Since the COVID-19 pandemic, we’ve seen rapid development in role transformations across the C-suite, the CISO included. Ross Brewer, Vice President of EMEA and APJ for AttackIQ, explains how CISOs can benefit from data-driven insights through the use of automation, to secure their organisation against cyberthreats.
Securing an organisation against an increasingly sophisticated threat landscape is a complex, yet crucial function in helping to protect the key assets of a business. The UK Government’s 2022 Cyber Breaches Survey found that almost 40% of UK businesses experienced a cyberattack in the last 12 months, with almost a third of those experiencing an attack at least once a week.
An organisation’s Chief Information Security Officer (CISO) is responsible for configuring a cybersecurity programme to protect against these threats, but they are currently fighting a cyberwar on multiple fronts. UK Prime Minister Boris Johnson stated last year that: ‘As cyber power is evolving on a greater note, we also need to bring changes in the way we are dealing with attacks. The way we are dealing with the situation is just like (how) we used air power 100 years ago’.
The modern CISO should take advantage of technology that now allows organisations to test their cybersecurity programme at speed and scale and, through automation, to move from a reactive to a proactive, threat-informed defence.
The problem CISOs and organisations face
The cost, complexity and frequency of cyberattacks are increasing, with cybersecurity breaches set to cost the world US$10.5 trillion annually by 2025. This emphasises the need to stay one step ahead of attackers when building an organisation’s strategy, by shifting from capability development to outcome-driven cybersecurity readiness and proactivity.
The effective testing and auditing of security controls is crucial to maintaining a successful cybersecurity defence as attacks increase. According to the 2021 Verizon Data Breach Investigations Report, CISOs now have an average of over 70 security controls to manage, almost double the number of just four years ago. But with misconfigured controls failing often, the cybersecurity tool sprawl CISOs face is compounded by a dynamic threat landscape that clouds their visibility into what is and is not working within their programme. A study by PurpleSec found that 75% of companies infected with ransomware were running up-to-date protection, showing that uninformed defences are not effectively testing and validating the controls they already have. Doing so is a solution that goes beyond investing in additional tools, which only further overcomplicate the system.
Automating cybersecurity defences
Organisations aiming to get the best out of their security controls should be running a threat-informed defence, utilising automated platforms such as Breach-and-Attack Simulation (BAS) to continuously test and validate their systems. Like minute-by-minute fire drills, BAS gathers performance data on which controls are failing, allowing organisations to remediate the gaps in their defence and gain data-driven insight into their cybersecurity readiness. Last year, Gartner included BAS in its list of top security and risk management trends of 2021 due to its ability to help proactively identify and resolve gaps in security postures.
Security Optimization Platforms such as BAS can utilise knowledge bases such as MITRE ATT&CK to simulate attack paths in a real-world environment. This process runs attack graphs based on the tactics, techniques and procedures (TTPs) used by bad actors, collecting valuable performance data and arming organisations with information on how well their security programme is performing against known threats. An example of this is MuddyWater, an Iranian threat group that has historically targeted the telecommunications sector. The MITRE ATT&CK framework can list and inform security teams of commonly used techniques to, for example, bypass User Account Control (UAC) or enumerate domain users.
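To make the "performance data" a BAS run produces concrete, here is an added example (not AttackIQ’s or MITRE’s code) that scores constructed per-technique results against ATT&CK tactics, lists controls that neither prevented nor detected a scenario, and flags regressions between two runs. The result record, control names and sample outcomes are assumptions for illustration; the two technique IDs correspond to the UAC-bypass and domain-account-enumeration behaviours mentioned above.

```python
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ScenarioResult:
    """Outcome of one emulated ATT&CK technique run against one control (assumed schema)."""
    technique_id: str   # MITRE ATT&CK technique or sub-technique ID
    tactic: str         # ATT&CK tactic the technique belongs to
    control: str        # control expected to prevent or detect the behaviour
    prevented: bool     # the control blocked the emulated behaviour
    detected: bool      # the control raised an alert or recorded telemetry

    def passed(self) -> bool:
        # A scenario counts as covered if the control either stopped it or saw it.
        return self.prevented or self.detected


# Constructed sample results for one simulated run (not real telemetry).
# T1548.002 = Bypass User Account Control, T1087.002 = Account Discovery: Domain Account.
CURRENT_RUN = [
    ScenarioResult("T1548.002", "privilege-escalation", "EDR", True, True),
    ScenarioResult("T1087.002", "discovery", "EDR", False, True),
    ScenarioResult("T1087.002", "discovery", "SIEM", False, False),
    ScenarioResult("T1059.001", "execution", "EDR", False, False),
    ScenarioResult("T1566.001", "initial-access", "Email gateway", True, False),
]

# Constructed previous run: the PowerShell scenario (T1059.001) was still detected then.
PREVIOUS_RUN = CURRENT_RUN[:3] + [replace(CURRENT_RUN[3], detected=True)] + CURRENT_RUN[4:]


def readiness_by_tactic(results):
    """Share of scenarios per ATT&CK tactic that were prevented or detected."""
    totals, passed = defaultdict(int), defaultdict(int)
    for r in results:
        totals[r.tactic] += 1
        passed[r.tactic] += r.passed()
    return {tactic: passed[tactic] / totals[tactic] for tactic in totals}


def failing_controls(results):
    """Controls that neither prevented nor detected, mapped to the techniques they missed."""
    gaps = defaultdict(list)
    for r in results:
        if not r.passed():
            gaps[r.control].append(r.technique_id)
    return dict(gaps)


def regressions(previous, current):
    """(technique, control) pairs that passed in the previous run but fail in the current one."""
    before = {(r.technique_id, r.control) for r in previous if r.passed()}
    return sorted((r.technique_id, r.control) for r in current
                  if not r.passed() and (r.technique_id, r.control) in before)
```

Run continuously, the regression list is what turns a one-off audit into the fire-drill view the article describes: a control that passed last week and fails today is a misconfiguration to remediate, not a new tool to buy.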
Purple teaming
The MITRE ATT&CK platform acts as a single repository of threat behaviour that security teams can use to align their testing around a common threat framework. Commonly, security teams made up of offensively oriented red teams and defensively oriented blue teams conduct testing infrequently, and the exercises are often adversarial in nature, which can hinder the information sharing that is crucial for staying one step ahead of a mercurial threat landscape.
While red and blue teaming are well-known notions in cybersecurity, purple teaming aims to change this structure by building a shared view of the threat, and of the systems and high-value assets, such as confidential data or critical infrastructure, that they must defend. Teams then share their real-time performance data and threat intelligence after the exercise is complete. This collaborative approach helps break down the barriers of a commonly siloed activity, improving an organisation’s resilience against cyberthreats.
As cybersecurity becomes a board-level issue for many companies, CISOs must arm themselves with tangible data and insight. Utilising automated breach and attack platforms to build a threat-informed defence enables CISOs to answer board-level questions on cybersecurity investment planning or current risk level, thanks to the performance data and visibility they have into their controls. With evidence-based security, budget can be spent more astutely and data-driven insight can inform high-level decision-making, improving an organisation’s posture and preparedness in the event of an attack.