Security Experts:

Security Threats: Risk's Often Neglected Step Child

According to Gartner ("Security and Risk Management Scenario Planning, 2020"), by 2020, 30% of global 2000 companies will have been directly compromised by an independent group of cyber activists or cyber criminals. This prediction is not surprising, considering the fact that leading risk indicators are difficult to identify when the organization's cyber foes, including their strategy, competences, and actions, are unknown. In turn, many organizations still focus on control gaps and vulnerabilities when performing risk assessments and neglect taking threats into account. This can lead to inaccurate prioritization of remediation actions and inefficient allocation of resources.

Risk Management IT ThreatsOne of the hot topics at RSA Conference 2014 was threat management and threat intelligence. Not only were these topics broadly covered in the conference’s workshops and presentations, but a wide range of vendors showcased their latest security threat technology to reflect the dynamic changes in the risk ecosystem. The goal is to help security professionals strengthen their existing security defenses with new visibility and context into real-time attacks.

As we all know, two conditions are required for a security incident to occur: A vulnerability must be present in some form (e.g., a software flaw or insecure programming; insecure configuration of IT infrastructure; insecure business operations; risky behavior by internal staff or other people, conducted maliciously or by mistake) and secondly, a threat must exploit that vulnerability.

Usually, security professionals have no direct control over threats to their organizations. In the past, this led to neglecting threats as a factor in an organization’s risk assessments. The focus, instead, was placed on the known, more visible facts – vulnerabilities and control failures. However, as the volume of vulnerabilities facing organizations has exploded over the past few years, it has become almost impossible to remediate all of them without vetting the impact and likelihood that they will be exploited. The point is, why would you give the highest attention to fixing vulnerabilities that have no threat associated with them and are not even reachable?

Since a threat is the agent that takes advantage of a vulnerability, this relationship must be a key factor in the risk assessment process. It can no longer be treated as risk’s neglected step child. In fact, advanced security operations teams leverage threat intelligence to gather insight into the capabilities, current activities, and plans of potential threat actors (e.g., hackers, organized criminal groups, or state-sponsored attackers) to anticipate current and future threats.

In its simplest form, threat intelligence information is available from government agencies (e.g., the National Terrorism Advisory System by the U.S. Department of Homeland Security, United States Computer Emergency Readiness Team). For many organizations, however, there is a need to supplement these services to access more timely, accurate, and vertical-specific intelligence. In this context, industry information sharing forums such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) or Red Sky Alliance, a vetted group of corporate computer incident responders and security professionals woven together in a private social network, come to mind as options.

Lastly, organizations can opt to subscribe to commercial threat intelligence service offerings that provide information about IT security threats, vulnerabilities, incidents, and other security-related issues.

Depending on the quality of the services, organizations can gain insight into the agents, actions, assets, and attributes of threats. This intelligence is derived from both technical sources (e.g., honeypots, files retrieved from malware archives) and human sources (e.g., interaction with law enforcement agencies, counter-attacks on hacker groups, and analysis of network traffic by white hackers). 

Gartner predicts that by 2020, 25% of global enterprise will engage the services of a “cyberwar mercenary” organization, including threat intelligence services. However, subscribing to these services is cost-prohibitive for many organizations as subscriptions run up to hundreds of thousands of dollars annually. In addition, threat intelligence is not yet a mature market with inherent weaknesses such as the lack of measurement parameters, such as reliability of information and risk assessment.

Furthermore, organizations must recognize that subscribing to threat intelligence services only increases the challenges associated with processing and extracting actionable information from security big data, which in its raw form remains only a means to an end.

Stand-alone threat intelligence services as silo-based tools add to the volume, velocity, and complexity of data feeds that must be analyzed, normalized, and prioritized. As such, they require experts who can comb through mountains of information and correlate threat intelligence, vulnerability data, and other log files, which only delays the time it takes to close security gaps.

Fortunately, new technology – big data risk management – is emerging that helps not only to aggregate different threat intelligence feeds, but more importantly correlates security data with its business criticality or risk to the organization, allowing for increased operational efficiency and faster time-to-remediation.

Related News: IID Launches Threat Sharing and Collaboration Platform

view counter
Torsten George is currently a cyber security evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).