One security framework may be key to cyber effectiveness

The risks associated with ineffective security can be dire, but one expert believes there's a security framework that stands above the rest in enabling effective cybersecurity processes for enterprises.

SearchSecurity spoke with Adam Isles -- principal at The Chertoff Group, a security and risk management advisory firm based in Washington, D.C. -- about the top security risk trends for 2020, including an expectation that customers and business partners will demand better measurements for the effectiveness of cybersecurity processes and tools.

While many security frameworks are considered good starting points, they aren't the most effective options for mitigating risk, Isles said, adding that enterprises would benefit from using the Mitre ATT&CK framework, as well as by joining an Information Sharing and Analysis Organization (ISAO) or Information Technology Information Sharing and Analysis Center (IT-ISAC).

Editor's note: This interview has been lightly edited for length and clarity.

The Chertoff Group's 2020 Security Risk Trends paper discusses better measurements for cyber effectiveness. Is it more effective to follow security frameworks or standards?

Adam Isles: In an era where there's no such thing as risk elimination, we're trying to get at the question of effectiveness. The standards out there don't easily answer that. You can get at issues of compliance, you can get at questions of the maturity of your controls, but you're not getting at the question of risk-based effectiveness.

There are a couple of reasons why. First, defining and modeling the universe of threats that could target an enterprise is a highly subjective task. It's a generalization; it's prone to blind spots, and security is basically control focused. Ultimately, you're getting to the NIST and [International Organization for Standardization frameworks]. There's little guidance on how to map threats to control choices, which is really important because you can't do everything.

What can be done to improve cybersecurity effectiveness?

Isles: Several years ago, Mitre released something called the ATT&CK framework. It's the most authoritative, most comprehensive exposition of what post-initial-access threat activity actually looks like.

Assuming the bad guy has gotten in -- for example, that someone clicked on a phish, that some customer complaint web server has been compromised or that a VPN didn't have two-factor authentication on and someone got in through that way -- the real question becomes, what then?

The Mitre ATT&CK framework allows you to say, 'Based on the business I'm in and who would be coming after me, how would they do it?' In other words, what tactics, techniques and procedures [TTP] would they use to try and compromise my environment? We have millions of new malware samples a day, but the techniques tend to be more consistent.

If we can understand what the TTP is, then we can start to understand what we have in place to defend against those and whether any of those work. I see a future of Mitre ATT&CK diagnostics that get much more precise on what controls need to be in place and whether they're operating effectively.

The other thing that's really important is Mitre provides a common language.

How does the Mitre ATT&CK security framework compare to using a report focused on threats and attack vectors for specific industries like the Verizon Data Breach Investigations Report (DBIR)?

Isles: Verizon provides a lot of detail on initial access -- are attackers getting in because they exploited a web-facing vulnerability, or through spear phishing or through credential compromise? You have some detail on what happens once they're in, but Mitre really builds on that.

For me, Mitre is DBIR on steroids. What's cool about it is you're starting to see people who have the data on what's actually happening contribute to the ATT&CK framework. You can see reporting on what they're seeing in the post initial access TTPs in the incident response activities or in the managed detection and response activities they're involved in. So now we don't just have the knowledge base from Mitre; we have data around where this stuff is being seen.

The other thing that's really important is Mitre provides a common language. Another key challenging threat is there wasn't a common taxonomy around (TTPs) on the inside. There was a lot of opacity around what tradecraft looks like on the inside. And if you don't have a common language, it's hard to have a discussion around what do we have in place to defend and if it's effective.

What can enterprises do beyond implementing security frameworks like Mitre ATT&CK?

Isles: This is where ISAOs and ISACs come into play. If you're a midsize organization, are you going to have the expertise to take the Mitre ATT&CK framework and apply it in the organization? Probably not. But if you're part of an ISAO or ISAC, the ISAO starts to build the threat model. It figures out which TTPs are in place.

Adam Isles

As the vendors start to align their products to the framework, you can connect the dots. You can say, "These are the TTPs that would likely be deployed against an organization like mine. Let me understand which of these TTPs CrowdStrike covers, which of these Palo Alto covers, etc. I can start to build a map.

The other thing that's changing is, we're looking at a major transformation in the pen testing world because what has emerged into the marketplace is a new class of automated controls assurance tools. That's a mouthful, right?

Essentially, what the tools do is create scripts that emulate TTPs. A red teamer would probably quarrel with what I'm saying here, but you can essentially automate pen testing. It kind of democratizes pen testing, because you have a tool that can emulate threat activity that can be applied by someone who doesn't have the years and years of training a sophisticated pen tester would have.

When I think about effectiveness, you have a lifecycle of assessing, mitigating and monitoring risk by monitoring, testing and validating. But the testing and validating piece is often inaccessible beyond larger organizations.

What becomes really interesting is when capabilities come into the marketplace that allow a broader group of companies to access testing controls assurance, the kinds of tools that will tell you you're using it right.