Managing Risk through Machine Intelligence and Automation
Beyond the stories about vulnerabilities in just about every type of infrastructure, state-on-state espionage and the impact of misinformation and disinformation propagated through social media, the common theme from industry was, unsurprisingly, how cyber security is becoming increasingly smart, operations more automated and risk assessments more accurate.
One of the key barriers to cyber investment has always been board or senior management understanding of the cyber threat and the risk to business operations, and therefore their willingness to invest in a non-revenue generating business function. However, as several of the keynotes observed, times are changing. Google’s admission of state-sponsored attacks in 2010 was an “epoch changing moment” and, with increasing government oversight and new regulations in the shape of NIS, GDPR and equivalents, organisations are now more open to the threats and willing (or obliged) to report attacks or breaches. Even so, articulating the threat to the ultimate budget holders is still part science, part art. WA enjoyed the story from SecurityScorecard about security threats to European football clubs and how to communicate the need for security to senior management. Using a benchmarking tool to compare your vulnerabilities and risk with those of your peers is one way to communicate the need for increased investment.
Lots of industry research exists about the scale of the threat and this can be leveraged by CISOs to argue their business case. Symantec provided some useful insights, with their research indicating that the cost of cyber-attacks increased by 11.6% from 2017 to 2018 and that attacks are taking longer to resolve. Naturally there was an argument that deployment of security technology will save organisations billions of dollars. One of the largest threats comes from the malicious insider, hence the widespread deployment of Identity and Access Management (IAM) solutions enabled with machine intelligence to detect suspicious activity on the network. However, Symantec believes that, based on the technology impact and return on investment, industry is not investing enough in IAM, threat intelligence, automation and machine intelligence.
The volume of threat intelligence and the number of organisations offering insights and advisory services have grown considerably. Threat intelligence has become the entry tool for suppliers to display a range of complementary services to detect and respond to attacks, thereby reducing organisational risk. eSentire delivered an interesting analysis of threats that it gathered from 1,600 network sensors and 87,000 endpoint agents, whilst Agari presented a compelling story about how it uncovered a UK-based global Business Email Compromise (BEC) organisation using operational intelligence.
The theme of risk was also part of a session by Spirent, who advanced the practice of purple teaming to improve organisational resilience as part of their CyberFlood Data Breach Assessment tool. Cyber security testing usually uses Blue (defender) and Red (attacker) teams, ideally external, to simulate potential scenarios and to improve response. The purple team is an intermediary that facilitates and combines the defensive approaches with the attack strategy to ensure learning and improved security.
Understanding the cyber risk through threat intelligence and war gaming helps to build the business case to invest in technology that will further mitigate the impact of any attack. The business case becomes stronger if it doesn’t result in new headcount and improves the productivity of the existing security analyst team. Almost all the presentations touched on the benefits of machine intelligence working in tandem with security analysts to identify possible threats. Security Orchestration, Automation and Response – combining security products and processes into a single platform – also featured heavily throughout the show.
An increasingly important and much discussed topic is how to build resilience into both the supply chain and new system deployments. The bulk of security expenditure is centred around protection and detection of network threats and vulnerabilities. Whilst this will remain a key priority, there is an increasing focus on secure by design, ensuring that new, complex smart systems are cyber secure at the component and sensor level. NCC provided an insight into one of their priorities, which is how to secure thousands of sensors in a pervasive wireless network, such as a Smart City. Data can generate significant benefits and improve efficiency, but encrypting thousands of cheap sensors is cost prohibitive and applying security patches to low-power wide-area networks is impractical, verging on impossible. The future security of smart cities and other infrastructure will be partly determined by security by design, and that will be driven by city planners’ level of acceptable risk.
The balance between risk and investment will continue to be a key industry challenge. Whilst stakeholders remain ignorant of the cyber threat, the level of risk will be higher. It is the responsibility of CISOs to reduce the organisational risk by upwards communication of the challenges and investment required. Scorecards, purple teaming and threat intelligence can help set the context. Technology that improves employee productivity provides a return on investment argument. If that is still not sufficient to get the investment required, then a few horror stories often help to focus management’s attention.