Last week, Jesper Nielsen described how setting up a private cloud can help a company avoid security risks. “Deloitte Weekly Tech Thoughts” contributors this week outline the ways organizations can reduce the threat even further. Deloitte Luxembourg partner Stéphane Hurtaud and manager Alexander Cespedes, both specialized in information and technology risk, discuss the importance of developing resilient cyber threat intelligence.
The evolving cyber threat landscape
Various business and technology innovations result in increased levels of cyber risk. The continued adoption of web, mobile, cloud, and social media technologies has opened new opportunities for attackers. Additionally, waves of outsourcing, offshoring, and third-party contracting have further diluted organizational control over information systems. These trends have produced a boundaryless ecosystem with a much broader attack surface.
Threat actors deploy a wide array of attack methods to stay one step ahead of their victims. In addition, criminal gangs and nation states are combining infiltration techniques in their campaigns while leveraging malicious insiders in targeted organizations. As reported in a 2012 Deloitte survey of global financial services executives, many financial services companies are struggling to achieve a level of cyber risk maturity needed to counter these evolving threats.
Being secure, vigilant, and resilient is a must
Organizations have traditionally invested in enhancing security. However, in the face of the evolving threat landscape, organizations should consider building cyber risk management programs to achieve three essential capabilities:
Enhancing security through a “defense-in-depth” strategy: a good understanding of threats, industry standards, and regulations can help organizations secure their systems by designing and implementing risk-intelligent controls. Based on industry practices, organizations should build a “defense-in-depth” approach to address known threats. This should involve mutually reinforcing security layers that provide redundancy, so that the failure or bypass of any single control does not by itself lead to compromise.
Enhancing vigilance through effective early detection and signaling systems: detecting an intrusion early, through programs that surface indicators of emerging threats, can be vital to limiting losses. Incident detection that incorporates adaptive signaling and reporting systems can automate the correlation and analysis of large volumes of log and alert data. Organizations’ monitoring systems should be active 24/7 and should be backed by an incident handling and remediation process, since an alert that nobody acts on reduces no risk.
Enhancing resilience through simulated testing and crisis management processes: resilience becomes more critical as destructive attack capabilities become more advanced. Organizations have traditionally planned for resilience against physical attacks and natural disasters. Cyber resilience should be treated similarly.
Developing “actionable” Cyber Threat Intelligence
Becoming an organization where Cyber Threat Intelligence (CTI) drives decisions is increasingly important, as it can play a crucial role in enabling security, vigilance, and resilience.
CTI should be supported by the collection of raw data about cyber threat indicators in order to derive insights about adversaries from a wide range of sources. These sources should be both internal and external, through automated means, and through human interaction.
However, to be actionable, threat data should be viewed in a context that is meaningful to the organization. To this end, automation can be leveraged to filter and highlight information that is most relevant to important risk areas.
So, how can organizations move to an intelligence-driven cybersecurity model?
Organizations can learn from past intrusions within their firm and their industry. They should leverage the lessons learned from other campaigns to understand the nature of attacks, their tactics and patterns, and raise questions to consider when safeguarding themselves.
Organizations should supplement experience-based learning with a continuous monitoring program focused on both external and internal threats. Such a program helps develop situational awareness of the threat environment, identify attack patterns, and speed up response, which in turn allows a proactive approach to defense and response mechanisms.
Cyber Threat Intelligence acquisition and analysis
Gathering intelligence should involve choosing “channels” from which to scan the external environment and monitor the internal environment. However, while it pays to cast a wide net, there is always the factor of cost and the danger of sacrificing depth for breadth. So pick and choose your “feeds” relevant to your industry, needs, and capabilities.
Proactive surveillance completes the intelligence gathering effort. This should be supported by honeynets, malware forensics, brand monitoring, DNS monitoring, and watch list monitoring.
The amount of data derived from CTI can be staggering. Therefore, analysis should combine automated parsing and normalization of indicators with statistical correlation, followed by human review of what the automation surfaces. This should be conducted within a risk management process, built around well-defined communication and mitigation activities.
A cyber risk management process detects, analyzes, and prioritizes a threat before, during, or after it materializes, and specifies the appropriate response. That response may involve remediation, control updates, and notification of vendors or partners.
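The parse, normalize, correlate and prioritize steps described in the paragraphs on actionable CTI and on acquisition and analysis above, as an added Python example that is not from the article or from Deloitte. Two feed formats (a CSV-style list and a free-text report with defanged indicators), the internal DNS and proxy log lines, the asset names and the risk weights are all constructed for illustration; real feeds would be consumed through their own APIs and the weighting would come from the organization's own risk register.

```python
"""Added example (not from the article): turn raw indicators from two feeds
into a deduplicated watchlist, correlate it against internal DNS/proxy logs,
and rank the hits by how much the affected asset matters. All data is
constructed; IPs are from documentation ranges, hostnames use .example."""
import ipaddress
import re

# --- Constructed sample data ----------------------------------------------

# Feed A: "type,value,source,confidence(0-100)"; one entry is deliberately malformed.
FEED_A = """\
ip,203.0.113.10,feed-a,80
domain,Malicious-Update.Example.,feed-a,60
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,feed-a,90
ip,not-an-ip,feed-a,50
"""

# Feed B: free-text analyst report with defanged ("[.]", "hxxp") indicators.
FEED_B = """\
Campaign C2 at 203[.]0[.]113[.]10, payload from hxxp://malicious-update[.]example/dl
Secondary drop at 198[.]51[.]100[.]7
"""

# Internal DNS resolver log: (asset, queried name). Constructed.
DNS_LOG = [
    ("payments-01", "malicious-update.example"),
    ("hr-laptop-17", "www.example.org"),
    ("kiosk-04", "malicious-update.example"),
]

# Internal web proxy log: (asset, destination IP). Constructed.
PROXY_LOG = [
    ("payments-01", "203.0.113.10"),
    ("hr-laptop-17", "198.51.100.7"),
    ("kiosk-04", "192.0.2.44"),
]

# Assumed weighting of assets by the risk area they belong to (3 = most critical).
ASSET_RISK = {"payments-01": 3, "hr-laptop-17": 2, "kiosk-04": 1}

# --- Parsing and normalization --------------------------------------------

def refang(text):
    """Undo the common defanging conventions so indicators can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def normalize(kind, value):
    """Return (kind, canonical value), or None if the value is malformed."""
    value = value.strip()
    if kind == "ip":
        try:
            return "ip", str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if kind == "domain":
        host = value.lower().rstrip(".")          # case-fold, drop trailing dot
        return ("domain", host) if re.fullmatch(r"[a-z0-9.-]+", host) else None
    if kind == "sha256":
        digest = value.lower()
        return ("sha256", digest) if re.fullmatch(r"[0-9a-f]{64}", digest) else None
    if kind == "url":
        m = re.match(r"https?://([^/\s]+)", value)  # keep only the host part
        return normalize("domain", m.group(1)) if m else None
    return None

def parse_feed_a(text):
    for line in text.splitlines():
        if line.strip():
            kind, value, source, conf = line.split(",")
            yield kind, value, source, int(conf)

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
URL_RE = re.compile(r"https?://\S+")

def parse_feed_b(text, source="feed-b", conf=70):
    text = refang(text)
    for ip in IP_RE.findall(text):
        yield "ip", ip, source, conf
    for url in URL_RE.findall(text):
        yield "url", url, source, conf

def build_watchlist(records):
    """Dedupe normalized indicators; keep the highest confidence and every source."""
    watch = {}
    for kind, value, source, conf in records:
        norm = normalize(kind, value)
        if norm is None:
            continue                      # malformed entry: dropped, not propagated
        entry = watch.setdefault(norm, {"confidence": 0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], conf)
        entry["sources"].add(source)
    return watch

# --- Correlation and prioritization ---------------------------------------

def correlate(watch, dns_log, proxy_log):
    """Match internal observations against the watchlist; score each hit."""
    observations = [("domain", name, asset, "dns") for asset, name in dns_log]
    observations += [("ip", ip, asset, "proxy") for asset, ip in proxy_log]
    hits = []
    for kind, value, asset, log in observations:
        norm = normalize(kind, value)
        if norm is None or norm not in watch:
            continue
        entry = watch[norm]
        # Feed confidence weighted by asset criticality, plus a bonus when more
        # than one independent source reports the same indicator.
        score = entry["confidence"] * ASSET_RISK.get(asset, 1) \
            + 10 * (len(entry["sources"]) - 1)
        hits.append({"indicator": norm[1], "asset": asset, "log": log,
                     "sources": sorted(entry["sources"]), "score": score})
    # The ordering is the analyst's queue; it does not replace human review.
    return sorted(hits, key=lambda h: h["score"], reverse=True)

def run_pipeline():
    records = list(parse_feed_a(FEED_A)) + list(parse_feed_b(FEED_B))
    watch = build_watchlist(records)
    return watch, correlate(watch, DNS_LOG, PROXY_LOG)

if __name__ == "__main__":
    watch, hits = run_pipeline()
    print(f"{len(watch)} unique indicators on the watchlist")
    for h in hits:
        print(f"{h['score']:4d}  {h['asset']:<13} {h['log']:<6} "
              f"{h['indicator']}  sources={','.join(h['sources'])}")
```

Two things the example makes concrete that the prose only states: normalization is what lets a CSV entry and a defanged free-text mention of the same C2 address collapse into one watchlist entry with two corroborating sources, and the score is deliberately a function of the organization's own asset weighting, so the same indicator seen from a payments host outranks the same indicator seen from a kiosk.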
Becoming a learning organization
For firms, becoming a learning organization implies developing an approach to address weaknesses in their understanding of attackers’ motives and methods. Learning from experience and sharing information both within and outside the organization can help reduce those weaknesses and increase their ability to discover and recover from attacks.
Check back next week for more of Deloitte Weekly Tech Thoughts!
Source: Deloitte Luxembourg
Published on 3 March 2016