This column is available in a weekly newsletter called IT Best Practices.
The Target data breach of 2013 was a wakeup call for many corporate executives and boards of directors. Target's sales dropped sharply during the crucial holiday season, the stock price fell 11% after the breach was announced, and both the CIO and the CEO left the company in the aftermath. It was then that leaders at other companies began to realize that cybersecurity is an overarching enterprise issue and not simply an IT risk.
This has put many executive leaders in an uncomfortable position. They need to understand and manage their cybersecurity risk, but they lack the information to know their actual risk posture. They can look at the budget dollars going toward IT security controls, but this doesn't answer the question, "How vulnerable are we to an attack that could lead to a serious data breach?"
Analysts and experts advise executive leadership to strategically invest in security controls that are most relevant to today’s advanced attacks. It's good advice that isn't easily put into practice. How can leaders be sure they are investing in the security controls that address their organization's specific risks? Further complicating the matter is the fact that risks shift based on attack trends.
Most enterprises already have a significant security infrastructure consisting of tools such as firewalls, IDS/IPS, DLP, SIEM, web application firewalls, sandboxes, network access control and countless other point solutions. These tools monitor and correlate network activity, user behavior, anomalous access, and so on. They are the vital tools of the trade for information security practitioners who need to understand the minutiae of indicators of compromise.
Now there is a set of tools from Cytegic that works at a more strategic level to help executives understand their cybersecurity risk posture. While other tools monitor the network, Cytegic's tools determine the enterprise's level of security maturity based on the existing controls and the threats that are relevant to this specific organization. Executive leaders can view a dashboard (see Figure 1) to quickly determine the organization's overall cybersecurity posture. From there they can understand where to strategically apply investments to reduce the risk of a breach.
There are three tools in the Cytegic toolset that work together to deliver a holistic view of the enterprise security posture.
The first is called Dynamic Trend Analysis (DyTA), an intelligence analytics platform that automates the gathering, processing and analysis of external threat data. DyTA takes the threat data from about 1,000 online open sources and technical cyber feeds from around the world and generates specific and actionable cyber threat forecasts based on built-in pattern analysis capabilities. This tool uses an open platform so that an organization can include its own preferred threat feeds; for example, one from an industry-specific Information Sharing and Analysis Center (ISAC).
An example use case for DyTA is to understand the threat trends in a particular industry. Recall the situation a few years ago when numerous banks were getting hit with DDoS attacks. DyTA is supposed to be able to spot this trend at its outset and forecast the risk for companies in this industry. As a financial institution sees its own risk of an attack going up, it can dial up the controls to mitigate the risk. Figure 2 shows an example of a threat trend graph that DyTA produces.
The second tool is called Cyber Maturity Assessment (CyMA), a unified cybersecurity management system that is said to automate the collection, processing and analysis of organizational security control data. CyMA is designed to enable a CISO to assess cybersecurity maturity levels based on aggregated data and indicators of maturity collected from the organization's own security controls.
As CyMA collects data from an enterprise's security infrastructure, it analyzes the state of three major categories of control.
* The "detective controls" mostly come from tools that detect indicators of compromise—SIEM systems, user behavior analysis, fraud detection and so on.
* The "preventive controls" category looks at tools that are intended to prevent unwanted access or activity. This includes firewalls, anti-virus, intrusion prevention systems, data loss prevention, network access control, etc.
* The third category is "infrastructure control" and this involves the soft processes around security. For example, policies, procedures, training, user awareness, software development lifecycle, and so on. In all, CyMA tracks more than 50 key controls pertaining to enterprise security.
To calculate the indicators of maturity, CyMA collects anywhere between 20 and 100 different indicators from each control and provides a sense of how well those controls have been implemented in the specific environment. The controls are measured against a collection of industry best practices from sources such as NIST, ISACA, ISO 27001, and regulations like PCI DSS. For example, specific indicators of maturity from a firewall can provide a sense of whether or not that firewall has been implemented in a way such that it is sufficiently hardened. A firewall with a default configuration would earn a low maturity score.
All of these indicators are rolled up into the three categories – detective, preventive and infrastructure – to present the organization's scores for security maturity level. A dashboard view of this information is shown in Figure 3. CyMA also presents maturity levels for the individual devices and controls.
The third product in the toolset, the Cyber Decision Support System (CDSS), looks for relevancy within the organization. Once the CISO understands the major threats and trends that could affect the organization, and has a picture of the existing controls and the maturity level to which they have been implemented, the remaining question is whether the controls, as they are, can withstand the relevant attack vectors, and where the weakest links in the armor are. This tells the CISO if and where the company is vulnerable, and where to make investments in security controls. This is all presented through the dashboard view shown in Figure 1.
The Cytegic CDSS solution enables business IT managers to simulate "what if" scenarios for potential cyber threats and determine optimal resource allocation to mitigate risk for each asset. For example, the organization could simulate what would happen if a new control were put in place, or if a specific kind of attack were to happen. Suppose the enterprise has a problem with SQL injection attacks and it wants to know if implementing a web application firewall would help. The company could test a scenario of installing a WAF with a maturity level of 50% to see how that would affect the risk level of a SQL injection attack. This helps the company decide if the investment in time and effort of implementing the WAF controls is worth it. The answer is only as good as the effectiveness weights behind the model, so such a scenario is best read as a relative comparison between options rather than as a prediction of whether a given attack will succeed.
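To make the maturity roll-up and the "what if" scenario concrete, the following is an added illustrative model written for this article; it is not Cytegic's code or scoring algorithm, and the control names, indicator checks, threat likelihoods and effectiveness weights are all constructed assumptions. Each control's maturity is the fraction of its indicators that pass, categories are the average of their controls, and a threat's residual risk is its baseline likelihood reduced by the combined mitigation of whatever relevant controls are deployed. Adding a hypothetical WAF at 50% maturity then shows how the SQL injection risk figure moves.

```python
"""Illustrative maturity roll-up and what-if model (constructed example, not Cytegic's algorithm)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    name: str
    category: str                 # "detective", "preventive" or "infrastructure"
    indicators: Dict[str, bool]   # indicator name -> whether the check passed
    assumed_maturity: Optional[float] = None  # set for hypothetical controls in a what-if

    def maturity(self) -> float:
        """Fraction of maturity indicators that pass (0.0 .. 1.0)."""
        if self.assumed_maturity is not None:
            return self.assumed_maturity
        if not self.indicators:
            return 0.0
        return sum(self.indicators.values()) / len(self.indicators)


# Constructed sample data: a firewall still close to its default configuration
# scores low, a well-tuned SIEM scores high.
CONTROLS: List[Control] = [
    Control("firewall", "preventive", {
        "default_deny_inbound": True,
        "default_admin_password_changed": False,
        "management_plane_restricted": False,
        "rule_base_reviewed_quarterly": False,
        "logging_to_siem": True,
    }),
    Control("siem", "detective", {
        "all_critical_sources_onboarded": True,
        "use_cases_tuned": True,
        "alerts_triaged_24x7": False,
        "retention_meets_policy": True,
    }),
    Control("sdlc", "infrastructure", {
        "threat_modeling_required": False,
        "sast_in_pipeline": True,
        "security_training_annual": True,
    }),
]

# Assumed threat model: baseline likelihood (as a trend-analysis tool might
# forecast it) and the maximum mitigation each control gives when fully mature.
THREATS: Dict[str, Tuple[float, Dict[str, float]]] = {
    "sql_injection": (0.8, {"waf": 0.7, "sdlc": 0.5, "siem": 0.2}),
    "ddos": (0.5, {"firewall": 0.3}),
}


def category_scores(controls: List[Control]) -> Dict[str, float]:
    """Roll control maturity up into the three category scores."""
    by_cat: Dict[str, List[float]] = {}
    for c in controls:
        by_cat.setdefault(c.category, []).append(c.maturity())
    return {cat: round(sum(v) / len(v), 3) for cat, v in by_cat.items()}


def residual_risk(threat: str, controls: List[Control]) -> float:
    """Likelihood that remains after the deployed, relevant controls are applied.

    Mitigations are combined as independent layers: 1 - prod(1 - eff_i * maturity_i).
    A relevant control that is not deployed contributes nothing.
    """
    likelihood, mitigations = THREATS[threat]
    by_name = {c.name: c for c in controls}
    unmitigated = 1.0
    for name, effectiveness in mitigations.items():
        c = by_name.get(name)
        if c is None:
            continue
        unmitigated *= 1.0 - effectiveness * c.maturity()
    return round(likelihood * unmitigated, 4)


def what_if(threat: str, controls: List[Control], new_control: Control) -> Tuple[float, float]:
    """Residual risk before and after adding a hypothetical control."""
    before = residual_risk(threat, controls)
    after = residual_risk(threat, controls + [new_control])
    return before, after


if __name__ == "__main__":
    print("category maturity:", category_scores(CONTROLS))
    waf_at_50 = Control("waf", "preventive", {}, assumed_maturity=0.5)
    print("sql_injection risk before/after WAF@50%:", what_if("sql_injection", CONTROLS, waf_at_50))
```

With the sample data the SQL injection figure drops from roughly 0.45 to 0.29 when a half-mature WAF is added; running the same scenario with the WAF at 100% maturity, or with the SDLC control improved instead, gives the kind of side-by-side comparison the text describes. The weights are the whole model, so in practice they need to be reviewed as carefully as the indicators themselves.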
The Cytegic toolset is aimed at helping enterprises get a good understanding of their overall security posture and make strategic decisions about their security controls environment.