Continuous Cyber Attacks: Achieving Operational Excellence for the New Normal

Cyber-attacks are nothing new, but their consequences have recently become more significant. The expansion of the Internet of Things (IoT), the proliferation of connected devices and the growth of cloud computing all mean that an organization’s “attack surfaces” are growing. For example, by linking their ATMs to their networks, banks have made them accessible to hackers; and oil and gas companies are connecting refineries, plants and pipeline management systems across networks, sometimes using the internet to enable vendor system management, which opens the door to cyber-attacks. This target-rich environment makes it easier for hackers to find an entry point into organizations. At the same time, the consequences of security breaches are increasing for CEOs and CIOs, raising the personal and professional stakes for top managers.1

Achieving best-practice operational effectiveness can deliver a wide array of security-related benefits, ranging from fewer successful incursions to faster response times to quicker recoveries when attackers do hit. A strong security ground game can also reduce costs and risks for the business. However, many companies continue to struggle to attain this level of performance for a variety of reasons.

Organizations lack critical technologies and skills

Experience suggests that security operations lack sufficient rigor and consistency, and that key people remain unaware of company vulnerabilities. Organizations often employ a grab bag of ad-hoc processes and capabilities that offer varying levels of effectiveness. What’s more, many still don’t practice good enterprise-wide “security hygiene”—including basics such as access control, two-factor authentication, rigorous vulnerability management and password policy compliance. And for most, the number one operational problem boils down to people and skills—both in the business at large and among security professionals. In the current high-turnover environment, firms often expose themselves by having only one person responsible for a security area, such as malware reverse engineering or incident response. If that person leaves, all of the knowledge goes with him or her.

Another issue is that the cyber defense capabilities at many organizations exhibit increasing amounts of “noise” that mask valid threats coming both from outside and within the organization. The constantly changing IT environment that characterizes most large enterprises can make it extremely difficult for the security team to keep track of and protect critical information. For example, most leaders intuitively know what the company’s digital “crown jewels” are—they may be customer data, a secret “recipe” or operational algorithms. Ensuring that the security team knows where to find these resources, however, requires robust information asset-management approaches, which can prove challenging because of business needs that may require the IT infrastructure to flex and change to meet new demands. Keeping track of such issues requires security staff to improve their “soft skills” in order to become more effective in engaging and partnering with the business.

What’s more, new approaches such as software-defined infrastructure (SDI), which deploy network, compute and storage resources as services, can make assets more dynamic in terms of where they reside and what they can do within the network topology. While SDI can boost infrastructure security, it can also blur the context that security teams rely on at the operational level to understand normal versus abnormal behavior.

Likewise, security often has insufficient visibility into the organization’s “asset landscape” due to the limitations of the tools and processes it uses. For instance, a security analyst might receive an alert that a potential attack is happening on the network, but because of limited access to the necessary information and people, he or she will spend hours or days attempting to figure out the problem. Yet another hurdle is time itself: Where most breaches happen within a few days, the industry takes seven to eight months on average to detect them. Closing this gap should be a mandate.

@AccentureSecure

Even the best cyber defense strategy will fail if it’s not executed effectively. A security team’s “ground game” will determine how well it detects and responds to cyber-attacks, but many organizations fall short in this area. They lack the right mix of talent and capabilities as well as a robust cybersecurity model that can drive appropriate action when threats appear.


Achieving operational excellence in cyber defense

Organizations have a number of specific steps they can take to improve their security operations, which range from fundamental actions to advanced measures such as the use of “sparring partners.”

• Assess security capabilities. Evaluate the security processes the company currently uses in terms of their effectiveness when responding to a threat. The arrival of major new sources of data, such as the Internet of Things and cloud computing, is complicating this challenge. While many organizations understand the issue from a theoretical perspective, introducing real-world elements such as the use of “sparring partners” (see below for a description) can help security teams test the practical effectiveness of their defenses.

• Invest in talent where it makes sense. Given the almost daily reports of new, high-profile cyber-attacks, demand for top security talent has skyrocketed, making it increasingly difficult to attract and retain good security talent. Organizations need to create new value propositions that go beyond compensation, such as providing access to cutting-edge tools, training, and peer and industry knowledge sharing. Other incentives include the chance to participate in conferences and opportunities to innovate by adapting tools and technologies to new applications. Given budget realities, organizations also need to understand which capabilities really matter and outsource those that do not.

