Security officers who view threat intelligence and risk management as the cornerstone of their security programs may have advantages over peers who face constraints when it comes to taking advantage of the available data.
CISOs are generally tasked with evaluating security controls and assessing their adequacy relative to potential threats to the organization, and its business objectives. Their role in cybersecurity risk management -- the conscious decisions about what the organization is going to do and what it is not going to do to protect assets beyond compliance -- is still hotly debated.
The transition towards risk management is more likely for the 42% enterprises whose security officers report to executives (the board of directors or chief risk officers) outside of the IT organization, according to Gartner. The firm's analysts advise security officers to achieve compliance as a result of a risk-based strategy, but admit that "organizations have not kept pace."
Equinix started to build a customized threat intelligence program about five years ago. The International Business Exchange data center provider uses threat intelligence along with risk assessment to do its "homework" before the company invests its resources in information security or agrees to IT requests from departments with different priorities.
"It doesn't make sense to go and buy a piece of [security] equipment because somebody in sales and marketing says, 'This is a big deal for the company,'" said George Do, global information security director of Equinix, which operates colocation centers in 15 countries. "We have to vet it, and we have to understand: Is this really a threat? What are the threat vectors?
I want to make sure that whatever we are spending resources on is truly managing risk.
George Do, director, global information security, Equinix
"Sometimes, there is this black orbit, and we are just there for the ride," said Do. "I am always very conscious of that, and I want to make sure that whatever we are spending resources on is truly managing risk."
Metrics that Do reports up the chain of command, starting with the CIO, include data from the last quarter and year on the number of critical instances -- compromised data or critical servers, for example. Because Equinix employees frequently travel all over the world, security incidents, such as malware or backdoors, involving employees' mobile endpoints (laptops and mobile devices) are tracked, as well as employee acceptable-use policy violations.
In addition to capturing incident data, the security team tracks metrics around any attempted cyberattacks against the organization, especially around the perimeter from firewalls, VPN servers and mobile device gateways. "We have a Palo Alto firewall where I can see that [data] very clearly," said Do. "I can present a very simple dashboard to any executive that shows: Hey, at any given second of the day we are being attacked by literally thousands of threats and the firewall is doing its job so it's not like we invested in this for nothing."
While threat intelligence is the foundational piece of risk assessment at Equinix, the use of intelligence data in the security industry is often ad hoc. "It has either plateaued or actually decreased," said Do.
"There are always two sides of the spectrum," he continued. "The companies that are very good at doing SIEM [security information and event management] and all of these intelligence pieces so that the more intelligence or data points that they've added to their infrastructure, the smarter they become."
But the majority of the security teams don't do that. "They are either mired in compliance checkboxes or chasing down shadow IT services. Or there are so many things going on in their universe that there are no resources, or time, left to focus on threat intelligence."
What to fix and when
Threat intelligence services can offer a useful shortcut for organizations that can't produce their own threat data, analyze it and do threat assessments, said Anton Chuvakin, research director, Gartner IT security and risk management group. The cost of the subscription data feeds -- malicious IP addresses and domain names -- can vary widely, and it is not always clear how the services differ. "To me, the main win is threat prioritization," he said.
Organizations that use SIEM should take advantage of threat intelligence feeds. The data can add global information to the SIEM, which monitors the organization's data in near real time. When it comes to triggered alerts, however, security teams should use common sense based on the value of the threat data. Some global threat intelligence lists are better suited for checking IP addresses against periodically, according to Chuvakin. "I wouldn't wake myself up at 3:00 in the morning for that."
Threat intelligence gives companies a filter for looking at threats and assets in different areas, from valuable and regulated information to vulnerable machines and tens of thousands of employees. "You use threat intelligence to shine a light in a certain area, and you say, 'These assets are likely threatened because the Russian credit card schemes are after these particular data points, and it's likely they will steal it in this particular way,'" Chuvakin said. "That gives you a chance to figure out what the priorities are in this particular domain. It becomes a risk assessment issue, if the other choice is that you won't do it."
