The role of risk and information owners is typically to separate, understand and value the critical assets of each department or business unit. They can then calculate the business threat and overall business risk before the application of an effective countermeasure.
This initial quick win exercise can ultimately set the security strategy and shed light on the vision of the company. And with existing and pending changes to legislative, regulatory and governance guidelines, the importance of the owner’s role should no longer be overlooked.
But by monitoring the underworld and the darknet, many buyers, sellers and cybercrime ring owners already have this model and have pre-valued businesses’ data. Crime-as-a-service has replaced individual threat agents as the most likely source of cybercrime and continues to evolve closer to the classic model of crime.
The layer-cake of cybercrime can be mapped to include the technology toolkit providers and malware, and exploit kit authors who now offer products or services for a small outlay, but net the ring or client a significant ROI. Examples of this found recently in the Europol Internet Organised Crime Threat Assessment (iOCTA) conclude that this problem is not going away anytime soon.
As has been the case for many years, to best counter any threat, businesses need to provide context from a standard blueprint with the aim to own their asset before the adversary. This includes valuing assets and evaluating overall threat to calculate impact, while concurrently understanding that vulnerabilities and applied countermeasures will calculate likelihood. Together, this primarily asset-centric and attacker-centric model will help indicate the threat priority.
Exploit the data, not the people
Using data to protect data sounds like a novel idea, and it can be implemented with success. A review of recent security incidents across large enterprises found that security operations teams were typically notified and received an alert in the form of a suspicious event, but lacked the process, resource or the behaviour context to perform effective triage and validation.
A key goal for most security operations teams is to mature their technology stack to include more timely, accurate and actionable security events from threat intelligence. Yet many will still struggle because without the initial data discovery exercise of understanding their critical assets, it’s difficult to assess impact and still decide which events to act on first.
Most security professionals I meet have a hacker mentality. Indeed, many label themselves ethical hackers and still continue to share some great tools, techniques and tactics (TTPs) they have employed to test their threat models.
Within this mentality is the option to include the science of data to understand patterns and statistics. Exploiting and maximising the data available becomes another exercise that can be used after taking a step back to really see the wood from the trees and focus on the business importance of data, while at the same time realising that analysing large datasets can also infringe on privacy.
The compromise is typically made easy by identifying and protecting privacy using basic techniques of anonymisation, without losing the value of data. Unfortunately, infosecurity and data science professionals are both in short supply because of this desirability to exploit data ethically.
Align the predictive element in security and corporate strategies
With the asset-centric and attacker-centric model implemented and the continuous threat model process initiated, the struggle is often for businesses to then prove the real value in their risk-based, data-centric strategy.
The value comes from the security team being on the verge of implementing a predictive program using predictive analytics that can be used to further identify and protect the business from threats, regardless of source. The added context will eliminate the majority of false-positives or non-urgent events and put an element of control back into the hands of the defenders.
The use of machine learning to identify assets and the application of threat intelligence to identify attack patterns can be combined to move to a more predictive and ultimately proactive strategy.
By coincidence, corporate strategy is most likely undergoing a similar change with the role predictive analytics in business strategy brings from big data. The result is businesses successfully making the connection between security and corporate strategy.
Sourced from Neil Thacker, Websense