Can We Talk? Finding A Common Security Language

How engineers can get beyond the crippling vocabulary and semantic barrier of infosec and actually communicate about cyber risk with bosses and business colleagues.

Put yourself in the shoes of your CEO.

Good morning, Mr. or Ms. CEO! Quick question -- and I need you to think fast: What’s the top cyber risk to your enterprise this quarter, and how does it affect your business’s bottom line?

It might help to think back to your last status meeting with your security team. In the meeting are all your department heads, including your CFO, COO, CMO, CTO, and CSO.

Imagine that you’ve come to the half-hour set aside for the CSO and his lead infosec engineers, and, on the slides, you see one summarizing your IT security and cyber defense spending over the first half of the year. Things like antivirus, malware detection, and anti-phishing show up, as do $ symbols followed by healthy numbers beside things like IDS/IPS, firewalls, signature detection, log aggregation, netflow analysis, and packet inspection.

Then you see a slide summarizing your top cyber security issues over the first half of the year: words and phrases like Zeus, Citadel Trojan, Backoff POS, Man-in-the-Middle, Dorking, Beaconing, Packet Reflection.

So, what is the top cyber risk to your enterprise this quarter, and how does it really affect your business’s bottom line?

Still can’t answer? You wouldn’t be alone.

Today’s enterprises, and their CEOs and board members, are increasingly impacted by everyday cybercrime. However, despite swelling budgets and ever-expanding resource allocations, many enterprises are actually losing ground in the fight to protect vital business operations from cyberharm.

While there are many reasons for this, none is as puzzling as the inability of executives and other senior management to communicate with their own security professionals. One major reason for this dysfunction hides in plain sight: There is no mutually understood, shared, and high-level language between the two sides via which both can really connect, perform critical analysis, make efficient and faster decisions, develop strategies, and, ultimately, work with less friction.

In short, it’s as if there’s a conversation going on where one side is speaking French, one side Russian, and they’re working through an English translator who’s using pocket travel guides for both languages.

In other business domains, such as sales or financial performance, there are time-tested and well-understood standards for expressing concepts and data -- in words. For example, things like “Run Rate” or “Debt-to-Equity Ratio” allow those people pulling the levers and pushing the buttons in an organization’s financial operations to percolate up important reporting for business leaders to use when steering the enterprise ship.

This is all made possible by a shared language of terms and classifications.

Where cyber security and business overlap, there is no common, intuitive business-intelligence or key performance indicator (KPI) language that security professionals and business leaders share, and so no way for them to communicate effectively. There are no generally accepted business terms and metric specifications in place to routinely track, analyze, and express how cybercrime affects a business. And this gap hurts leaders and security professionals alike.

How do businesses get things tracking?
There is no silver bullet that will work for every organization. But there are simple, practical ways to help the two sides begin communicating better. To start, enterprises can establish a standard, high-level cyber ontology within their organizations. In other words, create a specification for how cyber concepts are described and tracked. This will enable engineers on the security side to express lower-level cyber operations information in ways that management can leverage for planning, strategy, and, more fundamentally, good old-fashioned discourse.

Once established, data can be gathered together, mapped to this specification, and then analyzed and exchanged. It sounds simplistic, but too few organizations diligently collect cyber data in this manner, and thus they lose out on the opportunity to create a common language for expressing important concepts.

For example, most cyberthreats and hits that an organization suffers can be expressed in terms of who did what to whom (or against what), how it was done, and what happened as a result. That gives four high-level groupings:

  • Actor
  • Target
  • Effect
  • Practice

From here, as things occur, macro-level categories of items can be created underneath each of the high-level groupings such as:

  • Actor. State-Sponsored, Organized Crime, Hacktivist, etc.
  • Target. Web Servers, Point of Sale (POS) System, Cloud Storage, etc.
  • Effect. Website Downtime, Data Stolen/Leaked, Vandalism, etc.
  • Practice. Network Intrusion, Social Engineering, Malware, etc.

As entries are made, other data can also be added. Enrichment data and simple metadata, such as date and time, and specific micro-level information, such as "Malware: Citadel Trojan," can be entered and then analyzed. Everything from simple summary rollups to time series analysis can then be performed against this data in ways that resemble the traditional KPI-driven formats found in sales or financial performance reporting.

What’s more, once data is collected in a standard format, it’s very easy to connect it to KPI-type data from the other key business domains to create insights into how your business, your suppliers, your customers, and more are being affected by cyber events. IT and security budgets become more amenable to fine-grained assessment and continuous quality checks and improvements.
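The ledger described above, as an added example that is not code from the article: each entry is validated against the four high-level groupings and their macro-level categories, carries free-form micro-level enrichment, and feeds summary rollups, a practice-by-effect cross-tab, a monthly time series, and a join to a business KPI. The category lists are the article's examples plus a few assumed here (Workstations, None Observed, an Unknown bucket per dimension), the sample events are constructed, and the revenue-per-hour figure is an assumption used only to show the join.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# High-level groupings and the macro-level categories beneath them. The
# categories are the article's examples plus a few assumed here (Workstations,
# None Observed, and an "Unknown" bucket) so an event that cannot yet be
# classified is still recorded rather than silently dropped.
ONTOLOGY = {
    "actor": {"State-Sponsored", "Organized Crime", "Hacktivist", "Unknown"},
    "target": {"Web Servers", "Point of Sale (POS) System", "Cloud Storage",
               "Workstations", "Unknown"},
    "effect": {"Website Downtime", "Data Stolen/Leaked", "Vandalism",
               "None Observed", "Unknown"},
    "practice": {"Network Intrusion", "Social Engineering", "Malware", "Unknown"},
}

def validate_categories(actor, target, effect, practice):
    """Return the dimensions whose value is not in ONTOLOGY (empty list = valid)."""
    values = {"actor": actor, "target": target, "effect": effect, "practice": practice}
    return [dim for dim, value in values.items() if value not in ONTOLOGY[dim]]

@dataclass
class CyberEvent:
    """One ledger entry: who did what to whom, how it was done, and what happened."""
    when: datetime
    actor: str
    target: str
    effect: str
    practice: str
    # Micro-level enrichment, e.g. {"Malware": "Citadel Trojan"}; free-form by design.
    detail: dict = field(default_factory=dict)

    def __post_init__(self):
        bad = validate_categories(self.actor, self.target, self.effect, self.practice)
        if bad:
            raise ValueError(f"unrecognised category for {', '.join(bad)}")

def rollup(events, dim):
    """Summary rollup: event count per macro-level category of one dimension."""
    return Counter(getattr(e, dim) for e in events)

def cross_tab(events, rows, cols):
    """Two-way rollup, e.g. which practices led to which effects."""
    table = defaultdict(Counter)
    for e in events:
        table[getattr(e, rows)][getattr(e, cols)] += 1
    return {row: dict(counts) for row, counts in table.items()}

def monthly_series(events, dim=None, value=None):
    """Time series of event counts per month, optionally restricted to one category."""
    series = defaultdict(int)
    for e in events:
        if dim is None or getattr(e, dim) == value:
            series[e.when.strftime("%Y-%m")] += 1
    return dict(sorted(series.items()))

def micro_rollup(events, key):
    """Rollup over one micro-level enrichment key, e.g. which malware families were seen."""
    return Counter(e.detail[key] for e in events if key in e.detail)

def revenue_impact(events, revenue_per_hour):
    """Join the ledger to a business KPI: downtime hours x revenue per hour, per target."""
    impact = defaultdict(float)
    for e in events:
        hours = e.detail.get("DowntimeHours", 0)
        impact[e.target] += hours * revenue_per_hour.get(e.target, 0.0)
    return {target: loss for target, loss in impact.items() if loss}

# Constructed sample ledger for this example (not real incident data).
SAMPLE_EVENTS = [
    CyberEvent(datetime(2014, 1, 9), "Organized Crime", "Point of Sale (POS) System",
               "Data Stolen/Leaked", "Malware", {"Malware": "Backoff POS"}),
    CyberEvent(datetime(2014, 1, 22), "Hacktivist", "Web Servers",
               "Website Downtime", "Network Intrusion",
               {"Technique": "Packet Reflection", "DowntimeHours": 6}),
    CyberEvent(datetime(2014, 2, 3), "Organized Crime", "Workstations",
               "Data Stolen/Leaked", "Social Engineering",
               {"Lure": "Phishing e-mail", "Malware": "Citadel Trojan"}),
    CyberEvent(datetime(2014, 2, 14), "Hacktivist", "Web Servers",
               "Vandalism", "Network Intrusion"),
    CyberEvent(datetime(2014, 3, 1), "Unknown", "Cloud Storage",
               "None Observed", "Network Intrusion", {"Technique": "Dorking"}),
    CyberEvent(datetime(2014, 3, 18), "Organized Crime", "Point of Sale (POS) System",
               "Data Stolen/Leaked", "Malware", {"Malware": "Zeus"}),
]

# Assumed business KPI for the join: revenue per hour served by each target.
REVENUE_PER_HOUR = {"Web Servers": 2500.0}

if __name__ == "__main__":
    print("By actor:", dict(rollup(SAMPLE_EVENTS, "actor")))
    print("Practice x effect:", cross_tab(SAMPLE_EVENTS, "practice", "effect"))
    print("Data theft per month:", monthly_series(SAMPLE_EVENTS, "effect", "Data Stolen/Leaked"))
    print("Estimated revenue impact:", revenue_impact(SAMPLE_EVENTS, REVENUE_PER_HOUR))
```

The validation in `__post_init__` is the part that makes the language shared: an entry whose actor or effect is not in the agreed category set is rejected at the point of entry rather than showing up later as a one-off label nobody else can roll up. The micro-level `detail` dictionary stays free-form on purpose, so engineers can record "Malware: Citadel Trojan" without the executive summary depending on that level of specificity.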

In other words, security engineers and those who lead them can begin to talk the same, shared, data-driven language. It’s a simple, inexpensive approach with big, persistent results.
