
Comments
A Simple Formula For Usable Risk Intelligence
JasonPolancich
User Rank: Author
10/28/2014 | 6:35:52 PM
Re: Don't Forget To Supplement
Well, you are spot on.

I too have seen this time and time again. To me, I think the biggest problem is neither technical nor cyber-y. It's just that most businesses still don't feel like cyber is "in their neighborhood" yet. If your house has never been broken into, you start to not worry about daily diligence and having quick reflexes. Times they are a-changin', as far as that goes. I really believe cyber will become virtually a daily management task for businesses over the next decade from top-bottom, bottom-top and sideways. Developers, CEOs, security professionals, employees, marketing, CFO shops... all the above. Well, unless a comet hits and our marketplace and personal lives become less connected or stop technologically advancing.

As to "but how to implement it from a technical perspective so that people are not milling around as much and feel the reality of the risk they must address?"... If you're interested in some further detail, drop me a line at [email protected]. Several people have asked this week via email and social media since the article went online and I'd be happy to share.
JasonPolancich
User Rank: Author
10/28/2014 | 6:26:12 PM
Re: ROI Ideal Justification
Good observation. ROI is one of those focal points for me of late.

The prevailing opinion in security/business has been that ROI is not possible with cybersecurity. I personally think this has been something of a contributing factor to businesses taking such a long time to begin to embrace tracking cyber the same way they do other things.

Not only do I think it's possible, but it's actually time now to start again or, well, get selected against as things go on naturally.

Much like physical therapy after a bad injury, businesses need to start over "learning to walk" all over again. Baby steps, nothing assumed and an emphasis on the kinds of metrics you mention. To do it, they'll need to be collecting new types of seemingly un-cyber data, at new levels, in new ways, and analyzing it in new ways. Just as you suggest.

As I point out in this piece, it's very rare to see businesses analyzing data in the context of their own operations and, as you mention, running continuous comparisons to help manage their own budgets and strategy. As an aside, what we need to fully support this is a cyber data service a la Standard and Poor's.

Lastly and personally, I think the number one contributing factor to the lack of the kind of operations you suggest?

The chasm between business leadership and security/INFOSEC leadership. Nothing's going to really happen until both sides recognize that supporting this kind of true collab initiative around some risk intell "physical therapy" will bolster the longevity of both domains in the long run.
RetiredUser
User Rank: Ninja
10/28/2014 | 4:13:47 PM
Re: Don't Forget To Supplement
I get that, Jason. I think I have a knee-jerk reaction since I have seen massive budgets allocated to analysis, reporting and proposals _toward potential organization recommendations for cyber security_ and then watched the data go stale, and the "potential recommendations" never turn into actual teams of techs dedicated to protecting data, preventing intrusion and performing forensics.

If only the costs in both budget and time could be brought to a bare minimum through automation, interpretive templates and risk prevention recommendations against potential loss derived from the data analysis, which could be used to quickly reach a decision on the part of companies who clearly need to fortify. Let's spend less budget/time pondering and more budget/time doing.

Your formula makes sense, but how to implement it from a technical perspective so that people are not milling around as much and feel the reality of the risk they must address?
RyanSepe
User Rank: Ninja
10/28/2014 | 12:32:59 PM
ROI Ideal Justification
I feel another variable in this equation for ROI in regards to Threat Intelligence needs to be postulated savings. By this I mean, comparative to other industries in your sector that were breached in that year, what relative safeguards/protocols did your organization take to ensure that you were not breached? What was the relative cost saved in terms of lawsuits, fines, reputation? I feel that this comparative analysis helps when providing the value of cyber security to the business side of the institution.
JasonPolancich
User Rank: Author
10/28/2014 | 12:16:43 PM
Re: Don't Forget To Supplement
"Additionally, more emphasis should be placed on risk based security. Let's face it – business units do a very good job of business risk management, and security needs to do some catching up."