Security officers at the Citibanks and Fortune 100 are tasked with risk management. CISOs at Fortune 1000 to 5000 companies often use threat intelligence to improve their security operations rather than consuming it for risk management or reporting, according to John Pescatore, a director at the SANS Institute. In these scenarios, the threat intelligence is often baked into systems from managed security service providers -- Dell SecureWorks, McAfee Global Threat Intelligence, IBM Security X-Force and HP Security Reputation Monitor -- that provide threat information pooled from the vendor's global networks.
Take any large security incident -- generally, it was a failure on the operational side of security, not in the risk management side of things.
John Pescatore, director, SANS Institute
"I almost call it a myth that more CISOs are moving towards risk management, because we have been sort of saying that for 15 years. And what we usually find -- take any large security incident -- generally, it was a failure on the operational side of security, not in the risk management side of things," said Pescatore, who joined SANS after 14 years at Gartner.
The value in threat intelligence information is in prioritizing your actions, according to Pescatore. But in order to do that, you can't just use threat information; you have to have accurate knowledge of your vulnerabilities: What is on your network? What is misconfigured? What is vulnerable? Where is it, and how quickly can the security team fix it?
SANS has long been a proponent of the Top 20 Critical Security Controls, which offer a way of prioritizing security resources based on vulnerabilities that real-world attacks are exploiting. Stewardship of the Critical Security Controls shifted in 2013 to the nonprofit Council on Cybersecurity. Prioritization guidelines are becoming more common. The PCI Security Standards Council offers a 12-step PCI-DSS prioritization guideline for the payment industry; the Australian Defense Signals Directorate provides Strategies to Mitigate Targeted Cyber Intrusions; and in late April the U.S. Department of Energy and U.S. Department of Homeland Security released recommended procurement terms aimed at cybersecurity of energy delivery systems.
Risk assessment based on threat intelligence and global risk management is also a core tenant of the NIST Cybersecurity Framework. As the ramifications from the framework loom for some industries -- in April the U.S. Securities and Exchange Commission's Office of Compliance and Examinations issued a blueprint for broker-dealers and investment advisors on cybersecurity preparedness -- organizations should figure out how to implement aspects of the framework and offer feedback for version 2, advised one CISO, who noted the highly charged political environment. "The awareness is there; the next step is investments and stewardship," he said.
Chuvakin, and others, advise companies to wait and see. "Ask me again in two years," he said.
"If you have a leaky roof or water damage, the vast majority of home damage doesn't come from meteorites or gas tanks, it really comes from the day-to-day problems of keeping water out of your house," Pescatore said. "Critical Security Controls and the PCI guidelines are sort of that pragmatic approach to reducing risk."
There is no such thing as risk management without minimizing, mitigating or avoiding the risk. The important part of risk management is knowing how you have to improve your defenses to lower risk to an acceptable level. "It is getting the incidents down to a bearable cost of business," Pescatore said. In retail about 3% is lost due to shrinkage (shoplifting) and it costs about 3% of sales; therefore, 6% of revenue is lost due to crime. "The same is going to happen to retail on e-commerce," he said.
Security officers should list the top five or 10 risks to their organization's objectives and create a matrix, even if it's in an Excel spreadsheet, according to Do, that ties the risk and the threat directly to a line of business. Columns can be as simple as: What is the risk (red, green or yellow)? What is the current state? What are the things we are doing about it now? "It gives executives or management a very good one- or two-page snapshot of, 'These are the areas of cybersecurity risk to the company, what we are doing about it, and where we are at today,'" he said.
"It has to be highly customized. You can't say, 'There is a PCI standard; we are just going to follow that.' For Equinix, we don't do card data, even though we steal bits and pieces from things that are best practices. We don't rely on any one standard."
About the author
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.
Send comments on this column to firstname.lastname@example.org.