Risk management to strategic resilience: The evolution of cyber-security

“Now the board listens to what we have to say, or at least now ask us questions. But cyber remains a single discussion point on the agenda [whereas] cyber-security is a strategic conversation that deserves its own strategic theme,” Paul Dorey, visiting Professor at Royal Holloway, University of London, told delegates at a FireEye panel discussion and presentation last week.

Dorey went on to ask what this strategic discussion would look like once it moved on from risk. It would mean addressing the maturity of capability, rather than simply listing the threats faced. The Carnegie Mellon University model of measuring capability maturity, from 1 to 6, was recommended, with the note that, “To report on maturity you have to measure it.”

Most of our discussions – and expenditure – tend to be about defending and protecting, but Dorey says resilience is about speed of detection and response, with the US Air Force OODA loop model (observe, orient, decide, and act) showing how the speed of completing the loop determines the level of success.

In our context this means: know what you have and update it automatically, particularly by automating repetitive tasks such as IP blocking; have a known good state and check for changes against it; design for rapid live updates; incorporate layered resilience; and report against performance goals.

Dorey described how KPMG looked at audit committees, where just over 10 percent of members were technical, and found cyber-risk to be the most poorly articulated risk, which was described as a CISO's problem. The need today is for both technical IT staff and strategic IT people, as the board needs to have technical risks explained in a business context.

Dorey was joined for a panel discussion by Gavin Bradbury, senior director of marketing EMEA, FireEye; Phil Packman, client security director at BT; Silvio Pappalardo, director of global sales, orchestration, FireEye; and Roger Francis of Mandiant Consulting.

Leading on from the accepted need to automate, the panel was asked, “Who should be enabling automation in their organisation?”

Francis responded: “It depends on where the organisation is at now; automation is good for new organisations starting out.” It was a view supported by Packman, who said that it is, “... easier for greenfield to automate. Established organisations require proper understanding of all the processes, and may struggle to get one answer for all their different processes.”

Dorey repeated the need to leverage automation for cyber-security, because it is already being used against us more and more, so it is the only way to respond. Though in subsequent private discussion with SC Media UK he agreed that the attackers' capability was currently inferior, saying, “The attackers don't have a Watson,” he maintained that automation gets smarter and smarter and the gradual growth curve is here already. “Don't wait for it to happen, it's happening now,” he added.

As to what constituted AI, Dorey suggested, “... it has to learn. If it is just ‘if x, do y’, that's binary logic. It needs a self-learning component.”

Packman told how BT is using automation internally and in key areas for clients, which, “... tend to be on a per customer basis. ... Clever stuff, taking threat indicators, and updating policy live, blocking traffic in a live environment, automation of spam mailbox. Lots of small automations, not a big app. Firewall rule processes can be complicated to implement automatically, as they need a deep understanding of the infrastructure.”

Francis noted that automation can also be used when preparing for a breach. “It can do preventative checks against compliance, NIST etc, and benchmark against that. From a preventative perspective, it can look at the attack kill chain, against each element of the kill chain. And the earlier in the lifecycle it can stop something the better. In response scenario planning it can extrapolate what's happening in the market and learn from that.”

Francis also described how part of the remit for boards now includes understanding cyber threats, with CISOs having a role in educating the board. He told delegates, “A playbook won't tell you everything you need to know, but it will teach you how to approach the problem.”

Speed and automation help mitigate risk, but it was also noted that automation can help deliver compliance. While continuous monitoring is growing, compliance has to be seen as the bare minimum. Beyond this minimum, once you reach a certain level, if you were asked what you would do with another £10 million, you need to be strategic about what is to be done.

Another issue covered was orchestration versus automation. Orchestration has decision-making built into the process, said Packman, while Pappalardo noted how automation is more binary: if this happens, then that is the response. Orchestration, by contrast, has an analyst involved and is less binary, reacting to information in real time.

How does any of this help with insider threats? Packman opined that combating insider threats starts with behaviour. “More effort needs to be placed on higher value assets. A lot of it is analytics, finding deviations from normal, monitoring processes, noticing if a machine is operating in a different way.”

However, he pointed out that you don't want to penalise the organisation and its processes for catching the bad egg. “If you've got the right recruitment process in place, then most staff want to do the right thing.”

There was not much support for setting up special units to catch malicious insiders – apart from in particular circumstances and sectors (such as military).

Dorey noted how insiders are often wrongly motivated. As you automate, you still need humans: if the automation is not able to make a decision, then get a human to take a look when something is not right. And have controls in place, e.g. don't allow a single person to do x.
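The three automation ideas raised above (a known-good baseline that is checked for changes, binary if-this-then-that automation versus orchestration with an analyst in the loop, and a control so that no single person can take a sensitive action) as a small added Python example. This is illustrative code written for this page, not anything from FireEye, BT or the panellists; the asset names, config hashes, indicator value and the `Orchestrator` class are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed "known good" baseline: asset name -> SHA-256 of its last approved config.
KNOWN_GOOD = {
    "edge-fw-01": hashlib.sha256(b"firewall policy v12").hexdigest(),
    "mail-gw-01": hashlib.sha256(b"spam rules v3").hexdigest(),
}


def detect_changes(known_good, observed):
    """Return the assets whose observed config hash no longer matches the
    known-good baseline (or that are missing from the observation)."""
    return sorted(name for name, digest in known_good.items()
                  if observed.get(name) != digest)


@dataclass
class Orchestrator:
    """Routes events three ways: binary automation, dual-controlled actions,
    or a human review queue for anything the rules do not cover."""
    # Automation in the panel's sense: if this indicator type, then that action.
    auto_rules: dict = field(default_factory=lambda: {"malicious_ip": "block_ip"})
    # Actions no single person may take alone ("don't allow a single person to do x").
    dual_control: set = field(default_factory=lambda: {"isolate_host"})
    review_queue: list = field(default_factory=list)
    actions: list = field(default_factory=list)

    def handle(self, event, approvals=()):
        kind, value = event["type"], event["value"]
        if kind in self.auto_rules:
            self.actions.append((self.auto_rules[kind], value))
            return "automated"
        if kind in self.dual_control:
            if len(set(approvals)) < 2:      # same person twice does not count
                self.review_queue.append(event)
                return "awaiting_second_approver"
            self.actions.append((kind, value))
            return "approved"
        # Not covered by any rule: get a human to take a look.
        self.review_queue.append(event)
        return "needs_analyst"


if __name__ == "__main__":
    # Constructed observation: the mail gateway config has drifted from the baseline.
    observed = {"edge-fw-01": KNOWN_GOOD["edge-fw-01"],
                "mail-gw-01": hashlib.sha256(b"spam rules v3 (edited)").hexdigest()}
    orch = Orchestrator()
    for asset in detect_changes(KNOWN_GOOD, observed):
        print(asset, orch.handle({"type": "config_drift", "value": asset}))
    print(orch.handle({"type": "malicious_ip", "value": "198.51.100.7"}), orch.actions)
```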

Francis said that the issue is to manage automation: use its speed to better manage your resources, as automation gives you bandwidth for other things and lets you move from reactive to proactive actions.

So how do we manage the transition to automation? If it is easier for greenfield sites, do we just start again? Dorey suggests that our legacy processes will be with us for the next five years, but by then the volume will reach a level where we have to totally reengineer our processes.

However, looking at IoT devices, it was noted how it would be better to fix the problem now rather than once there are a billion devices in the market, when it would be more difficult to resolve. The demand needs to be there that devices are secure. While government could play a part, providing ‘clean pipes’ to overcome the financial struggle that cyber presents to many organisations, some organisations don't want to have their content monitored, and others such as academic researchers often want a less restrictive infrastructure.

Prioritisation was another issue where specifics relate to particular organisations and sectors. Dorey pointed out that different organisations had different measurements of security versus other priorities. “For one, such as a hospital, it may be continuity of service, and another may want to know that it is totally secure, e.g. what is the integrity risk? So there needs to be a balance of both requirements. At Amazon, they design the system so that it will fall over so the designers know it has to deal with it as it will happen.”

Packman suggested that, “... business sets the priority, then you create [a table] to show the criticality of assets needed to support the business. It's a holistic strategic discussion. How to overcome; it's too big to leave to each [department]. There are other aspects of criticality, if one system fails, it has a knock-on effect, e.g. you could ignore the availability of the service aspect. They need to explain their critical processes so I can see how they might be impacted.”