Though based largely on anecdotal evidence, the communications gap between frontline IT security teams and senior executive leads exists in organisations across Europe and beyond. This gap is routinely blamed on a lack of focus on cyber security from the execs; but it’s reasonable to challenge this argument.
This entails analysis of whether the IT security personnel are communicating with their senior executives in as intelligible and effective a way as possible. Cyber security is a complex, yet vital aspect of business operations, so lack of communication on the subject is a missed opportunity when it comes to aligning from the ground up – and prioritising efforts to match the core mission of the business in question – while all the while keeping business data secure.
To address this disparity, organisations need to work up and down the chain, from the frontline to the board, on a range of key areas of cyber security. The cyber security team must ensure it is effectively flagging the threats it defends the organisation against, and communicate how those threats map directly onto the risks the senior executives have assessed as their main focus.
Frontline security teams typically focus on defence against all threats, and in many cases this mission is not synchronised with the key risk areas identified by the senior executive and upper management teams. Prioritising the threats and aligning these to the key risk focuses of the leadership team helps to close the communication gap, to ensure the work the security team is doing is aligned with the overall business mission – and therefore understandable to c-suite and boardroom.
That said, all threats need to be addressed, detected and prevented from entering business networks; but with the ever-changeable threat landscape, it is difficult to prioritise all threats. We are seeing an increasing change in the cyber crime ecosystem: nation-states look constantly to mature their offensive capabilities; and opportunistic threat actors try to monetise unauthorised access.
Prioritise cyber security threats
Threats can no longer be treated with equal emphasis; therefore the mission of an organisation’s cyber defence needs to be aligned with the risk areas identified as the most crucial by the organisation. Many security operation centres now handle alerts where they prioritise all of them equally or where they struggle to sort the severities based on the motivation of the threat faced.
Where there is no alignment between what you are defending against and what matters most to the business, the information communicated to senior leadership is often under-prioritised, or even plainly ignored. Given this operational context, there are key questions the cyber security team would do well to address.
First, do we understand who is targeting us right now, and how well-informed are we about their tactics, techniques and procedures (TTPs)? These days, many threat actors share the same TTPs. By understanding the motivation behind a cyber threat, security teams can start to prioritise alerts. For instance, a highly-organised cyber criminal collective might be more motivated to attack your organisation if you have data they can monetise, such as credit card records. Likewise, a potential nation-state sponsored cyber espionage threat group might target your organisation if you are a government agency that holds sensitive information.
Second, have we built a threat profile that factors in the business and its environment, and that identifies and tracks both the cyber threats and our exposure to them? By understanding the threat landscape and having a clear view of the business risks, security teams can start to identify the cyber threat actors most likely to target their organisation before they attack.
Furthermore, enterprise security teams can begin to track their cyber adversaries by collecting available information on how they operate, and then map that against their exposure. This puts security teams a step ahead of the adversaries, allowing them to communicate awareness about the potential threat, before it becomes a serious risk.
Cyber threat intrusion detection plan
Third, how do we measure our defensive capabilities? How do we detect or deny the threat at each intrusion stage? Regardless of motivation, most breaches pass through the same stages. The pace of an attack might change depending on the sophistication and capabilities of the attacker, but usually a breach and potential loss of data starts with:
- Initial compromise of an employee via phishing emails, which can be generic or tailor-made for the specific target.
- Establishing a foothold by leveraging malware or publicly available tools.
- Escalating privileges so the attackers have the permissions needed to navigate the infrastructure and gain access to information and assets.
- Completing the mission by stealing the data.
There are of course many variations on the foregoing stages, which is why it is also vital to understand the motivation behind an attack, rather than just the TTPs.
A fourth question is: do we know each individual stakeholder’s requirement for cyber threat information? And when security teams provide information to stakeholders outside the cyber security cohort, have they ensured that it is the information relevant to that stakeholder? For example, does the information provided to senior leadership address business risks, and does it give a forecast of the likelihood of impact given the current threat landscape? Both financial and business-efficiency impact should be considered.
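The four questions above (who is targeting us, what is our threat profile and exposure, how well do we detect at each intrusion stage, and what does leadership actually need to hear) can be turned into a small, repeatable triage routine. The following is an added illustration, not code from the article or from FireEye or Mandiant: it takes a constructed threat profile (which asset types each actor motivation tends to go after), a constructed executive risk register (leadership-assigned impact per asset), and a handful of constructed alerts tagged with the intrusion stage they were raised at, then ranks the alerts by business risk rather than by the tool's own severity, and reports which intrusion stages have no detection rule at all. Every name, weight and sample value in it is an assumption chosen for the example.

```python
"""Risk-aligned alert triage (added example; all data below is constructed)."""
from dataclasses import dataclass

# Intrusion stages in the order the article describes them.
STAGES = ["initial_compromise", "foothold", "privilege_escalation", "data_theft"]

# Constructed threat profile: which asset types each actor motivation is drawn to.
# An empty set means "anything reachable" (opportunistic actors).
THREAT_PROFILE = {
    "financial": {"cardholder_data", "payment_gateway"},
    "espionage": {"government_records", "research_ip"},
    "opportunistic": set(),
}

# Constructed executive risk register: impact (1-10) agreed with leadership.
RISK_REGISTER = {
    "cardholder_data": 9,
    "payment_gateway": 8,
    "government_records": 10,
    "research_ip": 7,
    "marketing_site": 2,
}

# Constructed detection rules, each mapped to the stage it is meant to catch.
DETECTION_RULES = [
    {"name": "phishing_attachment_detonation", "stage": "initial_compromise"},
    {"name": "known_malware_hash", "stage": "foothold"},
    {"name": "unusual_outbound_volume", "stage": "data_theft"},
]


@dataclass
class Alert:
    alert_id: str
    stage: str
    asset: str
    suspected_motivation: str
    tool_severity: int  # 1-5 as assigned by the detection tool


def motivation_weight(alert: Alert, profile=THREAT_PROFILE) -> float:
    """Weight by whether this actor type actually wants this asset."""
    targeted = profile.get(alert.suspected_motivation, set())
    if not targeted:          # opportunistic: neutral weight
        return 1.0
    return 2.0 if alert.asset in targeted else 0.5


def stage_weight(stage: str) -> float:
    """Later stages sit closer to mission completion, so they weigh more."""
    if stage not in STAGES:
        return 1.0
    return 1.0 + 0.5 * STAGES.index(stage)


def priority(alert: Alert, register=RISK_REGISTER, profile=THREAT_PROFILE) -> float:
    """Business-risk priority: tool severity x leadership impact x motivation x stage."""
    impact = register.get(alert.asset, 1)
    return round(alert.tool_severity * impact
                 * motivation_weight(alert, profile) * stage_weight(alert.stage), 1)


def rank_alerts(alerts: list) -> list:
    """Highest business-risk alert first, independent of the tool's own severity."""
    return sorted(alerts, key=priority, reverse=True)


def detection_gaps(rules: list) -> list:
    """Stages from the article's lifecycle that no rule covers: the third question."""
    covered = {r["stage"] for r in rules}
    return [s for s in STAGES if s not in covered]


def executive_summary(alerts: list, register=RISK_REGISTER) -> dict:
    """Highest priority per business asset: the view leadership asked for."""
    summary = {}
    for a in alerts:
        summary[a.asset] = max(summary.get(a.asset, 0.0), priority(a, register))
    return summary


# Constructed sample alerts. Note A4 has the lowest tool severity of the four.
SAMPLE_ALERTS = [
    Alert("A1", "initial_compromise", "marketing_site", "opportunistic", 5),
    Alert("A2", "foothold", "cardholder_data", "financial", 3),
    Alert("A3", "privilege_escalation", "research_ip", "financial", 4),
    Alert("A4", "data_theft", "government_records", "espionage", 2),
]

if __name__ == "__main__":
    for a in rank_alerts(SAMPLE_ALERTS):
        print(f"{a.alert_id}: priority {priority(a)} (tool severity {a.tool_severity})")
    print("stages with no detection rule:", detection_gaps(DETECTION_RULES))
    print("per-asset summary:", executive_summary(SAMPLE_ALERTS))
```

With these constructed inputs the alert the tool rated lowest (A4, a low-volume data-theft signal on government records from a suspected espionage actor) comes out on top, while the noisiest alert (A1, an opportunistic phish against the marketing site) drops to the bottom; the gap report also shows that nothing covers the privilege-escalation stage. The weights are deliberately simple placeholders; the point is that the threat profile and the executive risk register are the inputs, so the ranking is explainable to leadership in their own terms.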
For the senior executive team, meanwhile, it’s nothing new to acknowledge that cyber security needs to be a wider business focus, not one just for the IT team. “C-suites and boardrooms now worry about the damage to reputation and brand equity that may result from a data breach, more so than the potential of heavy fines introduced by incoming legislation such as General Data Protection Regulation (GDPR),” writes FireEye blogger Duncan Brown, Research Director/European Security Practice at market intelligence firm IDC. “Boards often do not understand the technical details of security, given that board members are unlikely to come from a deeply technological background, and cyber security gets very technical very quickly.”
Brown continues: “Senior executives do understand risk, however. The expression of a cyber security strategy articulated in terms of risk means that board members are more likely to understand both the importance of what is being proposed, and the consequences of paying insufficient attention to defence against cyber attack.”
Breach detection time is 177 days
From the perspective of the senior executive team, it is key that they question how they build their business risk profiles and how they communicate these to the cyber security team. In many cases, risk assessment focuses on likelihood and impact, and is usually based solely on internal values and analysis.
Some organisations get additional input by budgeting for third-party validation and penetration tests. Here there is an opportunity for senior leadership to understand the threat landscape: by following who is targeting their industry, what they are after and how they operate, according to their different motivations, leadership can start to factor those outputs into its ongoing risk analysis.
FireEye’s M-Trends 2019 report, based on information and data collected from FireEye’s Mandiant GDPR Incident Response efforts, indicates that, for 2018, the median time to detect a breach (the ‘dwell time’) in the EMEA region was 177 days (largely unchanged from 175 days in 2017), and that in many cases organisations are relying on external notifications, which increases the detection time significantly.
It also reflects the changing trend in the EMEA region. As noted, organisations, and in particular c-suites and boards, are taking cyber security governance much more seriously. This has been driven in part by regulation such as GDPR, but also due to increased recognition of the risk presented by targeted cyber attackers.
The underlying data shows that while many organisations are dealing with advanced threat actors much faster than ever before, security teams are still uncovering historical attacks. The increased internal and external dwell times therefore reflect the attention that organisations surveyed by the report are placing on effective security measures.
The gap between internal and external notification reinforces the importance for organisations to have strong detection and remediation strategies in place. External notification cannot be relied upon as a meaningful detection strategy. Greater collaboration and understanding from the security teams and senior executives can help to address the gap between intrusion and detection, by carefully analysing what causes such attacks and devoting to this the time and attention it requires.
Jens Monrad is Head of Intelligence EMEA at FireEye.