• Automate intelligently. Understand the time-consuming and frequent tasks within security operations that occupy staff, and investigate the prospects for automating them in order to focus talent on tougher challenges. Hackers clearly hold the high ground today as attack surfaces proliferate. Consequently, good security organizations are taking steps to replace their current reliance on “eyes-on-glass” with automation that can help them to deal with basic threats like “spear phishing,” where the attacker personalizes emails sent to recipients. Currently, many organizations do this work manually. However, with organizations having to address rapidly increasing volumes of security data, they need to scale their responses appropriately using automation to address the “noise” in security.

• Contextualize the collected threat data. Security teams often lack situational awareness when an incident occurs. They need to know what it means for the business, who the players are, what the priorities are, and whether they can act based on the information at hand. Organizations must determine whether the security team understands enough about specific assets to contextualize threat data effectively. For example, as the business expands, security needs to know what to look for in the threat feeds and how it ties to the growing attack surface. They also have to keep things up to date: one organization created a security monitoring system but failed to update it on a timely basis, with the result that within a year the system covered only 70 percent of the expanding service.

Accenture.com/CyberDefensePlan

• Know what you don’t know. Identify the types of questions that security can’t answer with its current capabilities, and then pinpoint the data needed to operate effective analytics and provide clarity. It’s also possible that the company isn’t asking the right questions, or doesn’t have the visibility required to see the needed data, especially given the rapidly expanding digital attack surfaces it needs to cover with the growth of the cloud and other network elements. The ideal complement to strong situational threat awareness is a comprehensive understanding of the company’s defense capabilities and the ability to control them effectively.

• Invest in a highly efficient operating model. Several models exist that align IT services with the needs of an organization’s business side, providing a touchpoint for developing effective security operating strategies. Given the near-constant rate of change that IT functions undergo as companies integrate massive new cloud and IoT assets into their networks, companies need to manage the evolving role of the security organization in terms of risk management, business liaisons, the use of “hunting teams” and staff job rotations. Furthermore, experience confirms the importance of creating a balance among the time spent running the security operations, implementing new technologies, and testing the organization’s security posture. Companies also need to establish a strong feedback loop that updates their defenses when incidents do occur.

• Find a sparring partner. It can be difficult to improve the maturity of cybersecurity capabilities without the equivalent of a boxer’s sparring partner. For example, after mastering static “punching bags,” firms need a life-size opponent to drive additional improvements. The sparring partner needs to apply all of the attacker’s creativity and intent to ensure that the company’s security innovations keep pace with the latest hacker advances, which continue to increase exponentially. That means engaging all of the business stakeholders: insurance, risk management, marketing and communications, legal staff, the fraud team, and so on. Done right, the sparring partner approach replicates real-world attacks to a far greater degree than is possible by running tabletop exercises, working through compliance checklists or conducting an annual penetration test. The approach reflects a statement by Joe Louis, past heavyweight boxing champion, who declared, “Everybody has a plan, until they’ve been hit.”

Defining an effective operational model

A successful cyber defense plan hinges on a 360-degree approach and a relentless focus on business impact. Enterprises need well-trained employees who can act on clear-cut incident response plans and procedures for handling everything from a zero-day vulnerability (an undisclosed computer application vulnerability) to a large-scale, public breach. Best practices demonstrate what truly sets a good cybersecurity operating model apart. Such a model helps the security team prepare for and protect against a breach by providing usable threat intelligence and actively managing vulnerabilities. It then enables security to defend against and detect intrusions using advanced analytics and by monitoring critical assets. Finally, it makes it possible for the organization to respond and recover effectively by employing active defense strategies and actively managing security incidents.

Leading organizations drive their security operations based on actionable threat intelligence. Consequently, they need a model that’s capable of informing security about current threats. Specifically, cyber defenders need to understand what tools, tactics, and procedures attackers are using against the organization on a daily basis. In other words, once something trips a trigger, what does security do about it? Block it using automation, contain the system, and study the intrusion—or all three? The only proven way to determine the correct response is to practice and train for different types of incidents on a constant basis. That’s because organizations typically can’t accumulate enough generalized knowledge to deal quickly with new attacks from an enterprise-wide perspective.

