Managing Cyber Risk in an Era of Cybersecurity, Ransomware and Coronavirus

"Man cannot be secure unless he has awareness of himself and the world around him".

Technology and access to information are happening at light speed today. The recent events have forced us to pause and realize despite all the advancements, a basic biological organism can bring us to our knees.

Like every other crisis or event, certain groups or individuals will be looking to take advantage of other people and companies. If the last few years have shown us anything it is how important protecting our information assets are to our future. This crisis will service as a key reminder. 

As we weather this storm and begin to come out of it, businesses will need to refocus their priorities and prepare for growth. A key item to the recovery will be to re-assess the financial impact of each risk as well as the cost of mitigation. Business leaders will need to determine if they can absorb or accept additional risk or how the mitigation each risk needs to be prioritized.

In preparing your organization, it is critical to ensure the company implements a sound Governance, Risk and Compliance (GRC) Strategy. Organizations need to assess the maturity of their programs and determine the priority of improving their Risk, Compliance and Security posture.

A sound GRC Strategy consists of the following:

·      Enterprise Risk Program

·      Contractual and Regulatory Compliance Program

·      Information Security Program

If you look at this at this as a pyramid, the foundation is your Security program, usually managed by the Chief Information Security Officer and is focused on identifying existing threats and vulnerabilities as well as protecting the organization’s digital assets. Layered on top of the Security Program, is the Compliance Program which ensures the organization is compliant with their contractual obligations and well as regulatory directives with respect to handling and sharing sensitive data. The Compliance Program is usually managed by the Chief Compliance Officer and is focused on identifying and remediating non-compliant controls. The top layer of the pyramid is your Risk Management Program. This program takes the threats and vulnerabilities from the Security Program and the non-compliant controls and through a process of measures and metrics performs a Quantitative Risk Analysis resulting in identifying the Financial Impact of each risk. 

I will layout below what each component should include and some of the challenges:

Risk Management Program

Business leaders must choose to either Accept the Risk, Mitigate the Risk or Transfer the Risk to a 3rd party such as Insurance or a Managed Services Provider (MSP).

A Risk Management Program is designed to identify Risks and quantify the financial impact of each risk. The result this process give business leaders the tools they need to prioritize how they will address each risks.  Additionally, mitigation costs will also be determined as part of this process. 

One of the big challenges for CIOs and CISOs, is to communicate effectively to the business leadership what the threats and vulnerabilities are and how they would impact the business. The problem is that although technology people clearly understand these concepts such as security threats and vulnerabilities, the business leadership understands and communicates in dollars ($). The main objective of the Risk Management Program is to translate IT/Security threats and vulnerabilities into financial impacts in terms of dollars. Leadership can then begin to determine their Risk Tolerance and prioritize the mitigation of each risk. 

In the Risk Management process, all the threats and vulnerabilities identified in the Security Program are imported into the Risk Management Program. The non-compliant controls from the Compliance Program are also added to create the Risk Registry.   All assets will be cataloged and grouped by function. This information is then run through a series of metrics and measures in order to determine the likelihood of occurrence and the asset values for the group of assets impacted by the Risk. The output will be a dollar value of the financial impact of the Risk.  

The Risk Management process is not a point in time process since risks change frequently and new Risks are occurring all the time. The Risk Management Program must include a process to constantly evaluate and update risks as they occur or change. A side benefit of the Risk Management process is that is becomes easier for CIOs and CISO to build their cost benefit analysis and business case with the data from the Risk Management Program. 

Compliance Program

In the current Cybersecurity climate and the frequency of third-party breaches, organizations have increased their scrutiny on how the vendors and partners are handling their data and accessing their systems. As a result, companies are being asked to demonstrate compliance with a variety of industry and regulatory standards such as SOC, PCI, HIPAA, HITRUST, Privacy, GLBA, DOD, FTC, FCC and various state regulations. Chief Compliance Officers(CCO) manage the various compliance obligations to ensure non-compliant issues do not financially impact the company in a negative way. One challenge CCOs have is to figure out ways to reduce the internal effort and redundant activities of managing multiple compliance standards. Many organizations are attempting to consolidate the controls of their security framework as well as their other compliance controls to build out a custom control set. This eliminates the stovepipe style management of these programs as well as eliminating the redundant activities across the various compliance standards. There are many compliance platforms currently out there that claim to reduce the effort that is required to manage multiple compliance programs. Unfortunately, I have seen companies purchase and treat these technologies as a black box without implementing a strict process and methodology. The result is the technology becomes an expensive document repository that never delivers the original benefits they purchased it for. Compliance Management like Security Management is mostly a process not a technology. The tools are only effective once the process is implemented. Things to consider when looking for Compliance Management technology are:

·      Ensure you have implemented a sound GRC process and it works without technology.

