SecurityWeek

Network Security

Security Threats: Risk’s Often Neglected Step Child

According to Gartner (“Security and Risk Management Scenario Planning, 2020”), by 2020, 30% of global 2000 companies will have been directly compromised by an independent group of cyber activists or cyber criminals. This prediction is not surprising, considering the fact that leading risk indicators are difficult to identify when the organization’s cyber foes, including their strategy, competencies, and actions, are unknown. In turn, many organizations still focus on control gaps and vulnerabilities when performing risk assessments and neglect taking threats into account. This can lead to inaccurate prioritization of remediation actions and inefficient allocation of resources.

One of the hot topics at RSA Conference 2014 was threat management and threat intelligence. Not only were these topics broadly covered in the conference’s workshops and presentations, but a wide range of vendors showcased their latest security threat technology to reflect the dynamic changes in the risk ecosystem. The goal is to help security professionals strengthen their existing security defenses with new visibility and context into real-time attacks.

As we all know, two conditions are required for a security incident to occur: A vulnerability must be present in some form (e.g., a software flaw or insecure programming; insecure configuration of IT infrastructure; insecure business operations; risky behavior by internal staff or other people, conducted maliciously or by mistake) and secondly, a threat must exploit that vulnerability.

Usually, security professionals have no direct control over threats to their organizations. In the past, this led to neglecting threats as a factor in an organization’s risk assessments. The focus, instead, was placed on the known, more visible facts – vulnerabilities and control failures. However, as the volume of vulnerabilities facing organizations has exploded over the past few years, it has become almost impossible to remediate all of them without vetting the impact and likelihood that they will be exploited. The point is, why would you give the highest attention to fixing vulnerabilities that have no threat associated with them and are not even reachable?

Since a threat is the agent that takes advantage of a vulnerability, this relationship must be a key factor in the risk assessment process. It can no longer be treated as risk’s neglected step child. In fact, advanced security operations teams leverage threat intelligence to gather insight into the capabilities, current activities, and plans of potential threat actors (e.g., hackers, organized criminal groups, or state-sponsored attackers) to anticipate current and future threats.

In its simplest form, threat intelligence information is available from government agencies (e.g., the National Terrorism Advisory System by the U.S. Department of Homeland Security, United States Computer Emergency Readiness Team). For many organizations, however, there is a need to supplement these services to access more timely, accurate, and vertical-specific intelligence. In this context, industry information sharing forums such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) or Red Sky Alliance, a vetted group of corporate computer incident responders and security professionals woven together in a private social network, come to mind as options.

Lastly, organizations can opt to subscribe to commercial threat intelligence service offerings that provide information about IT security threats, vulnerabilities, incidents, and other security-related issues.

Depending on the quality of the services, organizations can gain insight into the agents, actions, assets, and attributes of threats. This intelligence is derived from both technical sources (e.g., honeypots, files retrieved from malware archives) and human sources (e.g., interaction with law enforcement agencies, counter-attacks on hacker groups, and analysis of network traffic by white-hat hackers).

Gartner predicts that by 2020, 25% of global enterprises will engage the services of a “cyberwar mercenary” organization, including threat intelligence services. However, subscribing to these services is cost-prohibitive for many organizations, as subscriptions run up to hundreds of thousands of dollars annually. In addition, the threat intelligence market is not yet mature and has inherent weaknesses, such as the lack of measurement parameters for the reliability of information and for risk assessment.


Furthermore, organizations must recognize that subscribing to threat intelligence services only increases the challenges associated with processing and extracting actionable information from security big data, which in its raw form remains only a means to an end.

Stand-alone threat intelligence services as silo-based tools add to the volume, velocity, and complexity of data feeds that must be analyzed, normalized, and prioritized. As such, they require experts who can comb through mountains of information and correlate threat intelligence, vulnerability data, and other log files, which only delays the time it takes to close security gaps.

Fortunately, new technology – big data risk management – is emerging that helps not only to aggregate different threat intelligence feeds, but more importantly correlates security data with its business criticality or risk to the organization, allowing for increased operational efficiency and faster time-to-remediation.
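The prioritization argument above (fix what a known threat can actually reach on an asset that matters, rather than whatever has the highest CVSS score) can be made concrete. The following is an added example written for this page, not code from the author or from any product mentioned here. It correlates a constructed vulnerability list with a constructed threat feed by vulnerability id, weights the result by reachability and by an asset criticality table, and ranks the findings. The CVE-0000-000x ids, host names, actor labels and weighting constants are all placeholders chosen for illustration; a real program would replace them with its scanner output, its subscribed feeds and its own risk appetite.

```python
"""Added example (not from the article): rank vulnerabilities by threat,
reachability and business criticality instead of by severity alone.

All identifiers (CVE-0000-000x ids, host names, actor labels) are constructed
placeholders, not real vulnerabilities or real threat intelligence feeds.
"""
from dataclasses import dataclass


@dataclass
class Vulnerability:
    vuln_id: str       # constructed placeholder id, e.g. "CVE-0000-0001"
    asset: str         # host or application the finding was raised on
    cvss: float        # base severity, 0.0 to 10.0
    reachable: bool    # is the vulnerable service exposed on any attack path?


@dataclass
class ThreatIndicator:
    vuln_id: str       # vulnerability the feed entry refers to
    actor: str         # threat agent named by the feed
    confidence: float  # feed's confidence in the report, 0.0 to 1.0
    active: bool       # exploitation observed in the wild


# Business criticality per asset, as a risk team would maintain it (constructed).
ASSET_CRITICALITY = {
    "payments-api": 1.0,
    "hr-portal": 0.6,
    "dev-sandbox": 0.2,
}


def correlate(vulns, indicators):
    """Map each vulnerability id to the threat indicators that reference it."""
    by_id = {}
    for ind in indicators:
        by_id.setdefault(ind.vuln_id, []).append(ind)
    return {v.vuln_id: by_id.get(v.vuln_id, []) for v in vulns}


def threat_factor(indicators):
    """0.0 when no threat is known; up to 1.0 when active exploitation is
    reported with full confidence. A report that is not yet active counts half."""
    best = 0.0
    for ind in indicators:
        weight = ind.confidence * (1.0 if ind.active else 0.5)
        best = max(best, weight)
    return min(best, 1.0)


def risk_score(vuln, indicators):
    """Risk = severity x likelihood x impact.

    Likelihood combines threat presence and reachability. A finding with no
    known threat keeps a small residual likelihood so it is never dropped
    entirely, only deprioritized; an unreachable finding is discounted
    even when a threat exists, since the path to it is closed."""
    criticality = ASSET_CRITICALITY.get(vuln.asset, 0.5)  # unknown asset: middle
    exposure = 1.0 if vuln.reachable else 0.25
    likelihood = 0.1 + 0.9 * threat_factor(indicators) * exposure
    return vuln.cvss * likelihood * criticality


def prioritize(vulns, indicators):
    """Return (vuln_id, asset, score) tuples, highest risk first."""
    corr = correlate(vulns, indicators)
    scored = [(risk_score(v, corr[v.vuln_id]), v) for v in vulns]
    scored.sort(key=lambda t: (-t[0], t[1].vuln_id))
    return [(v.vuln_id, v.asset, round(s, 3)) for s, v in scored]


# Constructed sample input: scanner findings and feed entries.
SAMPLE_VULNS = [
    Vulnerability("CVE-0000-0001", "dev-sandbox", 9.8, reachable=False),   # top CVSS, no threat
    Vulnerability("CVE-0000-0002", "payments-api", 7.5, reachable=True),   # exploited, exposed
    Vulnerability("CVE-0000-0003", "hr-portal", 6.5, reachable=True),      # reported, not active
    Vulnerability("CVE-0000-0004", "payments-api", 5.0, reachable=False),  # exploited, unreachable
]
SAMPLE_FEED = [
    ThreatIndicator("CVE-0000-0002", "crimeware-group-A", 0.9, active=True),
    ThreatIndicator("CVE-0000-0003", "hacktivist-collective-B", 0.8, active=False),
    ThreatIndicator("CVE-0000-0004", "crimeware-group-A", 0.9, active=True),
]

if __name__ == "__main__":
    for vuln_id, asset, score in prioritize(SAMPLE_VULNS, SAMPLE_FEED):
        print(f"{score:6.3f}  {vuln_id}  {asset}")
```

Running it ranks the CVSS 7.5 finding on the payments API first, because an active threat is associated with it and the service is reachable, and pushes the CVSS 9.8 finding on the sandbox to the bottom, because nothing is known to target it and it is not reachable. The weights are deliberately simple so the effect of each factor is visible; the design point is that the feed only changes the order once it is correlated with the organization's own vulnerability and asset data.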


Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