Amen.
GonzSTL
User Rank: Ninja
10/28/2014 | 12:15:03 PM
Re: Don't Forget To Supplement
There are two points I wish to posit. 1) The board (or leadership) of an organization needs to be held accountable for lapses in security. This would serve to motivate organizations to pay closer attention to their security posture, and allocate resources accordingly. 2) The security leader should be able to communicate the security message effectively. It is a given that IT goals should align with the business goals of the organization. At the same time, security goals must align with IT goals, and therefore by extension, business goals as well.

Inevitably, there is always contention for budgets, with each unit clamoring for more. Decisions are often made to favor those units who can most effectively communicate and justify their requests. This has always been a disadvantage for the technical units, many of which are led by technicians who have advanced their careers to the point of executive leadership. Unfortunately, many of these leaders have not had the advantage of thinking in terms of business, but rather in terms of technology. This is especially true within security units. This lack of effective soft skills often hinders a unit from achieving their goal of an increased budget, so it isn't always that the organizational leadership is at fault. After all, how can they justify increasing a unit's budget when the unit itself cannot effectively justify the request for an increase?

Additionally, more emphasis should be placed on risk based security. Let's face it – business units do a very good job of business risk management, and security needs to do some catching up. Risk intelligence is sometimes seen as some esoteric concept, and justifiably so since its importance has not been so prominent in the past. When executive leadership cannot easily see the impact on the organization's bottom line, it is easy for them to turn a blind eye to budget requests. In light of the recent huge breaches, it should be clear to executive leadership that cyber security is a very loud message. It is incumbent on all security leaders to effectively communicate how their planned expenditures correlate with the mitigation of existing threats.
JasonPolancich
User Rank: Author
10/27/2014 | 1:52:16 PM
Re: Don't Forget To Supplement
Interesting and good points all, Christian. Wouldn't disagree with anything you have written. The subtextual intent of the piece here hinges on not taking away resources, but instead adding resources - but in a different place. Right now everyone's clamoring for bigger cyber budgets and more spending, but that's just as likely to be more good money after bad.

Businesses do very solid jobs across the board (usually) with well established business intell for most key biz opps areas (e.g. sales, marketing, prod dev, etc.), but certainly don't yet fund or commit to establishing similar programs for cyber business intelligence.

From a risk reduction perspective, that's not only puzzling, but troubling.

Almost any enterprise would likely gladly pay to reduce any risk that's significant and a proven threat to their bottom lines, but most won't pay for something they don't fully understand (i.e. document with numbers over time). Cyber has been the exception to that. In the end, a solid business risk intell program is as much (if not more) about getting the right budget together (i.e. justifying it) to pay for those CTF courses than to stop any given threat. Put simply, most cyber budgets these days are guessing games. Everything you point out below could be proven over time with BI efforts focused on cyber risk intell just as with, say, sales and product dev.
RetiredUser
User Rank: Ninja
10/27/2014 | 1:40:29 PM
Don't Forget To Supplement
So here's the thing. Intelligence and prediction, analysis and planning – all of this is great stuff and industries are built upon it. But as any "in the trenches" programmer and sysadmin knows, projects take valuable time away from actual work, and for the security-focused sysadmins, they all know that the data you spend a month analyzing and predicting against can change entirely by the time you implement. Take away the risk intelligence work? Not necessarily, but there are a couple things that should be done. 1) Trim all fat from your RI gameplan and keep the whole process as trim and operations-based as possible (automate, automate, automate). And 2), supplement with talent who are part of the underground and who actually help to make cybercrime as difficult to predict and as evolved as it is. Yes, you need people who ignore all the data from your RI and who can a) illuminate all those dark corners you're missing in the RI and b) pull intelligence from the underground that you are never going to get on your own to help prepare you for the next attack that everyone else will fall prey to because they are not keeping up with current penetration techniques and exploits. And please, the next time you get budget for certifications, instead send your security people to CTF (capture the flag) camps and hands-on penetration testing workshops. All the RI you can muster will not matter when that one really bad exploit comes along, but with the right experience under their belt, your security team can potentially prevent the worst from happening instead of just analyzing the data from the hit after-the-fact.
