Technology Reseller v50

CYBERSECURITY

…can get to, and if you can measure that, find those gaps before the hackers do and fill them in, then you’re less likely to become a headline.

“We recently surveyed customers who were able to measure their controls with AttackIQ and found that their controls were 0.25%, either failing or degraded. If you think about the IT side of the business, we’re all chasing three, four, five 9s (.9999%), whereas in cybersecurity, we’re running at .75%. Is that acceptable?”

More and more businesses think not and are adopting a more comprehensive threat-informed defence based on awareness of the latest TTPs of hackers and continuous monitoring and validation of security controls across the enterprise.

“If you go back to the beginning of the cyber security industry, it was really about capabilities – let’s get some firewalls, let’s get some EDRs, let’s get some SIEM to protect ourselves. That was the proactive thing. Then it became a question of responding to the activity that was generated, being reactive by looking at incident management and now SOC,” explains Brewer.

“But in doing this we actually missed a step, which was to take what we now know about the tools, techniques and procedures of hacking groups, which are really well documented by the MITRE organisation, and replay them against our infrastructure to make sure that our defences are actually intact so we don’t have to exercise our incident management as much.

“Instead, we loosely installed the protection mechanisms and then heavily relied on incident management, which failed in a lot of cases – I think the statistic is that in 80% of breaches the information was in the logs but the organisations failed to see it. The missing step is to test those defences and to find gaps before the hackers find them. Organisations are now starting to recognise that the assumed breach methodology from MITRE and using the MITRE matrix to measure efficacy and efficiency is the way forward. This is called a threat-informed defence.”

Brewer argues that this approach is gaining ground because the top-down, risk-informed defence that has prevailed for the last 30 years, which is all about governance, risk and compliance (GRC), has failed so dramatically. As evidence he points to the fact that there were 300 million ransomware attacks last year and 81% of victims surveyed by the BBC said they paid the ransom.

“There’s a major problem here; we’re losing the fight and organisations recognise that and realise that they need to augment that GRC approach with a threat-informed approach to find out what would happen if a hacker got onto a company laptop, where could they get to and could we shut down their activity?

“That’s the new movement in the industry. It’s not about a product. It’s about all the holistic platforms, the firewalls, the SIEMs, the EDRs working together as a single organism, rather than just being a bunch of siloed technologies that don’t talk to each other.”

The changing role of CISOs

This transition is coinciding with a much stronger focus on cybersecurity from regulators and at board level, which Brewer says requires a new approach from Chief Information Security Officers (CISOs).

“Boards and regulators like the Bank of England’s Prudential Regulation Authority (PRA) in the UK are getting a lot more savvy about the testing and validation that they do. They invoke what’s called a CBEST test, which doesn’t involve a university graduate with a clipboard asking ‘Do you have a password? Do you have a firewall?’. Instead, the question is: ‘Take XYZ hacking organisation: they use these TTPs, show us how you would defend your organisation against that activity’. That’s a very different question that requires much more scenario-based analysis.”

Brewer argues that while regulators and boards are changing their approach, there is a disconnect with CISOs who have come up through the trenches and are often too technical and too detail-oriented.

“They want to talk about how many hacks there have been and from which countries. That’s irrelevant to a board; the board are only interested in the risk to the business, what’s being done to solve the problem, what industry peers are doing and whether the right amount of money is being spent. There’s a disconnect between the technical language that the security teams talk and the risk language that the boards talk.”

To illustrate the kind of approach he would like to see from CISOs, Brewer compares the data-driven boardroom presentations of CFOs and CMOs to the more speculative declarations of CISOs.

“In the boardroom, the CFO comes in and has every detail: this is how much money we have, these are our creditors, these are our debtors, this is our balance sheet, this is our growth, this is what we’re expecting from collections, this is our cash flow. The marketing person walks in and says this is how many people have hit our website, this is how many people have downloaded our white paper and so on. The logistics person walks in and says we’ve got GPS in vans and this is what it tells us. When it comes to cybersecurity, we just don’t have feedback on what’s working and what’s not working. We don’t have that evidence, that data. So we go in and say ‘We’ve kind of bought everything we think we need; we think we’re OK’.

“That’s no longer acceptable. Boards need cybersecurity to act like every other function and CISOs, especially the newer ones, to talk in data-driven terms, not fear, uncertainty and doubt. Instead of saying there’s all this geopolitical activity happening, we need to spend more money on cybersecurity, they should be saying ‘We’re in energy; these are the groups that are targeting us; these are the things they’re going to do against us; we’ve measured our environment and we’re about 76% effective. If the board would like us to get to 86% effective, we need another couple of million pounds. Do you want to accept the risk at 76% or do you want to spend another couple of million pounds to get us to 86%?’.

That’s more like the conversation you have with finance: ‘We’re going to buy this building, we’re going to retire these two buildings, and that’s going to reduce our rent by this, our liabilities by that and it’s going to increase our profit by this’. That’s a very different conversation.”

The AttackIQ Security Optimisation Platform supports the emergence of this new type of CISO by providing the intelligence and data needed for a threat-informed defence, bringing new opportunities for channel partners to validate their customers’ defences and their own managed services.