How CISOS deal with advanced cyber threats

CYBER SECURITY INSIDER – EBOOK 2/3

A research report about the current state of advanced cyber security in Europe

How CISOs deal with advanced cyber threats

2CYBER SECURITY INSIDER – EBOOK 2/3

The changing face of cyber security



The faster IT evolves, the harder it becomes to secure.

So while IT’s recent evolution into a leaner, more agile business function has been thrilling for all the right reasons, it’s also made the CISO’s job exponentially harder.

For one thing, while the paradigm of companies hosting their own services, machines and networks had many flaws, it did give you full control over storage, network connectivity and security.

This kind of control and oversight is sorely missing now that you’re dealing with externally hosted cloud solutions, multiple network connections, huge volumes of data passing through applications from multiple vendors and a growing range of mobile devices.

More important, the attackers you’re up against are increasingly sophisticated and the nature of their attacks are increasingly innovative and unpredictable.

Securing your infrastructure and rapidly responding to breaches has never been harder – or more important.

To cut through all this complexity, we spent the past year conducting in-depth interviews with twenty-six CISOs, from several verticals, across Europe and the United States.

We talked to them about the challenges they’re facing, how they’re set up to deal with advanced cyber threats and targeted attacks and what their overall cyber security strategies look like.



Needless to say, the overall state of European cyber security is nowhere near where it can or should be. But you can’t deploy a comprehensive cyber security strategy without knowing what your options are. And you can’t compare yourself to everyone else until you know how everyone else is doing.

In this eBook, we’ll give you a summary of the most common trends and issues we uncovered through those twenty-six in-depth conversations. On the way, we’ll explain the limitations of some of the more common approaches to cyber security, as identified by your peers.

Let’s dive in.

Note: We don’t sell any of the solutions we’re covering in this eBook.

Europe still playing catch-up

Our research found some massive differences in the maturity levels of the US and European companies we studied.

On the whole, US companies were a lot more committed to cyber security, spending roughly twice as much as European companies.

In terms of approach however, US CISOs were largely doing their own research, buying their own products and implementing their own infrastructure.

While Europeans were mostly interested in purchasing managed services to deal with cyber security.

That may sound like US CISOs have it all figured out. But for reasons we’ll discuss later in this eBook, doing it all yourself isn’t necessarily the right move. So while European CISOs do need to catch up in terms of their commitment to cyber security, they are making some very smart choices.


The current state of advanced cyber security



Most of the companies we spoke to were struggling with poor levels of security awareness, insufficient defensive measures and severely impaired contingency planning.

That’s because, like most companies, they weren’t investing enough into getting cyber security right. So we compiled all the reasons CISOs and IT managers gave for not committing more to cyber security, and found five distinct groups:

All of our infrastructure is strictly regulated. Our servers

are not reachable from the internet. It’s impossible for anyone to hack us.

We have systems analyzing our emails. None of our employees

open spam. Cyber security is quite easy. We don’t let people bring in USB sticks or CDs.

1. The “old-school” crowd.

This group was under the assumption that their decades-old protection methods were still foolproof in 2016.



2. The “too small to fail” crowd.

This group figures they’re too small to be an interesting target – security through obscurity.

We’re too small to be the focus of organized crime

groups or foreign governments. We’re just not all that interesting. (A 3500 employee company)

We are not that big. Big companies are the ones that

we expect to be hacked. I don’t think we stand to lose a lot of money, even if we do get attacked.



3. The “security isn’t important” crowd.

This group believes they have bigger fish to fry.

Don’t bother me about that stuff. I’m migrating my

datacenter to the cloud.

Paying for security is like buying expensive insurance,

and there’s little need, since we’ve had no incidents.



4. THE “KNOW-IT-ALL” CROWD.

This group assumes an Incident Detection System (IDS) implementation from years ago has them covered because they aren’t seeing a whole lot of alerts coming out of it.

I think I would know if we were being hacked, although perhaps

not if the Russian government or NSA were doing it. We log everything. We are checking for specific patterns on the network. We’re safe.

I think we are in a good position regarding security. We have

less than two or three minor security issues per year. If it stays like this, I’m happy.



5. The “we get it” crowd.

This group knows the risks, and more importantly, knows they haven’t done enough to address the problem. They’re worried that they’ve already been hacked.

I think it’s likely we’ll be attacked at some point. We are probed

every day, but we’ve never seen any damage being done. Given that the risk is high, we’re investing money into trying to prevent attacks.

We would not know if advanced criminals were hacking us.

