By Danny Solomon,
Head of International Consulting BDO Cybersecurity Centre, Israel
In the current dynamic security threats landscape, organizations need to prove to stakeholders that they pay more than lip-service to cyber security. To do this they need to demonstrate two things: Firstly to 'raise their gaze' and establish better sight or awareness of the threat environment, coupled with greater self-awareness to their own failings and weaknesses. The second is to 'raise their game' - by developing a higher state of readiness to deal with cyber security incidents.
But what does this mean and how can firms justify establishing the capabilities and appropriate level of 'maturity' in their security operations and establishing a proper defensive posture. BDO's Head of International Cyber Security Consulting Danny Solomon provides some thoughts …
Cyber threats are more potent than most boards recognize, and they prove consistently that static security concepts alone, are ineffective in the face of advanced attackers. In the meantime, firms are investing in security technology and discovering that the technology is being persistently undermined by different attack methods.
Most are over-confident in their ability to withstand an attack, or ignorant of the potential causes of their own security failure, and many underestimate the probable long term losses or damage to the organization and its reputation. This is essentially because management's attitude to securing the organization’s information and systems is reactive. Even among the more pro-active companies dangerous risk judgments are being made about where to invest in protecting against a breach, and how to invest in recovery from the compromise of systems.
Raise your Gaze
Organizations need to be informed and prepared for what they might face, and establish the processes, and procedures to cope with a severe cyber event. Unfortunately, organizational preparedness tends to build heavily on hindsight, or focus on historical threats, irrespective of their evolution.
Similarly, organizational awareness tends to dwell on the more familiar vulnerabilities, often because they have been targeted. Both point to a lack of insight: Insight into what is within their threat landscape; Insight into what the potential impacts could be on the organization; and insight into the pace of evolution.
The essence of a pre-emptive approach to security and resilience is based upon developing both insight and foresight, and the adage that being forewarned is forearmed is always the justification for investing in intelligence and preparation as part of an advanced cyber defense strategy. Good management practice and preparedness really requires ‘the ability to anticipate events long before they happen, and develop a planned response to each scenario’. Hence a key element of advanced cyber defense is developing awareness of external and internal factors.
Developing awareness of cyber risk, should incorporate the monitoring of relevant intelligence, the mapping of high-risk digital assets, an evaluation of more vulnerable staff, and regular security assessment to enable data flow protection analysis, and ultimately risk scenario building. This awareness should inform organizational preparedness in helping management to assess their risk posture, and define their risk tolerance. More importantly it should prioritize investment in the development and refining of both defensive and response capabilities.
However more than defining the requirements, the cyclical process for maintaining awareness of the evolving threat landscape, should also drive managers to proactively review flaws in their plans and identify barriers to effective performance through regular vulnerability tests, and security exercises. The ultimate prerequisite is that ‘defense’ needs to develop situational awareness to combat the levels of innovation and sophistication that threat actors are introducing.
Raise your Game
The shift towards a more resilient posture first requires a more proactive approach to adopting cyber resilience, and a determination to ‘win’ in the upcoming confrontation with malicious adversaries. But the reality that all companies face is harsh. They are invariably ‘weaker’ than the opposition, unprepared for the challenge they must meet, and quite unaware of the scenarios that underlie the risk.
So it is no surprise that they find it difficult to grasp what an enduring and relevant security model really looks like, let alone, what constitutes 'resilience'. There is daily evidence that static security postures are ineffective when faced with an ‘advanced’ attacker who has the ability to apply a sophisticated approach that corporate security can neither anticipate, nor detect in time to effectively prevent. At its core this is what resilience should be.
We should conclude that information security is proving to be a static concept in the way it is being implemented even as 'preventative security'. The persistent ‘perimeter’ approach commonly adopted shows the delusion that has plagued security concepts since the building of the Maginot Line. The issue is much less about the nature of the security concept, but more about the ‘doctrine’ that firms adopt to combat the threats.
Industry needs to move from 'securing' concepts to 'defending' concepts. Defence is a more dynamic concept because it incorporates the assumption that we have to detect and respond to an attack in real time, and we require various options with which to respond, depending on the objectives and methods of the attacker.
This is increasingly the case as organizations are learning that the attack process, from the attacker perspective, from first reconnaissance to full breach attempt, can last for days/weeks/months. In the case of espionage, and the evidence of malware like ‘flame’ or ‘the mask’: the end game is not ‘assault’ but the exfiltration of information that can persist for years.
An advanced approach to cyber defense should consider adopting a more proactive defense posture, which needs to be seen as a different doctrinal approach. A cyber defense assumes that technical measures will detect threats and repel attacks. This must be based on relevant threat intelligence, preparation & testing of response measures, and as maintained as part of a 'developed’ detection-response doctrine. It requires a high state of situational awareness based on an effective monitoring and detection capability, and only then can a firm establish a response capability to deal with what can reasonably be anticipated.
So how should organizations take the first step towards developing resilience?
Preparation of a resilient posture needs overt C-level leadership, because the management of future crises starts now, long before the crisis is apparent. Managers and leaders need to be informed and prepared for what they might face, and failure to prepare is a failure of management to protect the enterprise they are entrusted with.
Invariably the commitment of resources to preparation are only forthcoming when there is clear awareness of the risk, and it is most clearly obvious where a severe breach has already occurred to escalate the issue. Organizations should first focus on developing an awareness of their vulnerabilities that will provide tangible evidence of breach implications, and then test the efficacy of measures they have in place to bring their situation into clear focus, and end any complacency and speculation about risk. This will identify 'the gap' in capabilities that they need to fill, and then they have to find the quickest and more cost effective method for filling that gap. In many cases that will require technology like a SIEM, or more human-based security operations [SecOps] functions requiring operators, analysts, and responders.
Cyber defense is effective in the majority of cases where it is implemented comprehensively, but for most organizations, the intensity required for such a high level of readiness and awareness is complex and costly to maintain. In recent years the more quick & cost-effective method is to outsource much of the complexity to a Managed Security Service Provider [MSSP]. Most firms struggle to justify the resources to retain a full-spectrum cyber security team or to maintain up-to-date cyber security capabilities. Organizations are increasingly focusing on their business and turning to outsourced services. A managed service allows companies to focus their attention and resources on the aspects of their internal organization and processes that sustain a higher state of awareness and readiness.
About BDO Cybersecurity Center, Israel
Our corporate methodology incorporates several proprietary models for supporting organizations in developing and improving their resilience posture. From establishing compliance and building towards a proactive approach, and through the ongoing development of capabilities, with effective security risk management, we work with our clients to quickly attain higher levels of maturity and resilience.
For more on BDO CSC visit www.BDO.co.il/en-gb/services/advisory/cyber-information-security