Key elements of the model include:

• Forward-thinking capabilities that help to scale security activities in order to deal with anticipated threats and prepare teams for the challenges driven by new IoT, cloud and product development realities.

• An IT strategy that specifies what an asset is. This means using advanced operational monitoring techniques to look beyond the hardware and where it’s “plugged in.” Security teams also need to gain a greater understanding of the identities, data sets, and technical and business functions that reside in their environment. They need strong vulnerability management capabilities to know which security threats can greatly affect the business as a whole, and how different elements of these threats relate to each other.

• High-powered analytics capable of preempting and detecting incidents. Companies need the ability to identify changing behaviors that indicate security risks in systems, networks, users and business processes. In fact, recent fraud cases show that changes in the execution of processes within a business can be threat-related.

• An emphasis on visualization to identify anomalies quickly as the volume of security data increases. From an operational monitoring perspective, reading through logs and text to understand what’s happening is too slow today, given the flood of digital information coming from the IoT and the cloud.

• Platforms that guide security operators in hunting for unknown threats within security data, to help companies to detect incursions more quickly.

• A focus on training the way the company will actually fight attackers, which is the best way to prepare the security team for real-world adversaries. Activities should exercise both the security operations and their tie-in with strategic channels in the business.

The models used by organizations with effective cyber defense operations share a number of attributes. They start with a big-picture strategy of how security efforts support business performance and include detailed, proven processes and roadmaps customized to the organization. They establish effective communication channels and relationships with IT, the business and outside service providers. They clearly define the roles and responsibilities of the teams that manage the cyber defense capabilities regarding how they need to work together. They conduct security operations monitoring with a consistent focus on what matters to the business. They concentrate on incident response, threat intelligence, technical intelligence and vulnerability management. Proactive organizations also include security analytics and active defense measures. Finally, they address governance and decision-making issues, staffing requirements and ways to measure success on a comprehensive basis.


[Figure: Cyber Security Lifecycle Model. Phases shown on the ring: Prepare & Protect; Defend & Detect; Respond. Capability labels shown: Strategy & Business Alignment; Assessment & Architecture; Governance, Risk & Compliance; People & Culture Change; Application & Data Security; Platform & Infrastructure Security; Digital Identity; Vulnerability Management & Threat Intelligence; Advanced Adversary Simulations; Security Monitoring; Cyber Threat Analytics; Incident Response; Remediation. Outer-ring labels: Transformation; Strategy; Managed Security & Cyber Defense.]


Conclusion

An organization’s cybersecurity game plan needs the right mix of talent, skill, capabilities and technology. However, it also requires something more: a robust operating model that focuses the company’s risk management strategy to accomplish three goals:

1. Prepare and protect: prepare for and protect against the challenges ahead by delivering useful threat intelligence and providing a vulnerability management program that supports the company’s business strategy.

2. Defend and detect: defend against and detect threats using a combination of advanced security analytics and advanced operational monitoring capabilities.

3. Respond and recover: respond to and recover from attacks quickly and with the least exposure possible by employing state-of-the-art security incident management approaches and adopting an active defense strategy.

There are few signs that the brutal assault on the digital assets of companies and institutions worldwide will diminish anytime soon; in fact, the opposite is probably true. Given this risk-filled environment, firms need the best operational security capabilities possible if they hope to attain the cohesion and clarity required to defend the organization’s most valuable digital assets.


Contributors

Bill Phelps, Managing Director, Global Security

Ryan LaSalle, Managing Director, Security Growth & Strategy

Kevin Oswald, Managing Director, Global Cyber Defense and Managed Security Services

Harpreet Sidhu, Managing Director, Cyber Security Lead - Energy North

Patrick Joyce, Senior Principal Information Security, Global Security

Matt Carver, Senior Manager, Security Research & Development

About Accenture

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With approximately 373,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.

DISCLAIMER: This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.

Copyright © 2016 Accenture. All rights reserved.

Accenture, its logo, and High performance. Delivered. are trademarks of Accenture.

References

1. Secure State, C-Level Executives No Longer Immune to the Effects of a Security Breach, July 31, 2015. https://www.securestate.com/blog/2015/07/31/c-level-executives-no-longer-immune-to-the-effects-of-a-security-breach