Things to Consider When Calculating the Return on Security Investment

The return on security investment is a crucial calculation to help CISOs demonstrate risks in business terms and gain executive buy-in for security tools.

In a world where cyberattacks make headlines on a daily basis, security has become an urgent priority in every aspect of life, especially business. As a result, calculating the return on investment (ROI) of security solutions is a major challenge for enterprises around the world, across all industries.

Communicating Security’s Impact on the Bottom Line

Some of the most important questions chief information security officers (CISOs) must answer regarding the return on security investment (ROSI) include:

  • How does a business become secure?
  • How much security does the business need?
  • How can business leaders determine whether the investments are reasonable?
  • What is the appropriate amount of financing and time to invest in security?

Executive decision-makers are often indifferent as to whether firewalls or door barricades protect the organization’s servers and data. They just want to know how security impacts the business’ bottom line. The CISO must understand this mindset and communicate the importance of security in business terms. Common questions executives may ask include:

  • How much could a lack of security potentially cost the business?
  • What effect does security have on current organizational productivity?
  • What is the potential impact of a catastrophic security breach?
  • How would the recommended solutions impact productivity?
  • Are these recommendations the most cost-effective solutions?

The key is to calculate the ROSI not by comparing results from several solutions, but by considering the investment on a risk basis.

Breaking Down the Return on Security Investment Formula

Measuring the probability of a data breach and the associated security risk is a daunting task, and the risk of miscalculation is considerable. This computation is only as good as the analytical effort that goes into the ROSI formula, which must include the cost of the security solution as well as the annual loss expectancy derived from risks:

ROSI (%) = ((ALE – mALE) – Cost of Solution) ÷ Cost of Solution

The components of the ROSI formula quantify the investment’s impact on the bottom line. This metric is critical to gaining executive buy-in when presenting the return on investment.

The best way to understand the ROSI formula is to break down its components. Let’s start with the annual loss expectancy (ALE), which is the total financial loss expected from security incidents. This is the control number that demonstrates how much money could be lost without the security investment.

The ALE is calculated by multiplying the annual rate of occurrence (ARO) by the single loss expectancy (SLE). ARO is the probability of a security incident occurring within a year. This is a judgment call by the CISO based on historical incidents. SLE is the total financial loss from a single security incident. This component is based solely on data assets that have value within the organization. It also represents the direct costs of financial loss and the indirect costs associated with data breach fallout.

Finally, modified annual loss expectancy (mALE) is the ALE adjusted for the savings the security solution delivers; those savings correspond to the percentage of threats halted by the security solution (its mitigation ratio).

For example, let’s say a security solution requires an annual investment of $75,000 to remediate 20 security incidents per year, each resulting in $10,000 in data loss. According to the vendor, the solution will block 95 percent of cyberattacks. This scenario is computed as follows:

ROSI = ((20 × $10,000) × 0.95 – $75,000) ÷ $75,000

ROSI = 153.3 percent

The formula suggests that the security investment will generate a return of 153.3 percent, or about $115,000 annually.
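The calculation above as an added, runnable example (not code from the original article): it computes ALE, mALE and ROSI from the four inputs, reproduces the $75,000 scenario, and goes one step beyond the text by returning the break-even mitigation ratio, the blocking rate below which the solution cannot pay for itself. The input names and the `RosiInputs` type are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RosiInputs:
    """Inputs to the ROSI formula (field names are assumptions for this example)."""
    aro: float               # annual rate of occurrence: expected incidents per year
    sle: float               # single loss expectancy: dollars lost per incident
    mitigation_ratio: float  # fraction of incidents the solution halts (0.0 .. 1.0)
    solution_cost: float     # annual cost of the solution in dollars


def ale(inputs: RosiInputs) -> float:
    """Annual loss expectancy without the solution: ARO x SLE."""
    return inputs.aro * inputs.sle


def annual_savings(inputs: RosiInputs) -> float:
    """Loss avoided each year: the share of the ALE the solution halts."""
    return ale(inputs) * inputs.mitigation_ratio


def male(inputs: RosiInputs) -> float:
    """Modified annual loss expectancy: loss still expected with the solution in place."""
    return ale(inputs) - annual_savings(inputs)


def _validate(inputs: RosiInputs) -> None:
    if not 0.0 <= inputs.mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    if inputs.solution_cost <= 0:
        raise ValueError("solution_cost must be positive")
    if inputs.aro < 0 or inputs.sle < 0:
        raise ValueError("aro and sle must be non-negative")


def net_annual_benefit(inputs: RosiInputs) -> float:
    """Dollars gained per year: (ALE - mALE) - cost of solution."""
    _validate(inputs)
    return (ale(inputs) - male(inputs)) - inputs.solution_cost


def rosi(inputs: RosiInputs) -> float:
    """ROSI as a fraction: ((ALE - mALE) - cost) / cost. Multiply by 100 for percent."""
    _validate(inputs)
    return net_annual_benefit(inputs) / inputs.solution_cost


def breakeven_mitigation_ratio(inputs: RosiInputs) -> float:
    """Blocking rate at which ROSI is exactly zero: cost / ALE.

    A result above 1.0 means no solution at this price can pay for itself
    against this ALE, which is the sanity check a CISO wants before pitching.
    """
    _validate(inputs)
    if ale(inputs) == 0:
        raise ValueError("ALE is zero; nothing to save")
    return inputs.solution_cost / ale(inputs)


def sensitivity(inputs: RosiInputs, ratios) -> dict:
    """ROSI in percent (one decimal) for each candidate mitigation ratio.

    Useful because the vendor's blocking rate is a claim, not a measurement.
    """
    return {
        r: round(rosi(RosiInputs(inputs.aro, inputs.sle, r, inputs.solution_cost)) * 100, 1)
        for r in ratios
    }


# The article's scenario: 20 incidents/year at $10,000 each, 95% blocked, $75,000/year.
ARTICLE_SCENARIO = RosiInputs(aro=20, sle=10_000, mitigation_ratio=0.95, solution_cost=75_000)


if __name__ == "__main__":
    s = ARTICLE_SCENARIO
    print(f"ALE            : ${ale(s):,.0f}")
    print(f"mALE           : ${male(s):,.0f}")
    print(f"net benefit    : ${net_annual_benefit(s):,.0f}/year")
    print(f"ROSI           : {rosi(s) * 100:.1f}%")
    print(f"break-even rate: {breakeven_mitigation_ratio(s):.1%}")
    print(f"sensitivity    : {sensitivity(s, (0.5, 0.75, 0.95))}")
```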

The Role of Security Metrics

Another common method used to determine the effectiveness of security investments is security metrics. These metrics track controls within the security infrastructure, such as antivirus, intrusion prevention systems (IPS), firewalls, identity and access management (IAM), data loss prevention (DLP), security information and event management (SIEM) and more. The drawback is that security metrics are based on data collected over a long period of time. Therefore, the return on those security investments is influenced by past events and does not reflect advancements made to keep pace with emerging cyberthreats.

However, security metrics are crucial when it comes to calculating the ARO in the ROSI formula described above. When considering upgrading or implementing new solutions, these metrics allow security leaders to justify security investments in terms that executives can understand.

Security Awareness Tips for The Holidays

The weather outside isn’t the only thing that’s frightful this time of year. Awareness of the dangers of online shopping is key to protecting yourself from identity theft, spyware, hackers and other Grinchy things.

Awareness during the holidays is crucial, as this season is on course to set new records for cyberattacks that exploit the bad habits of unaware users in companies and individuals alike. Cybercriminals can defraud victims and monetize their actions with little effort. During the Christmas holidays, more than at other times of the year, a growing number of users plan and make their purchases online, through mobile devices and social networks.

Online Shopping and Identity Theft

The single biggest concern is identity theft, in which personally identifiable information (PII) and credit card details saved on a website are stolen using malware. This season is set to break records for online shopping, with a majority of consumers planning to visit a retailer’s website.

These are the most common cyberattacks to be aware of while shopping online:

Pharming – redirects victims to a malicious, illegitimate website at a bogus URL. Even if the URL is typed correctly, the request can still be redirected to a fake site if the computer is compromised with malware. This is also a form of DNS hijacking, in which malware redirects the query to a fake domain name server (DNS) by overriding the computer’s TCP/IP settings.
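A defender-side check for the two pharming mechanisms just described, added here as an example and not part of the original post: it parses Unix-style resolver and hosts-file text, flags any DNS server outside an expected set (the overridden TCP/IP settings case) and any watched shopping or banking domain pinned to a non-loopback address. The sample file contents, the expected resolver list and the domain names are all constructed for this example.

```python
import ipaddress

# Constructed sample resolver configuration (resolv.conf style); the second
# nameserver is not one the user or administrator configured.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not from a real host
nameserver 192.168.1.1
nameserver 203.0.113.77
"""

# Constructed sample hosts file with a retailer domain pinned to a foreign address.
SAMPLE_HOSTS = """\
# constructed sample, not from a real host
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.example-retailer.test   # pinned by "malware"
"""

# Assumption: the resolvers the owner actually configured (home router + one public resolver).
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1"}

# Assumption: domains that should never be pinned in a hosts file on this machine.
WATCHED_DOMAINS = {"www.example-retailer.test", "bank.example.test"}


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def parse_resolvers(text: str) -> list:
    """Return nameserver addresses in file order, ignoring comments and other keys."""
    resolvers = []
    for raw in text.splitlines():
        parts = _strip_comment(raw).split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            resolvers.append(parts[1])
    return resolvers


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs; lines whose first field is not an IP are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = _strip_comment(raw).split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed or non-address first field
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def unexpected_resolvers(text: str, expected=EXPECTED_RESOLVERS) -> list:
    """Nameservers present in the config that the owner did not configure."""
    return [r for r in parse_resolvers(text) if r not in expected]


def suspicious_host_entries(text: str, watched=WATCHED_DOMAINS) -> list:
    """Watched domains pinned to anything other than a loopback address."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in watched and not ipaddress.ip_address(ip).is_loopback:
            findings.append((name, ip))
    return findings


def check(resolv_text: str, hosts_text: str) -> dict:
    """Combine both checks into one report; empty lists mean nothing was found."""
    return {
        "unexpected_resolvers": unexpected_resolvers(resolv_text),
        "pinned_watched_domains": suspicious_host_entries(hosts_text),
    }


if __name__ == "__main__":
    for key, value in check(SAMPLE_RESOLV_CONF, SAMPLE_HOSTS).items():
        print(f"{key}: {value or 'none'}")
```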

Phishing – a common tactic in which attackers send victims emails that appear to originate from a legitimate source. For example, emails masquerading as a well-known retailer contain an altered uniform resource locator (URL); anyone who clicks on the link is automatically sent to a fake site designed to collect personal information.

A phishing attack is a form of social engineering designed to trick you into divulging your PII. Other forms include phone calls from a telemarketer who asks for information, or from someone claiming to be from your bank who wants to check a fraudulent charge. These are the robocalls that dial sequential or random phone numbers and catch the unaware who answer. Once the call is answered, the victim hears a recorded message or is connected to a person who tries to bait them with high-pressure, bogus discounts.

The Data Cybercriminals Want

Social Security Number – one of the most valued pieces of PII, because the social security number (SSN) is a government-issued identity asset every American possesses. Once your SSN is stolen, the identity thief can either sell it to undocumented workers or use it to impersonate you and obtain property and money. With this credential, they can also access opportunities and services available only to SSN holders. In addition, the identity thief can use your PII to forge fraudulent documents such as passports or to open credit card accounts.

Driver’s License Number – another state-issued government identity document; once stolen, it can be sold to other criminals who look similar to you. States also issue identification (ID) cards to individuals who do not operate a motor vehicle. These documents are used to impersonate the victim so that the criminal can hide or protect their own identity if they are caught in a compromising or dangerous situation. In addition, the state ID, combined with corroborating information found online, can be used to access the victim’s opportunities and services.

Financial Accounts – one of the most common types of online PII theft, in which a person’s credit card and bank account information is stolen and used to purchase goods and services. It can also be used to open bank accounts and additional credit cards, resulting in significant loss of money. This form of attack can also damage an individual’s future purchasing power or financial security.

Insurance and Medical Accounts – these two forms of identity theft are closely related: a victim’s PII and protected health information (PHI), such as medical identification numbers, are used to access medical services and prescriptions. This is one of the most prevalent forms of identity theft; it can lead to financial losses and can become dangerous when life-threatening incorrect information ends up in a victim’s medical history.

Types of Identity Thefts

Tax Identity Theft – fraudulent tax refund returns filed by cybercriminals using the victim’s SSN and name. This can cause significant delays in the legitimate return being processed and loss of funds, among other issues.

Child Identity Theft – occurs when a child’s SSN is stolen and used to defraud the government for services, student loans and other benefits that affect children directly. The implications are identical to those of all other forms of online identity theft.

Synthetic Identity Theft – one of the most sophisticated forms, using the SSN and other forms of identification in combination with fake information. These are used to create a new identity to open credit card accounts, obtain bank resources and apply for jobs. Synthetic identities are also the most difficult to detect, since the real identity is deceptively mixed with fake information.

Tips to Thwart These Attacks

User awareness is the best tool for avoiding problems when shopping and providing personal details online. Pay attention, and shop from large, reputable merchants that have a history of providing exceptional customer service; to stay competitive, such online retailers maintain the highest standards of security and customer satisfaction. For the general consumer, one way to make sure that web pages requesting your personal details are secure is to check for “HTTPS” rather than “HTTP” at the beginning of the URL. The “S” indicates a secure connection using the encrypted Secure Sockets Layer (SSL) protocol to safeguard the information that is entered. The third-party certificate authority that issued the SSL certificate has identified and vetted the website’s domain owner as legitimate, and the browser will indicate this.

With phishing attempts, never respond to any request for personal information via email; instead, contact the organization by phone to confirm that the request is legitimate. Most organizations are concerned about fraudulent phishing attempts and will never ask for such information via email.

Antivirus and anti-malware software prevent malicious apps from being inadvertently installed on your computer or mobile device and from recording the personal data you enter into online forms when making a purchase.

Always protect your PII and PHI, and teach children good security habits for the internet: never divulge, or be bullied into giving up, personal information to anyone, especially on social media. Make them aware of the dangers and tell them to notify parents or law enforcement if they suspect malicious intent or become victims.

Quit Your Day Job: Filling the Cybersecurity Skills Gap With Freelance Security Professionals

Hiring freelancers can help companies close the cybersecurity skills gap, reduce overhead and infuse a fresh perspective into the organizational culture.

In my 21 years as an independent contractor in the security industry, I have seen hiring strategies evolve from traditional methods to the heavily outsourced model of today. In fact, I foresaw this shift back in 1996 when I witnessed the emergence of specialized demands within the industry. Today, many organizations are turning to freelance and temporary workers to address the growing cybersecurity skills gap.

The gig economy is not for everyone. It demands an entrepreneurial mindset, thick skin, a Rolodex of contacts, perseverance and, above all, family support. Like any other business, freelancers are responsible for acquiring their projects as well as back-office administrative work such as legal, accounting, procurement of office facilities and computer equipment, transportation, insurance and more. This is how an independent worker operates.

Freelancing is not ideal for those seeking a steady income, but many professionals are forced to freelance due to widespread furloughs and outsourcing of work to third parties. Others who have extensive experience in the industry may think of it as a grand opportunity to provide and deliver sorely needed wisdom and experience to organizations that lack these insights. The gig economy can also benefit millennials seeking to gain a foothold within an organization as well as mid-career professionals seeking job flexibility.

A Paradigm Shift for Hiring Managers

The gig economy grew out of the combination of digital platforms that leveraged underutilized assets. For example, key players in various industries, such as Uber and Airbnb, are tapping into underutilized human assets by using cloud technology. Companies from around the world, along with their consumers, have jumped into this phenomenon head-first, embracing the easy access and variety of choices available from their mobile devices. As a result, the gig economy has evolved from a business-to-consumer (B2C) to a business-to-business (B2B) industry.

Today, employers are in the midst of a paradigm shift from the traditional employee career path to a temporary on-demand model, which lowers costs and generates more competition for talent. This includes executive-level positions such as virtual chief information security officer (vCISO). These opportunities are often available in organizations that lack the internal expertise to augment the executive staffing requirements on a temporary or interim basis. They typically involve delivering a security program, developing and assessing the security posture, producing a road map to achieve maturity goals and conducting other CISO-related responsibilities.

The gig economy mentality also exists internally within many organizations. A CISO might offer freelance opportunities to current employees working in other areas of the business. For example, a network or application engineer may want to gain additional experience by participating in a security project. Likewise, a security application engineer may want to learn more about enterprise resource planning (ERP) systems by diving into mainframe applications such as common business-oriented language (COBOL).

According to Upwork’s “Freelancing in America 2017” report, 57.3 million people freelanced this year and contributed roughly $1.4 trillion to the U.S. economy, an increase of 30 percent since 2016. Security leaders must tap into this growing workforce to fill the expanding cybersecurity skills gap.

Advantages of Hiring Freelancers

There are many advantages to hiring freelance workers. Perhaps the most obvious is that employers are not required to pay taxes or insurance. Most independent contractors carry their own insurance and provide their own equipment. Other freelancers operate under an umbrella organization or staffing agency that provides such assurances.

Furthermore, freelancers are experienced and able to hit the ground running to deliver the skills necessary to complete the project at hand. Some temporary workers are even versatile enough to help with other projects within the enterprise.

One of the most appealing benefits of hiring freelancers is reduced overhead, which vastly improves the contractor’s experience and, in turn, the quality of the work. It also minimizes the need to screen employees for cultural fit.

Finally, freelancers are independent and thus more likely to dazzle with their experience and work ethic. These employees are the masters of their own destiny, so they are typically highly motivated to meet clients’ expectations and needs.

Closing the Cybersecurity Skills Gap

Despite the benefits described above, the transient nature of the gig economy could potentially create security risks. Freelancers often use their own equipment and mobile devices, which could introduce threats into the corporate environment. However, this also holds true for full-time employees working remotely or from personal devices, and security consultants who are responsible for protecting their own data are more likely to advocate and follow security best practices.

Today, the gig economy represents one of the best opportunities for security leaders to close the cybersecurity skills gap. Many seasoned freelance consultants see themselves as part of the businesses with which they work and identify with the values of those organizations. They are valuable resources capable of blending seamlessly into a wide variety of workplace cultures and working in tandem with full-time employees to best serve the organization’s security needs.

Security Awareness Training Is a Team Effort

To promote security awareness throughout the organization, CISOs should invite employees in disparate departments to help design training materials.

A security awareness program is a critical part of any security strategy. It is not enough to simply hold everyone in the organization accountable. Chief information security officers (CISOs) must first train employees to practice proactive, conscientious security behaviors by convincing them that security affects them directly, not just the business.

Building Better Cybersecurity Instincts

While most people practice cybersecurity as a self-preservation instinct at home, they often take it for granted at work. This disconnect can be boiled down to ownership: People rigorously protect their prized possessions at home, but business assets feel like somebody else’s property and, therefore, somebody else’s problem. Security leaders charged with training employees must demonstrate how one weak link in the company can compromise everyone’s privacy, not to mention the business’s bottom line.

In most organizations, security awareness training is ongoing and constantly evolving to address new threats as they emerge. These threats affect all employees within an organization, not just the IT department, so training programs must be particularly robust for employees in marketing, legal, finance, HR and especially the C-suite.

When assessing the organization’s security awareness program, CISOs should ask the following questions:

  • Does the security policy address security awareness?
  • Do all functional departments enforce employee training and accountability requirements?
  • Does corporate governance address awareness and training across the organization?
  • What practices and technologies do employees use to detect a security breach?
  • Do employees know about the security policy?
  • Do employees know what to do if they discover a security violation?
  • Are executives and upper management embracing the awareness program?

As part of this assessment, the CISO should document the gaps and formulate an action plan accordingly. This starts with presenting a convincing business case to demonstrate the enormous benefits of a security awareness program to the C-suite and board of directors. Include examples of actual root causes mapped to the findings outlined in your assessment, and emphasize the potential damage of a user-inflicted security breach.

Collaboration Drives Greater Security Awareness

Input from disparate departments throughout the organization is crucial when formulating a security awareness program. Involving employees in the process is a great way to help them develop natural security instincts and understand the far-reaching impact of a seemingly isolated security weakness. It also helps the CISO deliver more personalized education and address concerns specific to those departments.

Documentation is equally important. Security leaders must outline the program’s objectives, define the security issues, determine how to address them and manage the implementation with milestones and metrics. They should also strive to make all training materials consistent in messaging and branding.

When employees help build a security awareness program, they are more likely to understand their integral role in safeguarding the organization’s data. Instead of resisting IT requirements, they will become advocates of security and think twice before opening suspicious attachments, reusing easy-to-guess passwords and neglecting to update outdated systems.

Put simply, the success of a security awareness program largely depends on how it is delivered. Cybersecurity training must be the domain of the CISO and other IT experts within the organization, not the HR department. Positive reinforcement, open communication and interdepartmental collaboration are the keys to spreading security awareness throughout the enterprise.

Don’t Let Organizational Politics Derail Security Initiatives

For IT professionals, gaining executive buy-in for information security initiatives requires masterful navigation of organizational politics.

Information security is vastly complex, both technically and from a governance, risk and compliance (GRC) perspective. When workplace politics come into play, security best practices become more complicated and risk management is weakened significantly.

Security professionals commonly meet resistance when they attempt to implement IT initiatives that do not align with the organization’s political culture. Such an environment makes it extremely difficult to manage these initiatives. Security teams must recognize the obstacles they face and work to gain buy-in from key stakeholders.

The Problem With Organizational Politics

Denial can impede IT efforts — especially when C-suite executives are insulated from the realities of the security landscape. In many cases, when executives say that security is not in the budget, they simply mean that it is not on their radar and, therefore, doesn’t matter.

Other obstacles include hidden agendas and power struggles that prevent employees from sharing information with others. For example, some employees might withhold information as a tactic to ensure job security, while another staffer might use it as organizational currency to buy influence. Chief information security officers (CISOs) may encounter this behavior during red on blue exercises when red team members refuse to divulge vulnerability test results to the security operations center (SOC) team, or at the very least aren’t totally forthcoming about their exploits.

Pushing the Right Buttons

No department is immune to the effects of organizational politics. Security professionals must thoroughly understand the political landscape and devise more effective ways to communicate risks to C-level executives. This communication must occur in business terms with a focus on the end business goals.

To successfully navigate organizational politics, IT professionals must gain their colleagues’ trust, which takes time. Start by forming personal connections with fellow employees or subordinates. People have their own individual interests and concerns, and leveraging them can go a long way toward building positive rapport.

The bottom line is that if IT professionals have the organization’s best interest in mind, executives and other stakeholders are less likely to question their motives. This trust enables them to foster alliances and more effectively advocate for security. The CISO can take it a step further by acting as a mediator to help employees in other departments find common ground when disagreements arise.

Organizational politics require security professionals to be adaptable. As executives and employees come and go, the political landscape shifts accordingly. The key is to understand what you’re up against and use your experience to keep security top of mind throughout the enterprise.

The CISO’s Guide to Minimizing Health Care Security Risks

CISOs must possess skills and expertise in multiple areas to combat health care security risks in this age of ransomware and connected medical devices.

In an ever-changing, dynamic threat landscape, a chief information security officer (CISO) in the health care sector must have knowledge in multiple areas and understand that data breaches have severe repercussions that affect employees, patients and the organization at large. To respond effectively to health care security risks, a CISO must possess well-rounded experience in several areas that go beyond privacy and security.

Health Care Security Risks on the Rise

Cybercriminals often target health care organizations because they are notoriously vulnerable to identity theft. Personal health information (PHI) is lucrative, and fraudsters relentlessly attack networks, systems and applications that have been misconfigured or poorly maintained. These threats can pose life-or-death situations if they target heart monitors, intravenous pumps or other hospital devices that can be disabled or altered.

Threat actors have also been known to inject fraudulent data or otherwise falsify patients’ health records. They might modify a record to show, for example, that a patient has a serious condition from which he or she does not suffer, or that the patient requires medication that could be dangerous.

Ransomware is one of the most dangerous threats to health care security because it can disable workstations, medical devices and critical record-keeping systems. Hospital employees are often too busy to apply patches and update applications, and workstations are typically operated by several different clinical staff members, all of whom are more focused on patient care than data security. This environment creates a virtually unlimited number of attack vectors for threat actors to exploit.

Most of these health care security challenges can be attributed to a lack of awareness. According to Harvard Business Review, the medical industry has been slow to adopt effective strategies to protect medical data stored on stolen or lost mobile devices. As a result, many health care workers are ignorant of the security risks that threaten the integrity of patient data.

The increasing use of connected medical devices in home care and other medical services further complicates security. If compromised, these devices can potentially lead to widespread attacks and directly impact the individual’s physical well-being. Additionally, health care professionals may take medical data off the grid when they use personal devices to increase productivity.

Mitigating Threats to Health Care Security

To combat these health care security risks, the CISO must develop a holistic approach to security. The security leader should take a page out of the financial industry’s incident response playbook, which calls for a focus on information sharing, stronger authentication and education about cybersecurity risks.

Security professionals should also ensure that the organization’s security program is compliant with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), which continually update as new cybercriminal tactics targeting health care data emerge.

Of course, one of the most basic data security tactics is encryption. Health care security leaders should invest in strong encryption solutions and restrict privileges to employees who must access sensitive data to perform their jobs. The same goes for third-party vendors. Other effective health care security measures include multifactor or biometric authentication on workstations and mobile devices, chip cards to streamline patient identification and blockchain to verify recorded transactions between multiple parties.

The CISO is responsible for protecting patients’ health data, which requires collaboration across the organization and with business partners such as vendors and insurers. For the common good of the health care industry at large — which includes individual practitioners, third parties and, most importantly, patients — all health care organizations must invest in solutions and strategies to protect PHI and manage risks to critical systems.

When Responding to a Data Breach, Cooperation Is Nine-Tenths of the Law

When responding to a data breach, the CISO must work closely with the legal department to minimize the risks of litigation and reputational damage.

In recent years, several high-profile breaches involving customer data have led to long and costly litigations. These events demonstrated that data protection is more than just a cybersecurity concern.

When responding to a data breach, legal teams have to work closely with the chief information security officer (CISO) to ensure that security policies, regulatory compliance and response plans are adequate to effectively protect sensitive data. Together, these departments can develop a sound incident response strategy that protects both the organization’s data and its legal interests in the event of a breach.

Potential Legal Repercussions

In addition to the obvious operational and financial repercussions, a data breach can result in class-action lawsuits from customers, federal and state government actions, and even international ramifications. For instance, the cost of the infamous Target breach of 2013 reached nearly $300 million after the company settled with 47 state governments.

Corporate data repositories continually grow and can be on-premises or in the cloud, which adds significant legal complexities, especially when crossing international boundaries or jurisdictions. The CISO must consider these risks with regard to data integrity.

Additionally, the CISO must work with legal counsel to negotiate with government agencies investigating a breach. Breach investigations often involve personnel policies, security policies, corporate governance, cyber liability insurance, breach scenarios, negative publicity and government inquiries. Failure to diligently address all of the above when responding to a breach can result in costlier litigation and reputational damage.

When responding to a data breach, privilege maintenance is crucial. Knowing the differences between a possible incident, an actual incident and a confirmed breach will determine the appropriate response. This requires working with attorneys to help design a response plan that determines who speaks to whom, when and about what. Remember that once a breach is confirmed, litigation will be filed immediately. This represents a high risk factor to consider when formulating a response plan.

For example, it is not enough for a CISO to simply say the organization is in compliance with best practices and regulatory requirements. The government will look at how well-prepared the organization is to detect and appropriately respond to an intrusion. Are the attacks registered? Is the data encrypted? It is critical for the government to treat the breached organization as a victim of the attack to determine whether it had adequate security programs in place.

The Battle in the Boardroom

The CISO must communicate the business benefits of a comprehensive and well-rehearsed incident response plan to the board. Many board members are unwilling to invest time and money without understanding the return on investment (ROI). A risk-based assessment program adequately explained to executives, along with the corporate attorney’s support, can help generate security awareness among board directors.

CISOs can demonstrate the importance of risk management by comparing the security investment with the potential for significant financial exposure should they neglect data protection. Security leaders can also remind business executives of their fiduciary responsibilities and accountability should a breach occur. For example, the Target breach exposed the company’s board to ramifications that led to the departure of its CEO and shareholder demands to drop other board members.

Collaboration Is Crucial When Responding to a Data Breach

The CISO and legal department must work as a team right from the start to develop an incident response plan. From a risk perspective, the added focus on risk assessment and management is vital to protecting the organization in the event of a breach.

The planning should take into account the organization’s total protection in areas such as:

  • Governance;
  • Compliance;
  • Data protection;
  • Litigation; and
  • Public relations.

One of the most important steps is to know where your data repositories are and protect them. When a breach occurs and a crisis erupts, management and mitigation are critical. This can only be achieved by engaging all departments within the business to contain the leak, communicating with customers and implementing the proper procedures to limit any reputational and legal damage.

Rehearsals of the plan should include the legal, IT and security teams to ensure all are working together. They must reach the common goal to mitigate the breach as quickly as possible and establish lines of communication early on. In the event that an incident results in litigation, the corporate attorney must be involved at the onset, along with close cooperation from other teams, to minimize the risk. If evidence needs to be collected for an internal investigation, close cooperation with the corporate attorney can help organizations avoid costly delays.

Breaches affect the entire organization, so an effective response to a cyber incident requires interdepartmental cooperation. Support from the C-suite and board are vital — otherwise, the CISO is fighting a losing battle. Involving the legal department in security can help CISOs gain the executive support they need to adequately protect the organization from legal and reputational risks.

The CISO’s Guide to Managing Insider Threats

To effectively manage and remediate insider threats, the CISO must establish a comprehensive approach to governance, data analysis and incident response.

Critical digital and physical assets are becoming increasingly vulnerable due to accelerated connectivity, differing global regulatory requirements, joint ventures and business partnerships and security weaknesses within complex multinational supply chains. These factors have led to a rise in insider threats for enterprises across all industries.

An insider threat is an employee or third-party vendor that has access to a company’s network. While some insiders seek to compromise sensitive corporate data for monetary gain or out of spite, others do so accidentally due to negligence or lack of awareness.

According to the “2016 Insider Threat Report” by Crowd Research Partners, 75 percent of survey respondents estimated insider threats cost their companies at least $500,000 in 2016, while 25 percent reported costs could exceed that amount. The study also found that 74 percent of organizations are vulnerable to insider threats. Of that number, 7 percent reported that they were “extremely vulnerable.”

Common Behavioral Indicators

The most common indicator of an insider threat is lack of awareness. For instance, employees with savvy IT skills often create workarounds to technology challenges. When employees use their own personal devices to access work emails, they often create new vulnerabilities within the organization’s physical security processes and IT systems.

The chief information security officer (CISO) must be aware of these patterns to detect suspicious motives, which requires a holistic and layered approach to user behavior analytics (UBA). The following are examples of behavioral indicators:

  1. Downloading substantial amounts of data to external drives;
  2. Accessing confidential data that is not relevant to a user’s role;
  3. Emailing sensitive information to a personal account;
  4. Attempts to bypass security controls;
  5. Requests for clearance or higher-level access without need;
  6. Frequently accessing the workspace outside of normal working hours;
  7. Irresponsible social media behaviors;
  8. Maintaining access to sensitive data after termination;
  9. Using unauthorized external storage devices;
  10. Visible disgruntlement toward employers or co-workers;
  11. Chronic violation of organization policies;
  12. Decline in work performance;
  13. Use of mobile devices to photograph or otherwise record computer screens, common work areas or data centers;
  14. Excessive use of printers and scanners;
  15. Electronic communications containing excessive use of negative language;
  16. Installing unapproved software;
  17. Communication with high-risk current or former employees;
  18. Traveling to countries known for intellectual property (IP) theft or hosting competitors;
  19. Violation of corporate policies;
  20. Network crawling, data hoarding or copying from internal repositories;
  21. Anomalies in work hours;
  22. Attempts to access restricted areas;
  23. Indications of living beyond one’s means;
  24. Discussions of resigning or new business ventures; and
  25. Complaints of hostile, abnormal, unethical or illegal behaviors.

Remediation Pain Points

Insider threats are costly to remediate because they are very difficult to detect. A thorough investigation often requires companies to hire forensic specialists to determine the extent of a breach. It is also challenging to distinguish malicious activity from regular day-to-day work. For example, users who have elevated access privileges interact with sensitive data as part of their normal jobs, so it can be virtually impossible to determine whether their actions are malicious or benign.

Users who have elevated access privileges often cover their tracks by deleting or editing logs, impersonating another user or using a system, group or application account. Proving guilt is yet another pain point, since offending users may claim ignorance or human error.

Steps to Combat Insider Threats

Most organizations lack procedures to deal with internal threats. Moreover, security architecture models have no room for insider threats. Security infrastructures primarily prevent outside attackers from gaining entrance to the network undetected, operating under the false assumption that those who are granted internal access in the first place are trustworthy.

To properly account for and remediate insider threats, organizations must establish a comprehensive, risk-based security strategy that includes the following four elements:

1. Information Governance

It is of paramount importance to protect critical data assets from insider threats. Information governance provides business intelligence that drives security policies and controls. This improves risk management and coordination of information management activities. A solid information governance foundation enables organizations to adopt a risk-based approach to protecting their most valuable assets and installing sound data management procedures.

2. Advanced Forensic Data Analytics

User-based analytics are indispensable tools that provide detection and predictive measures to thwart insider threats. These solutions incorporate artificial intelligence and machine learning technologies that objectively analyze insider behaviors and generate risk rankings within the user population.

3. Incident Response and Recovery

External and insider breaches have their own nuances, but the impacts are similar and should leverage the same response program in anticipation of a major breach. Organizations must strive to build as strong an insider threat program as possible. It’s also important to develop an incident response program that considers both internal and external breaches.

4. Legal Considerations

An insider threat program cannot be successful without careful legal and regulatory considerations. For example, privacy laws pertaining to employee monitoring vary across national boundaries. In the U.S., the Electronic Communications Privacy Act (ECPA) allows employers, under certain provisions, to monitor their employees’ emails and other electronic communications. Meanwhile, the member states of the European Union (EU), in compliance with the European Convention on Human Rights, adhere to privacy laws under the Data Protection Directive, which regulates how organizations within the EU process personal information.

A Cross-Organizational Challenge

Combating insider threats is an organizational issue that crosses people, processes and technology and requires a detailed understanding of the organization’s assets and security posture. It also demands a clear separation of duties, continuous monitoring of employee behaviors and a formal insider threat program that includes IT, human resources, legal and all other business groups. With the proper resources in place, a CISO can gather the actionable intelligence needed to thwart internal attacks and gain visibility into the highest-risk users.

Why Machine Learning Is an Essential Tool In the CISO’s Arsenal

To protect their networks from malicious insiders, user negligence and other threats, CISOs need advanced machine learning capabilities such as UBA.

The chief information security officer (CISO) faces threats such as compromised users, negligent employees and malicious insiders. For this reason, one of the most important tools in the CISO’s arsenal is user behavior analytics (UBA), a solution that scans data from a security information and event management (SIEM) system, correlates it by user and builds a serialized timeline.

How UBA Works

Machine learning models build baselines of normal behavior for each user by looking at historical activity and comparing it to peer groups. Any abnormal events detected are aggregated through a scoring mechanism that generates a combined risk score for each user. Alerts from other security tools can be used in this process as well.

Users at high risk are flagged with information such as job title, department, manager and group membership to enable analysts to quickly investigate that particular user’s behavior in the context of his or her role within the organization. By combining all of a user’s data from disparate systems and utilizing artificial intelligence (AI) to gain insights, UBA empowers analysts with new threat hunting capabilities.

This technology is not new, but its application is new in the security environment. Many endpoint products offered today are cloud-based to provide seamless mobile device protection outside the organization. Given the evolving attack landscape and the new challenges faced by security teams, the application is growing rapidly, and it is quickly becoming the best practice for enterprise security teams.

Machine learning technology uses techniques that harness AI to learn and make judgments without being programmed explicitly for every scenario. It is different from static, signature-based products such as SIEM because it learns from data. The technology is capable of providing a probabilistic conclusion, which can then be converted into a binary signal. The likelihood of a decision being accurate can be interpreted as a measure of confidence in that conclusion. Security analysts can also validate these conclusions and investigate others that fall into gray areas.

The mathematical algorithms are complex and computationally intensive. Since there is no single model that applies to every attack technique, the selection of the model and data is crucial. This is one reason why these new, evolving endpoint products are based in the cloud and conceivably draw upon data globally from every industry.

Establishing a Behavioral Baseline

Among the advantages of this technology is the ability to quickly and easily distinguish anomalous events from malicious events. Employees change jobs, locations and work habits all the time. Machine learning alleviates the overwhelming volume of false positives and provides the behavioral baseline DNA of each user.

Machine learning also enables analysts to interpret subtle signals. Behavioral analytics can flag most attacks that pace themselves and act in small steps, but attackers know that analysts have tools to find telltale attack signatures. For instance, SIEM correlation rules that look for a signature attack behavior can be bypassed simply by deviating from that signature. A correlation rule may look for five failed logins in one minute as an indicator of an abnormal access attempt. An attacker could bypass the rule by spacing the attempts so that each new one falls one second after the minute has elapsed.
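Added example, not code from the article or any product: the fixed-window correlation rule from the paragraph above run beside a per-user baseline score of the kind described under "How UBA Works", over constructed authentication events. The user names, the five-day history, the thresholds and the scoring weights are all assumptions.

```python
"""Fixed-window correlation rule beside a per-user behavioral baseline.
Constructed example: events, five-day history, thresholds and scoring are
assumptions for illustration, not values from any SIEM or UBA product."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed events: (timestamp in seconds, user, outcome). "alice" fails
# five times inside one minute; "bob" fails five times spaced 61 seconds
# apart, so no 60-second window ever holds five of his failures.
EVENTS = [(t, "alice", "fail") for t in range(0, 50, 10)]
EVENTS += [(t, "bob", "fail") for t in range(0, 5 * 61, 61)]
# Peers "carol" and "dave" show the two failures an ordinary day brings.
EVENTS += [(t * 3600, u, "fail") for u in ("carol", "dave") for t in range(2)]
EVENTS.sort()
# Constructed history: failed logins per day over the previous five days.
HISTORY = {"alice": [1, 0, 2, 1, 0], "bob": [0, 1, 0, 1, 1],
           "carol": [1, 2, 1, 0, 1], "dave": [0, 0, 1, 1, 0]}

def windowed_rule(events, threshold=5, window=60):
    """SIEM-style signature rule: flag a user with `threshold` or more
    failures inside any sliding window of `window` seconds."""
    recent, flagged = defaultdict(list), set()
    for ts, user, outcome in events:
        if outcome != "fail":
            continue
        times = recent[user]
        times.append(ts)
        while ts - times[0] > window:  # drop failures older than the window
            times.pop(0)
        if len(times) >= threshold:
            flagged.add(user)
    return flagged

def failures_today(events):
    counts = defaultdict(int)
    for _, user, outcome in events:
        if outcome == "fail":
            counts[user] += 1
    return counts

def deviation(value, sample, floor=1.0):
    """Standard deviations by which `value` exceeds the sample mean; the floor
    stops a near-constant history from turning one extra failure into a
    huge score."""
    return max(0.0, (value - mean(sample)) / max(pstdev(sample), floor))

def risk_scores(events, history):
    """Per-user score: deviation from the user's own baseline plus deviation
    from today's peer-group counts, the way UBA aggregates several signals
    into one combined risk score."""
    today = failures_today(events)
    peers = [today.get(u, 0) for u in history]
    return {u: round(deviation(today.get(u, 0), past)
                     + deviation(today.get(u, 0), peers), 2)
            for u, past in history.items()}

def high_risk(scores, threshold=3.0):
    return {u for u, s in scores.items() if s >= threshold}

if __name__ == "__main__":
    print("windowed rule flags:", windowed_rule(EVENTS))  # only alice
    scores = risk_scores(EVENTS, HISTORY)
    print("risk scores:", scores)
    print("baseline flags:", high_risk(scores))  # alice and bob
```

The windowed rule catches only the burst, while the baseline comparison scores both users far above their own history and their peers, because the spacing trick changes the timing but not the day's total.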

Finally, analysts can use machine learning to gain insights beyond individual events. Cyberattacks that have already infiltrated the network might slowly follow the kill chain of reconnaissance, infiltration, spread and detonation. AI pieces together the whole picture to make decisions and aid in incident response.

Evaluating Machine Learning Solutions

There is a lot of marketing noise associated with machine learning technology. Below are some useful approaches to evaluating AI-enabled security solutions.

  • Use case definitions: Determine what you want out of the solution and tailor it toward specifics such as spear phishing attacks, privileged users, malware, etc. This will help formulate a short list of solutions you’re targeting.
  • Pick organizational subsets: Scaling is often a consideration, but for a proof of concept (PoC), consider establishing a small group to evaluate two or three vendors.
  • Get source access: These solutions will need access to certain infrastructure, such as Active Directory log files, to operate. Ensure that the solution has all the appropriate access privileges it needs to function.
  • Understand the results: Machine learning solutions deliver probabilistic results based on a percentage. The solution must provide supporting evidence when it flags an event so that analysts can act on it.
  • Ensure classification accuracy: Evaluate the number of correct predictions as a ratio of all predictions made. This is the most common metric for classification problems — and also the most misused.
  • Evaluate logarithmic loss: Logarithmic loss is a performance metric for evaluating predicted probabilities of membership in a given class. It can serve as a measure of an algorithm’s confidence in a prediction. Correct and incorrect predictions are each weighted by the confidence assigned to them.
  • Determine who will own it: Common considerations include whether the tool will be a standalone solution or integrated with an SIEM. It can also be part of a security operations center (SOC) with red and blue teams harnessing it or another layer in the architecture where resources are tight.
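Added example, not from the article: the two metrics from the bullets above computed over a constructed, class-imbalanced set of alert predictions, showing why accuracy alone misleads and how log loss penalizes a confident wrong prediction. The labels and the three hypothetical models' probabilities are made up.

```python
"""Accuracy versus logarithmic loss on a constructed, imbalanced alert set.
Constructed example: the labels and the three models' probabilities below are
made up to illustrate the two metrics; nothing here comes from a real product."""
import math

# Constructed ground truth: 20 events, 18 benign (0) and 2 malicious (1),
# the kind of imbalance security data usually has.
LABELS = [0] * 18 + [1] * 2
# Model A never raises the probability of "malicious"; it is useless.
MODEL_A = [0.05] * 20
# Model B finds both malicious events and raises two moderate false alarms.
MODEL_B = [0.1] * 16 + [0.6] * 2 + [0.9] * 2
# Model C makes the same calls as B but is near-certain about its two
# false alarms: same accuracy, much worse log loss.
MODEL_C = [0.1] * 16 + [0.99] * 2 + [0.9] * 2

def accuracy(labels, probs, cutoff=0.5):
    """Share of predictions whose thresholded class matches the label."""
    correct = sum(int(p >= cutoff) == y for y, p in zip(labels, probs))
    return correct / len(labels)

def log_loss(labels, probs, eps=1e-15):
    """Mean negative log-likelihood of the true class; a confident wrong
    prediction is penalized far more than a hesitant one. Probabilities are
    clipped so log(0) cannot occur."""
    total = 0.0
    for y, p in zip(labels, probs):
        p = min(max(p, eps), 1 - eps)
        total -= math.log(p) if y == 1 else math.log(1 - p)
    return total / len(labels)

def compare(labels, models):
    """Both metrics per model, rounded for display."""
    return {name: (round(accuracy(labels, p), 3), round(log_loss(labels, p), 3))
            for name, p in models.items()}

if __name__ == "__main__":
    for name, (acc, ll) in compare(LABELS, {"A": MODEL_A, "B": MODEL_B,
                                            "C": MODEL_C}).items():
        print(f"model {name}: accuracy={acc:.3f} log_loss={ll:.3f}")
```

All three models score 90 percent accuracy, which is exactly the benign prevalence, so accuracy cannot tell the useless model from the useful one; log loss ranks them B, A, C.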

Augmenting Human Intelligence

Always remember that these technologies are not silver bullets. Buyers of enterprise security products need to educate themselves on the basics of these technologies to avoid succumbing to the hype. Two standard deviations from the mean do not constitute machine learning, and five failed logins in one minute do not constitute artificial intelligence. In the absence of other information, there is no predictive value in seeing, for example, that an employee visited a website based in Russia.

These solutions provide a probability that a certain conclusion is accurate depending on its algorithm model. The real outcome is somewhere in the middle. Despite the hype surrounding artificial intelligence, all it does is provide mathematical suspicions, not confirmations. To maximize the effectiveness of artificial intelligence for cybersecurity, machine learning must be paired with savvy security analysts.

Hire a Team of Hackers to Identify Vulnerabilities

Many companies have adopted the practice of recruiting a team of hackers to poke holes in their networks and assess their incident response capabilities.

It’s common to hear the phrase “never leave security to chance” in business. Given the rapid advancement and persistence of cybercrime, chief information security officers (CISOs) need the ability to deploy offensive security measures to protect their networks. One way to do this is to employ a team of hackers to proactively protect the organization’s data and infrastructure.

A capable offensive hacking team can conduct advanced penetration testing and bug discovery within the organization and deliver technical leadership when executing tactical, comprehensive assessments. Members of this team of hackers should have an affinity for advanced attack techniques and a passion for spotting vulnerabilities.

Encouraging Information Sharing

In organizations that have a security operations center (SOC), a red team is deployed to continually prod the organization’s security posture. This can also be a specialized third-party entity tasked to emulate cybercriminal behaviors and techniques as realistically as possible. In return, the red team shares intelligence with the blue team, which defends against these mock attacks.

Due to the attitudes and practices inherent to each role, there are many challenges surrounding the relationship between red and blue teams. Here are a few examples:

  • Red and blue teams have ideological differences. Often, neither team is properly trained to share information with the other, thus defeating the purpose of the exercise. Moreover, blue teams tend to be risk-averse, while red teams are typically more reckless.
  • Red teams are absorbed within the organization and limited in their ability to conduct assessments, which diminishes their charter and value considerably.
  • Red on blue exercises are not always seen as integral to the organization’s ability to combat vulnerabilities. As a result, metrics are commonly not shared between the teams and management.

To address these challenges, security leaders should consider installing a purple team to act as a crucial bridge and facilitate information sharing between the red and blue teams.

Assembling the Right Team of Hackers

When building red and blue teams, it’s important to ensure that candidates are willing to work in harmony and share ongoing metrics related to their activities. It is not enough to simply conduct routine penetration testing in lieu of hiring a red team to go against your blue team defenses. CISOs should take the following steps to overcome these obstacles:

  1. Choose team members carefully. Candidates should be highly skilled in discovering vulnerabilities and defending against attacks. Above all, these team members must be willing to share information with their counterparts.
  2. Get the teams together. At the onset, gather the team members to reach consensus and secure buy-in to the overarching strategy. Instruct them to conduct a thorough analysis of risks and vulnerabilities and then devise a response plan. The overall goal is for the teams to practice discovering vulnerabilities and reporting metrics to management.
  3. Spread awareness. People are the weakest links in any security program. Even with the strictest controls over your data, adversaries can exploit employees’ behaviors. Red teams should conduct unannounced exercises, such as staging phishing email campaigns to determine which users might click on a malicious link or open a malware-laden document.
  4. Go beyond your perimeter. Cloud solutions introduce additional security challenges. It’s important to consider all the legal implications, such as service-level agreements (SLAs), to determine whether the red team has the right to test against the provider’s defenses.

Seasoned CISOs understand that information security is always a moving target. Adversaries are extremely sophisticated and will stop at nothing to breach your organization. Moreover, the organization’s network infrastructure, applications and employees are always changing and adding complexities to your security program. Each one of those changes presents a far different attack footprint, and teams of hackers are well-equipped to discover those vulnerabilities and predict unintended consequences before they can damage the organization.