Business Info - issue 150

CYBERSECURITY

The best form of defence

Why it's time to change tack in cybersecurity and replace Fear, Uncertainty and Doubt with an evidence-based, data-driven approach

With 30 years' experience in cyber security, Ross Brewer, now Vice President and General Manager EMEA and APJ at AttackIQ, has seen his industry grow and grow, often through FUD (Fear, Uncertainty and Doubt). That approach has worked for the industry, but does it work for customers? Brewer thinks not and is calling for a more data-driven approach that he believes will strengthen businesses' defences and improve dialogue between cybersecurity professionals and business leaders.

AttackIQ operates in what Gartner has coined the 'breach and attack simulation' market, though Ross Brewer prefers to think of it as 'a continuous security controls validation' opportunity.

"Breach and attack simulation is where we started, and we were one of the founding fathers of that market. But breach and attack simulation focuses on the adversarial red teaming aspect, whereas if you think about most organisations, they've got a lot more blue teams – defenders – than they have internal attackers. Even if you're using external red teams, your addressable market and who you can help is a lot bigger if you can work on the blue side. So we tend to think of this as more of 'a continuous security controls validation' opportunity.

"Over and above that, we use the telemetry that we gather to drive a different style of cybersecurity – an evidence-based, data-driven style of cybersecurity, rather than one driven by fear, uncertainty and doubt."

Control effectiveness

One of the key enablers for this approach is the publicly available MITRE ATT&CK framework, which collects information on the changing tactics and techniques of threat actors and provides security professionals with a matrix they can use to evaluate the effectiveness of their defences and identify areas that need strengthening.

This framework underpins the AttackIQ Security Optimisation Platform, which allows organisations to test and measure the effectiveness of their controls and validate the performance of their firewall, DLP, EDR, SIEM etc. in an automated fashion, at scale and on a continuous basis, rather than manually, haphazardly or through quarterly or annual red teaming exercises.

"What we're talking about here is control effectiveness and how you measure the efficacy and efficiency of your cybersecurity controls, which ultimately points to the efficacy and efficiency of your cybersecurity programme, because it's the control failures that allow hackers to continue their activity," explains Brewer.

"The first failure is the initial access – phishing, someone clicking on something, what MITRE calls 'assumed breach'. But that's not where the action is. The important question is 'If they got to your laptop, could they get to your data, could they get to your contacts, could they get to customers' personal information?' It's about understanding where they can start from and where they can get to, and if you can measure that, find those gaps before the hackers do and fill them in, then you're less likely to become a headline.

"We recently surveyed customers who were able to measure their controls with AttackIQ and found that their controls were 0.25% either failing or degraded. If you think about the IT side of the business, we're all chasing three, four, five 9s (.9999%), whereas in cybersecurity, we're running at .75%. Is that acceptable?"

AttackIQ's revenue growth in EMEA and APJ – up more than 600% in the year ending January 2022 and predicted to grow by another 300% this year – would indicate that many think not.

The company's core market is government organisations and large enterprises – national infrastructure, energy, banks, technology companies, computer manufacturers, retailers – but it also addresses the needs of SMEs through a network of system integrators and service providers.

Threat-informed defence

Growing awareness of the cyber security risk facing these businesses – and their supply chains – is one reason for rising interest in the AttackIQ platform. Another, according to Brewer, is a greater emphasis on, and appreciation of, threat-informed defence.

"If you go back to the beginning of the industry, it was really about capabilities – let's get some firewalls, let's get some EDRs, let's get some SIEM to protect ourselves. That was the proactive thing. Then it became a question of responding to the activity that was generated, being reactive by looking at incident management and now SOC.

"But in doing this we actually missed a step, which was to take what we now know about the tools, techniques and procedures (TTPs) of hacking groups, which are really well documented by the MITRE organisation, and replay those against our infrastructure to make sure
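As an added example (not AttackIQ's code or data), this is the kind of scorecard a blue team can build from the results of replaying ATT&CK techniques against its own controls, as the control effectiveness passage and Brewer's "replay those against our infrastructure" describe: it computes the share of control tests that failed, effectiveness per ATT&CK tactic, and the techniques that no control prevented or detected. The result records, control names and outcome labels are constructed sample data; the technique ids are real ATT&CK ids used only as labels.

```python
from collections import defaultdict

# Constructed sample output of one validation run (illustrative only):
# (ATT&CK technique id, tactic, control exercised, outcome).
# outcome: "prevented" (blocked), "detected" (allowed but alerted), "failed".
SAMPLE_RESULTS = [
    ("T1566", "initial-access",    "email-gateway", "prevented"),
    ("T1566", "initial-access",    "EDR",           "detected"),
    ("T1059", "execution",         "EDR",           "detected"),
    ("T1003", "credential-access", "EDR",           "failed"),
    ("T1003", "credential-access", "SIEM",          "failed"),
    ("T1021", "lateral-movement",  "firewall",      "failed"),
    ("T1021", "lateral-movement",  "SIEM",          "detected"),
    ("T1041", "exfiltration",      "DLP",           "failed"),
    ("T1041", "exfiltration",      "SIEM",          "failed"),
    ("T1486", "impact",            "EDR",           "prevented"),
]

EFFECTIVE = {"prevented", "detected"}


def control_failure_rate(results):
    """Percentage of individual control tests that neither prevented nor detected."""
    failed = sum(1 for _, _, _, outcome in results if outcome not in EFFECTIVE)
    return round(100 * failed / len(results), 2)


def effectiveness_by_tactic(results):
    """Per ATT&CK tactic: number of tests run and share that were effective."""
    ran, ok = defaultdict(int), defaultdict(int)
    for _, tactic, _, outcome in results:
        ran[tactic] += 1
        ok[tactic] += 1 if outcome in EFFECTIVE else 0
    return {t: {"tests": ran[t], "effective_pct": round(100 * ok[t] / ran[t], 1)}
            for t in ran}


def uncovered_techniques(results):
    """Techniques where no control in the stack prevented or detected the test:
    these are the gaps to fill before an adversary finds them."""
    outcomes = defaultdict(set)
    for technique, _, _, outcome in results:
        outcomes[technique].add(outcome)
    return sorted(t for t, seen in outcomes.items() if not (seen & EFFECTIVE))


if __name__ == "__main__":
    print(f"control test failure rate: {control_failure_rate(SAMPLE_RESULTS)}%")
    for tactic, stats in effectiveness_by_tactic(SAMPLE_RESULTS).items():
        print(f"{tactic:<18} tests={stats['tests']} effective={stats['effective_pct']}%")
    print("uncovered techniques:", uncovered_techniques(SAMPLE_RESULTS))
```

Run against a real validation export, the per-tactic view shows where the kill chain is open and the uncovered list is the remediation backlog.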