On the whole, while a fair number of the CISOs we interviewed did understand the risks of targeted attacks, most CISOs are being forced to use a great deal of creativity and corner-cutting to make their tight budgets work.

On the one hand, this speaks to the challenges of getting management buy-in for your cyber security needs. But it also indicates how little most business leaders know about the very real threats to their business.


Static defenses: predominant but not enough


Our study found that the following preventative measures were the most commonly deployed:

• Centrally managed endpoint protection• Firewalls or next-generation firewalls• Network segmentation• Well-configured access control lists• Application white-listing mechanisms• URL blocking mechanisms• Mandatory disk encryption• Frequent over-the-network backups• Enforced VPN connectivity to the company network


The first thing you’ll notice is that most of these defensive measures are static in nature. That is, they’re simply preventative measures that bolster your perimeter. The problem is that while static defenses do hinder attackers, they aren’t guaranteed to prevent them.

As a result, it isn’t enough to build and maintain a solid defensive perimeter. Your cyber security strategy needs to be dynamic and proactive enough to deal with modern threats, leveraging situational awareness, incident response, contingency plans, and extensive, up-to-date threat intelligence to be comprehensive.

Put another way, you need to be able to answer the following questions if you want to implement a robust security architecture:

- Can I track everything moving through my internal network?

- Which communication paths are encrypted and which aren’t?

- How can I spot known malicious traffic or analyze traffic patterns in my network?

- How can I find out if something malicious happens on an endpoint?

- Do I know about all of the software on my network and whether it is patched?

- How can I forensically investigate a system when it gets compromised?

- How do I find out what is happening on my web or application servers?

- How do I track the creation of accounts on each machine in my organization?

- How can I track all authentication attempts in the systems on my network?

- Can I see when a user tries to access a file they don’t have permissions to access?

- Can I identify when someone abuses privileges to gain access to data they normally shouldn’t be touching?

- Do we have a coherent incident response plans?

Static defenses: predominant but not enough

The static defensive measures we listed above, while popular, simply cannot help CISOs answer these questions.

Which is why so many CISOs turn to more proactive solutions for incident detection and security operations, the likes of which we’ll discuss in the next chapters.


SOLUTIONS IN FOCUS: SOC and SIEM


For many years, purely defensive security measures were considered enough. But the increasing complexity of corporate infrastructures and the growing sophistication of attackers mean that if you aren’t proactively looking for incidents, you’re bound to miss out – and likelier to get hacked.

The good news is that a lot of the CISOs we interviewed were planning to or had already deployed Security Operations Centers (SOCs) and Security Information and Event Management (SIEM) systems.

That’s important, because a properly configured SIEM gives SOC staff a comprehensive data set with which to detect intrusion attempts, breaches and anomalous behavior inside a network.

Even beyond detecting threats, they also make it a lot easier to audit an organization’s IT and security infrastructure so you can manage and maintain compliance with local or industry regulations.

But here’s the thing: an SIEM is only useful if it’s configured and fine-tuned to trigger alerts on valid events.

And configuring an SIEM to provide relevant, actionable incident reporting information can be a painstaking process that ultimately involves a lot of trial and error. The trouble is if you get this early configuration process wrong, you’ll be drowning in false positives.

SOLUTIONS IN FOCUS: SECURITY OPERATIONS CENTERS (SOC) AND SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) SYSTEMS


Configuring an SIEM

1. SIEM systems must first be set up to capture and aggregate data from multiple sources within the organization.

2. Then, events must be correlated over multiple separate streams so you can identify suspicious or anomalous activity across multiple boundaries.

3. Finally, since you’re dealing with such large volumes of data, you need to fine-tune the system to cancel out all the ‘noise’ and capture real incident indicators.

While your SIEM can eventually be configured to aggregate data from a wide range of sources, it only ever gives you a fraction of the picture at any given point in time.

That’s because you need to be pruning your information streams as they arrive to make sure huge volumes of data aren’t overwhelming your team and your infrastructure. In fact, if you need to store detailed historical data for audit trails or forensics, you’ll only find yourself drowning in more data.

So while SIEMs do give you the kind of comprehensive data set you need to analyze the state of your corporate infrastructure, if you aren’t careful, they could end up flagging so many false positives you actually ignore the real, advanced, persistent threats.

An important – but incomplete view



Getting SIEMs right

Our advice: when it comes to configuring your SIEM, start by carefully constructing a set of use cases based on an in-depth knowledge of the threats and tactics, techniques and procedures that are most likely to target your region and industry vertical.

