“Can we defend against this threat actor? If not, what should we do about it?”
On the surface it’s a basic question, and senior leadership expects its CISO to give a quick answer.
If answering that question is what we’re paid to do, why do most of us suck at answering it?
One thing to consider is the constraints security teams are working under. It’s difficult, if not impossible, to get the insights needed for a quick response. As a CISO, if you are hearing back from your security team with any level of speed, you have to question the accuracy of that information, because it’s very likely they are guessing.
Walking through the process required to answer the question helps explain why this is so difficult.
An Arduous Process
Modern security teams need to know:
- If a certain threat actor group targets businesses that match their profile
- What specific behaviors that threat actor is currently using
- Of these behaviors, what subset does the business need to care about
- If they have security controls in place to defend against these behaviors
- If not, what they should do to fill the gaps, ideally with the existing controls
The reality is that most security teams don’t have the data and systems in place to fully understand whether they can effectively defend against a particular threat, or how to address the gaps in coverage that might exist.
But there are multiple opportunities to simplify and accelerate the process with Threat-Informed Defense and build a bridge to your senior leadership.
A Labyrinth of Threat Intelligence
To get started, security teams need threat intelligence to gain a degree of confidence that they know what a specific threat actor does. Most threat intel platforms provide data on the types of businesses a threat actor targets. But when it comes to the tools the adversary uses and specifically what behaviors or tactics, techniques and procedures (TTPs) they are using today and which present the most risk, that takes additional research.
Large companies tend to have threat intel teams that can help, but most companies don’t. They buy threat intel from vendors because it’s an important tool to have in their defensive stack but focus their limited resources on chasing vulnerabilities and alerts. Time and expertise are scarce to do anything more than look up a certain group to see the types of companies they target and what behaviors they use.
Businesses with security teams that can get to this point have a baseline understanding of their risk and, by extension, the techniques they need to be able to defend against. However, to arrive at a meaningful answer they also need to know which techniques and sub-techniques represent greater risk than others. That level of expertise is not implicit in the threat intel platform they are buying. It’s typically embodied in highly skilled analysts at the largest companies or within governments. For most security teams it’s extremely difficult to distill the hundreds of techniques a threat actor is known to use down to the 20 that are actually relevant to the organization and have to be defended against.
A Threat-Informed Defense approach continually collects, evaluates, and maps cyber threat intel from multiple sources to provide a current picture of relevant threats and new behaviors.
Mapping Security Controls to Relevant Behaviors
Next, teams need to know which of these behaviors they can either defend against or detect and, perhaps more importantly, where the business is exposed. This requires an exhaustive view of the capabilities that exist within each tool that the security organization owns, which is easier said than done.
Historically, vendors haven’t shared information about what’s in their black-box systems. Recently, however, they have begun moving in that direction, due in large part to efforts by MITRE to drive the community to structure and normalize capabilities. Vendors who do this can communicate with some degree of consistency what their products do. All vendors need to get on board, as customers need that information to understand the risk reduction they are getting from their investments.
Drilling deeper, security teams also need to know what these tools do as they are actually configured. Some platforms have dozens or more policy settings, which means hundreds of permutations. Teams have to know how each tool is configured and how those configurations affect a tool’s effectiveness against a specific threat actor. In addition, tools don’t operate in a vacuum. It’s important to understand what the organization’s combination of tools, in their current configurations, is doing in aggregate – and how much risk is left.
The final step is recommending how to address that residual risk. Of the tools the organization has spent money on, the team needs to figure out if something can be reconfigured or if a policy can be turned on to close coverage gaps. Achieving further risk reduction is often a painstaking process of toggling settings and testing.
Threat-Informed Defense tools automate these steps, mapping the coverage of your existing security tools and configurations, determining the value each tool brings, identifying gaps, and making recommendations to squeeze the most out of your investments.
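The steps above (actor TTPs, per-tool coverage as configured, aggregate coverage, gaps, and recommendations drawn from tools already owned) can be sketched as a small coverage-map calculation. This is an added illustration, not Tidal Cyber’s code; the actor, the products and their policy names are constructed sample data, and the technique IDs are real MITRE ATT&CK identifiers used only as examples.

```python
from dataclasses import dataclass, field

# Constructed sample: techniques a fictional threat actor is currently using
# (IDs are real MITRE ATT&CK identifiers, chosen only for illustration).
ACTOR_TTPS = {
    "T1566.001": "Spearphishing Attachment",
    "T1059.001": "PowerShell",
    "T1003.001": "LSASS Memory",
    "T1021.001": "Remote Desktop Protocol",
    "T1047": "Windows Management Instrumentation",
}

@dataclass
class Tool:
    name: str
    policies: dict                 # policy name -> technique IDs covered when enabled
    enabled: set = field(default_factory=set)

    def coverage(self):
        """Techniques the tool covers as it is configured today, not as advertised."""
        return set().union(*(self.policies[p] for p in self.enabled))

# Constructed defensive stack (hypothetical product and policy names).
TOOLS = [
    Tool("Email Gateway", {"attachment_sandboxing": {"T1566.001"}}, {"attachment_sandboxing"}),
    Tool("EDR", {"script_block_logging": {"T1059.001"},
                 "credential_theft_protection": {"T1003.001"},
                 "wmi_monitoring": {"T1047"}}, {"script_block_logging"}),
    Tool("Firewall", {"block_inbound_rdp": {"T1021.001"}}),  # bought, never turned on
]

def coverage_map(actor_ttps, tools):
    """Aggregate coverage across all tools as configured; returns (covered, gaps)."""
    covered = {}
    for tool in tools:
        for tid in sorted(tool.coverage() & set(actor_ttps)):
            covered.setdefault(tid, []).append(tool.name)
    gaps = set(actor_ttps) - set(covered)
    return covered, gaps

def residual_risk(actor_ttps, gaps):
    """Share of the actor's current techniques with no control in place."""
    return len(gaps) / len(actor_ttps)

def recommendations(gaps, tools):
    """Disabled policies on tools already owned that would close a gap."""
    return [(t.name, p, sorted(techs & gaps))
            for t in tools for p, techs in t.policies.items()
            if p not in t.enabled and techs & gaps]
```

With the sample stack, two of the five techniques are covered, residual risk is 0.6, and every gap can be closed by enabling a policy on a product the organization already owns.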
Providing Reliable, Fast Answers
As a CISO, you must be able to respond to the most basic question quickly with a trustworthy answer. But the environment you operate in is incredibly complex and opaque. Without the right data and systems in place, it can take weeks of analysis, not hours or even days, to unpack the threat landscape and your defensive capabilities and arrive at a complete answer.
This is the problem Threat-Informed Defense is designed to solve in a practical way, so we can finally stop guessing.
Tidal Cyber’s approach combines relevant cyber threat intelligence with details of an organization’s defensive stack as it is deployed, to build and maintain a coverage map. Your security team can have a collective view of the effectiveness of defenses against specific threats that illuminates residual risk with recommendations for how to reduce it.
We can finally do what we’re paid to do: respond to the most basic security question quickly, accurately, and with confidence.