5 things that every CISO should do to mitigate a data breach

Posted by Rowland Johnson on Nov 9, 2017

A cyber breach is probably one of the most disturbing events that a CISO could encounter. Nettitude has worked with many organizations that have experienced cyber incidents, and provides consulting guidance to organizations to mitigate the threat from cybercrime. Here are our top five things that successful CISOs do to mitigate the risk of a cyber breach.


Understand the attack surface

It surprises us that many organizations do not have a good understanding of what their attack surface actually is. This needs to extend beyond the office environment and include hosted web infrastructure and cloud service providers. It also needs to include the people that work within an organization, and the networks from which they connect to business resources. We would recommend that organizations have an understanding of social media profiles and other information that is externally available on employees, as well as any other information that details people, process or technology that is available online. All too often organizations focus on protecting the core data center or the head office, and have little awareness of the broader attack surface. This results in a disjointed defensive capability, and detection and response instrumentation that sees only a subset of the attacks.

Understand what data they have, and normal process flows

Many organizations have a poor understanding of what data they hold, and the process flows that take place when people interact with this data. Employees typically generate increasing levels of data every day. They then interact with this data whilst on the move, in the cloud and at the office. Data is frequently backed up, replicated, and snapshotted by a number of different software products, frequently without the knowledge or explicit request of the user. As a consequence, it is very common for data to be in lots of places that are completely unknown to the information security team. The data that once sat in a secure data center in a single fileserver or database has now spread into many other storage locations.

CISOs that take the time to understand where data really resides and how users interact with it have the best chance of securing it. Simply accepting that it is secure, and hoping that it has been contained to one location, is not enough. Data discovery, and a deep understanding of how users interact with data, is a key attribute of a great CISO. It is also a necessary and ongoing goal for organizations to manage the risk of a data breach.

Conduct threat modelling, and build solutions that detect at multiple points of the attack chain

Many organizations assume that the threat will appear like a noisy, external attacker. There is frequently little understanding of what the threat landscape looks like and the techniques, tactics and procedures that many attackers will deploy. As a consequence, it is very common for organizations to be ill-prepared and to focus on the wrong type of activity and behavior in the hope of detecting attempted cyber attacks.

When a CISO undertakes threat modelling, they should attempt to gain a thorough understanding of the current threat landscape. Through understanding adversarial motivations, modus operandi and TTPs, it is possible to tailor a cyber security strategy more closely to the types of likely attacks. If the CISO focuses on the organization's critical assets, and reviews both the attack tree and the likely attack paths towards these assets, they will have a much greater likelihood of building a strategy that leverages both defense and response in depth. We would encourage CISOs to become familiar with the concept of attack trees and attack paths. The MITRE Corporation has written a brilliant guide; download it now.
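To make the attack tree and "detect at multiple points of the attack chain" ideas concrete, here is an added example (not code from the original post or from Nettitude) that expands a small, constructed attack tree towards a critical asset into its attack paths and flags any path on which the current instrumentation would fire fewer than two detections; the tree, step names and detected-step set are all illustrative assumptions.

```python
# Attack-tree coverage check. The tree, step names and DETECTED set below are
# constructed for illustration, not taken from any real environment.
# A node is either a leaf step (str) or ("OR" | "AND", [children]).
TREE = ("OR", [
    ("AND", [("OR", ["phishing email", "usb drop"]),
             "macro execution", "credential theft", "vpn login"]),
    ("AND", ["exposed web app", "webshell upload", "lateral movement"]),
    ("AND", ["compromised contractor laptop", "lateral movement"]),
])

# Steps the organization's current detection instrumentation covers (assumed).
DETECTED = {"macro execution", "webshell upload", "lateral movement"}


def attack_paths(node):
    """Expand an attack tree into a list of attack paths (ordered step lists).

    An OR node contributes each child's paths as alternatives; an AND node
    requires every child, so its paths are the concatenation of one path
    chosen from each child (the cartesian product of the children's paths).
    """
    if isinstance(node, str):
        return [[node]]
    kind, children = node
    if kind == "OR":
        return [path for child in children for path in attack_paths(child)]
    if kind == "AND":
        paths = [[]]
        for child in children:
            paths = [head + tail for head in paths for tail in attack_paths(child)]
        return paths
    raise ValueError(f"unknown node kind: {kind}")


def coverage_report(tree, detected, minimum=2):
    """For each attack path, list the steps where detection exists and flag
    paths with fewer than `minimum` detection points as coverage gaps."""
    report = []
    for path in attack_paths(tree):
        points = [step for step in path if step in detected]
        report.append({"path": path,
                       "detection_points": points,
                       "gap": len(points) < minimum})
    return report


if __name__ == "__main__":
    for entry in coverage_report(TREE, DETECTED):
        flag = "GAP " if entry["gap"] else "ok  "
        print(flag, " -> ".join(entry["path"]), "| detected at:", entry["detection_points"])
```

Steps that appear on several gap paths (here "lateral movement" covers two paths by itself) are the cheapest places to add instrumentation, which is the "multiple points of the attack chain" argument in numbers.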

Leverage SOC functions, predictive monitoring

Because the attack surface is constantly growing and the amount of data we generate and consume is mushrooming, the likelihood of a cyber breach is at an all-time high. Organizations are actively encouraged to build detection and response strategies in addition to their existing defensive controls.

When building a detection and response strategy, organizations should expect to leverage people, process and technology through either an internal or external security operations center. Hoping that technology solutions such as SIEM or IPS will detect and respond to cyber threats on their own is misguided. Although technology almost certainly should feature in a detection and response strategy, there need to be educated and trained staff that can act on alerts, and defined processes to ensure that the relevant responses are executed. Attackers are rarely kind enough to target organizations during the 9-5 working day. As a consequence, the detection and response strategy needs to extend beyond core working hours, and deliver a 24/7 service that operates effectively 365 days of the year.

Conduct assurance on detection capability

In the world of detection and response, many organizations rest on their laurels, assuming that their technology or SOC capability is fit for purpose and will prevent the organization from being compromised. Although some organizations may undertake table-top response activities, it is rare that they conduct threat-led assessments against their detection and response functions. Organizations assume that they will be able to detect, because they have bought technology and deployed it at strategic vantage points across their networks. All too often this detection technology, and any surrounding people or process involved in detection, undergo no form of assurance activity at all. Nettitude believes that the industry needs to evolve, and we are actively evangelizing about the need for change.

Organizations need to understand the threat landscape and conduct threat modelling, to understand the likely attack paths and the relevant tools, techniques and practices that threats have been seen to display. Detection and response assessments should then be conducted to simulate these threats and determine an organization's detection capability. And of course, this shouldn't just focus on internal systems. Organizations need to have confidence that they have the right kind of tools and processes in place to detect attacks on the cloud services that they consume.

Nettitude can help

Nettitude works extensively with CISOs in a broad array of organizations to help build valuable detection and response processes. For smaller businesses, we are able to offer V-CISO services, so as to deliver strategic cyber security and risk management guidance for the board. To find out more about how we can support your organization in building valuable detection and response capabilities fill in the form below, and one of our expert consultants will be in touch.
