be a very expensive pursuit has left many a roadmap obsolete and un-actioned, and left companies vulnerable. In parallel, the allocation of budget has been hampered by the perception of ‘over-exaggerated threat’ at board level, and the trade-offs faced by organisations in identifying a cost-effective protection which is proportionate to the organisations' risk. The net effect since 2010 has been that the threat has evolved much more rapidly than the typical ability to counter those threats, although the option to procure capability as a managed service has effectively closed that gap. Introducing Resilience Developing resilience must be firmly rooted in the needs of the business, and driven by a risk-informed assessment of the organisation, before defining an appropriate risk appetite, and thereafter a target ‘end-state’ that the resilience-building program will work towards. The role of an incident response capability is absolutely central to any advanced cyber defence concept. While good security requires acute awareness and preparedness, resilience requires the ability to detect, react, defend and recover, with minimal impact to the organisation. Formulating an overarching strategy is therefore complex as it requires the integration of many components, each with its own considerations, and an open intra-strategy ‘dialogue’, that coordinates and de-conflicts between different work streams. For example, decisions on investment in a Security Operations Center [SOC]; the propagation and limits of ‘cloud’ use, outsourcing and hosted services; and the buy-or-build of detection and response capability, will all have fundamental implications. In turn, those component considerations are likely to impact the overall definition of the overall approach. If there is a disjoint at any stage from conception to implementation, there is every chance that an organisation will not identify an achievable objective; the outcome will not address the problem; and the organisation will not support the solution. So, not only is the journey an expensive one, but it is complex and prone to failure because developing and maintaining capability and a high state of readiness is very management intensive, and is typically a long process. The more straightforward route is now to outsource many services, in particular Monitoring, Detection & Response, to a remote provider of Managed Security Services [MSS]. The advantages of doing so are clear for several reasons. Firstly the MSS provider will lead firms through the process of assessment and evaluation, so that expert input from the start ensures the right diagnostic process. In doing so, a hierarchy of imperatives for establishing the correct posture would be agreed, followed by the customisation of a solution that will fill the gaps in technology, procedures and people. Invariably this can combine a SIEM-as-a-Service and a SOC-as-a-Service with all the associated intelligence, hunter, and forensic analyst capabilities that would be required. The essence of the customisation is to best align client needs with the budget, which can be a small fraction of the cost of a self-build. Summary While most businesses are expected to continually improve their awareness of cyber threats, and many may set suitable risk management objectives, this progress is counteracted by the lack of focus on developing more effective resilience management processes, and measures that will establish and ‘mature’ their levels of capability. Inadequate risk governance is often central to the current weaknesses of most companies, and effecting a change in attitudes to security investment is central to building greater resilience. Many of the roots of current vulnerabilities have been established by investment decisions taken over the historic medium term. Critically, short-sighted management decisions still have the potential to compound risks & vulnerabilities to the organisation, in the way it invests in capabilities to detect a potential crisis, to respond to cyber events, and to define strategy for a more resilient posture against ‘real world’ cyber risks. By focusing attention on the true objectives of developing resilience, effective preparation, and encouraging a more informed approach to dealing with uncertainty, organisations can develop a more balanced stance when considering a broad range of cyber risk threats by seeking a managed security service provider to fill both capability gaps and capacity gaps, affordably. For more information please contact us