Cyber Risk Management: The future is early
31 July 2017
Cyber risk is just another business risk. The appropriate response is to manage it with an appropriate amount of resources. Total prevention is ideal, but often mitigation makes more economic sense.
Don’t take it personally. Cybercrime is just business. The “entrepreneur” may be after money, glory, attention or some other objective, but in the end competition and economics prevail. Is it easier to break into your home or your neighbour’s to achieve their objective? What is the easiest way in?
If your conclusion is to throw a tonne of resources at building an impenetrable fortress, then you may have missed the point. Walls can be scaled. If you reinforce your windows, that will simply incentivise your attackers to try the hatch in the roof. Where does the spending end?
A more sensible strategy is to make calculated, adaptive, timely choices. The risk of cyber attacks is just that, a risk. And like any business risk, the appropriate response is to manage it with an appropriate amount of resources. Total prevention is ideal, but often does not support the economic argument. On the other hand, mitigation costs significantly lower than recovery. Early intervention minimises the impact of cyber attacks. Your attackers have broken through your roof hatch and are fumbling in the attic. Nothing has been stolen. Now pack up the valuables and calmly leave the building.
One advantage we now have is that we can generate and collect more information than ever before. For decades, strategic and tactical decisions on where to invest resources in cyber security were either retrospective (too late, the damage is done!) or mainly driven by guesswork (sometimes confused with intuition or experience). Today being cornered into after-the-fact, panicked countermeasures is no longer an inevitable fate. All this information we are collecting provides the opportunity for rich visibility and an evidence base for establishing a proactive cyber security posture.
This paves the way for an important addition to the cyber security armoury - an early warning system. What exactly is an early warning system? Simply put, a system to raise the early warning on targets of possible undesirable activity by systematically analysing a range of symptoms associated with early stages of threats. This has to be done so as to underpin decision-making on mitigating actions.
What attributes make for a good early warning system then?
Firstly, it is operationally critical such a system is set within a risk-aware framework. Implicit within early symptoms is a level of uncertainty. Accuracy is the price you pay for insight. Is that tapping noise an attacker breaking in through the hatch or simply squirrels scuttling across the roof tiles? Investigating every noise is not practical. To ignore the noise is to be blind to the threat entirely. But having a sense of the confidence level of threat associated with the noise is actionable intelligence. The more symptoms appear, the stronger the confidence level, the more urgent the call to action. A system for prioritisation and activation is key.
The system must be traceable. An important underpinning of an active and automated defence would be the ability to act on hard evidence. In a world of scarce resource, it is simply not good enough to be told that an incident has taken place, with no simple way of gathering the contextual information you need to make decisions on the right mitigating action. A warning to investigate a noise on the roof could potentially send you down a wild goose chase. But being told that noise surfaced shortly after a van pulled up, the front door handle was tried and a ladder is resting on the side of the building is instructive.
The system should sit flexibly across the technology layers, ideally providing visibility across the network and its endpoints. Attackers and attacks are getting more sophisticated. The increasing adoption of the internet of things, with its multiple protocols and complex supply chains, increases the number of vulnerabilities at each layer. We find ourselves facing multiple challenges of big data systems, networks virtualised, cloud services on-demand, enterprise systems scaling up and multi-stage attacks. This means the volume and variety of early attack symptoms is growing exponentially. It is equally important to have the big picture as it is the detail. Having visibility at only one layer is like being blind in one eye and wearing a monocle in the other.
Finally, the early warning system must sit within a wider culture of stakeholder ownership of risk. There are some technical aspects that might assist this, like attention to building a user interface and experience that engages each level of the organisation appropriately. But this cannot replace the need to bed in awareness, policies and processes. Again, the same rules apply as in any other form of business risk.
The information age gives defenders the choice of intelligent decision-making. Deploy resources only when you have to, where you have to. Innovative organisations have already started building out this future. The future is early. Are you ready?
Authors: Daniel Ng, CEO of CyberOwl and Professor Siraj Shaikh, CSO and co-founder of CyberOwl.