A Simple Formula For Usable Risk Intelligence
User Rank: Author
10/28/2014 | 6:35:52 PM
Re: Don't Forget To Supplement
Well, you are spot on.

I too have seen this time and time again. To me, I think the biggest problem is neither technical nor cyber-y. It's just that most businesses still don't feel like cyber is "in their neighborhood" yet. If your house has never been broken into, you start to not worry about daily diligence and having quick reflexes. Times they are a changin', as far as that goes. I really believe cyber will become virtually a daily management task for businesses over the next decade from top-bottom, bottom-top and sideways. Developers, CEOs, security professionals, employees, marketing, CFO shops... all the above. Well, unless a comet hits and our marketplace and personal lives become less connected or stop technologically advancing.

As to "but how to implement it from a technical perspective so that people are not milling around as much and feel the reality of the risk they must address?"... If you're interested in some further detail, drop me a line at [email protected]. Several people have asked this week via email and social media since the article went online and I'd be happy to share.
User Rank: Author
10/28/2014 | 6:26:12 PM
Re: ROI Ideal Justification
Good observation. ROI is one of those focal points for me of late.

The prevailing opinion in security/business has been that ROI is not possible with cybersecurity. I personally think this has been something of a contributing factor to businesses taking such a long time to begin to embrace tracking cyber the same way they do other things.

Not only do I think it's possible, but it's actually time now to start again or, well, get selected against as things go on naturally.

Much like physical therapy after a bad injury, businesses need to start over "learning to walk" all over again. Baby steps, nothing assumed and an emphasis on the kinds of metrics you mention. To do it, they'll need to be collecting new types of seemingly un-cyber data, at new levels, in new ways, and analyzing it in new ways. Just as you suggest.

As I point out in this piece, it's very rare to see businesses analyzing data in the context of their own operations and, as you mention, running continuous comparisons to help manage their own budgets and strategy. As an aside, what we need to fully support this is a cyber data service a la Standard and Poor's.

Lastly and personally, I think the number one contributing factor to the lack of the kind of operations you suggest?

The chasm between business leadership and security/INFOSEC leadership. Nothing's going to really happen until both sides recognize that supporting this kind of true collab initiative around some risk intell "physical therapy" will bolster the longevity of both domains in the long run.
User Rank: Ninja
10/28/2014 | 4:13:47 PM
Re: Don't Forget To Supplement
I get that, Jason. I think I have a knee-jerk reaction since I have seen massive budgets allocated to analysis, reporting and proposals _toward potential organization recommendations for cyber security_ and then watched the data go stale, and the "potential recommendations" never turn into actual teams of techs dedicated to protecting data, preventing intrusion and performing forensics.

If only the costs in both budget and time could be brought to a bare minimum through automation, interpretive templates and risk prevention recommendations against potential loss derived from the data analysis that could be used to quickly reach a decision on the part of companies who clearly need to fortify. Let's spend less budget/time pondering and more budget/time doing.

Your formula makes sense, but how to implement it from a technical perspective so that people are not milling around as much and feel the reality of the risk they must address?
User Rank: Ninja
10/28/2014 | 12:32:59 PM
ROI Ideal Justification
I feel another variable in this equation for ROI in regards to Threat Intelligence needs to be postulated savings. By this I mean, comparative to other industries in your sector that were breached in that year, what relative safeguards/protocols did your organization take to ensure that you were not breached? What was the relative cost saved in terms of lawsuits, fines, reputation? I feel that this comparative analysis helps when providing the value of cyber security to the business side of the institution.
User Rank: Author
10/28/2014 | 12:16:43 PM
Re: Don't Forget To Supplement
"Additionally, more emphasis should be placed on risk based security. Let's face it – business units do a very good job of business risk management, and security needs to do some catching up."

