The phrase ‘time to…’ is most often heard in the expression ‘time to market’. In the security industry it has been used in relation to the ‘time to monetize’ an exploit. In their updates to the industry, security vendors have shown for many years, among other examples, how malware writers have been shrinking the gap between the discovery of a vulnerability and the availability of an exploit. The criminals who use these exploits have been working to reduce their ‘time to’ across all the services they offer, as well as those they receive from others in the underground economy.
Research has shown how the underground economy is very organized, specialized and geared to respond very quickly to the changing needs of its users, based on the changing needs of the end targets: you, me and the organizations we work for, use, trade with, buy from, etc. The basic principle of this phrase ‘time to…’ is that there should be a very short time frame before achieving the desired result, and that if this period decreases over time, it provides additional competitive advantage.
For those operating in the underground economy, this is a very important point. Not only do criminals want to quickly attack a target without being detected, but they also want to do it before their competitors (i.e., other criminals). To do this, the cybercriminal’s tools will have to provide a better ‘time to’ factor than the ones used by the competition.
In the online world, “criminality has taken advantage of agility to get their ‘product’ to market”, asserts John Walker, chair of ISACA’s Security Advisory Group for its London chapter. The visiting professor at Nottingham Trent University compares this to decision making in the enterprise environment, an approach he characterizes as the “water-falling of decisions”.
If we contrast this type of competition with that of the business world and relate it to security, my experience shows that, in most cases, an enterprise doesn’t want to have the best security among its peers – it just wants to be above average. Read between the lines and this implies a mindset of ‘as long as other organizations have worse security than ours, they are more likely to suffer a successful breach than we are’.
Nevertheless, even where having a good security posture isn’t about simply having above-average security, countless reports each year illustrate how – regardless of any approach – security just isn’t working for many organizations. One only has to take a look at the Data Loss Database, or the recently published ‘ENISA Threat Landscape Report’ (which pulls together around 120 reports from 2012). Data breaches are not only on the up, but the implication is that they will remain so for a long time to come.
Competing Conventions
It’s always been obvious that security professionals will never be able to play by the same rules as criminals, but what has changed to make the rules seem so far apart?
Certainly, these factors have not changed and have been known for many years:
- Security professionals must use a risk-based approach to how they spread their resources and, consequently, they don’t aim to protect everything. Criminals, on the other hand, only have to find a single point of weakness. This still applies, as it always has.
- Security professionals operate in an environment that is slow to make decisions, but a criminal does not have to go through a corporate decision-making process and is therefore more agile.
- Security professionals not only have to ensure their actions are within the law, but they also have to comply with industry regulations. This has not changed.
- The surface area that needs to be secured by security professionals has been growing at a breakneck pace, which makes the work of identifying a way into an organization’s network easier. This, too, has been known for some time.
- The publicly available tools used for penetration testing or hacking are getting better, and they are accessible to both pen testers and criminals. The tools sold in the underground economy, however, turn vulnerabilities into working exploits ever faster. This has not changed.
- The creative technique used in newer malware is copied/shared by other malware writers. No change here.
This list could go on, but it does illustrate the point that as security professionals, we are smart enough to identify these and other boundaries that we have to work within.
What has changed most significantly is that many security professionals haven’t factored in the cumulative effect of all the aforementioned factors on their ability to respond quickly. Put as a single statement: between regulatory compliance, governance policies and procedures, the risk management approaches we use to get the best out of our budgets, and the newer technologies that demand our attention, security professionals are not geared to make very fast decisions. So, by default, over the last several years our ‘time to…’ has been getting longer.
For a criminal, on the other hand, tools have improved, greater connectivity has meant more applications with more vulnerabilities, the attack surface has enlarged, many people use more than one IP-connected device, and there are more people supplying increasingly specialized services. As a result, the default for cybercriminals over that same time period is that their “time to...” has been getting shorter.
Carlos Solari, former White House CIO and consultant with Incoming Thought, agrees with this observation. “The trending direction”, he says, is that the “criminal market has improved its ‘time to’,” while both public and private sector organizations “worry more, spend more, yet get worse at the essentialness of the conflict, which is improving time to detect and respond”.
A Clear Focus
One of the questions that arises out of this observation is: ‘So what?’ On the one hand I’m telling you it’s inevitable that you are going to get hacked, and on the other I’m telling you that we are where we are, and that the gap between the two sides in this battle will continue to widen. So what?
Well, it doesn’t have to be this way. There are organizations out there that have used metrics to change their internal procedures to decrease their ‘time to…’ and respond to risks on a year-by-year basis. They made conscious decisions that focused on reducing their time to respond to any activity that may have costly implications.
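The year-by-year measurement the previous paragraph describes can be made concrete. The script below is an added example, not code from the article or from any organization it mentions: it takes incident records (an incident id, the earliest evidence of compromise found by forensics, the time the security function detected it, and the time it was contained, blank while still open), computes time to detect and time to respond for each, reports medians per year of detection, labels each year as improving or worsening against the previous one, and lists incidents whose attacker went unnoticed for more than a year. The record layout and the sample records are constructed for illustration; medians are used deliberately so that one long-dwell incident does not mask the typical case, while the per-year maximum still exposes it.

```python
"""Year-by-year time-to-detect / time-to-respond metrics from incident records.

Added example; not code from the original article. The record format and
SAMPLE_RECORDS below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

# Constructed sample data (not real incidents). Fields:
# id, first evidence of compromise, detection, containment ("" if still open).
SAMPLE_RECORDS = """\
INC-001,2010-03-02T09:00,2011-11-20T14:30,2011-11-25T10:00
INC-002,2011-06-14T08:00,2011-07-01T09:15,2011-07-03T17:00
INC-003,2011-01-10T12:00,2012-02-02T08:00,2012-02-09T12:00
INC-004,2012-04-03T10:00,2012-04-20T11:00,2012-04-21T09:00
INC-005,2012-09-01T00:00,2012-09-03T07:30,2012-09-03T15:00
INC-006,2007-05-05T03:00,2013-01-14T10:00,
INC-007,2012-12-20T22:00,2013-01-02T08:00,2013-01-02T20:00
"""

DAY = 86400.0


@dataclass
class Incident:
    ident: str
    first_compromise: datetime     # earliest attacker activity found by forensics
    detected: datetime             # when the security function became aware
    contained: Optional[datetime]  # when the activity was stopped; None if still open

    def time_to_detect_days(self) -> float:
        """Dwell time: how long the attacker was inside before anyone noticed."""
        return (self.detected - self.first_compromise).total_seconds() / DAY

    def time_to_respond_days(self) -> Optional[float]:
        """Detection to containment; None while the incident is still open."""
        if self.contained is None:
            return None
        return (self.contained - self.detected).total_seconds() / DAY


def parse_records(text: str) -> List[Incident]:
    """Parse the CSV-style records; a blank 4th field means 'not yet contained'."""
    incidents = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ident, comp, det, cont = line.split(",")
        incidents.append(Incident(
            ident,
            datetime.fromisoformat(comp),
            datetime.fromisoformat(det),
            datetime.fromisoformat(cont) if cont else None,
        ))
    return incidents


def yearly_metrics(incidents: List[Incident]) -> Dict[int, dict]:
    """Group by year of detection; medians so one outlier does not hide the norm."""
    by_year: Dict[int, List[Incident]] = {}
    for inc in incidents:
        by_year.setdefault(inc.detected.year, []).append(inc)
    out: Dict[int, dict] = {}
    for year in sorted(by_year):
        group = by_year[year]
        ttd = [i.time_to_detect_days() for i in group]
        ttr = [r for r in (i.time_to_respond_days() for i in group) if r is not None]
        out[year] = {
            "count": len(group),
            "open": len(group) - len(ttr),
            "median_ttd_days": median(ttd),
            "max_ttd_days": max(ttd),          # the worst dwell time that year
            "median_ttr_days": median(ttr) if ttr else None,
        }
    return out


def ttd_trend(metrics: Dict[int, dict]) -> List[tuple]:
    """Label each year against the previous one by median time to detect."""
    years = sorted(metrics)
    result = []
    for prev, cur in zip(years, years[1:]):
        a, b = metrics[prev]["median_ttd_days"], metrics[cur]["median_ttd_days"]
        label = "improving" if b < a else ("worsening" if b > a else "flat")
        result.append((cur, label))
    return result


def long_dwell(incidents: List[Incident], threshold_days: float = 365.0) -> List[str]:
    """Ids of incidents whose attacker went unnoticed for longer than the threshold."""
    return [i.ident for i in incidents if i.time_to_detect_days() > threshold_days]


if __name__ == "__main__":
    incs = parse_records(SAMPLE_RECORDS)
    for year, m in yearly_metrics(incs).items():
        print(year, {k: (round(v, 1) if isinstance(v, float) else v) for k, v in m.items()})
    print("trend:", ttd_trend(yearly_metrics(incs)))
    print("dwell > 1 year:", long_dwell(incs))
```

On the constructed data the 2012 figures improve over 2011, then 2013 is pulled back up by a single incident first compromised in 2007 and found only years later; that is exactly the kind of record a budget holder should be shown alongside the median, and why the per-year maximum and the long-dwell list are reported separately.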
Organizations that lack this focus suffer from structural deficiencies, says Solari, an observation he insists is well understood among cybersecurity experts. “Clearly, the choice to give up is not a choice at all”, he adds. “We could – if it were not so damned inconvenient that it would mean giving up on things like national economic competitiveness, or the viability of critical infrastructure”.
The challenges of reducing an enterprise’s time to action do not simply lie in having that focus, but also in getting the pre-requisites right.
The pre-requisites to help focus on reducing an enterprise’s time to respond include:
- A good understanding of all assets and their value to the organization
- A value assessment of those assets, which drives the patching list: what needs to be patched, which systems are already current, and where the latest patch should not be applied because it interferes with a critical business application; in those cases work-arounds should be identified and documented for every application in use
- Having tested and optimized business continuity management and disaster recovery plans
- Employing technology that facilitates quality network intelligence
- Establishing procedures that respond to new technology uses
- Maintaining a single, centrally held risk register
- Security policy and procedures that are customized for the organization (even if they have been downloaded from the internet)
- Established incident response procedures
This list doesn’t seem too onerous, yet it is surprising how many large organizations still have not let their security managers put many of these items in place. But what is the next step once an organization has these things in place, and what are the benefits?
Training for Speed
The first activity to consider is completing this pre-requisite list, which provides an organizational baseline. It is important that the baseline is established and recognized as such, because it can and should be improved upon. Next, create an organization-specific threat model register that identifies all perceived threats, with documentation covering: assumptions; entry points; assets affected; rankings of the threats; controls; threat analysis; counter measures; and mitigation strategies. The key is to test these items appropriately and keep them up to date.
Threat modeling for applications has been around for more than a decade, but it has most recently been applied to wider security threats. Use the risk register and create a ‘Paranoid Risk Register’; this one is the not-so-conservative version, and you should create a list of the major differences between the two. This register, as always, will need updating as conditions change.
It is also wise to bring existing vendors in to help fine tune the intelligence you get from your technology, so that they are in line with the outputs from your threat models and the Paranoid Risk Register.
Finally, determine those areas where agile decision-making is possible, and those areas where it is not. This will help provide a list of items you will want to decrease the response time for action over a defined period.
What benefits can an organization expect from doing all this effectively? The first by-product is a current security baseline for the organization. The process also orders the current threats and risks to technology into intelligence about what is known and what is not.
Some of the output from the threat models will identify which emerging technologies need a watchful eye, and the responses that may be required.
Rounding out the benefits, you will develop a prioritized list of actions, activities, and decisions that can be improved upon by your organization.
What I believe this will provide is a continuously improving ability to detect and appropriately identify situations that require a response, with various response options based on good intelligence. In other words, the ability to improve the security function’s ‘time to’ responses.
The recent analysis of the Red October threat by Kaspersky Labs showed how a piece of malware had been spying on several organizations – for up to five years in many cases. The security industry must tackle this type of event or risk losing the confidence of budget holders. Security professionals must have the intelligence to respond to a successful attack much sooner than several years after a breach.
Decreasing the security department’s response time is a challenge, and it’s not one set by me, employers, law enforcement or regulators. It is a challenge that is in response to criminals getting ahead, and being able to respond quickly because of the underground economy’s streamlining.
Sarb Sembhi is the chair of the ISACA Government & Regulatory Advisory Sub-Committee for Europe and Africa, and a past-president of its London chapter. He is currently the director of consulting services at Incoming Thought.