
Build Versus Buy: Threat Intelligence and Digital Risk

An increasing reliance on online digital technologies, driven in no small part by the many operational benefits they deliver, has prompted organizations to consider investing in capabilities that protect against the digital risks that often accompany their adoption. Unfortunately, when it comes to digital risk there is no universal remedy for establishing maturity. Many organizations look outward to vendor solutions to detect risks across the open, deep, and dark web; correlate external and internal information; and create workflows for automating responses. Others take the opposite approach and build in-house capabilities instead. To help find the right balance between building and buying, consider the following engineering and operational factors, with an eye to making adequate use of existing processes and resources.

Retaining Expertise and Talent 

Determine who in the organization will monitor and manage digital risks, receive alerts, and take action when issues are discovered. Capability development, maintenance, and operation are critical. When something breaks, who fixes it, and what or who allocates the necessary resources? Infrastructure requires regular monitoring to confirm that what worked yesterday still works today. The internet, and the sites on it, change constantly; changes to APIs and interfaces must be taken into account.

Likewise, with more positions vacant than talent available to fill them, cybersecurity workers are often spoiled for choice. This can create retention challenges, with the potential for loss of institutional knowledge and security gaps when employees leave for other opportunities. Ensuring your workforce remains engaged and enthusiastic is one way to keep qualified staff satisfied and on the job. When employees do leave, having a plan or program in place to transfer processes, policies and practices to someone else is necessary to safeguard business and cybersecurity continuity. Strategies may include workforce assessments to identify and document critical knowledge held by existing employees, or specialized training and job sharing to help keep accumulated knowledge within the organization.

Ensuring Relevance and Avoiding False Positives 

Quite a few of the tools available today do a good job of covering content, but may also generate numerous false positives. Different content types produce different signal-to-noise ratios. Working out how to deal with false positives efficiently, so as to get to the valuable results, is an important consideration. Investigating false positives steals valuable manpower and time away from addressing legitimate security alerts, reducing an organization's overall security effectiveness. And the potential for false positives only rises with each additional security tool.

Before installing security tools, make sure to understand what they’re meant to solve and how they function. Don’t rely on default settings; security tools should be configured and tuned continually to evolve with the environment they’re deployed in. From there, policies and procedures around reviewing, validating and categorizing incidents can help quickly identify and reduce the occurrence of false positives.
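The following is an added example, not code from the original article or from any vendor product, showing what "configure, tune, review and categorize" can look like as a small triage loop for external-monitoring alerts. The alert records, the source names (`paste`, `domain`, `social`), the confidence scores and the list of owned assets are all constructed for illustration; a real feed would supply its own fields. The idea is that analyst verdicts feed a per-source precision measurement (the signal-to-noise ratio of each content type), and sources that fall below a target precision get their minimum-confidence threshold raised so that known-good hits are still escalated while the noisiest hits are suppressed before they reach a reviewer.

```python
"""Per-source triage and tuning for external-monitoring alerts (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    source: str                 # content type the hit came from (constructed names)
    indicator: str              # what was matched, e.g. a domain or a paste title
    confidence: float           # 0.0 - 1.0 score assigned by the collection tool
    true_positive: Optional[bool] = None   # analyst verdict; None = not yet reviewed


# "Default settings": no per-source thresholds, everything is escalated.
DEFAULT_THRESHOLD = 0.0

# Constructed sample feed. example.com is the organization's own (owned) domain.
KNOWN_ASSETS = {"example.com"}
ALERTS: List[Alert] = [
    Alert("paste", "credential dump mentioning example.com", 0.9, True),
    Alert("paste", "example.com inside a 10k-domain list", 0.3, False),
    Alert("paste", "example.com inside a scraped link list", 0.2, False),
    Alert("paste", "credentials for user@example.com", 0.8, True),
    Alert("domain", "examp1e.com", 0.7, True),        # lookalike registration
    Alert("domain", "example.com", 0.9, None),        # our own asset, pure noise
    Alert("domain", "example-cloud.net", 0.4, False),
    Alert("social", "post mentioning example.com", 0.5, False),
    Alert("social", "post mentioning example.com", 0.4, False),
    Alert("social", "leaked internal screenshot", 0.6, True),
]


def triage(alerts: List[Alert], known_assets: set,
           thresholds: Dict[str, float]) -> Tuple[List[Alert], List[Tuple[Alert, str]]]:
    """Split alerts into those worth analyst time and those suppressed by tuning."""
    escalate: List[Alert] = []
    suppressed: List[Tuple[Alert, str]] = []
    for a in alerts:
        if a.indicator in known_assets:
            suppressed.append((a, "owned asset"))
        elif a.confidence < thresholds.get(a.source, DEFAULT_THRESHOLD):
            suppressed.append((a, "below source threshold"))
        else:
            escalate.append(a)
    return escalate, suppressed


def precision_by_source(reviewed: List[Alert]) -> Dict[str, float]:
    """Signal-to-noise per content type: TP / (TP + FP) over reviewed alerts."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for a in reviewed:
        if a.true_positive is None:
            continue                      # unreviewed hits carry no information yet
        counts[a.source][0 if a.true_positive else 1] += 1
    return {src: tp / (tp + fp) for src, (tp, fp) in counts.items()}


def retune(reviewed: List[Alert], thresholds: Dict[str, float],
           target_precision: float = 0.5) -> Dict[str, float]:
    """Raise the threshold of any source below target precision.

    The new threshold is the lowest confidence of a confirmed true positive from
    that source, so every hit an analyst has already validated would still pass.
    """
    tuned = dict(thresholds)
    precision = precision_by_source(reviewed)
    for src, p in precision.items():
        if p >= target_precision:
            continue
        tp_scores = [a.confidence for a in reviewed
                     if a.source == src and a.true_positive]
        if tp_scores:                     # never tune a source to "suppress everything"
            tuned[src] = max(tuned.get(src, DEFAULT_THRESHOLD), min(tp_scores))
    return tuned


if __name__ == "__main__":
    before, _ = triage(ALERTS, KNOWN_ASSETS, {})
    thresholds = retune(ALERTS, {})
    after, dropped = triage(ALERTS, KNOWN_ASSETS, thresholds)
    print("precision by source:", precision_by_source(ALERTS))
    print("tuned thresholds:", thresholds)
    print(f"escalated before tuning: {len(before)}, after: {len(after)}")
    for a, why in dropped:
        print(f"  suppressed [{why}] {a.source}: {a.indicator}")
```

The review step is what makes the loop work: thresholds are derived from verdicts, not guessed, and the retune never raises a threshold above a confirmed true positive, so tuning only ever removes hits that reviewers have consistently rejected. In practice the thresholds would be re-derived on a schedule as the feed and the environment change, which is the "tuned continually" point above.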

Coverage and Compliance

The internet moves swiftly and the frequency with which a tool is run or a query performed can have an impact on the time to detect a risk. Any service needs to consider what a baseline for coverage is. A risk-based approach focused on an organization’s threat landscape, infrastructures and operating environment will help prioritize security strategies likely to have the most impact. Outcome-focused security baselines (e.g. protecting against cyber threats or detecting and responding to incidents) are extremely effective, especially when facilitated by engagement of various stakeholders across business enterprise functions and sectors.
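As an added illustration that is not part of the original article, the relationship between how often a query is run and how quickly a risk is detected can be made explicit. Assume a risk appears at a moment unrelated to the polling schedule, the query runs every $T$ time units, and each run takes $\ell$ to return results; the detection delay $D$ is then uniformly distributed over one polling period plus the query latency:

$$
D \sim \mathrm{Uniform}(\ell,\; \ell + T), \qquad
\mathbb{E}[D] = \ell + \frac{T}{2}, \qquad
D_{\max} = \ell + T .
$$

Turning a coverage baseline into a polling interval is then a matter of solving for $T$: to keep the mean detection delay under a target $d$ requires $T \le 2(d - \ell)$, and to keep the worst case under $d$ requires $T \le d - \ell$. With assumed values of $\ell = 10$ minutes and a one-hour target, that is $T \le 100$ minutes for the mean and $T \le 50$ minutes for the worst case; halving $T$ halves the variable part of the delay but doubles query volume against the source, which is where the terms of service discussed below come in.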

The reality is that the Web and the various services available on it are immense. Covering the main services is an obvious security concern, but sometimes risks come out of left field, from a source or service that was previously not monitored. Even relatively popular sources, such as Twitter, present interesting engineering challenges. Working out what constitutes acceptable coverage is an important step toward quantifying risk.

It's also important to make sure that activities conform with national and international rules concerning copyright, privacy and computer misuse, in addition to complying with the various terms and conditions of the data sources. These include the Electronic Communications Privacy Act (ECPA); Cyber Intelligence Sharing and Protection Act (CISPA); Computer Fraud and Abuse Act (CFAA); Trans-Pacific Partnership Agreement (TPP); and General Data Protection Regulation (GDPR), among others.

These considerations are just the beginning toward defining an internal maturity model for digital risk. While this topic is relatively new, factors like reporting, quantification, business requirements, and process documentation can help in the management of digital risk. While no framework is perfect, the optimal level of maturity will look to continually identify gaps, update processes and tooling, and reflect organizational changes.

Alastair Paterson is CEO and Co-Founder of Digital Shadows. Alastair has worked for over a decade advising secure government and FTSE 100 clients on large-scale data analytics for risk and intelligence. Before founding Digital Shadows in 2011, Alastair was International Propositions Manager at BAE Systems Detica working with clients in the Gulf, Europe and Australasia. He holds a first class MEng in Computer Science from the University of Bristol.