Why it’s time to change tack in cybersecurity and replace Fear, Uncertainty and Doubt with an evidence-based, data-driven approach
With 30 years’ experience in cyber security, Ross Brewer, now Vice President and General Manager EMEA and APJ at AttackIQ, has seen his industry grow and grow, often through FUD (Fear, Uncertainty and Doubt). That approach has worked for the industry, but does it work for customers? Brewer thinks not and is calling for a more data-driven approach that he believes will strengthen businesses’ defences and improve dialogue between cybersecurity professionals and business leaders.
AttackIQ operates in what Gartner has coined the ‘breach and attack simulation’ market, though Brewer prefers to think of it as ‘a continuous security controls validation’ opportunity.
“Breach and attack simulation is where we started, and we were one of the founding fathers of that market. But breach and attack simulation focuses on the adversarial red teaming aspect, whereas if you think about most organisations, they’ve got a lot more blue teams – defenders – than they have internal attackers. Even if you’re using external red teams, your addressable market and who you can help is a lot bigger if you can work on the blue side. So we tend to think of this as more of ‘a continuous security controls validation’ opportunity.”
“Over and above that, we use the telemetry that we gather to drive a different style of cybersecurity – an evidence-based, data-driven style of cybersecurity, rather than one driven by fear, uncertainty and doubt.”
One of the key enablers for this approach is the publicly available MITRE ATT&CK framework, which documents the tactics, techniques and procedures of real threat actors as they change over time and organises them into a matrix that security professionals can use to evaluate the effectiveness of their defences, technique by technique, and identify areas that need strengthening.
This framework underpins the AttackIQ Security Optimisation Platform, which allows organisations to test and measure the effectiveness of their controls – firewall, DLP, EDR, SIEM and so on – by replaying known attacker techniques against them in an automated fashion, at scale and on a continuous basis, rather than manually, haphazardly or through quarterly or annual red teaming exercises.
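To make the measurement concrete, here is an added example of the kind of scorecard such a continuous validation loop produces; it is not AttackIQ platform code or MITRE code. The technique IDs are real ATT&CK identifiers, but the controls, scenario outcomes, thresholds and the pass/fail model (a control passes a scenario if it prevented the technique or at least detected it) are constructed assumptions. It scores a run of scenarios per ATT&CK tactic and per control, flags controls that have degraded or failed, lists techniques that nothing in the stack catches, and compares against the previous run so that silent drift in a control shows up the day it happens. The overall figure is the sort of number behind the “we’re about 76% effective” conversation with the board that Brewer describes later.

```python
"""Continuous security-controls validation scorecard keyed to MITRE ATT&CK.

Added illustration, not code from AttackIQ or MITRE. Technique IDs are real
ATT&CK identifiers; the controls, outcomes, thresholds and pass/fail model
are constructed assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

PREVENTED, DETECTED, MISSED = "prevented", "detected", "missed"

# Assumed thresholds: below 90% pass rate a control is degraded, below 50% failing.
DEGRADED_BELOW = 0.90
FAILING_BELOW = 0.50


@dataclass(frozen=True)
class Result:
    technique: str  # ATT&CK technique ID, e.g. "T1059.001" (PowerShell)
    tactic: str     # ATT&CK tactic the scenario exercises
    control: str    # control under test: edr, firewall, siem, dlp, ...
    outcome: str    # PREVENTED, DETECTED or MISSED


def _run(rows):
    return [Result(*row) for row in rows]


# Constructed sample data: each technique is replayed against every control
# that is expected to stop or at least see it. PREVIOUS_RUN is last week's run.
PREVIOUS_RUN = _run([
    ("T1566.001", "initial-access",    "email-gateway", PREVENTED),
    ("T1566.001", "initial-access",    "siem",          DETECTED),
    ("T1059.001", "execution",         "edr",           DETECTED),
    ("T1059.001", "execution",         "siem",          MISSED),
    ("T1003.001", "credential-access", "edr",           PREVENTED),
    ("T1003.001", "credential-access", "siem",          MISSED),
    ("T1021.002", "lateral-movement",  "firewall",      MISSED),
    ("T1021.002", "lateral-movement",  "siem",          DETECTED),
    ("T1041",     "exfiltration",      "dlp",           DETECTED),
    ("T1041",     "exfiltration",      "firewall",      MISSED),
    ("T1486",     "impact",            "edr",           PREVENTED),
])

# Same scenarios today: an EDR policy change and a DLP outage went unnoticed.
CURRENT_RUN = _run([
    ("T1566.001", "initial-access",    "email-gateway", PREVENTED),
    ("T1566.001", "initial-access",    "siem",          DETECTED),
    ("T1059.001", "execution",         "edr",           DETECTED),
    ("T1059.001", "execution",         "siem",          MISSED),
    ("T1003.001", "credential-access", "edr",           MISSED),
    ("T1003.001", "credential-access", "siem",          MISSED),
    ("T1021.002", "lateral-movement",  "firewall",      MISSED),
    ("T1021.002", "lateral-movement",  "siem",          DETECTED),
    ("T1041",     "exfiltration",      "dlp",           MISSED),
    ("T1041",     "exfiltration",      "firewall",      MISSED),
    ("T1486",     "impact",            "edr",           PREVENTED),
])


def pass_rate(results):
    """Share of scenario/control pairs where the control blocked or alerted."""
    if not results:
        return 0.0
    passed = sum(1 for r in results if r.outcome in (PREVENTED, DETECTED))
    return passed / len(results)


def score_by(results, attr):
    """Pass rate grouped by a Result attribute name ('tactic' or 'control')."""
    groups = defaultdict(list)
    for r in results:
        groups[getattr(r, attr)].append(r)
    return {k: pass_rate(v) for k, v in sorted(groups.items())}


def classify_controls(results):
    """Rate each control healthy / degraded / failing against the thresholds."""
    rating = {}
    for control, rate in score_by(results, "control").items():
        if rate < FAILING_BELOW:
            rating[control] = "failing"
        elif rate < DEGRADED_BELOW:
            rating[control] = "degraded"
        else:
            rating[control] = "healthy"
    return rating


def regressions(previous, current):
    """(technique, control) pairs that passed last run but are missed now."""
    prev_pass = {(r.technique, r.control) for r in previous if r.outcome != MISSED}
    return sorted((r.technique, r.control) for r in current
                  if r.outcome == MISSED and (r.technique, r.control) in prev_pass)


def gaps(results):
    """Techniques no control prevented or detected: the attacker's free moves."""
    by_tech = defaultdict(list)
    for r in results:
        by_tech[r.technique].append(r.outcome)
    return sorted(t for t, outs in by_tech.items() if all(o == MISSED for o in outs))


def report(previous, current):
    return {
        "overall": pass_rate(current),
        "by_tactic": score_by(current, "tactic"),
        "controls": classify_controls(current),
        "regressions": regressions(previous, current),
        "gaps": gaps(current),
    }


if __name__ == "__main__":
    r = report(PREVIOUS_RUN, CURRENT_RUN)
    print(f"overall effectiveness: {r['overall']:.0%}")
    for tactic, rate in r["by_tactic"].items():
        print(f"  {tactic:<18} {rate:.0%}")
    print("controls:", r["controls"])
    print("regressed since last run:", r["regressions"])
    print("techniques nothing catches:", r["gaps"])
```

The two numbers worth watching are the regressions list (the EDR no longer stops LSASS access and DLP no longer sees exfiltration, both of which passed last run) and the gaps list (techniques with no prevention and no detection anywhere in the chain). A single aggregate percentage hides both; the per-tactic and per-control breakdown is what turns a run into a prioritised fix list.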
“What we’re talking about here is control effectiveness and how you measure the efficacy and efficiency of your cybersecurity controls, which ultimately points to the efficacy and efficiency of your cybersecurity programme, because it’s the control failures that allow hackers to continue their activity,” explains Brewer.
“The first failure is the initial access – phishing, someone clicking on something, what MITRE calls ‘assumed breach’. But that’s not where the action is. The important question is ‘If they got to your laptop, could they get to your data, could they get to your contacts, could they get to customers’ personal information?’ It’s about understanding where they can start from and where they can get to, and if you can measure that, find those gaps before the hackers do and fill them in, then you’re less likely to become a headline.
“We recently surveyed customers who were able to measure their controls with AttackIQ and found that their controls were 0.25%, either failing or degraded. If you think about the IT side of the business, we’re all chasing three, four, five 9s (.9999%), whereas in cybersecurity, we’re running at .75%. Is that acceptable?”
AttackIQ’s revenue growth in EMEA and APJ – up more than 600% in the year ending January 2022 and predicted to grow by another 300% this year – would indicate that many think not.
The company’s core market is government organisations and large enterprises – national infrastructure, energy, banks, technology companies, computer manufacturers, retailers – but it also addresses the needs of SMEs through a network of system integrators and service providers.
Growing awareness of the cyber security risk facing these businesses – and their supply chains – is one reason for rising interest in the AttackIQ platform. Another, according to Brewer, is a greater emphasis on, and appreciation of, threat-informed defence.
“If you go back to the beginning of the industry, it was really about capabilities – let’s get some firewalls, let’s get some EDRs, let’s get some SIEM to protect ourselves. That was the proactive thing. Then it became a question of responding to the activity that was generated, being reactive by looking at incident management and now SOC.
“But in doing this we actually missed a step, which was to take what we now know about the tools, techniques and procedures (TTPs) of hacking groups, which are really well documented by the MITRE organisation, and replay those against our infrastructure to make sure that our defences are actually intact so we don’t have to exercise our incident management as much.
“Instead, we loosely installed the protection mechanisms and then relied heavily on incident management, which failed in a lot of cases – I think the statistic is that in 80% of breaches the information was in the logs but the organisations failed to see it. The missing step is to test those defences and to find gaps before the hackers find them. Organisations are now starting to recognise that the assumed breach methodology from MITRE and using the MITRE matrix to measure efficacy and efficiency is the way forward. This is called a threat-informed defence.”
Brewer argues that this approach is gaining ground because the top-down, risk-informed defence that has prevailed for the last 30 years, built around governance, risk and compliance (GRC), has failed so dramatically. As evidence, he points to figures of 300 million ransomware attacks last year and a BBC survey in which 81% of victims said they paid the ransom.
“There’s a major problem here; we’re losing the fight and organisations recognise that and realise that they need to augment that GRC approach with a threat-informed approach to find out what would happen if a hacker got onto a company laptop, where could they get to and could we shut down their activity?
“That’s the new movement in the industry. It’s not about a product. It’s about all the holistic platforms, the firewalls, the SIEMs, the EDRs, working together as a single organism, rather than just being a bunch of siloed technologies that don’t talk to each other.”
The changing role of CISOs
The other big change taking place in the cybersecurity world cited by Brewer is a stronger focus on cybersecurity from regulators and at board level, which he says demands a new approach from Chief Information Security Officers (CISOs).
“Boards and regulators like the Bank of England’s Prudential Regulation Authority (PRA) in the UK are getting a lot more savvy about the testing and validation that they do. They invoke what’s called a CBEST test, which doesn’t involve a university graduate with a clipboard asking ‘Do you have a password? Do you have a firewall?’. Instead, the question is: ‘Take XYZ hacking organisation: they use these TTPs, show us how you would defend your organisation against that activity’. That’s a very different question that requires much more scenario-based analysis.”
Brewer points out that while regulators and boards are changing their approach, there is still a disconnect with CISOs who have come up through the trenches and are often too technical and too detail-oriented.
“They want to talk about how many hacks there have been and from which countries. That’s irrelevant to a board; the board are only interested in the risk to the business, what’s being done to solve the problem, what industry peers are doing and whether the right amount of money is being spent. There’s a disconnect between the technical language that the security teams talk and the risk language that the boards talk,” he said.
To illustrate the kind of approach he would like to see from CISOs, Brewer compares the data-driven boardroom presentations of CFOs and CMOs to the speculative declarations of CISOs.
“In the boardroom, the CFO comes in and has every detail: this is how much money we have, these are our creditors, these are our debtors, this is our balance sheet, this is our growth, this is what we’re expecting from collections, this is our cash flow. The marketing person walks in and says this is how many people have hit our website, this is how many people have downloaded our white paper and so on. The logistics person walks in and says we’ve got GPS in vans and this is what it tells us. When it comes to cybersecurity, we just don’t have feedback on what’s working and what’s not working. We don’t have that evidence, that data. So we go in and say ‘We’ve kind of bought everything we think we need; we think we’re OK’.
“That’s no longer acceptable. Boards need cybersecurity to act like every other function and CISOs, especially the newer ones, to talk in data-driven terms, not fear, uncertainty and doubt. Instead of saying there’s all this geopolitical activity happening, we need to spend more money on cybersecurity, they should be saying ‘we’re in energy; these are the groups that are targeting us; these are the things they’re going to do against us; we’ve measured our environment and we’re about 76% effective. If the board would like us to get to 86% effective, we need another couple of million pounds. Do you want to accept the risk at 76% or do you want to spend another couple of million pounds to get us to 86%?’. That’s like the conversation you have with finance: ‘We’re going to buy this building, we’re going to retire these two buildings, and that’s going to reduce our rent by this, our liabilities by that and it’s going to increase our profit by this’. It’s a very different conversation.”
Brewer says that as C-level cybersecurity professionals learn to talk more effectively to the board, a new type of CISO is emerging: one who takes a threat-informed defence approach and uses data and evidence to drive decisions, rather than buying yet another shiny widget for an arsenal of widgets that are individually fine but collectively fail to provide the protection organisations need.
AttackIQ feeds into the movement towards threat-informed defence and the new data-driven way of doing evidence-based security.