You can get this data through research or tactical threat intelligence feeds (more on these later). Once you’ve constructed these use cases, you’ll know which data sources to collect, how to correlate them, how to configure alerts, what data to prune, and how long to retain collected data.

As a final step, you should test your system against real-world attack scenarios to make sure your strategy is sound.

Of course, you should be repeating this whole process regularly, as the threat landscape changes.



Deploying SOCs and SIEMs

If you haven’t already started deploying an SOC or an SIEM, our advice would be to look into Managed Security Service Providers (MSSPs). With an MSSP, you can avoid the costs and lengthy projects required to research, purchase, deploy and configure SOC and SIEM. You’ll also spend less time and money hiring a staff of competent security experts.

The importance of SOCs

A well-configured SIEM presents a series of dashboards and ‘radiators’ conveying critical counters, graphs and alert indicators. Of course, all this well-organized information is of little use unless you’ve got people monitoring it around-the-clock.

Some of the companies we interviewed had set up a Security Operations Center (SOC) as a central point for security experts to efficiently communicate, collaborate and keep their eyes on the right data.

An SOC is great because it promotes an environment where experts can share their knowledge of the organization’s infrastructure, security alert levels, and the global threat landscape.

SOCs are traditionally manned in shifts, and some compliance regulations require a minimum number of staff at any given moment. Although establishing and operating an SOC can be expensive and resource consuming, it does make sure cyber security is constantly evaluated and monitored, so you can respond to incidents in a quick and efficient way.



SOLUTIONS IN FOCUS:IDS and IDP


Due to a relatively low barrier to entry (there are a number of commercial IDS solutions that come as stand-alone solutions or managed services), a lot of the CISOs we interviewed had already deployed an IDS on their networks.

In practice, IDS and IDP systems provide a slightly superior level of visibility into opportunistic and targeted attacks than SIEMs.

The trouble is that most companies turn to network-based IDS systems. These systems, unfortunately, have three crucial limitations:

They can’t cope with noise on the network, and are therefore prone to false alerts. Since real attacks happen infrequently, indicators of these attacks will often go unnoticed.

They can’t process encrypted network traffic, which is becoming increasingly common both on the Internet and on company internal networks.

They’re susceptible to protocol-based attacks and can’t properly process faked IP packets.

SOLUTIONS IN FOCUS:INTRUSION DETECTION SYSTEMS (IDS) AND INTRUSION DETECTION AND PREVENTION SYSTEMS (IDP)

But perhaps the most important issue with network-based IDS systems is that the nature of corporate networks is changing. Today, employees switch between different devices, use a range of public and private cloud applications and use different network connections for different services.

The edge of the network is incredibly dynamic. So a network-based IDS system is only useful if it can account for all this variability.

And while the IDS industry has matured quite significantly over the last few years, with the latest IDS systems adopting new approaches to network security, they still lack the agility

and intelligence needed to protect against modern threats.

Specifically, they still struggle to deal with large amounts of noise and give you way too many false positives. So attackers can still evade most signature-based IDS systems.

The issue with an IDS is similar to the one we described in the previous section on SIEMs: unless it’s carefully configured, it can’t provide the useful, actionable alerts you’re expecting.

Our advice: follow a similar configuration approach to the one we described for SIEM, or, alternatively, choose a managed IDS service.


SOLUTIONS IN FOCUS:Threat intelligencefeeds


Only a few of the companies we interviewed were planning to use threat intelligence feeds. And even fewer were actually using them. In fact, only US-based companies had started to embrace threat intelligence.

Here’s why we believe they’re so important.

SOLUTIONS IN FOCUS:Threat intelligence feeds

When you build and staff an SOC and then deploy SIEM and IDS solutions, you give your staff a huge amount of data and alerts relevant to the security of your infrastructure.

But even a team of well-trained experts will have a hard time crunching, filtering and interpreting the vast amounts of data being collected by these systems.

Threat intelligence feeds – basically information about different types of attacks and attackers – give your team context about the ‘who’, ‘why’ and ‘how’ of cyber threats. That way, when your team’s looking at a vast amount of data, they know which connections will help them identify anomalies and credible threats.


Threat intelligence falls into a wide range of categories, from extremely high-level political and strategic advice all the way down to fine-grained technical data in easily parsed formats. And there are a number of threat intelligence feed services to pick from.

The feeds that most private companies source to support their security infrastructure come from tactical and technical threat intelligence.

