Make the right cybersecurity investments
Published: Jun 28, 2017
Author: Ashish Thapar
How to balance cost and risk reduction.
These days, we all understand the need for better cybersecurity. Most organizations are facing the next logical challenge: how do I improve my security with the resources I have available? What’s the best way to reduce real-world risk without exhausting or overshooting an already-strained budget?
This blog is a compilation of insights we’ve gained from conducting risk assessments and forensic and remediation engagements around the world. We know you don’t have unlimited resources; we’re here to help you make the most of your cybersecurity investments.
You can’t control what you don’t understand
To control risk, you must first assess it accurately. Unfortunately, you don’t have a spy network relaying individual information on each attacker. Instead, we must pragmatically settle for knowing our own environments and improving our understanding of attacker tactics, techniques and procedures (TTPs).
Rather than ask who might attack you, the difficulty of attribution means it’s often more fruitful to ask, “what do I have that attackers might want?” The answer will be found in an asset inventory. A good inventory will help you understand what data your organization controls, and which of it is most valuable and desirable to those outside your organization. Knowing what you don’t know is a far better situation than not knowing what you don’t know. As described in the “Unknown Unknowns” scenario in the Data Breach Digest, we found that unknown systems, accounts, software and data act as landmines for enterprises. Hidden and ready to detonate, these unknown unknowns can explode any time, resulting in substantial impact to operations or public perception. Countermeasures from Critical Security Controls (CSC), such as CSC-5, CSC-6, CSC-7, CSC-10 and CSC-13, can help mitigate the risks from such threats.
Get to know your enemy
Once you know your assets, or shall we say, your crown jewels, you need to do what you can to understand how attackers operate: their TTPs. If you have information on previous attacks in your environment, you can use the A4 system to understand TTPs. The system is a way of correlating the actors, actions, assets and attributes involved in an attack (hence the name A4). It is based on the Vocabulary for Event Recording and Incident Sharing (VERIS). To see how you can use the A4 method to visualize attackers’ TTPs, see here.
One of the best ways of understanding attackers’ TTPs, however, is to get information and threat intelligence on their actions both inside and outside of your organization. Locking your doors and windows is one step toward being more secure, but being able to see potential attackers as they roam the neighborhood or create problems in another town can give you vital information that helps you understand what they want and how to protect yourself from them more effectively.
This is where a security services provider can be of immense help, particularly if that provider also offers networking and threat intel services. Network providers’ broad view of internet traffic lets them see what attackers are doing across the internet. In our white paper, Is the Network the New Firewall?, we show how these providers can then turn that information into security intelligence that helps make protecting your environment easier.
Don’t lose sight of non-technical controls
A defense-in-depth strategy is made up of layered technical, physical, and administrative and procedural security controls. Technical security controls get the most attention, but in our experience we’ve seen that it can, at times, be harder to hack a procedural control than a technical one.
There are technical vulnerabilities in any piece of hardware or software. On the other hand, it can take determined social engineering to crack rigorous administrative and procedural design, such as building air gaps or establishing least privilege and segregation of duties. These controls aren’t invincible either, but they can deter large numbers of opportunistic attackers.
For instance, while investigating business email compromise (BEC) incidents, we frequently recommend our customers go beyond technical controls and build in administrative and procedural controls in critical business processes to safeguard their investments. Requiring a simple out-of-band verification call can help save significant dollars that might otherwise be siphoned off using these BEC scams. We tell the story of how our Threat Response Advisory Center IR team helped a customer during a typical financial pretexting incident in the Data Breach Digest scenario “Financial Pretexting.” Countermeasures such as CSC-6, CSC-7, CSC-14, CSC-17 and CSC-19 are quite effective in mitigating the risks from such threats.
A managed security services provider (MSSP) is often seen as someone to manage technology, like your Security Information and Event Management (SIEM) system and other security control systems. But the provider can be just as important for the experience it provides in design and process improvements. MSSPs understand best practices for designing defenses and can help you implement these practices in your environment.
More importantly, MSSPs can provide valuable threat intel, cross-leveraging incidents that may be targeted toward a specific industry sector and helping you take advantage of collaboration efforts such as the Data Breach Investigations Report. How well they do this is critical to the efficacy of their services. In the best of cases, MSSPs essentially become well-trained additions to your staff. For better or worse, your people are your first line of defense.
What’s the total cost of ownership?
All too often, when an organization tries to calculate total cost of ownership (TCO), it fails to take in the true total. Here, as with security controls, organizations often focus on technological costs and forget other important issues. Not only are there costs for implementation, migration, maintenance and technical system upgrades, many organizations also forget the cost of implementing and continually improving security controls, of resourcing and training, or of funding recurring expenses related to day-to-day security operations.
This list of potential costs isn’t meant to intimidate. We believe that if you better understand your complete costs, you’ll be able to make wise decisions ahead of time and achieve a better return on your investments. But we also know that studying TCO will make some organizations realize the cybersecurity investments (time, money, effort) they need are beyond their capacity. That’s OK too. That’s what MSSPs are for.
Selective outsourcing can help you gain the security you need without taking on all the costs. Once you calculate the costs of upgrades, patching, operations and the other items we’ve highlighted, you may realize that it’s not worth it for your organization to attempt these tasks. Managed security services can provide a better return on your investment and an effective way of thwarting cyberattacks using their scale, experience, industry-wide global optics and actionable threat intelligence.
How to balance controls with user experience
The complexity of defense in depth has a cost that can’t be counted in dollars: the cost to users or administrators. Well-designed defenses don’t have to complicate the user experience, but poorly designed ones certainly will.
Human-computer interaction—security (HCISec) is a field specifically dedicated to this challenge. You don’t have to be an HCISec specialist to address the issue in your organization, though. Part of simplifying security for your users is considering what should be done in-house versus what should be outsourced. MSSPs can help you balance your controls across preparation, detection and response. Also, they can help you manage complexity and maintain documentation for all your controls.
Finding the right controls for your organization
With security controls, the devil is in the detail. So we know this blog can only be a start for you as you consider which controls will help you balance costs against effective protection for your organization. Implementing non-effective controls or just narrowly focusing on compliance requirements may lead to a false sense of security that could be far more detrimental than not having any controls. Luckily, with the help of the right security partner, it's possible to protect your organization without blowing your budget.
Ashish Thapar is a Managing Principal on the Investigative Response team at Verizon. He leads the team that is responsible for all supporting customer-facing computer incident response, digital forensics, electronic discovery and IT investigations in the Asia Pacific & Japan region.