The Edge

Getting Started With Threat-Informed Security Programs

Security leaders need to examine their business model, document risks, and develop a strategic plan to address those risks.

Organizations that don't fully understand the current cybersecurity threat landscape can find it difficult to figure out the right course of action, let alone build robust security programs.

The challenges are amplified when organizations spend money on cybersecurity initiatives without understanding the threats they face or the problem they are trying to solve, Michael Speca, president of security services company Ardalyst, said during the Mandiant Cyber Defense Summit earlier this fall. Security leaders should rethink common cybersecurity myths and re-evaluate how cybersecurity fits into their current risk mitigation approaches, he suggested.

“There are too many choices, all overwhelming and making either grandiose promises, or narrowly-focused, inapplicable options - that’s a recipe for really not knowing what to do,” Speca said.

Secure vs Not Secure

One common misperception is to think of the organization as being either secure or not secure, Speca said. Security is not a once-and-done effort, and there is no one-size-fits-all approach to what organizations need to do.

"You would never argue that your house or your office is either secure or not secure. You would understand that there are different levels of security to your physical property," Speca said.

Consider a warehouse filled with inventory. "First thing you are going to think about is well how valuable is that inventory? How much is it worth protecting?" Speca said. "Second thing you are going to think about is what are the types of people who are going to be interested in trying to steal that inventory or damage that inventory? And then you would ask yourself questions about what kind of measures do you need in order to prevent or limit the ability of someone who wants to damage or steal that property from getting to that property."

Cybersecurity also involves thinking about what threats are likely, and which ones are important. "You need to understand whether or not your organization is up against a nation-state actor that's trying to steal state secrets or is the main risk cybercriminals that are going to try to target you for a ransomware attack, or is the main concern simple vandalism defacement of your website," Speca advised.

Cybersecurity is a continuum, Speca said. After identifying the different kinds of threats that could disrupt the environment, it is important to set up countermeasures to handle such situations.

Disrupt the Kill Chain

Attacks may seem sudden and unexpected, but most of the time they are the culmination of a long chain of events, Speca said. An adversary needs to take a number of steps to compromise a network and steal valuable information.

“Hackers need to understand their targets, they need to figure out entry points into their targets, and also how to move around the space of their targets to identify assets that are worth compromising,” Speca explained.

Defenders don't need to out-hack the attackers. There are several different points in this kill chain where defenders can stop the attackers. This is where knowing the environment and understanding what countermeasures are available is important.

"If nobody's guarding the door, no matter how many locks you put on the door, someone's eventually going to be able to break it down. So you need people who are paying attention to what's going on with your cybersecurity program," Speca said.