Today BAE Systems launched what it describes as 'The Intelligence Network' with the laudable aim of creating a safer society in the digital world, working on the premise that sometimes you need to build a network to defeat a network, which it wants to do by bringing together different organisations interested in defeating the problem.
But it needs to overcome the contradictions of creating another body to combat fragmentation in the sector and producing more information to help users identify the information they really need in an industry awash with reports and surveys.
The new grouping is taking on the bigger picture of fostering collaboration and promoting best practice approaches - led by major organisations with the ability to contribute, while smaller organisations including SMEs primarily consume its output.
However the network is not setting itself up as another standards body, though it may well provide a forum for unified lobbying of government. The analogy of running a relay rather than a marathon was used to promote the benefits of cooperation - while the example of how individuals may not want to pay extra for their CCTV cameras so as to better protect banks from DDoS attacks illustrated how a wider perspective of the common good was also called for, with the unsaid suggestion that this would require regulation.
At a launch roundtable held inside Tower Bridge, in the shadow of the Tower of London, Julian Cracknell, managing director, BAE Systems Applied Intelligence, explained the background to setting up the grouping. "Previously we needed to persuade people that there was a threat, but now governments and businesses recognise that there is a cyber-threat, particularly a threat to reputation, and the need now is how to navigate through (the options) to protect themselves. There is a fragmented supply base so how do you navigate now through a future problem?" The issue is particularly acute due to the disruption of existing business models from the introduction of new technology - including 11 billion home IoT devices this year.
The suggested approach follows from how hard it is to navigate on your own: cyber-security should be thought of as a team sport, with organisations working together for a better understanding of current and future threats so as to be better able to navigate those threats. Hence the network aims to bring together large organisations, academia, think tanks and ultimately government too, to share information and understanding.
James Hatch, director, Cyber Services, BAE Systems Applied Intelligence added that while innovation is working well, and large organisations generally know what to do to defend themselves, and information sharing has got better over the last few years, there are still three things he identified as not working so well:
"First - collaboration. Previously, the need was to keep up with the herd and it was the stragglers who were hit. Now we need to change that approach because of the increase in targeted attacks. But our conception has not kept up. And this approach does not solve the problem for the herd." He adds that current approaches protect individual organisations and not society.
"There are lots of collaboration efforts, particularly by the banks and energy companies, but it's harder elsewhere where it is limited by trust," said Hatch, who agreed that government has an important role to play as it has an interest, but that industry often expected government to lead, whereas it is now time for industry to pick up more of the burden and come up with ideas.
"Second is Simplicity," continued Hatch, noting how an individual finds it hard to maintain 100 passwords, not click on links nor open documents, and thus we don't make it easy for people to do what they need to do - as employees, consumers and security practitioners. He reiterated that the major challenge is fragmentation, saying that the sector is: "Crying out for integration between products."
The final problem faced is: "Certainty. Not knowing what will hit us tomorrow. We need to plan and know that the future will be volatile. E.g. a year ago we did not know ransomware would become so important. The Cyber Security discipline is not really working - like say health and safety. We know what we have to do but it's hard to do. When it comes to incident readiness our research shows few are confident about what they have in place," adding that there is neither a technological magic bullet nor a person who will save us. Thus the call was for more maturity in the sector, introduction of standardised procedures etc. to help cope with volatility and simply become part of what the enterprise does. It is not a new product or service that's wanted, but people working together, says Hatch.
In response to the question of why it is business and not government that is doing this, Adrian Nish, head of cyber threat intelligence, BAE Systems Applied Intelligence, responded that while we rely on public services to tackle crime and nation state threats, supported by government, cyber-space presented entirely new problems where traditional boundaries don't exist, anonymity emboldens actors and the pace of change is more of a challenge, whereas governments don't move quickly. "Businesses are more agile, especially international business. There's an element of having to fend for ourselves. But we will still collaborate with government and businesses can learn a lot from government intelligence."
Nish described three levels of traditional information sharing, ranging from classified, security cleared and vetted communities in intelligence, to commercial sharing of information under NDAs - described as not necessarily the best model as people become risk-averse to sharing real risk; and finally there are trust relationships that exist - not formal NDAs and clearances - such as where researchers have a level of trust to share bad IP addresses, techniques etc., to tip off victims. "There is more that can be done to share beyond informal sharing," concluded Nish.
As examples of both large and small organisations cooperating with BAE, also in attendance were, respectively, Andrzej Kawalec, CTO, head of strategy and innovation at telco giant Vodafone's Enterprise Security Services, and Jonathan Luff, co-founder of CyLon, Europe’s first cyber-security accelerator.
Luff described how CyLon and its 53 supported companies to date have worked with BAE as a manifestation of the type of collaboration discussed, giving entrepreneurs the ability to try out ideas and get involved at an early stage. These new start-ups have been fostered via collaboration with 350 mentors from 100 organisations, including BAE working with all of the companies.
SC Media UK asked how a large organisation that wanted less fragmentation could take advantage of and foster a small innovative company. It was acknowledged that there is a burden placed on large companies not to kill innovation while still seeing how they could scale those ideas. "Large corporations can't be somewhere that good ideas go to die," said Cracknell.
Luff added that there were two ways companies can go. Large organisations may have seen something that aligns with what they are doing and enhances it, and so they will work in a way so as to not overload the start-up and see it as a strategic partnership within the large organisation. Or the small company can use the insights they gain working with the large organisation and go their own way, as good ideas will flourish. Hatch added that sometimes the larger organisation can make more contribution as a customer.
For Kawalec, whose organisation has its own extensive cyber-defence capabilities, the motivation was different, as he commented: "We have to create a new type of security culture. It's not done in the same way as health and safety as there is an active adversary out there - our adversaries are dynamic, innovative and collaborative. There are big competing waves of change. Our digital footprint means we now have a global attack surface. Regulatory changes are like tax laws - there will be tax loopholes as people find flaws in regulation. We need to make changes with more creativity, more collaboration and intelligence."
Kawalec continued that we now have to ensure the whole value chain has cyber-awareness. In an age where there are 13 connected devices per household, our risk perception needs to change, building awareness as individuals, local and national government. "It's not just protecting the most valuable IP and companies, but protecting our schools and society, and not in an ad-hoc way but systematically."
As a parting shot, Nish was asked what the biggest cyber-threat was that BAE was currently concerned about and responded that it was the issue of supply chain security - noting how you don't control the security and can't enforce an upgrade of security within an existing contract.