Regulatory environments and compliance drive global risk management and associated actions at many organizations. But auditing is not based on actual threats. As threat intelligence becomes more available and this information is offered up by multiple sources, is it changing the way that global enterprises view risk assessment?
"The ability to access intelligence and react to complex attacks is vital," said MacDonnell Ulsch, CEO and chief analyst at ZeroPoint Risk Research, LLC, a Boston-based consultancy focused on global risk management and related services. "If a regulation states that a risk assessment must be conducted, what does that really mean?
"Regulations don't instruct, so it is important to understand what to look for," said Ulsch, who likens global threat intelligence to a cat setting out birdseed. "After a time, the birds feel it's safe to eat there."
Consumed by compliance
Security professionals have warned companies for years that compliance-driven security programs may not adequately address security concerns.
"It is very rare that you will find auditors focused on performance-based issues. Instead, they are mainly focused on documentation supporting compliance to a particular rule or requirement," said Ernie Hayden, CISSP, global managing principal, Verizon Enterprise Solutions. "In some cases, adhering to the compliance program and related paperwork actually gives management an inaccurate and potentially risky perception that the organization is secure, when it may not be the case."
Yet, Global 2000 spending is primarily driven by risk assessment based on regulations and compliance, rather than security, according to Gartner and other consulting firms. That trend has continued as technology changes increase attack surfaces for both enterprises and individuals with mobile, cloud and, increasingly, big data.
Many organizations have invested years of work in developing processes that are driven by audit and audit responses, notes Tony UcedaVelez, managing partner at VerSprite, an Atlanta-based consulting firm that specializes in global risk management and threat modeling. "Some fear auditors more than adversaries planning targeted attacks," said UcedaVelez. "Although audits don't equate to strategic security defense at all, they at least provide a near-constant vigilance on security controls on a nearly year-round basis. The takeaway," he adds, "is not reinventing an audit-based culture but actually overlaying or even paralleling it with a threat modeling-based approach to define the most probable and impact-oriented risks."
Board rooms on alert
While compliance concerns trumping cybersecurity is nothing new, escalating threat levels and warnings have infiltrated boardroom discussions.
Depending on the size, industry and security posture, many companies today have access to higher levels of threat information from multiple sources, ranging from a simple RSS feed to intelligence and analytics from a third-party service provider. Despite this level of threat intelligence, complex threats and harmful attacks still go undetected for months (62%) or even years (4%), according to Verizon's 2013 Data Breach Investigations Report.
More than 90% of breach events, according to Verizon's DBIR, are detected by people outside of the organization, findings echoed by other researchers and consultants. Most infiltrations occur because of unknown or unreported activities at a third-party vendor or client, or they get discovered when cyberespionage is detected at other organizations.
"Third parties are often involved, but it isn't always the third parties that you would expect," said Ulsch. "A customer's toxic IP address is every bit as dangerous as a malicious IP address originating directly from a hacker." Many companies are reluctant to bring up these issues and risk alienating clients. "As part of a global risk management program, companies should remain vigilant about who or what is operating in their environment," he said.
Organizations are also liable in the event that third-party contractors or service providers fail to protect the integrity of sensitive information. Ulsch, who structures detailed service-level agreements for clients, advises companies to carry out due diligence and work out contractual details, with a particular focus on seven areas:
- Security framework, breach history;
- Privacy, information handled (IP, trade secrets, regulated data);
- Threat and risk assessment;
- Compliance range;
- Internal audit, both right to audit and access to third-party audit findings; and
- Foreign corrupt practices management.
Managing foreign corrupt practices "is increasingly important as transparency becomes a vital element of managing risk," Ulsch said. Also, knowing the third party's range of compliance requirements is useful in understanding what that company believes it must implement.
Reliable data on average annual loss expectancy is also hard to come by. McAfee, in conjunction with the Center for Strategic and International Studies, revised its $1 trillion forecast (a widely held estimate since 2009) to roughly $100 billion in the 2013 report, "The Economic Impact of Cyber Crime and Cyber Espionage." When the data was published in July, some companies -- and analysts -- wondered if the annual loss expectancy from a breach or security incident amounted to much more than a line item associated with the costs of doing business.
No time for global threats
With more access to global threat intelligence, is this information changing how companies "turn the dials" and respond to security and risk assessment?
Some organizations spend resources to obtain and analyze tactical and strategic risks, according to Hayden, but unfortunately, those companies are in the minority. "Many companies either don't want to pay for the threat intelligence or if they do they don't have the internal resources to take advantage of that information and beef up security," said Hayden. "I've even heard some companies complain that they can't get the intelligence data in a timely fashion, and then when they get it, the necessary mitigation response is not obvious. Hence, they may view it as 'too hard' and simply fall back onto the classic perimeter-based or 'castle and moat' defense."
Technology is emerging that can help and it is playing a huge role in resolving some of the challenges involved in security content aggregation, analytics and correlation, according to VerSprite's UcedaVelez. "There is too much data for security operations to manually consume and review," he said.
Gartner's 2020 Vision
According to Gartner, security will move to the forefront of global risk management programs by 2020. Senior security managers and CISOs are advised to consider the following assumptions when planning their organizations' long-term global risk management and security strategies:
- Global risk assessment will drive more risk and security spending than government regulation by 2020, according to Gartner, despite increasing government regulation.
- In the same timeframe, 25% of global enterprises will hire a "cyberwar mercenary."
- By 2020, at least one manufacturer will be held liable by a national government for security problems with a consumer product.
- Facebook will lose 30% of its longstanding members (three years or more), based on privacy issues.
- Gartner estimates 30% of Global 2000 CEOs will have personal data and accounts "directly compromised" by cybercriminals or hacktivists.
SIEMs and related tooling are starting to consume shared cyberintelligence -- typically, lists of perceived potential threats, including bad IP addresses and Web URLs -- from companies such as Cyveillance, Verisign's iDefense and Vigilant, which was acquired by consulting firm Deloitte in May 2013. These companies, among others, publish their threat intelligence as XML feeds and structured data or offer cyberintelligence services. SIEM providers, such as Hewlett-Packard and IBM, integrate their own intelligence feeds.
"It is a very new thing. It is still seen as a top-shelf feature; it is not seen as something that everyone would use," said Dr. Anton Chuvakin, research director, security and risk management, Gartner. "If you have someone who understands SIEMs and is technically inclined, they will make use of the features, and they will have threat detection in a shorter time frame, but that's not a majority of customers." Companies that can get useful threat intelligence and cut the detection lag from two to nine months after an incident -- per Verizon's latest data -- to a couple of days or a week, would have a huge advantage, according to Chuvakin.
"Some companies don't detect anything ever -- their time frame is infinity -- third parties detect most of the breaches," he said, confirming Verizon's findings. "If you can detect a breach in a couple of weeks compared to never, then to me that's a huge advantage.
"Real time to me is kind of way beyond wishful thinking," said Chuvakin. Most of the threat intelligence is produced in a lab and it takes time to create the products. Finding good threat intelligence is also a bit of a "black art," Chuvakin said. "The only criterion that I would use is if my threat detection improved. There is no real shortcut to figuring out whose intelligence feed is good."
SIEMs require an architectural approach, which can be expensive and difficult to implement and manage, notes UcedaVelez. The discrepancies between vulnerabilities and exploitation are more the result of most organizations' security posture, or lack thereof. "The issue is that very few organizations have a security approach," he said. "Compliance drives much of the rationale behind security resources and projects. As such, no one stops to consider their threats in order to apply tailored controls and countermeasures to more probable attacks."
The use of SIEMs and related tooling, such as vulnerability management, is important, according to Ulsch, because it could shorten the time between infiltration and discovery. "The biggest issue I've seen is that log data is collected but no one looks at it," he said. "That's why it is important to understand how each element is to be deployed and maintained in a global risk management program. Clearly, collecting data is a valuable contribution to the process only if the data is analyzed and acted upon. In fact, having the data and then not analyzing it may contribute to risk. You had the data, but you failed to recognize its threat significance because you never analyzed it. That doesn't look good to the client you must notify or the regulators, or even in court.
"In my experience, the real reason that companies fail to take advantage of this is one of cost. I've heard security officers say, 'I don't have the staff or budget to analyze it. We're collecting it, but that's all I can do,'" said Ulsch. "My response is that, in a well-managed global risk management program, this gap would be identified and remediated."
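The two points above, a SIEM matching collected logs against a shared feed of bad IP addresses and URLs, and log data that sits unread until someone finally reviews it, can be made concrete with a small matcher. The following is an added example written for this article; it is not code from any vendor or product named in it. The indicator feed, the log format, the log lines and the review date are all constructed for the illustration (real feeds use their own schemas), and the dwell-time figure it reports is simply the gap between the first matching event and the moment the logs were actually looked at.

```python
"""Added example: match collected proxy/firewall logs against a structured
threat-intelligence feed and report how long the matching activity sat unread.
Feed, log lines and timestamps are constructed for the example."""
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed indicator feed (JSON here; the article says providers publish
# XML feeds and other structured data, and schemas vary by vendor).
FEED_JSON = """
{
  "indicators": [
    {"type": "ipv4",   "value": "203.0.113.45", "source": "feed-a"},
    {"type": "url",    "value": "http://bad.example.net/update.php", "source": "feed-a"},
    {"type": "domain", "value": "c2.example.org", "source": "feed-b"}
  ]
}
"""

# Constructed log lines: "<ISO timestamp> <src ip> -> <dst ip> <url>"
SAMPLE_LOGS = """\
2013-06-01T08:12:03Z 10.1.4.22 -> 198.51.100.7 http://intranet.example.com/portal
2013-06-01T09:40:17Z 10.1.4.31 -> 203.0.113.45 http://bad.example.net/update.php
2013-06-15T22:05:41Z 10.1.4.31 -> 198.51.100.9 http://login.c2.example.org/beacon
2013-07-02T11:00:00Z 10.1.4.22 -> 198.51.100.7 http://intranet.example.com/portal
"""

# Constructed date on which someone first reviewed the collected logs.
DEMO_REVIEWED_AT = datetime(2013, 9, 1, 12, 0, tzinfo=timezone.utc)

LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+)$")


def load_indicators(feed_json):
    """Index feed entries by type so each log field is checked against the right set."""
    index = {"ipv4": set(), "url": set(), "domain": set()}
    for ind in json.loads(feed_json)["indicators"]:
        index[ind["type"]].add(ind["value"].lower())
    return index


def parse_log_line(line):
    """Parse one constructed log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, dst, url = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src, "dst": dst, "url": url,
        "host": (urlsplit(url).hostname or "").lower(),
    }


def match_indicators(event, index):
    """Return the list of (indicator_type, value) hits for one parsed event."""
    hits = []
    if event["dst"] in index["ipv4"]:
        hits.append(("ipv4", event["dst"]))
    if event["url"].lower() in index["url"]:
        hits.append(("url", event["url"].lower()))
    # Domain indicators also cover subdomains (login.c2.example.org -> c2.example.org).
    for dom in sorted(index["domain"]):
        if event["host"] == dom or event["host"].endswith("." + dom):
            hits.append(("domain", dom))
    return hits


def scan_logs(log_text, feed_json, reviewed_at):
    """Scan every line; return the matches and the dwell time in whole days
    between the earliest matching event and the moment the logs were reviewed."""
    index = load_indicators(feed_json)
    matches = []
    for line in log_text.splitlines():
        event = parse_log_line(line)
        if event is None:
            continue
        hits = match_indicators(event, index)
        if hits:
            matches.append({"ts": event["ts"], "src": event["src"], "hits": hits})
    dwell_days = None
    if matches:
        dwell_days = (reviewed_at - min(m["ts"] for m in matches)).days
    return {"matches": matches, "dwell_days": dwell_days}


def run_demo():
    """Run the matcher over the constructed logs, feed and review date."""
    return scan_logs(SAMPLE_LOGS, FEED_JSON, DEMO_REVIEWED_AT)


if __name__ == "__main__":
    result = run_demo()
    for m in result["matches"]:
        print(m["ts"].isoformat(), m["src"], m["hits"])
    print("dwell time (days):", result["dwell_days"])
```

Two of the four constructed lines match the feed (one by destination IP and URL, one by a subdomain of a listed domain), and because nobody reviewed the logs until September the reported dwell time is 92 days, which is the kind of months-long gap the article's sources describe. The same loop is what a SIEM's feed integration does at scale; the lesson in the quote above is that it only pays off if the matches are then routed to someone who acts on them.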
If even half of all the SIEM users would consume threat intelligence, according to Chuvakin, detection lags would improve across the board. "I'm hoping to start to see it in the global threat report, but I'm not holding my breath to see it happen immediately," he said. In a year or two, if the majority of SIEM users have threat intelligence -- and they need to have good threat intelligence -- their SIEM products and other security products would be able to detect breaches faster.
As more Global 2000 companies are compromised by cybercriminals or hacktivists, will spending on risk assessment and security move beyond regulatory requirements and compliance?
"The threat intelligence and how it can be useful to a company is not immediately obvious to the executives who approve security expenditures," said Hayden. "And, with the new threat intelligence, the CISO may need to ask for more technology or staff to help react to the intel more effectively."
Changes may be on the horizon, however. According to Gartner, security is projected to overtake risk assessment as the primary driver of security spending by 2020. In the same timeframe, 25% of Global 2000 companies will hire "cyberwar mercenary" services.
"I personally believe the industry is maturing away from a compliance approach to more risk-based approaches or those that are even security-based," said UcedaVelez, "but for the most part, companies still follow the mantra of doing only what they have to and not what they need. Many large organizations do not even have CISOs, which is a clear indication that they don't feel a dedicated and concerted effort should be made around infosec."