James Parry explores the use of threat intelligence to manage cyber risk
The cost of cyber crime to UK businesses is substantial: up to £27bn per year. Business disruption represents the highest external cost, while incident detection is the most costly activity internally, followed by recovery. Cleaning up the aftermath of cyber crime is expensive, often costing more than the crime itself. The issue is clearly material, both economically and in terms of business survival.
A recent study by the European Union Agency for Network and Information Security (ENISA) showed that the types of cyber crime with the highest economic impact were fast moving: denial of service attacks and web-based attacks. Malware was typically short-lived, with 95% of malware variants appearing for less than a month, and the majority for less than a week, often tailored to attack specific organisations. Time is of the essence in stopping such attacks, which are superseded so quickly.
The difficulties caused by such attacks are compounded by the fact that risk assessment is frequently retrospective. There is very little real-time analysis, which in an age of constantly evolving cyber threats means any strategy quickly becomes dated. Risk assessment typically looks at historic or existing risks and is revised monthly at best so that emerging threats are not accommodated. There is little or no provision for projected risk, because few organisations are using predictive analytics that provide this level of forecasting.
The ENISA study also found that investment in incident response only took place after a major incident had occurred. Cyber incidents cover a myriad of attacks that exploit various attack vectors, from distributed denial of service attacks aimed at overloading web servers, to malware aimed at penetrating the organisation, or the theft of data using cyber channels. The reluctance to take action until after such an attack is proof, if any were needed, that current risk assessment methodologies aren't working, either as an early warning system or as a form of mitigation.
Better risk assessment...
What's missing? What needs to happen for risk assessment to become more effective? Clearly, the quality of the data needs to improve, with more effective regulation across the board. Impending legislation in the form of the EU General Data Protection Regulation (GDPR), or its equivalent given the UK's pending withdrawal from the EU, will bring companies into line, providing far more regimented reporting practices. For instance, breaches may well need to be reported within 72 hours, which will help others in the same sector and reduce the window of opportunity for the attacker.
Timeliness of the data is therefore the critical differentiator. Real-time knowledge of a change in the threat profile of the business can make all the difference when it comes to mitigating that risk. But how do you obtain good quality data in a timely fashion? One method is to use real-time threat intelligence.
...leads to better risk management
Threat intelligence provides a real basis on which to make decisions, reducing guesswork and avoiding the possibility of risks being under- or over-stated owing to vested interests. Threat intelligence has been described as 'food for malnourished risk models', and that's just how it can add value, providing far more accurate real-time information than post-event analysis.
Threat intelligence monitors internal and external networks for evidence of attacks, acting as an early warning system. Probing behaviour, which typically precedes the kill chain of an attack (a multi-stage process that involves reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and action on objectives), can be detected using network monitoring, and alerts are then triggered to the monitoring team.
Rather than relying on the RAG status (traffic light system) to indicate risk, the greater granularity of threat intelligence leads to more timely and better informed decision-making. Risk models become more powerful, allowing firms to take on a better risk posture. In fact, threat assessment is often highly subjective and having hard-and-fast evidence at hand does away with pointless prevaricating over whether a risk has been assigned the right colour code.
Making it work in practice
That all sounds great, but, to date, threat intelligence has still been very security-focused. The result has been unwieldy Security Information and Event Management (SIEM) systems or Security Operations Centres (SOCs) that are costly to run and difficult to manage. These systems rely heavily upon signature-based threat detection, which is often ineffective given the rapid evolution of malware: they're unable to respond to mutated malware, for instance.
For this reason, there has now been a shift towards machine learning and algorithms that look for anomalous activity, to help spot reconnaissance efforts.
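The two ideas above, probing that precedes the kill chain being caught by network monitoring, and anomaly-based rather than signature-based detection, can be shown together in a small detector. This is an added illustration, not code from the article or from Auriga: it runs over a constructed connection log and flags a source whose fan-out across ports or hosts inside a sliding window exceeds a threshold, raising a reconnaissance-stage alert for the monitoring team. The log format, thresholds and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not real traffic): "time src dst dport result".
# 192.168.7.3 fans out across ports and hosts; 10.0.0.5 is ordinary traffic.
SAMPLE_LOG = """\
2017-03-01T09:00:01 10.0.0.5 10.0.1.10 443 ok
2017-03-01T09:00:03 10.0.0.5 10.0.1.11 80 ok
2017-03-01T09:00:05 192.168.7.3 10.0.1.10 22 refused
2017-03-01T09:00:06 192.168.7.3 10.0.1.10 23 refused
2017-03-01T09:00:06 192.168.7.3 10.0.1.10 25 refused
2017-03-01T09:00:07 192.168.7.3 10.0.1.10 80 ok
2017-03-01T09:00:07 192.168.7.3 10.0.1.10 135 refused
2017-03-01T09:00:08 192.168.7.3 10.0.1.11 22 refused
2017-03-01T09:00:08 192.168.7.3 10.0.1.12 22 refused
2017-03-01T09:00:09 192.168.7.3 10.0.1.13 22 refused
2017-03-01T09:05:00 10.0.0.5 10.0.1.10 443 ok
"""

def parse_log(text):
    """Turn each log line into (timestamp, src, dst, dport, result)."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, result = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), result))
    return events

def detect_probing(events, window=timedelta(seconds=60), min_ports=5, min_hosts=4):
    """Flag a source whose fan-out inside one sliding window looks like reconnaissance
    (many distinct ports or hosts), with no fixed signature. One alert per source."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward past stale events
            win = evs[start:end + 1]
            ports = {e[3] for e in win}
            hosts = {e[2] for e in win}
            if len(ports) >= min_ports or len(hosts) >= min_hosts:
                refused = sum(1 for e in win if e[4] == "refused")
                alerts.append({"src": src, "stage": "reconnaissance",
                               "ports": len(ports), "hosts": len(hosts),
                               "refused": refused, "first_seen": win[0][0].isoformat()})
                break  # one alert per source is enough for the monitoring team
    return alerts
```

Calling `detect_probing(parse_log(SAMPLE_LOG))` yields a single alert for 192.168.7.3 after its fifth distinct port, while the ordinary host stays quiet; a real deployment would learn the thresholds from each source's own baseline rather than hard-coding them.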
We're now at the stage where security solutions are able to learn from attack patterns, further improving detection rates, leading to the emergence of the intelligent SOC. The next-generation SOC has been heralded as a major breakthrough, enabling real-time threat detection that is able to determine and highlight threats in a business context. Its ability to operate as a virtualised system allows it to enter the mainstream, and there is even SOC-as-a-service (SaaS) that enables the organisation to outsource this capability.
Turning analysis into actions
Yet while risk analysis will undoubtedly benefit from threat intelligence, it isn't a silver bullet solution. There's still the need to translate that information into the business context to generate business intelligence.
Threat intelligence can feed into and inform business strategy, helping alert the business on emerging threats, heightened levels of risk, but also indicating where cyber spend is needed. This reduces the scatter-gun approach to defence with a focused investment strategy that sees security controls where they are most needed.
But it doesn't end there - predictive threat intelligence is now possible. This takes known threats and uses risk analysis to forecast how they might unfold and become magnified in the future. Numerous variables can be taken into account, from changes in compliance regimes, to fluctuations in the marketplace, to geopolitical influences, any of which could see cyber risk increase.
It is this capability to use threat intelligence to create business intelligence that is really exciting. The organisation is no longer forced to take reactive action but can instead anticipate and counter threats in a proactive manner. And the ability to weave that into the future strategy of the business ensures it delivers on the promise of threat intelligence, helping to determine a viable future path for the business that reduces risk and cyber spend.
Organisations now need to embrace this form of business-focused threat intelligence by looking at solutions such as the next-generation SOC or SOC 2. These intelligent SOC services are available in various guises, including SaaS. Such solutions finally provide the visibility needed by tracking threats in real time with predictive analytics to provide the business with the intelligence it needs and the time to act before succumbing to an attack.
James Parry is technical director, Auriga