Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Transcription

1 Rethinking Information Security for Advanced Threats CEB Information Risk Leadership Council

2 Advanced threats differ from conventional security threats along many dimensions, making them much more difficult to defend against. Confronting a Different Challenge Profiles of Traditional and Advanced Threats Illustrative Among the severity indicators that differentiate advanced threats, CISOs find detection and prevention the most difficult. Less than 10% of CISOs report being highly effective at detecting or preventing advanced threats. Severity Indicators Low High Number of Vulnerabilities Exploited Volume of Attacks Resources Available to Attacker Skillfulness of Attacker Impact of Attack Difficulty to Stop Difficulty to Detect Difficulty to Prevent Standard Malware Advanced Hacktivists (DDoS or ZDE) State- Sponsored Attack 2

3 CEB hosted more than 70 CISOs across three forums and identified five critical imperatives for responding to advanced threats. CISO IMPERATIVES FOR COMBATTING ADVANCED THREATS Key Takeaways From Our Member Hosted Forums on Responding to Advanced Threats 1. Create a new model for security investments More so than usual in information security, it is extremely difficult to know how much to spend to defend against advanced attacks. Advanced threats require a different investment approach to move forward amid uncertainty. 2. Reevaluate investments in emerging controls and technologies Most of today s APT tools are helpful for getting organizations started in dealing with advanced threats as these tools often provide some early visibility into attacks. However, most organizations outgrow these commercially-available tools quickly and wean themselves off of many of the common APT tools. 3. Leverage external threat intelligence to improve detection Information security organizations need to use intelligence from multiple feeds to improve detection efforts as there is only minimal overlap in the information from different sources. 4. Build a hunter role on the information security team Quite different from a standard security monitoring role, hunters search actively and creatively for indicators of compromise. Hunters not only help in stopping attacks, but in providing broader learning about what is happening in the organization s systems. 5. Translate indicators of compromise (IOCs) into action As information security functions increasingly leverage hunters and better threat intelligence feeds, the number and complexity of IOCs can quickly rise and it becomes critical to have an efficient and organized, way to act on IOCs. 3

4 CISOs anticipate allocating more resources to detection and response capabilities in the next three years. Create a new model for security investments Allocation of Security Resources Today Percentage of CISOs 3% Entirely to Prevention 79% Mainly to Prevention, but We Have Good Monitoring and a Good Incident- Response Process 18% In Addition to Preventive Controls, We Have Robust Detection and Security Analytics Capabilities and a Response Process Optimized for Advanced Attacks n = 33. Source: CEB Responding to Advanced Threats Survey. Allocation of Security Resources Over the Next Three Years Percentage of CISOs 26% Relatively More Detective Capabilities 74% Relatively More Detective and Response Capabilities n = 33. Source: CEB Responding to Advanced Threats Survey. 4

5 Aligning advanced tools and other capabilities to a threat-based framework such as the kill chain allows for better gap analysis and makes it easier to plan investment needs. Chart not only those capabilities in use but also the relative maturity of each to depict coverage and depth at a point in time. DETERMINE INVESTMENT GAPS USING A THREAT-BASED FRAMEWORK Capabilities Aligned with the Kill Chain Illustrative Planning Example Controls Include: Malware Introduction C2 Lateral Movement Target ID Exfiltration Retreat or Persevere 1 Alpha Company uses interviews with security staff and IT SMEs to determine the existence and maturity of controls. It then couples its information with risk register and threat data to identify potential security investments. Awareness Training Cyber- Threat Intelligence Firewall AV/AM Detect Phishing Network Partitioning NAC Correlative Log Analysis Incident- Response Procedures DLP Forensics Malware Analysis Effectively Established Opportunity to address threats Partially Established or in the Planning Stage Missing Source: Alpha Company; CEB analysis. 1 Pseudonym. 5

6 While most CISOs view many emerging controls and technologies as effective, few have implemented them. Reevaluate INVESTMENTS IN emerging controls and technologies Implementation and Effectiveness of Emerging Technologies and Controls Percentage of CISOs Implementation Effectiveness Signatureless Threat Analysis and Protection Solution 45% 71% Sandboxes 39% 73% Web Analysis 39% 82% Honeypot 30% 61% Big Data and Security Analytics 21% 74% Tarpit 3% 77% n = 33. 0% 50% 100% Source: CEB Responding to Advanced Threats Survey. 6

