Essential Add-ons for Fast Paced Cyber Threatscape: Enterprise Vulnerability and Threat Management
By Girish Chiruvolu, Director Information Security and Risk management, Thomson Reuters
In the age of all-pervasive cyber threats, enterprises with limited resources are stuck with the challenge of taking huge risks and finding the right resources and strategies for a formal risk management program. Ashley-Madison's exit from the business is a living example of such a trade-off between survival and safeguarding enterprise assets and intellectual property along with competitive advantage. This article touches upon several aspects of managing such rapidly changing technology and Threatscape.
With growing evidence of the involvement of states (governments) in cyber espionage and theft of intellectual assets, the pain and the stakes of taking such risks have been amplified. Gone are the days when an enterprise was considered too small and unattractive for organized attackers. In the current Threatscape, even small enterprises, when their systems are compromised, are leveraged as attack vectors in targeting bigger and more attractive targets, e.g., financial or healthcare institutions.
While Target is certainly not a small enterprise, when its point of sale (POS) systems were compromised, financial institutions became involved as well, reissuing replacement credit cards for all the impacted end clients. As such, any enterprise should treat third-party information security assessments as an integral part of its program rather than an add-on, especially during threat modeling. In line with this, even the Internal Revenue Service (IRS), through its STAR (Strategic Threat Assessment & Response) program, has mandated certain compliance requirements for the vendors who handle and enable tax return filings, in order to reduce fraudulent returns and protect clients' data.
Further, with the advent of the Internet of Things (IoT), every IoT device can be turned into a cyber weapon when compromised, thereby increasing the attack surface several-fold. Finally, in the triad of People, Process and Technology (PPT), people are the weakest link when it comes to social engineering and the eventual compromise of an enterprise. Policies around IoT devices and their usage have to be carefully designed to cover a) monitoring for any suspicious activity of a potentially compromised device, and b) configuration with least privilege on a need-to-have basis and fail-safe modes.
It is a universally accepted fact that one needs a thorough understanding of a system that needs to be protected. Any CIO/CXO would prioritize securing the assets that are aligned with their business drivers. While resource-aware, prioritized targets make sense, putting a comprehensive information security and risk management program in place still requires capabilities and resources that would stretch the means of an average enterprise.
In the above context, fortunately, we are seeing co-opetition (collaboration and competition) among the players in industries such as financial (banks), healthcare etc. As such, knowledge about detected attacks is shared on an almost real-time basis. For example, FS-ISAC (Financial Services Information Sharing and Analysis Center) in the financial sector provides a wealth of feeds which can be filtered and processed to check for applicability, and similar feeds come from vendors, such as MS-ISAC from Microsoft. Common Vulnerabilities and Exposures (CVEs) and Computer Emergency Readiness Team (CERT) alerts from federal agencies are certainly also great resources for addressing vulnerabilities in a timely manner.
As such, it all boils down to matching such applicable feeds against the likely external (or internal) threats that could exploit and eventually compromise the protected assets. Several threat intelligence platform (feed) vendors have entered the market with their feeds offered as SaaS (Software as a Service).
Another very attractive avenue that enterprises might tap into is the cyber security startup community. Startups bring in a wealth of targeted information and expertise and also offer incentives for enterprises to be their early adopters. As a value-add benefit, the feedback and exchange of information is invaluable to both parties. This creates a venue for training and awareness for the enterprise teams on the latest cutting-edge technologies. Such engagement with startups is highly recommended on limited/isolated test systems (labs) until the underlying technologies mature and are better understood. In one instance, an enterprise was able to utilize a startup's technology in a whole new system that brought orders of magnitude more resiliency to known attacks than the traditionally known technologies of that time.
The academic research community is another great resource to tap into while assessing and maintaining the security posture of an enterprise. While bringing the student community up to speed on the latest technologies takes a little effort and time, in the long run it pays off, because this young, bright talent will be able to uncover the possibilities and eventually strengthen the understanding and the security posture.
Small ad-hoc red teams can be formed out of such semi-trained talent to test the possibilities, while tapping into academia for the fundamental principles and analysis. In this context, security-related conferences such as DefCon, RSA etc. are definitely a value-add to the above efforts. It should be noted that creating a knowledge base (KB), and eventually a KB sharing platform within an enterprise, is a great value enhancer for the security posture. Any annual training programs that are part of compliance would benefit from leveraging such a knowledge base, as applicable for the appropriate audience.
Large enterprises with a global footprint inherently face unavoidable variations in local regulations and legal frameworks that need to be taken into account. In such scenarios, the vulnerability and threat management (VTM) program needs to be adapted based on the specific use cases. Care should be taken when covering such special corner cases, and asset access and usage should avoid toxic (not permissible) combinations.
The current vendor space in the cyber security market has also evolved, rising to the challenges of the modern cyber Threatscape. Large combinatorial threat trees and attack vectors are simulated automatically to find the right combinations that lead to a potential doomsday scenario and compromise. However, the fundamental role of the CIO/CXO community has remained largely unchanged, mainly due to the other two factors (people and process) in the PPT triad. Each enterprise has a unique combination of business drivers and risk appetite. As such, even with changing technology and automation in threat detection and avoidance, the baseline fundamental components of Governance, Risk and Compliance (GRC) remain the same.