Tactical threat intelligence feeds typically describe the TTPs (tactics, techniques and procedures) used by threat actors. They allow your security experts to make decisions about how to configure your systems, which technologies to deploy, and which technical threat intelligence feeds to source.

Technical threat intelligence feeds typically contain lists of malicious data such as URLs, IP addresses, phishing email patterns, C&C server addresses, file hashes, and indicators of compromise.

You can feed them directly into systems (like SIEM) via scripts and automation. The data provided by these feeds is then correlated against other incoming data streams so the system can identify anomalies and threats in your infrastructure.

TACTICAL AND TECHNICAL THREAT INTELLIGENCE FEEDS



Choosing the right feeds

In order to pick the feeds your business needs, you have to start by assessing your processes, your infrastructure and your security requirements. This should include research into the types of threats your region and industry vertical typically faces.

Once you’ve defined your requirements, you need to assess all the available threat intelligence feeds from different vendors to figure out what data, service levels and additional features you’ll need.

Keep the following points in mind:

- The quality of threat intelligence feeds can vary substantially. They can be subject to industry biases and can often contain numerous false positives.

- Although most feeds are provided in standard formats so you can include them into various security systems like firewalls, SIEM and other appliances, some vendor feeds are tied to specific hardware or software.

- Threat intelligence feeds typically follow subscription-based models and are tied to the number of nodes being protected, making them pretty expensive. So it makes sense to interview the feed providers themselves and, if possible, their customers, before you make a final decision.

- You’ll probably need to subscribe to multiple feeds, in the long run, in order to make sure you have access to an appropriate amount of threat intelligence data.

- Once you’ve chosen the right feeds, run further analysis on the feed and automate the process of turning feeds into usable data sources.



Our advice: determine the type of threats your organization is likely to face and then use that information to determine which set of feeds you’ll need to detect those threats.

Additionally, we’d recommend turning to threat intelligence feeds only when you deem them necessary to your security strategy. That moment will become apparent once you have enough infrastructure deployed and running.

By waiting until you need a certain type of feed, you’ll be more likely to make the right choice. And as usual, once you have your feeds in place, test them against real attacks to ensure your strategy is solid.



Threebig lessons


1. If you aren’t seeing security incidents, you aren’t doing the right things.

2. If you’re not constantly improving your cyber security infrastructure, you’re falling behind.

THREEBIG LESSONS

If you’ve gone long periods without any suspicious activity on your network, you should be worried. It’s nice to think that might be down to the fact that not a single thing has gone wrong and no one’s even trying to breach you. But it’s most likely because you just can’t properly detect breaches and intrusions. If you aren’t seeing any incidents, you need to look closer.

The global threat landscape is not only fluid; it’s evolving rapidly. Keeping up with these changes can be an arduous, ongoing process. But it’s crucial. So even if you have SOC, SIEM, IDS and threat intelligence feeds to support you, you need to stay on top of things. That means reading white papers, talking to industry peers, re-testing your systems, evaluating and deploying new technologies and threat intelligence feeds, and constantly accumulating fresh information on the global threat landscape. Cyber security’s a process.


3. Processes and technologies are easy to come by. People are not.

1. Make sure the technology you have in place is carefully configured so you reduce the amount of noise and false positives your people have to deal with.

2. Make sure you work with a small, trusted group of experts, rather than a large group that lacks the right skills.

Good security experts aren’t just hard to find, they’re hard to keep. You’ll want these experts manning your systems at all times, but you aren’t going to get your senior experts doing shift work very easily – they’ll inevitably end up moving into jobs that allow them to work normal office hours. One way to address this dilemma is to scale the reach of your people with the help of technology. The more advanced, artificial intelligence-based automation you have in place, the easier it’ll be for your staff. The key to getting this right is two-fold:

THREEBIG LESSONS


Planning for advanced cyber security


The prevalence and danger of advanced persistent threats has forced CISOs throughout Europe into quickly re-thinking their cyber security strategies.

Our interviews with CISOs from companies in different verticals across Europe and the US revealed that they are approaching the situation by:


- Building and staffing SOC - Deploying SIEM - Installing IDS - Sourcing threat intelligence feeds.

That might sound fairly straightforward. But it isn’t.

In fact, we’ve found that implementation projects of this scale typically run between three and five years. They require planning, industry research, deployment of new products, and massive systems integration efforts involving numerous, complex moving parts.

In fact, because you often need new expertise to achieve all these goals and then to maintain and improve your infrastructure, companies also have to recruit and retain experienced security experts.

So the costs are meaningful.


