Security Experts:

To Manage Risk Understand Adversaries, Not Just Activity in Your Environment

Six years ago the US National Institute of Standards and Technology (NIST) put forth a framework for information security continuous monitoring (ISCM), defined as maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions. The framework describes tools and technologies to support continuous monitoring with one of the objectives being to maintain awareness of threats and vulnerabilities.

The recommended technologies are mainly focused on monitoring activity inside the organization and looking for known threats for which a signature exists, both of which are critical. But to get a comprehensive assessment of risk, you also need to consider what’s happening outside the organization. Continuous threat assessment, which I’ll discuss more below, addresses this gap, allowing you to understand the threats to your organization as they emerge and evolve and how they affect your risk level. It’s kind of like how you approach driving a car. Based on gauge readings you alter your speed, fuel up, or take care of maintenance issues. But you’re also always attuned to changing weather, road and traffic conditions – factors which also cause you to adjust your driving practices. Continuously considering both internal and external factors mitigates risk and increases your chances of arriving at your destination safely.

Broadening the scope of risk assessment, the opening keynote at the Gartner Security & Risk Management Summit 2017 focused on CARTA, continuous adaptive risk and trust assessment, to manage the increasing risk associated with the digital world. CARTA complements the NIST framework with a process that spans the business – from how companies develop technology products to external partners along the supply chain. The CARTA process involves continuously assessing your ecosystem risk, which extends beyond the walls of the enterprise, and adapting as necessary.

Mitigating risk in the digital world is a challenge vexing more and more security teams. New research by ESG found that 26 percent of cybersecurity professionals claim that security analytics and operations is more difficult than it was two years ago because the threat landscape is evolving so rapidly that it is difficult to keep up.  A recent report from Cisco corroborates this sentiment stating that security experts are becoming increasingly concerned about the accelerating pace of change and sophistication in the global cyber threat landscape. Citing two dynamics, the escalating impact of breaches that are designed for destruction of service, and the pace and scale of technology, the report goes on to say: “it is important for defenders to understand changes in adversaries’ tactics so that they can, in turn, adapt their security practices and educate users.”

So how do you go about understanding adversaries’ tactics so that you can adapt? And how do you do it on an ongoing basis? Adversaries are dynamic and, as such, you need to continuously monitor and assess both the threat and the tactics. CARTA specifies the use of analytics and automation to detect and respond to malicious activity other systems miss, and to help overburdened teams better protect their organizations by focusing limited resources on the most relevant threats. To do that you need to start with threat data. This doesn’t necessarily mean you need more threat feeds. Most organizations already have more threat intelligence than they know what to do with, from commercial sources, open source, industry groups and existing security vendors. Not to mention the massive amount of log and event data from each point product within their layers of defense.

What you need is a way to aggregate global threat data and translate it into a uniform format for analysis and action. You then need to augment and enrich it with additional internal and external threat and event data. By correlating events and associated indicators from inside your environment with external data on indicators, adversaries and their methods, you gain additional and critical context to understand adversaries’ tactics – activity that flies under the radar of rules-based prevention tools.

Aggregating and enriching the data provides vital insights, but it does not filter out unwanted noise in the large amounts of resulting data. This is where prioritization is critical. So that you can determine where to focus and how to manage risk most effectively, prioritization needs to be defined by you as each company has different criteria and a unique risk profile. With the ability to change risk scores based on parameters you set (for example around indicator source, type, attributes and context, as well as adversary attributes) you can prioritize threat intelligence and filter out noise.

Prioritization also needs to be done on an ongoing basis, and automatically, as threat assessment is a continuous process. As the threat landscape dynamically changes along with your internal environment, you keep adding more data and context to your repository as well as learnings about adversaries and their tactics, techniques and procedures (TTPs). Automatically recalculating and reevaluating priorities and threat assessments ensures you continue to stay focused on what is relevant to mitigate your organization’s risk.
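The aggregate, enrich, prioritize and re-score loop described above, reduced to a small working model. This is an added illustration, not code from the author or from ThreatQuotient; the two feed record shapes, the weights, the threshold and the log lines are all constructed assumptions standing in for a team's own criteria.

```python
from dataclasses import dataclass

# Scoring parameters a team would set for its own risk profile (constructed values).
SOURCE_WEIGHT = {"commercial": 0.8, "isac": 0.7, "osint": 0.4}
TYPE_WEIGHT = {"hash": 0.9, "domain": 0.6, "ip": 0.3}
ADVERSARY_BONUS = {"targets our sector": 0.5}   # context about who uses the indicator
INTERNAL_SIGHTING_BONUS = 1.0                   # a hit in your own logs dominates

@dataclass
class Indicator:
    value: str
    itype: str
    source: str
    adversary_note: str = ""
    seen_internally: bool = False
    score: float = 0.0

# Two feeds with different field names (constructed), plus constructed log lines.
FEED_A = [{"ioc": "bad.example", "kind": "domain", "actor": "targets our sector"},
          {"ioc": "d41d8cd98f00b204e9800998ecf8427e", "kind": "hash"}]
FEED_B = [{"indicator": "203.0.113.7", "type": "ip", "src": "osint"},
          {"indicator": "evil.invalid", "type": "domain", "src": "isac"}]
LOG_LINES = ["proxy: 10.0.0.5 -> 203.0.113.7:443 CONNECT",
             "dns: 10.0.0.9 query benign.example A"]

def normalise(feed_a, feed_b):
    """Aggregate differently shaped feeds into one uniform record type."""
    recs = [Indicator(r["ioc"], r["kind"], "commercial", r.get("actor", "")) for r in feed_a]
    recs += [Indicator(r["indicator"], r["type"], r["src"]) for r in feed_b]
    return recs

def enrich(indicators, log_lines):
    """Correlate external indicators with internal events: flag values seen in logs."""
    for ind in indicators:
        ind.seen_internally = any(ind.value in line for line in log_lines)
    return indicators

def rescore(indicators, threshold=0.6):
    """Recalculate every score from current data; return the prioritised set, highest first."""
    for ind in indicators:
        s = SOURCE_WEIGHT.get(ind.source, 0.2) * TYPE_WEIGHT.get(ind.itype, 0.3)
        s += ADVERSARY_BONUS.get(ind.adversary_note, 0.0)
        if ind.seen_internally:
            s += INTERNAL_SIGHTING_BONUS
        ind.score = round(s, 2)
    return sorted((i for i in indicators if i.score >= threshold), key=lambda i: -i.score)

def run_cycle():
    """One assessment cycle: priorities before and after internal events arrive."""
    inds = normalise(FEED_A, FEED_B)
    before = [(i.value, i.score) for i in rescore(inds)]
    after = [(i.value, i.score) for i in rescore(enrich(inds, LOG_LINES))]
    return before, after
```

Note that the low-weight OSINT address is filtered out as noise on the first pass and jumps to the top once it is correlated with an internal proxy event, which is the point of re-scoring automatically rather than once.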

Whatever risk management framework or process you use – ISCM, CARTA, or something else – gaining a complete picture of risk hinges on your ability to keep up with the real threats to your organization. Given today’s dynamic threat landscape, continuous threat assessment is the linchpin in gaining a comprehensive understanding of security risk. It complements internally-focused continuous monitoring and is vital for assessing risks in the digital world. With a repository that is always updated as threats change over time, it helps ensure you stay focused on what is truly happening in your environment, putting you in a position to be more proactive with risk mitigation and even anticipate potential risks.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.