This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
On April 1, the president of the United States issued an executive order to sanction malicious cyber actors who profit from stealing sensitive information from U.S. businesses, government agencies and individuals. President Obama said cyber threats "pose one of the most serious economic and national security challenges to the United States" and the executive order declared a national emergency pertaining to online threats.
This announcement comes on the eve of the annual RSA Conference, where tens of thousands of IT security practitioners will gather to peruse the latest and greatest security solutions designed to help protect digital assets.
At no time in history has there ever been such a concentrated focus on the importance of cyber security, and for good reason. The 2015 Global State of Information Security Survey says the compound annual growth rate of detected security incidents has increased 66% year-over-year since 2009. That's just what has been detected. According to the 2014 Trustwave Global Security Report, as many as 71% of compromises go undetected. Thus it's no surprise that the World Economic Forum declares the theft of information and the intentional disruption of online or digital processes to be among the leading business risks that organizations face today.
CISOs know that not every attack can be stopped at the network perimeter—or what's left of it. They've got to operate under the assumption that "if we are not compromised already, we could be at any time." This makes rapid detection and mitigation of threats an important aspect of any cyber security defense program. The sooner a threat inside an environment can be detected and mitigated, the less damage it is likely to do.
LogRhythm CTO Chris Petersen says there are two key metrics for measuring the effectiveness of an organization's security capabilities. One is Mean-Time-to-Detect (MTTD), which is the average amount of time it takes an organization to identify threats that present an actual risk and which require further analysis and response efforts. The second metric is Mean-Time-to-Respond (MTTR), or the average amount of time it takes an organization to fully analyze the threat and mitigate any risk presented.
"Many organizations operate in a mode where MTTD and MTTR would be measured in weeks or months," Petersen says. Enterprises that have already been compromised are at high risk during this time. If they want to reduce the risk, they need to move the needle on these key metrics—from weeks or months down to hours and days, and ideally to hours and minutes.
Research from Trustwave backs up this assertion. Analyzing 691 data breach investigations from around the world, Trustwave learned that 71% of the compromised victims didn't even detect the breach themselves. Often law enforcement agencies and other third parties informed the breached organizations of the incident. In this particular study, the MTTD was 87 days, and the MTTR was a week. According to Trustwave, self-detection of a threat can shorten the timeframe from detection to containment from 14 days down to one.
An organization's key to lowering its MTTD and MTTR is through Security Intelligence, Petersen says. "Just as Business Intelligence has helped numerous organizations clear the fog of too many points of seemingly extraneous business data to find previously unknown business opportunities, Security Intelligence does much the same thing with threat information. It enables companies to clearly see the threats that matter. The main objective of Security Intelligence is to deliver the right information, at the right time, with the appropriate context, to significantly decrease the amount of time it takes to detect and respond to damaging cyber threats."
Petersen describes the importance of Security Intelligence, as well as the two metrics and how to lower them, in a new white paper where he details a Security Intelligence Maturity Model (SIMM). This model is similar to the Department of Defense Cyber Security Maturity Model.
LogRhythm's SIMM describes various stages of Security Intelligence capabilities and organizational and risk characteristics that together determine how well prepared (or not) an organization is to reduce the likelihood of a harmful breach. As an organization advances in its maturity level, it increases its capabilities for detecting and mitigating threats and thus reducing its MTTD and MTTR and its overall risk posture.
The Security Intelligence Maturity Model is illustrated in an extensive table in the white paper, but here's a sample of the maturity levels and what they mean:
* Level 0: Blind – MTTD measured in months, MTTR measured in weeks or months. The organization has basic firewalls and anti-virus but nobody is really watching for indicators of threat and there's no formal incident response process. If the company has intellectual property (IP) of interest to nation-states or cyber criminals, it has likely already been stolen.
* Level 1: Minimally Compliant – MTTD measured in weeks or months, MTTR measured in weeks. The organization does what it must to comply with regulatory mandates. Areas of high risk might receive more security scrutiny, but the company is still generally blind to most insider and external threats. IP of interest has likely been stolen.
* Level 2: Securely Compliant – MTTD and MTTR measured in hours or days. The organization has deployed sufficient Security Intelligence capabilities to move beyond "check box" compliance and toward improved security assurance. Resilient to some threats but still highly vulnerable to advanced threats.
* Level 3: Vigilant – MTTD and MTTR measured in hours. The organization has significant capabilities to detect and respond to threats. It actively hunts for risks via fully monitored dashboards. Resilient to most threats, even those leveraging APT type capabilities.
* Level 4: Resilient – MTTD and MTTR measured in minutes. The organization has holistic Security Intelligence capabilities and a functional 24 x 7 SOC. Though the organization is a high value target, it can withstand and defend against the most extreme types of adversaries.
Each organization needs to assess for itself the appropriate level of maturity based on its own risk tolerances. Not every company needs to reach Level 4. For example, organizations with limited budget and higher risk tolerance can achieve significant improvement in their risk posture by moving towards a Level 2 posture.
With cyber threats now being labeled a matter of national security, the important thing for companies is to keep growing their security maturity and reducing their overall risk posture.