UNDERSTANDING CYBER RISK to Adopt the Appropriate SECURITY FRAMEWORK
How Good Do You Need To Be?
Today, every organization faces the daunting challenge of ensuring it is not significantly impacted by a cyber-attack, because every organization, regardless of size, is a target. The majority of C-level executives at large organizations now understand that breaches will happen sooner or later and that they must build a resilient security infrastructure. Under that framework, the enterprise must quickly identify a breach when it happens, repair the damage the attacker has done, evict the attacker, and hunt for the next successful intrusion. The big question is: how good do you need to be? What is the right framework for your organization?
If your organization is an intelligence agency for a major country, it is likely that other nation-states employ a large number of well-resourced individuals focused on breaking into your systems to steal national secrets. This obviously means that your organization will have to focus a large effort on predicting attacks, preparing human resources for the fight, and deploying top-notch prevention and detection solutions to thwart as many attacks as possible and quickly detect the ones that do get into your environment. However, if your organization is a small regional dry-cleaning business, do you need to build a resilient infrastructure able to withstand an assault from a nation-state? No; in fact, it is unlikely you could afford to do that and still run your business. Should that dry-cleaning business be concerned about cyber-attacks? Absolutely.
Attackers today act from a number of motives: espionage, crime, and hacktivism. As a small organization, crime is likely your biggest threat. Attackers might want your customer database, which likely contains Personally Identifiable Information (PII) that could help them commit identity fraud against those same customers. They may use stolen data as the pieces of information needed to break into someone's bank account, or simply collect your customers' credit card details as they pay for their dry-cleaning. Attackers might also hit that same fictional business with ransomware, encrypting your important business data and demanding a ransom before handing over the key to decrypt it. So, although your business should not have to withstand an attack from a nation-state (emphasis on should not), it must be as fully prepared as possible for a cyber-attack from a determined adversary with unknown intent. Obviously, there are many levels between our fictional dry-cleaning business and our fictional intelligence agency. Let us discuss those levels and look at how good you might need to be through the lens of a security maturity framework.
Tools-based → Integrated Framework → Compliant → Adaptive Defense → Resilient Infrastructure (security maturity framework, evolving from left to right)
Here at FireEye we typically look at two categories below the "Compliant" level and two above it. At the lowest level is a 'Tools-based' framework that lets you counter conventional and legacy threats. An 'Integrated' framework for countering most cybercrime threats is a step up. Compliance is important and must be addressed; however, understanding risk is even more important in this age of continuous cyber-attacks, and it becomes more of the focus as you move up the scale towards a 'Resilient' infrastructure. Moving above the "Compliant" line, the next level is an 'Adaptive Defense', where you are able to thwart nation-state attacks and cyber espionage. The final level is a 'Resilient' infrastructure, where you are able to withstand an attack, continue operating through it while repairing any damage, and make adjustments to stop the next attack.
It is important to note that adversaries at all levels continue to evolve their tools and processes. So, while you may have significant resources and strive to achieve a 'Resilient' infrastructure, you can slide back down the scale without a continuous, focused effort to evolve your own tools, techniques, and processes. So, what do these levels mean to you, and can you rate your own organization to determine where it sits on the scale?
We could fill an entire article on these four frameworks alone; here we will touch on them briefly.
A Tools-based framework is just that: tools you have acquired from a vendor or from open source and put in place to stop attacks. It could consist simply of a firewall, an intrusion prevention system, and some type of endpoint product. These provide some value but will not stop a determined attacker from breaking into your enterprise.
An Integrated framework ties those tools together, perhaps with a SIEM-based tool that alerts your security staff. If you have made this step, you have likely added more tools into the mix as well.
An Adaptive Defense framework sits above the compliant line and is where real obstacles are put in the path of a determined adversary. Your infrastructure has a number of integrated tools in place, and you have likely outsourced the monitoring of those tools to a company with the expertise to identify attacks, while focusing internal efforts on security tool maintenance and on processes for reacting to breaches. Many companies at this level also keep incident response experts on contract to parachute in and minimize damage when they are breached.
A Resilient infrastructure has everything in an Adaptive Defense plus a focused team of experts with a deep understanding of their enterprise infrastructure, their data sets, and what normal traffic looks like. That team has an intelligence-led perspective on cyber threats: they understand their likely adversaries, the tools and processes those adversaries use, and the indicators they leave behind. This supports continuous hunting inside the environment, so that attacks are quickly identified and mitigated.
The Adaptive Defense and Resilient Infrastructure levels are typically outsourced to companies focused on providing this service, since cyber security expertise is in high demand and many such positions go unfilled across the world; in fact, Forbes magazine earlier this year claimed more than a million cyber security positions are open. It is important for companies to focus on this issue so they are not featured on the evening news or suffer brand damage or a lower stock price.
Ensuring you have the right expertise and the right focus can help you determine how good you need to be. You certainly have to be good enough today to protect your organization.