Every champion has an adversary; an appropriate adversary. Mohammad Ali had Joe Frazier as his adversary – the undisputed world champion, not Brian London who he knocked out in 3.12 seconds flat. People have used adversaries to set their goals and prepare appropriately.
CISOs have an opportunity to embrace the reality that threat actors come in different shapes and sizes – sophistications and motivations - and use those characteristics to calibrate their program.
Threats are central to security and cyber resilience strategy and operations decision making. In fact, they are one of the key dimensions that drive the costs of a security program.
Even with limited knowledge, many of our non-security business peers instinctively understand the relative capability of different threat actors. A nation state is much more sophisticated than an organized crime unit who, in turn is more sophisticated than a sole hacker.
It’s time CISOs leverage the relative sophistication of threat actors and use it to base their security story and communicate in an easy common language.
The risk/impact model in security and cyber resilience should consider these three dimensions as they calibrate their program to different levels of threat actors.
Different levels of threat actors
Not all threats are the same, some are less sophisticated, like tailgating into an office building, while others are more sophisticated, like organized crime having an operative be recruited and working in the target organization; or more technically, gaining access to a device via default password vs. developing a zero-day exploit.
Likewise, it is generally more expensive to counter more sophisticated threat actors because controls must handle more, and more complex, attack and breach scenarios. In this way, threat sophistication is a cost slider. Metaphorically speaking, this sophistication level of the threat is the height of the wall.
Threats target asset surfaces
These could be network services, devices, facilities, people, vendors, applications, accounts, and information. Threats leverage tactics of various sophistications to breach these assets and surfaces to move between assets and surfaces to gain access as desired. Security controls are deployed across these assets and surfaces to counter these threat tactics.
However, one of the key flaws in deploying any control is the incomplete coverage. Your rollout of control typically follows the 70-30 rule – It’s relatively easy to deploy it over 70% of the attack surface, but the remaining 30% is left unprotected. Many breaches have resulted from such incomplete coverage of these assets and surfaces.
This exposes another common strategic and tactical flaw – over fixation on media sensationalized breaches and the belief that they are usually from sophisticated attackers. This has the detrimental effect of redirecting focus and resources in an attempt to secure against more advanced attacks, while diverting attention away from less sophisticated. This leaves holes – in capability and coverage – to counter less sophisticated threats thus leaving the organization actually MORE exposed to breach.
As a tragic-comedic twist, those ‘advanced’ threat actors can easily leverage these low hanging gaps to breach and, in the case of attribution, argue that the breach was so simple anybody could have done it – why blame them?
In a large financial services company, a pen tester discovered a case where laptop disk encryption failed open on repeated password failures. That led to device breach, account breach, domain breach, and ultimately enterprise breach including trade secrets and regulated data. It was an outlier laptop, most of the other laptops failed securely.
Edge cases are the bane of security operations but a goldmine for threats. In this way, control coverage is a cost slider. Continuing the wall metaphor, let’s call the coverage the width of the wall.
Harmonizing Controls for shared goals
Controls rarely work independently. They work in supporting ecosystems – sort of like a military campaign leveraging air force, navy, marines, army, satellites, and intelligence. In security speak these commonly break down, from an earlier to latter control layer into predictive, preventive, detective, responsive, and recovery capabilities.
If we think of the depth of defenses, the greater the capability of earlier layers, the reduced effort, typically, of latter layers.
However, economically, earlier layers may be much more costly than latter, thus, by strongly calibrating these costs to sophistication levels and coverage, we can prioritize investment to different layers, and to specific control outcomes within each layer. In this way, control layers are a cost slider. Let’s call the control layers the depth of the wall.
We’ve introduced three intuitive dimensions of security controls: using the wall metaphor, these are height, width, and depth. These dimensions, generally, have the greatest influence on the cost of a security program, and of the degree of threat preparedness, the security program delivers.
A CISO that is better informed of these costs to preparedness variables can develop and pitch more robust business plans and budgets to executive leadership, can predict breach outcomes, and can better guide budget expenditure and security operations to expected threat preparedness outcomes.
Photo courtesy of #WOCinTech