- The cost of purchasing, deploying, configuring and maintaining SOC, SIEM or IDS is roughly 1,000,000 EUR per year.

- The cost of employing two skilled security experts will often exceed 200,000 EUR per year.

- Individual threat intelligence feeds can run as high as 25,000 EUR per year, and you will need several of these.

THREAT INTELLIGENCE

INTERNAL NETWORK DETECTION (IDS)

SITUATIONAL AWARENESS (SOC/SIEM)

PREVENTIVE (END-POINT PROTECTION & FIREWALLS)



As you deploy and configure these systems and services, you’ll start to experience incremental improvements in your ability to detect attacks and breaches. But if you want to see a tangible improvement in security, you’ll have to wait till the entire project is completed.

These projects move forward slowly, and during the course of a project, costs increase, corners are cut, people leave, reorganizations happen, and delays become inevitable.

We bring up all these challenges because it’s important you don’t take this kind of an implementation lightly.

Some of the organizations we met had performed research, purchased a solution, put it into use and then just left it alone. By purchasing an IDS or SIEM, they had lulled themselves into a false sense of security, even though they weren’t actually seeing any tangible benefits from it.

The waste and inefficiency of all that spend and effort is bad. But what’s worse is taking cyber security for granted and leaving your organization susceptible to attack – even after such serious investment.



Given the massive undertaking and cost involved in implementing a working cyber security strategy, some CISOs are outsourcing parts of the solution to Managed Security Service Providers.

By taking this route, CISOs can eliminate part of the cost and complexity of the implementation work, and worry less about the need to hire and retain a large staff of experts. These services are often more cost-effective and provide better security than an in-house solution.

Since managed security services are deployed relatively quickly, they also provide a quick return on investment when compared to going it alone.

As we said at the start of this eBook, European CISOs are more likely to outsource parts of their cyber security strategy to managed service providers. On the back of all this evidence, that sounds like a good move.

Making your cyber security strategy work



THE BEST DEFENSE IS PROACTIVE


If you haven’t started implementing a cyber security strategy based on the things we’ve covered in this article, don’t panic.


THE BESTDEFENSE IS PROACTIVE

You now have what most other CISOs don’t have: a solid overview of the solutions other CISOs are turning to, and an understanding of the pitfalls involved in the implementation and deployment of those technologies and services.

Plan your strategy carefully, learn about the threats your organization is likely to face, and become acquainted with the options available to you. The more you know, the easier it’ll be for you to make informed decisions, create a solid plan and present convincing arguments to your leadership team.

Your company’s upper management spend most of their time thinking about how to keep their business profitable, growing, and ahead of the competition. To do this, they constantly re-evaluate the company’s goals, vision and strategy, and make organizational and strategic changes accordingly.

Cyber security should be treated in the same way. Your competitors are the threat actors, and they’re becoming more sophisticated, organized and ingenious all the time. You need to know what they’re doing and how they’re doing it so you can use that knowledge to stay ahead of them.


We’re f-secure

And we’ve been a part of the security industry for over 25 years. It’s why we’ve become a trusted advisor to both industries and EU law enforcement agencies across Europe.

In fact, we’ve been involved in more European crime scene investigations than any other company on the market.

Our Cyber Security Services help companies react faster, learn more and respond more intelligently to threats and breaches of all sizes. So if you’re one of the smart ones and you’re getting serious about cyber security, we should talk.

Next in thE CYBER SECURITY INSIDER series

Read the first part of this series, ‘The Chaos of a Corporate Attack’ eBook to find out how one company was breached and how it impacted them.

In the third and final part, we’ll take you through the top five critical requirements for protecting your organization against advanced threats and breaches. Read ‘Five Imperatives for Advanced Cyber Security’ now.

https://business.f-secure.com/get-in-touch/

https://business.f-secure.com/the-cyber-security-insider-series/




About the cyber security service design study

F-Secure’s cyber security service design study was run during 2015 with the help of an external partner. Here’s a breakdown of the survey demographics:

Companies surveyed: 26

Regional breakdown:Finland: 23%US: 20%Germany: 30%Other (EU): 27%

Company size breakdown:Largest company size: 40,000Smallest company size: 500Average company size: 4000

Industry verticals breakdown:Financial, Insurance, Real Estate: 6Educational: 2Industrial: 2Healthcare: 3Technology: 4Global Non-Profit: 1Media: 2Pharmaceutical: 1Retail: 2Governmental: 2Gaming and Gambling: 1

Software

How CISOS deal with advanced cyber threats