·      Evaluate technologies that align with your processes.

·      Determine both the cost of acquisition (2 to 3-year costs) as well as implementation and management costs – these costs will various significantly from product to product.

·      Evaluate integration capabilities with other security and IT products such as Vulnerability Scanners, Asset Managers, Policy Managers, Incident Response Managers, SIEM products and ticketing systems.

Information Security Program

A sound Information security program is critical and the foundation for implementing a successful GRC Strategy and protecting digital assets. It wasn’t that long ago where security meant having a Firewall and some Antivirus software, those days are gone. Malicious threats and bad actors have evolved dramatically over that last 5 to 10 years. These malicious groups are much more networked and collaborative than most businesses. They are using advanced technologies such as AI and Machine Learning to identify vulnerabilities as well as automation in executing their attacks.

Companies have typically utilized a defensive only strategy as the foundation of their security programs. This approach is destined to fail and eventually the attacker will find a vulnerability. If you think in terms of a military strategy, a defensive only strategy will be overwhelmed by a frontal attack unless they are combined with other strategies such as Flanking, Fragment or Feign. Companies must combine multiple strategies if they are to mitigate or stop a threat. Taking the words from Sun Tsu, “You must know yourself, your enemy and know the battlefield. Make sure you have a detailed understanding of the strengths and weakness of your Security Program and Infrastructure. You must also understand how bad actors think in order to defend against them. 

Organizations need to select a Security Framework to build their Security Program on. I recommend utilizing an industry accepted standard such as ISO 27001 or NIST CSF. There are number of other standards out there but these two are the most widely used. If your customers and partners are requiring you to submit a number of security questionnaires you might consider getting ISO 27001 Certified as this would likely reduce the effort in addressing the questionnaires and customers may even allow you to submit the ISO 27001 report instead of having to go through the effort of responding to the questionnaire.

A good Security program must encompass Governance, Operational Processes and Technology. It is also critical to perform a detailed Security Risk Assessment, based on a standard such as NIST 800-30, to identify and prioritize remediation of any risk and vulnerabilities with your current security program. The Security Risk Assessment is different from Business Risk Assessment as it is more Qualitative and based more on security controls. The main purpose is to help the CISO prioritize which risks/vulnerabilities they need to be focusing on. In addition, IT/Security executives need to provide meaningful data and recommendations to their Business Leadership and the Board about the financial impacts of each risk. Including a Quantitative Business Risk Assessment will provide detailed information about the financial impacts of each risk identified allowing Leadership to be able to make effective decisions on whether they should accept, mitigate or transfer the risk.

Governance

A good Security Program starts with identifying and understanding what data you are trying to protect. Performing Data Classification, Data Categorization and Data Discovery helps you understand what the sensitive data assets reside in your company, how these items should be handled, who needs access to this data and where it resides.  

The governance layer also includes building out the organization’s security policies. These policies define how information is accessed, by who and how employees and third parties must handle sensitive data. These policies also define how employees and contractors must conduct themselves with respect to security. How management and maintenance on the technical infrastructure that supports the information assets will be performed, is also defined in the policies.

Operational Processes

The second layer of the Security Program is building out the Operational processes and procedures which expands what is stated in the policies with specific detail on how things are to be performed for example, the policy stated that a Firewall review must be conducted every 6 months. The procedures will describe how the organization will perform that process. Unlike policies which remain relatively static, procedures can change frequently as technology or organizational changes occur.

Technology

The third component of the Security Program is the Technology layer. Typically, many organizations start with technology, which can give them a false sense of security with respect to the maturity of their security program. The Technology layer must be aligned with both the Governance and Operational layers.

A sound multi-layered strategy for security technology is key. Besides firewalls and intrusion detection, organizations need to implement Endpoint software such as EndPoint Detection and Response software (EDR). Advanced authentication and authorization systems need to be incorporated. Encryption should be utilized for transmitting or storing of sensitive data. The use of Multi-Factor authentication is now becoming common place. In addition, good segmentation and restricting end user devices from being able to install unapproved applications or software is critical. Compartmentalizing your network through segmentation is key.

As I mentioned previously, organizations should consider implementing a multi-strategy approach as opposed to just a defensive or fortress strategy. In addition, leveraging automation and reducing human interactions should be a priority. You can’t eliminate human interaction completely as there are still too many false positives being created and some decision regarding actions still need to be made by humans. 

There are many ways a breach or an intrusion can occur but if it occurs there are some common things to look for. Once an attacker finds a vulnerability to exploit and gets access to a node on your network, they will typically go into reconnaissance mode, looking for valuable data, what users are going in and out of that node and scanning for other nodes connected to that node. Once other nodes are detected they can move very quickly through the network, this is called “Lateral Movement”. Many intruders will wait for weeks or months just watching and looking for something of value before the launch. Identifying these intrusions as early as possible is critical.

