Managed.IT - issue 61

CYBERSECURITY ...continued

intact so we don't have to exercise our incident management as much.

"Instead, we loosely installed the protection mechanisms and then relied heavily on incident management, which failed in a lot of cases – I think the statistic is that in 80% of breaches the information was in the logs but the organisations failed to see it. The missing step is to test those defences and to find gaps before the hackers find them. Organisations are now starting to recognise that the assumed breach methodology from MITRE and using the MITRE matrix to measure efficacy and efficiency is the way forward. This is called a threat-informed defence."

Brewer argues that this approach is gaining ground because the top-down, risk-informed defence that has prevailed for the last 30 years and is all about governance, risk and compliance (GRC) has failed so dramatically. As evidence, he points to the fact that there were 300 million ransomware attacks last year and that 81% of victims surveyed by the BBC said they paid the ransom.

"There's a major problem here; we're losing the fight and organisations recognise that and realise that they need to augment that GRC approach with a threat-informed approach to find out what would happen if a hacker got onto a company laptop, where could they get to and could we shut down their activity?

"That's the new movement in the industry. It's not about a product. It's about all the holistic platforms, the firewalls, the SIEMs, the EDRs, working together as a single organism, rather than just being a bunch of siloed technologies that don't talk to each other."

The changing role of CISOs

The other big change taking place in the cybersecurity world cited by Brewer is a stronger focus on cybersecurity from regulators and at board level, which he says demands a new approach from Chief Information Security Officers (CISOs).

"Boards and regulators like the Bank of England's Prudential Regulation Authority (PRA) in the UK are getting a lot more savvy about the testing and validation that they do. They invoke what's called a CBEST test, which doesn't involve a university graduate with a clipboard asking 'Do you have a password? Do you have a firewall?'. Instead, the question is: 'Take XYZ hacking organisation: they use these TTPs, show us how you would defend your organisation against that activity'. That's a very different question that requires much more scenario-based analysis."

Brewer points out that while regulators and boards are changing their approach, there is still a disconnect with CISOs who have come up through the trenches and are often too technical and too detail-oriented.

"They want to talk about how many hacks there have been and from which countries. That's irrelevant to a board; the board are only interested in the risk to the business, what's being done to solve the problem, what industry peers are doing and whether the right amount of money is being spent. There's a disconnect between the technical language that the security teams talk and the risk language that the boards talk," he said.

To illustrate the kind of approach he would like to see from CISOs, Brewer compares the data-driven boardroom presentations of CFOs and CMOs to the speculative declarations of CISOs.

"In the boardroom, the CFO comes in and has every detail: this is how much money we have, these are our creditors, these are our debtors, this is our balance sheet, this is our growth, this is what we're expecting from collections, this is our cash flow. The marketing person walks in and says this is how many people have hit our website, this is how many people have downloaded our white paper and so on. The logistics person walks in and says we've got GPS in vans and this is what it tells us. When it comes to cybersecurity, we just don't have feedback on what's working and what's not working. We don't have that evidence, that data. So we go in and say 'We've kind of bought everything we think we need; we think we're OK'.

"That's no longer acceptable. Boards need cybersecurity to act like every other function and CISOs, especially the newer ones, to talk in data-driven terms, not fear, uncertainty and doubt. Instead of saying there's all this geopolitical activity happening, we need to spend more money on cybersecurity, they should be saying 'we're in energy; these are the groups that are targeting us; these are the things they're going to do against us; we've measured our environment and we're about 76% effective. If the board would like us to get to 86% effective, we need another couple of million pounds. Do you want to accept the risk at 76% or do you want to spend another couple of million pounds to get us to 86%?'. That's like the conversation you have with finance: 'We're going to buy this building, we're going to retire these two buildings, and that's going to reduce our rent by this, our liabilities by that and it's going to increase our profit by this'. It's a very different conversation."

Brewer says that in educating C-level cybersecurity professionals to talk more effectively to the board, we are starting to see the emergence of a new type of CISO who takes a threat-informed defence approach and uses data and evidence to drive their decisions rather than buying yet another shiny widget to put in their arsenal of other shiny widgets that individually are fine, but collectively don't provide the protections that organisations need. AttackIQ feeds into the movement towards threat-informed defence and the new data-driven way of doing evidence-based security.

www.attackiq.com
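As an added illustration (not from the article or from AttackIQ), the script below shows the kind of evidence-based measurement Brewer describes: an assumed-breach run scores each emulated ATT&CK technique as prevented, detected, logged but never alerted on, or missed, and the board question "we are at 76%, what does 86% cost?" becomes a count of gaps to close. The technique IDs are real ATT&CK IDs, but the outcomes are constructed sample data chosen to land on the 76% figure.

```python
from math import ceil

# Constructed sample outcomes from a hypothetical assumed-breach exercise,
# grouped by ATT&CK tactic. Outcomes: "prevented" (blocked), "detected"
# (alert raised), "logged" (evidence in the logs, no alert), "missed".
SAMPLE = {
    "Initial Access":       [("T1566", "prevented"), ("T1190", "detected")],
    "Execution":            [("T1059", "detected"), ("T1204", "prevented")],
    "Persistence":          [("T1053", "detected"), ("T1547", "logged")],
    "Privilege Escalation": [("T1068", "detected"), ("T1548", "detected")],
    "Defense Evasion":      [("T1027", "missed"), ("T1070", "logged")],
    "Credential Access":    [("T1003", "logged"), ("T1110", "detected")],
    "Discovery":            [("T1087", "detected"), ("T1018", "detected")],
    "Lateral Movement":     [("T1021", "logged"), ("T1570", "detected")],
    "Collection":           [("T1005", "detected"), ("T1560", "detected")],
    "Command and Control":  [("T1071", "missed"), ("T1105", "detected")],
    "Exfiltration":         [("T1041", "detected"), ("T1567", "detected")],
    "Impact":               [("T1486", "prevented"), ("T1490", "detected"), ("T1489", "detected")],
}

COVERED = {"prevented", "detected"}  # outcomes that count as an effective control


def _counts(results):
    total = sum(len(v) for v in results.values())
    covered = sum(1 for v in results.values() for _, o in v if o in COVERED)
    return total, covered


def effectiveness(results):
    """Percentage of emulated techniques that were prevented or detected."""
    total, covered = _counts(results)
    return round(100 * covered / total)


def gaps(results):
    """Per tactic, the techniques the stack neither prevented nor detected."""
    return {t: [tid for tid, o in v if o not in COVERED]
            for t, v in results.items() if any(o not in COVERED for _, o in v)}


def logged_but_unseen(results):
    """The '80% of breaches were in the logs' case: evidence existed, no one was alerted.
    These are closed by tuning detections, not by buying another product."""
    return [tid for v in results.values() for tid, o in v if o == "logged"]


def techniques_to_close(results, target_pct):
    """How many more techniques must become covered to reach the target percentage."""
    total, covered = _counts(results)
    return max(0, ceil(target_pct * total / 100) - covered)


if __name__ == "__main__":
    print(f"effective: {effectiveness(SAMPLE)}%  gaps by tactic: {gaps(SAMPLE)}")
    print(f"logged but not alerted: {logged_but_unseen(SAMPLE)}")
    print(f"techniques to close for 86%: {techniques_to_close(SAMPLE, 86)}")
```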