User Rank: Ninja
10/28/2014 | 12:15:03 PM
Re: Don't Forget To Supplement
There are two points I wish to posit. 1) The board (or leadership) of an organization needs to be held accountable for lapses in security. This would serve to motivate organizations to pay closer attention to their security posture, and allocate resources accordingly. 2) The security leader should be able to communicate the security message effectively. It is a given that IT goals should align with the business goals of the organization. At the same time, security goals must align with IT goals, and therefore by extension, business goals as well.

Inevitably, there is always contention for budgets, with each unit clamoring for more. Decisions are often made to favor those units who can most effectively communicate and justify their requests. This has always been a disadvantage for the technical units, many of which are led by technicians who have advanced their careers to the point of executive leadership. Unfortunately, many of these leaders have not had the advantage of thinking in terms of business, but rather in terms of technology. This is especially true within security units. This lack of effective soft skills often hinders a unit from achieving their goal of an increased budget, so it isn't always that the organizational leadership is at fault. After all, how can they justify increasing a unit's budget when the unit itself cannot effectively justify the request for an increase?

Additionally, more emphasis should be placed on risk based security. Let's face it – business units do a very good job of business risk management, and security needs to do some catching up. Risk intelligence is sometimes seen as some esoteric concept, and justifiably so since its importance has not been so prominent in the past. When executive leadership cannot easily see the impact on the organization's bottom line, it is easy for them to turn a blind eye to budget requests. In light of the recent huge breaches, it should be clear to executive leadership that cyber security is a very loud message. It is incumbent on all security leaders to effectively communicate how their planned expenditures correlate with the mitigation of existing threats.
User Rank: Author
10/27/2014 | 1:52:16 PM
Re: Don't Forget To Supplement
Interesting and good points all, Christian. Wouldn't disagree with anything you have written. The subtextual intent of the piece here hinges on not taking away resources, but instead adding resources - but in a different place. Right now everyone's clamoring for bigger cyber budgets and more spending, but that's just as likely to be more good money after bad.

Businesses do very solid jobs across the board (usually) with well established business intell for most key biz opps areas (e.g. sales, marketing, prod dev, etc.), but certainly don't yet fund or commit to establishing similar programs for cyber business intelligence.

From a risk reduction perspective, that's not only puzzling, but troubling.

Almost any enterprise would likely gladly pay to reduce any risk that's significant and a proven threat to their bottom lines, but most won't pay for something they don't fully understand (i.e. document with numbers over time). Cyber has been the exception to that. In the end, a solid business risk intell program is as much (if not more) about getting the right budget together (i.e. justifying it) to pay for those CTF courses than to stop any given threat. Put simply, most cyber budgets these days are guessing games. Everything you point out below could be proven over time with BI efforts focused on cyber risk intell just as with, say, sales and product dev.
User Rank: Ninja
10/27/2014 | 1:40:29 PM
Don't Forget To Supplement
So here's the thing. Intelligence and prediction, analysis and planning – all of this is great stuff and industries are built upon it. But as any "in the trenches" programmer and sysadmin knows, projects take valuable time away from actual work, and for the security-focused sysadmins, they all know that the data you spend a month analyzing and predicting against can change entirely by the time you implement. Take away the risk intelligence work? Not necessarily, but there are a couple things that should be done. 1) Trim all fat from your RI gameplan and keep the whole process as trim and operations-based as possible (automate, automate, automate). And 2), supplement with talent who are part of the underground and who actually help to make cybercrime as difficult to predict and as evolved as it is. Yes, you need people who ignore all the data from your RI and who can a) illuminate all those dark corners you're missing in the RI and b) pull intelligence from the underground that you are never going to get on your own to help prepare you for the next attack that everyone else will fall prey to because they are not keeping up with current penetration techniques and exploits. And please, the next time you get budget for certifications, instead send your security people to CTF (capture the flag) camps and hands-on penetration testing workshops. All the RI you can muster will not matter when that one really bad exploit comes along, but with the right experience under their belt, your security team can potentially prevent the worst from happening instead of just analyzing the data from the hit after-the-fact.