Use a Multi- Strategy approach

As mentioned previously, incorporating additional approaches/methods other than just being defensive can greatly improve your ability to detect and respond to attacks. Some in the industry advocate implementing or adding an offensive strategy approach. This makes sense if we are talking about security testing but responding to an attack by attacking the attacker is fraught with its own risks. Besides opening yourself up to significant retaliation, legal and international jurisdictional issues may also come into play. 

New Technologies to Watch

Advanced Deception Technologies

Incorporating a Feign or deception strategy by utilizing deception technology as part of your technology infrastructure makes sense. The purpose is to be able to identify a potential threat inside the infrastructure before the actual attack. In addition, some of these technologies will slow down the attacker by making it more difficult to identify real targets within the network. In many situations this delay will allow the Security Operations Center (SOC) team enough time to respond to the attack and potentially mitigate it. Lateral movement of the malicious software moves in seconds which makes it impossible to defend against it with just human resources. Slowing down the attacker before they can deploy malicious content and early identification of the intruder are key to evening the playing field. There are several promising deception technologies now in the marketing that can help. Unlike the first-generation deception technologies such as Honey Pots, the new technologies do not try to attract attackers to a specific node or location but instead create thousands of fake or phantom nodes around each real node in the network. Once the attacker touches a phantom node your team is immediately alerted of the presence of the attacker. I encourage you to research technologies like these and how they can improve your ability to respond to threats.

SOAR Technologies

One other technology that has promise is in the Security Orchestration (SOAR) space. SOAR as with Middleware and RPA, promises seamless integration of disparate systems in order to reduce human effort. In the Security space that means integrating various disparate technology as well as consolidating event and log data. One of the biggest challenges the Security Operation Center has is that a good portion of detection and response effort is still manual. SOAR promises to automate this. Based on feedback from several groups who have implement SOAR technology, it is clear these products still need to evolve before they can truly automate the detection, response and mitigation activities within the Security Operations. Implementations can be difficult and expensive with limited success, mainly due to the large number of Security technology vendors within the organization. We will continue to watch how this technology evolves as the need is critical to reduce the time to respond to an attack.

The Importance of Security Event Information Management. Who’s Watching the Doors?

A critical activity all organizations need to perform is watching what and who is coming in and going out of your network 24X7. Implementing a Security Information Event Management (SIEM) platform that can consolidate all the logs and correlate them can help reduce the effort in identifying threats. Many of these technologies have advance AI and threat detection capabilities that can help reduce the number of data points your team needs to look at. If you do not have a SIEM or the resources and expertise needed to monitor the inbound and outbound activity, you need to strongly consider contracting with a Managed Security Services Provider (MSSP). These organizations become your front-line to identifying potential threats. Not all MSSPs are the same, you will need to research what capabilities you need as well as whether their pricing model matches your budget.

Other Critical Security Programs Components of Your Security Program

Training

Implementing a good Security Awareness Program is critical as the weakest link in your security program is you end users. More than 85% of all breaches involved human error of some kind. It is critical to ensure your employees understand their role in protecting sensitive data and how to recognize a potential breach. Phish and social engineering attempts are increasing dramatically in the time of Coronavirus and are directly targeted at your users and the ability to recognize this is critical. Training should be ongoing as well as onboarding and periodical testing of comprehensive is important. Many Security Awareness platforms incorporate Phish Testing.

Testing

An Information Technology infrastructure in not static. Changes to systems and networks are daily routine. Every time a change is made there is a potential of introducing a new vulnerability into the environment. Regular vulnerability scanning, both internally and externally need to occur at least quarterly. Penetration Testing needs to be performed at least once a year or when a major system is upgraded or new system is added. Security Officers should also consider performing a detailed Application Penetration test annually and before deploying a new or revise application. 

Incident Response and Business Continuity Plans

Every organization such build both an Incident Response (IR) plan and a Business Continuity(BCDR) plan prior to experience and security event. The IR plan details the process needed to respond to an event. The steps needed to be taken, who needs to be contacted. The BCDR plan details the steps and actions that need to be taken if one or more locations/functions of the organization can no long function.  Both the IR and the BCDR plans should be tested annually to determine their effectiveness.

Conclusion

In summary, organizations looking to mature their Governance, Risk and Compliance Strategy must ensure they implement all three programs (Risk Management, Compliance Management and Information Security). Omitting any of these steps will leave large gaps in your ability to manage the threats and vulnerabilities within your operation. In addition, it will limit critical information needed by Business Leadership to make decisions on how to address their risks. 

Lastly, my recommendation is to find a partner who has the experience and a holistic view of how to implement a Governance, Risk and Compliance Strategy and can guide you through the process.