Does addressing threats help prioritize your cybersecurity strategy?
Security professionals have long held the view that understanding assets and risk is the foundation of security.
This understanding increases confidence in the decisions made to allocate resources to protect the assets that really matter from the things that are most likely to cause serious harm to the organization.
But is your thinking trapped in the past?
New terms like threat-led security and threat intelligence seem to be the order of the day. All cybersecurity professionals will be familiar with the terms, even if they don’t always feel comfortable with them. It may be easier to understand the role threat intelligence plays in cybersecurity defenses.
Clearly, it must be understood by professionals working in security operations centers and incident response teams, but how does it relate to the basis of risk management? In short, threat intelligence provides a picture of the current landscape and methods used by attackers.
However, sophisticated cyber attackers do not infiltrate your network without a specific intent, so the first step is to establish what the possible targets of a cyber attack would be.
Attackers will target your assets, that is, any information, software, or hardware owned by the organization that is used in the course of the organization’s business activities. The value of a particular asset can be determined by assessing the impact that would result if it were no longer available or no longer worked properly.
These assets are likely to be very specific to your organization and this is why it is important that the threat and risk analysis process is collaborative; threat-intelligence needs to be interpreted in context.
There are different scales that can be used to evaluate the value of an asset:
- Business value can be estimated in relation to the business processes the asset supports. Normally, the accuracy, completeness and timeliness of the data are the most important characteristics, and their combination is what determines the value of the asset. This could include, for example, the ability to simplify your supplier’s process and stock building.
- Cost is the cost of acquiring or replacing a lost asset, including the cost of the impact on the organization while that asset is unavailable.
- Economic value can be derived from how an information asset contributes to an organization’s revenue. For example, this could be an asset that supports sales or compliance.
- Market value is derived from measuring the revenue generated directly by the asset. For example, a software service that is purchased and used by customers can be said to have intrinsic market value if nothing equivalent is available in the market, because it gives the organization an advantage over its competitors. Information about your organization’s competitive position is another example.
The value of this information is relative to the motivation of the attacker; for example, for a nation-state attacker, intellectual property is a primary objective. The same information may be of limited value to a hacktivist group targeting your business, because their motivation is to damage your brand and reputation.
For such a group, a key asset could be the content management system of your website, which, if compromised, would allow them to publish their logo on your customer-facing site.
By understanding the real value of assets, security risk professionals can think about who could compromise a system, and therefore the assets of the organization, why they might want to, and how this might happen, in terms of:
- Vulnerability: A weakness that could be exploited to cause harm.
- Attack: A method of exploiting a vulnerability.
- Threat: An adversary who could act to cause harm, and the resources it could deploy to do so.
- Impact: The consequence of a realized threat.
Cyber attacks are rarely single events; they are sustained campaigns by increasingly sophisticated attackers who use a combination of social engineering and technical skills to penetrate a network and gain access to the most important assets. This increased complexity and skill level of the adversary means that there is no single solution to prevent cyber attacks.
No organization can defend itself against every conceivable threat, so it makes sense to prioritize the threats most likely to target your specific business and then make informed decisions about how to prevent and detect them.
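The prioritization the article describes can be written down as a small model: an asset's value on the four scales above, weighted by how much a given attacker actually cares about that asset (its motivation), multiplied by a likelihood that combines the attacker's capability and intent with how exposed the asset's weaknesses are. The following is an added example, not code from the original article; every asset, actor, tag, weight and score in it is constructed sample data, and the scoring formula is a deliberately simple illustration rather than a standard methodology.

```python
"""Threat-led risk prioritisation: rank (threat actor, asset) pairs.

Added example, not code from the original article. Every asset, actor,
tag, weight and score below is constructed sample data.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    # The four valuation scales from the article, each scored 0-5 here.
    business: int
    cost: int
    economic: int
    market: int
    # Why an attacker might care about this asset (constructed tag vocabulary).
    tags: FrozenSet[str]
    # 0.0-1.0: how exposed a known weakness is to a practical attack method
    # (this is where vulnerability and attack feed in; assumed inputs).
    exposure: float

    def value(self) -> float:
        """The organisation's own view of the asset: mean of the four scales."""
        return (self.business + self.cost + self.economic + self.market) / 4


@dataclass(frozen=True)
class ThreatActor:
    name: str
    capability: float  # 0.0-1.0: the resources the adversary could deploy
    intent: float      # 0.0-1.0: how likely it is to target this organisation
    # Motivation: how much this actor values each asset tag (0.0-1.0).
    interests: Dict[str, float] = field(default_factory=dict)

    def relevance(self, asset: Asset) -> float:
        """Value of the asset *to this actor*. Assets outside its interests are
        not worthless, but they are a much lower priority (floor of 0.1)."""
        return max([self.interests.get(t, 0.0) for t in asset.tags] + [0.1])


def risk_score(actor: ThreatActor, asset: Asset) -> float:
    """Impact x likelihood: impact is the asset's value weighted by the actor's
    motivation; likelihood combines capability, intent and exposure."""
    impact = asset.value() * actor.relevance(asset)
    likelihood = actor.capability * actor.intent * asset.exposure
    return round(impact * likelihood, 3)


def prioritize(actors: List[ThreatActor],
               assets: List[Asset]) -> List[Tuple[float, str, str]]:
    """Every actor/asset pair, highest risk first."""
    rows = [(risk_score(a, s), a.name, s.name) for a in actors for s in assets]
    return sorted(rows, key=lambda r: r[0], reverse=True)


def after_mitigation(asset: Asset, new_exposure: float) -> Asset:
    """Re-assess an asset once a control has lowered its exposure."""
    return replace(asset, exposure=new_exposure)


# Constructed sample inventory and threat picture.
SAMPLE_ASSETS = [
    Asset("R&D design database", 5, 4, 5, 5,
          frozenset({"intellectual_property"}), exposure=0.3),
    Asset("Public website CMS", 2, 2, 1, 2,
          frozenset({"public_facing"}), exposure=0.7),
    Asset("Supplier stock feed", 4, 2, 3, 1,
          frozenset({"operations"}), exposure=0.5),
]
SAMPLE_ACTORS = [
    ThreatActor("nation-state", capability=0.9, intent=0.4,
                interests={"intellectual_property": 1.0, "operations": 0.3}),
    ThreatActor("hacktivist", capability=0.4, intent=0.8,
                interests={"public_facing": 1.0}),
]

if __name__ == "__main__":
    for score, actor, asset in prioritize(SAMPLE_ACTORS, SAMPLE_ASSETS):
        print(f"{score:6.3f}  {actor:<13} -> {asset}")
    # Effect of a control that reduces the R&D database's exposure to 0.1.
    hardened = after_mitigation(SAMPLE_ASSETS[0], 0.1)
    print("after mitigation:", risk_score(SAMPLE_ACTORS[0], hardened))
```

With these inputs the two highest-ranked pairs are the nation-state actor against the design database and the hacktivist group against the website CMS, even though the CMS scores low on every valuation scale: the actor's motivation, not the organisation's own valuation, decides what it will go after. Re-running the scoring after a mitigation (the `after_mitigation` call) is how a threat-led assessment stays close to real time instead of being a one-off exercise.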
An IT security risk assessment can vary greatly in terms of method, rigor, and scope, but the primary goal is always the same: to identify and quantify risks to your organization’s information assets.
A threat-based approach changes the dynamics of security risk assessment from something based on published observations, guesswork, and analysis to something that approaches real time and uses information about real-world events.
The discipline remains the same, but with the best “instrumentation” to identify and understand the behavior of potential adversaries and vulnerabilities within assets, risk assessment will better determine priorities and focus on mitigating real-world events specific to an organization.
This approach must be part of a cyber-resilience strategy that not only allows the organization to take measures to prevent these threats, but also lets it respond appropriately if defensive measures are defeated.
Security budgets are finite, so this approach can help target limited resources more effectively to protect the assets most likely to be targeted.
Instead of adding new layers of defense and more products, the key shift is toward cyber strategies focused on cyber-resilience and driven by a threat-based approach centered on the organization’s key assets and the motivations and capabilities of the most likely attackers. Risk analysis remains the foundation of this approach.