7 There are numerous external threat intelligence sources, many providing unique information. DIFFERENT EXTERNAL SOURCES, DIFFERENT PURPOSES Common Sources of Guidance on Responding to Advanced Threats Utility for Various Purposes Information Security functions have to often rely on multiple threat intelligence sources as there is only minimal overlap in the information received from different sources and use vary by purpose. Sources Peer Networking Groups Types of Information CISOs Are Seeking Organizational Strategies and Best Practices on Advanced Threat Defense Actionable, Threat-Specific Data Insight for Decisions on Product or Services Investment Industry-Based, Information-Sharing Organizations Government Agencies Commercial Intelligence Service Firms Trade Publications Useful Source Not a Useful Source 7

8 Designing the hunter role can be challenging, and organizations approach this challenge differently. Build a hunter role on the information security team Variations of the Hunter Role Not Mutually Exclusive The Gatherer The IOC Detector The Organizer The Advanced Expert Focuses on sourcing external intelligence and leveraging peer networks to refine threat-detection efforts Conducts analysis of external and internal sources to detect indicators of compromise (IoCs) Coordinates attribution efforts across threat management teams and processes Uses a range of sophisticated techniques to conduct security analytics and detect new threats 8

9 As intelligence capabilities improve, organizations should develop a threat intelligence data model and a process to translate indicators of compromise into action. Translate indicators of compromise into action Managing IoCs for Actionability Threat Data Sources Monitoring and Detection Applications Tactics for Organizing and Acting on Threat Data Attribute threats according to known advanced attackers (APT1, Comment Panda, etc.). Analytics External Intelligence Feed Findings of Cyber Hunters Forensics Results Other Tag threats for other expected events (e.g., how else does this attacker behave?). Run additional correlative analysis on each external intelligence data report. Optimize notifications or red flags by specific threat actors. Build or source a dashboard for easier relational analysis and monitoring in real time. Indicators of Compromise (IoCs) pieces of information that are reasonably likely to indicate an intrusion, and warrant detailed follow-up. 9

10 Managing advanced threats requires the information security function to think beyond vulnerabilities and develop a new, proactive threatbased process. A NEW PROCESS FOR MANAGING Advanced THREATS Information Security s Process for Managing Advanced Threats Schematic Scenarios Plan and Scope Efforts Consider ways in which attacks may occur, and use feedback from business and risk stakeholders to build a defense plan. Requirements Gather Intelligence Gather security intelligence data from external sources and counter-intelligence techniques. Track and Integrate Update intelligence products and indicators databases to improve future detection. Intelligence Process and Test Refine intelligence, and test for indicators of compromise. Knowledge Analyze Create hypotheses about how future threats may occur; then test and refine them. Information Respond IOCs Lessons Learned Take down malicious actors, and remediate controls. 10

11 CEB SUPPORT FOR BUILDING ADVANCED THREAT DEFENSES CEB Advanced Threat Resources Rethink Your Function Rethinking Information Security for Advanced Threats Our latest study provides strategies for developing new advanced capabilities and integrating them into the information security function. Learn the Latest Defense Strategies APT Networking Series Regular discussions with other practitioners keep you informed of the latest attack methods and familiar with the successful defense strategies that other large, complex organizations employ. Assess Maturity of Controls Against Advanced Threats Controls Maturity Benchmarking Service Identify controls gaps and help make the business case for security investments using benchmarks of your controls maturity. Our dataset includes responses from more than 200 large organizations from all industries. Improve Communication with Executives Building a Cybersecurity- Savvy Board Use our communication tips and templates to build executive understanding of APTs and drive investment from the board and senior stakeholders. Separating the Signal from the Noise Practical Research: Benefit from research from practitioners, not musings from theoretical analysts. Vendor Free: Our research is vendor neutral; we connect you with other practitioners to learn what works for them. Informed Investment Decisions: Our benchmarking service compares your controls maturity to other organizations to gain insight on tools investment decisions. Data-Driven Results: Our awareness research, for example, is based on measurements of the behavior of a quarter million employees. 11