Drinking From The Hydrant

In order to stay on top of all the current cyber threats, use a bit of intelligence.

“You are not going to win, you do realise that, don’t you? There are far more of them than there are of you”, as I was once told by an experienced cyber security professional who was in charge of a major security operations centre (SOC). He was referring to the sheer number of new and existing cybersecurity threats that are out in ‘the wild’ of the internet.

A rudimentary internet search on ‘current known cyber threats’ will throw up a cacophony of statistics, threat qualification and categorisation methodologies, league tables of the most damaging and a few of the cybercriminals’ greatest hits by name, such as WannaCry and Petya. But even the most dedicated cybersecurity professional is going to tire quite quickly of this sheer quantity of threats. Conservative estimates put the number of new ransomware strains at between 23,000 and 35,000 a month; add to that the known vulnerabilities in existing systems that could be exploited, and to cap it all there are the insider threats to consider: user error, the disgruntled employee and the privileged insider.

When I discussed this with the aforementioned expert, I was told that the only way to get board members, and anyone else still hesitating to take the threat seriously, to grasp the scale of it is to point out that trying to keep on top of it is the equivalent of trying to drink from a fire hydrant. Nobody is going to last long doing that!

Like most cyber-related issues, this one has an answer and, odd as it may sound, the way to resolve a technical challenge is to use (more) technology. The technology in question is ‘threat intelligence’. Although that sounds like something from the basement of MI5, it is in fact a strategy increasingly used by companies large and small to keep the criminals at bay.

Gartner, the technology research organisation, defines threat intelligence as “Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard”.

In short, a company buys a threat intelligence solution from a major IT supplier, which monitors emerging threats from around the globe. It does this by tapping into threat databases and other information from known and trusted sources, including many of the security vendors that specialise in ransomware. It will also monitor devices within even the most complex of IT infrastructures for unusual behaviour, such as runaway log files, vast data transfers or repeated access attempts, and match what it sees against the indicators those feeds supply.

All of this information can then be handed to skilled overseers and cyber specialists who, in the event of an incident, can take action before it takes hold of a network and cripples an organisation.
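The two halves of that description, matching observed events against a feed of known indicators and flagging repeated failed access attempts from one source, in miniature. This is an added worked example, not code from the article or from any vendor it mentions; the indicator feed, the log format, the IP addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for the illustration.

```python
"""Added example: a tiny indicator matcher plus a behavioural check.

Constructed inputs, not real data:
  - INDICATORS: a feed as a threat-intelligence provider might deliver it
  - SAMPLE_LOG: a handful of auth/firewall lines from a monitored device
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator feed. Real feeds arrive as STIX/TAXII, CSV or vendor APIs.
# The hash is a placeholder (SHA-256 of the empty string), not a real malware hash.
INDICATORS = {
    "ip": {"203.0.113.7", "198.51.100.22"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed log lines: "<timestamp> <kind> <source-ip> key=value ..."
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth_fail 192.0.2.10 user=alice
2024-03-01T09:00:02 auth_fail 192.0.2.10 user=alice
2024-03-01T09:00:03 auth_fail 192.0.2.10 user=alice
2024-03-01T09:00:04 auth_fail 192.0.2.10 user=alice
2024-03-01T09:00:05 auth_fail 192.0.2.10 user=alice
2024-03-01T09:00:06 auth_fail 192.0.2.10 user=alice
2024-03-01T09:05:00 connect 203.0.113.7 port=445
2024-03-01T09:06:00 file_exec 192.0.2.55 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2024-03-01T10:00:00 auth_fail 192.0.2.77 user=bob
2024-03-01T11:00:00 auth_fail 192.0.2.77 user=bob
"""


def parse(log_text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, kind, src, *rest = line.split()
        fields = dict(kv.split("=", 1) for kv in rest)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, "src": src, **fields})
    return events


def indicator_hits(events, indicators=INDICATORS):
    """Return (event, indicator_type, value) for every event that touches a known indicator."""
    hits = []
    for ev in events:
        if ev["src"] in indicators["ip"]:
            hits.append((ev, "ip", ev["src"]))
        digest = ev.get("sha256")
        if digest and digest in indicators["sha256"]:
            hits.append((ev, "sha256", digest))
    return hits


def repeated_failures(events, threshold=5, window=timedelta(minutes=1)):
    """Map source -> peak count of auth_fail events inside a sliding time window,
    for sources that reach `threshold` or more. Two failures an hour apart do not count."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "auth_fail":
            by_src[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ev, kind, value in indicator_hits(evs):
        print(f"IOC hit: {kind}={value} in {ev['kind']} at {ev['ts'].isoformat()}")
    for src, peak in repeated_failures(evs).items():
        print(f"Repeated failures: {src} ({peak} in one window)")
```

Both checks are deliberately dumb: the indicator match is a set lookup, and the behavioural rule is a count over a window. What the vendor adds on top is the breadth and freshness of the indicator set and the tuning of the thresholds, which is exactly the part a business cannot sustain by hand.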

In many of the SOCs that I have been fortunate enough to visit, alongside the ‘mission control’ style screens of network maps, data flows and other such graphs, they also monitor the Twitter feeds of selected security companies and news organisations to get early warning of a global-scale outbreak.

And SOCs have to run 24/7 to be effective, because cybercriminals operate around the globe and around the clock. The threats continually develop and adapt to whatever countermeasures are put in place.

Does that mean that a business now needs to find a space where its IT team can build such a secret, secure, bunker-style operation? You can if you want, but like so many other complex IT tasks this one can be outsourced to a provider of choice. There is a plethora of companies with the skills, technology and operations centre in place to take the task on remotely. This is cybersecurity ‘as a service’. For a monthly fee a business can be informed on an hourly, daily or weekly basis about threats to its organisation. Some of these providers will even offer a remote mitigation service as well, enabling a business’s network to almost ‘self-protect’.

With the rise of so many other IT tasks to a service based model, it was inevitable that cybersecurity would do the same using threat intelligence as its foot in the door.

But before you hastily scribble that purchase order, there is one potential downside. Once the service is up and running, week in and week out a business may find that it receives reports saying its network is safe and it has nothing to worry about. But isn’t that what you want? Yes, but be prepared for apathy to kick in after a while: paying good money for a service to protect your business against unknown and faceless criminals, and then never seeing an attack, wears thin. Companies I have spoken to feel that they may have been sold the technical equivalent of snake oil, but tempting as it may be to cancel the service after the initial 12 months, don’t.

Why? Because, as the SOC manager I spent time with told me, the SOC has to be ‘lucky’ every second of every day of every month to keep threats at bay, whereas a cybercriminal has to get lucky just once. That’s not a threat, that’s intelligence!
