Cybersecurity Beyond Technology
Introducing Business Threat Intelligence

Authors:
Nikolaos Tsouroulas, Head of Cybersecurity Product Management, Telefonica
Igor Garcia-Tapia, Cybersecurity Expert Analyst, Telefonica

Gartner Research:
Rob McMillan, Research Director, Gartner, Inc.
In this issue
Executive Summary
The Implications of Digital Transformation

Executive Summary

(Figure. Source: Telefonica)
As a consequence, both IT and Information Security Chiefs are experiencing increased pressures and responsibilities as the enablers of practically all business activities, as well as being the repositories of the organization's technological know-how. This last point is particularly true for Information Security departments, where the struggle to protect the organization from constantly evolving threats requires analysts to be agile and creative thinkers with a broader understanding of digital technologies to keep one step ahead.

These new relationships are also forcing CISOs to develop new skills that go beyond technology. Modern CISOs need to be experts in big data and the associated implications. They need to understand the legal and regulatory issues associated with the exploitation of customer information. They need to understand the physical security aspects that are related to their technologies, and they need to understand how to analyse their supply chain security. Similarly, they need to be aware of the impact security breaches have on digital marketing, public relations and brand reputation. They also need to be able to translate all of these differing issues into coherent risk management strategies. Gartner coined the term Digital Risk Officer (DRO)1 to describe this evolved CISO role.

Cybersecurity Both as a Business Risk and Business Enabler

[...] Information Security department, assuming it has Threat Intelligence capabilities, will probably identify the leak first and sound the alarm. The incident would need to be reported to the highest levels, where a point person or department would be assigned to coordinate a response. The Legal Counsel will have to participate because they need to analyse the legal implications of the incident. The Marketing and Communication areas may have to make an official announcement and face intense media scrutiny. The Customer Service teams will need to prepare for an avalanche of complaints by affected customers, and the list goes on and on. The CISO will be the person that each department will go to for answers. How bad is it? Who did this? How? Why? What should we tell affected customers? What can we do to avoid it occurring again?

Incidents like this are ever-present and can severely damage the reputation of a business. Unfortunately, prevention and security plans will never be completely infallible and budgets will always be limited.

For this reason, security must be handled the same way as other business risks. Security strategies must shift their focus from the virtually impossible task of protecting all the assets of the organization against all known and future threats. Instead, they must move to identifying and assessing all the potential risks and threats the company faces and subsequently preparing strategies to manage those identified risks.

1 Gartner, Create a Digital Risk Officer Role in Your Organization, Paul E. Proctor, May 2016
Infoxication

It is sometimes difficult for humans to see the forest for the trees. This is true in the sense of being so focussed on details that they miss the big picture, as well as in the sense of becoming so overwhelmed by the ever-increasing data that surrounds them (the trees) that it obscures the view of the context (the forest). While this state of Infoxication, a combination of the words Information and Intoxication, can apply to all facets of human activity, it is especially prevalent when dealing with complex problems.
In the realm of traditional threat intelligence, a Security Manager may, for example, overly emphasize drilling down on the details related to the what, where, when and who aspects of what they are seeing, rather than focussing their efforts on answering the why. This distinction is important as strategic decisions and risk assessments depend heavily on the latter.

Similarly, organizations with concerns about their security tend to acquire huge amounts of data in an attempt to cover as many threats as possible. While this practice is initially useful, soon the amount of data makes it difficult to understand what to do with it. Some authors define this moment with a curve called the Capability Chasm2.

(Figure: the Capability Chasm curve; vertical axis labelled Effort. Source: @JohnLaTwC)

2 https://twitter.com/johnlatwc/status/597466313280225280

Part of the cause of this chasm is the fact that the prevention approach does not differentiate between incidents that can be ignored, or whose processing can be delayed, and others that actually matter in terms of impact on the business. Data is not necessarily equivalent to useful information, nor does it necessarily provide any kind of useful insight. In other words, when hundreds of malware hashes are being received through a Threat Intelligence feed, how do you determine which one is the most dangerous for your business and therefore the one that most urgently requires your attention?

The reality is that most organizations are only capable of digesting a limited amount of data and converting it into actionable information. As an ever-increasing amount of data becomes available, investments have to be made not only in big data technologies for the gathering, processing and visualizing of the data, but also in data science know-how, to extract insights based on potential business impact.

This is extremely important as there is always a finite amount of capacity available. Making every last inch of an organization secure while not affecting productivity and collaboration is of course a noble goal, but the reality is that limited resources require priorities to be made, and productivity should always come first.

Over-reliance on Hindsight

Another limitation is that traditional Threat Intelligence, and security services in general, report incidents and threats that are already catalogued in their libraries. They evolve by incorporating new threats only after an incident has occurred somewhere and a post-incident analysis has been conducted. In other words, they operate by looking to the past and not dedicating sufficient efforts to proactively identifying new threats before they actually cause harm.

Analysing these types of incidents can provide useful insight about the threats facing an organization, allowing policy to evolve with the tactical situation and providing data for the formulation of new strategies. However, focussing on past events in this way presents a risk in itself, as security chiefs may fall into the trap of preparing to fight the last war.

These types of capabilities that look to the past should still be considered a necessary part of a defence strategy: they cover known threats that can cause significant damage to systems, reputation and income. However, they generally do little to prepare organizations against risks lurking in blind spots that could be key to gaining a competitive advantage or detecting new potential threats such as black swan events.

New data science techniques can change the paradigm by incorporating more future-looking analysis to identify abnormal patterns and risks. Threat Intelligence should be able to warn about new and unknown threats. For example, abnormal traffic patterns can be indicative of a new type of attack; increased chatter on the dark web might alert about a new fraud mechanism or other weakness in some part of the company, or about a new threat actor to take into account.

We have identified situations where monitoring information that in theory is not related to cybersecurity, for example customer sentiment and events that affect the image of a company, can provide indicators of what a CISO should prepare for in terms of campaigns against the company's infrastructure. We have seen how banks, retailers, governments and many other organizations have been victims of different types of attacks (DDoS, defacements, attacks on VIPs, breaches, etc.) as a result of public discontent. This discontent can be monitored online and used in order to understand the why behind future attacks and therefore anticipate the likely who, how and when.

Business Contextualization

This highlights another typical shortcoming of existing Threat Intelligence approaches. Security teams tend to focus too much on data that helps describe a certain threat from a purely technological and security perspective, providing limited business context. In this sense, the term business context means linking a threat directly to the core business and not just to the technology.

Threat Intelligence Services that focus more on research and less on producing feeds don't usually provide context that is specific to the customer. A Threat Intelligence Service may provide excellent threat analyses every month, but none of them are relevant to a customer because they either do not affect their sector, technology or geographic area, or the link is not explored or understood. Furthermore, in many cases an assumption is made that what affects an electricity company in Asia, for example, must also affect the entire sector worldwide. While this may be the case, it is in no way a certainty, nor should the risk be assumed to be the same. When this is the case, an explanation that goes beyond shared technology is not provided.

(Figure. Source: Telefonica)
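An added illustration of the Infoxication and Business Contextualization arguments above (example code written for this edit, not code from the paper, Telefonica or Gartner): a feed item's technical severity only becomes a priority once it is linked to the organisation's own sector and region, its deployed technology or a critical business function, and a finite analyst budget decides what is worked now. The business profile, the scoring weights and the feed records are constructed sample data, not real indicators.

```python
from dataclasses import dataclass, field

@dataclass
class BusinessProfile:          # what the organisation is and runs
    sector: str
    regions: set
    technologies: set           # platforms really deployed
    crown_jewels: set           # business functions it depends on most

@dataclass
class FeedItem:                 # one threat-intelligence feed record
    indicator: str              # constructed label, not a real IoC
    severity: int               # vendor's technical severity, 1..5
    sectors: set = field(default_factory=set)
    regions: set = field(default_factory=set)
    technologies: set = field(default_factory=set)
    targets: set = field(default_factory=set)

def relevance(item, profile):
    """Link between threat and business, 0 if none. A sector match alone is weak
    (what hits one company abroad need not hit us); region, technology and targets count more."""
    score = 0
    if profile.sector in item.sectors:
        score += 1 + (3 if item.regions & profile.regions else 0)
    if item.technologies & profile.technologies:
        score += 3
    if item.targets & profile.crown_jewels:
        score += 4
    return score

def business_score(item, profile):
    """Severity only counts once the threat is linked to this business."""
    return item.severity * relevance(item, profile)

def triage(feed, profile, capacity):
    """Split the feed into work-now / defer / ignore for a finite analyst budget."""
    ranked = sorted(feed, key=lambda i: business_score(i, profile), reverse=True)
    linked = [i.indicator for i in ranked if business_score(i, profile) > 0]
    ignored = [i.indicator for i in ranked if business_score(i, profile) == 0]
    return linked[:capacity], linked[capacity:], ignored

# Constructed profile and feed; none of these are real indicators.
BANK = BusinessProfile("banking", {"europe"}, {"java", "oracle-db"}, {"online-banking", "payments"})
FEED = [
    FeedItem("hash:ics-ransomware", 5, {"energy"}, {"asia"}, {"scada-x"}),
    FeedItem("domain:phishing-kit", 3, {"banking"}, {"europe"}, targets={"online-banking"}),
    FeedItem("cve:java-deserialisation", 4, technologies={"java"}),
    FeedItem("ip:ddos-botnet-c2", 2, {"banking"}, {"americas"}),
    FeedItem("forum:insider-data-sale", 3, {"banking"}, {"europe"}, {"oracle-db"}, {"payments"}),
]
```

With a budget of two items, `triage(FEED, BANK, 2)` works the insider chatter and the phishing kit first, defers the Java exploit and the out-of-region DDoS report, and drops the severity-5 ICS ransomware because nothing links it to this bank.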
The Importance of Data Science

Modern organizations that have invested in Digital Technologies and the Internet as integral parts of doing business are exposed to numerous and increasing risks. They generate massive amounts of data internally and are both exposed to and affected by what is going on the Internet as a whole.

However, a haphazard attempt to try and crawl the entire internet will generally result in failure as efforts become too widely stretched. A clear understanding of the strategic uncertainties that decision-makers are facing allows for a methodical and prioritized approach to data collection, focussing on information relevant to the known uncertainties, referred to as known-unknowns.
Educating People and Organizations

Nevertheless, technology on its own cannot solve all of these issues. Business Threat Intelligence can only succeed if supported by a team of multidisciplinary analysts with the required abilities to understand both the security technology and the business.

Big Data, Data Science, Machine Learning, Deep Learning as well as intelligence professionals are just a few of the specializations that can be used to build a team of intelligence analysts. They each have the capabilities necessary for identifying strategic blind spots and new threat actors before they strike, by using the latest technology and best practices to support other departments as well as corporate decision-makers in a common business language everyone understands.

However, this interplay between security and the business that we are describing will only succeed if companies are prepared to effectively understand and enable cybersecurity as a business priority. The security vendor or internal team brought on board to deliver Business Threat Intelligence will need to work in an environment where awareness, openness, transparency and commitment to change in terms of Cybersecurity and Digital Risks are present throughout the organization. All the C-Level executives and their teams need to contribute and work with the CISO and/or DRO in order to fully identify business risks and work together on the strategy to address them.

(Figure. Source: Telefonica)

Conclusion

(Figure. Source: Telefonica)
Key Findings

The leading indicators of risk to an organization are difficult to identify when an adversary's thoughts, capabilities and actions are unknown.

Recommendations

CISOs should plan for current security threats, as well as those that may emerge in the longer term, such as three years from now.

Definition

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject's response to that menace or hazard.

Context

Two conditions are necessary for a security incident to occur (see Figure 1):

- A vulnerability or weakness must exist in some element of an organization's operations or its supply chain.

A vulnerability may exist in a variety of forms, for example:

- Unsecure software due to a bug, bad programming practices or a bad design
- Unsecure operational or business processes
- Unsecure acts committed by staff or other people, by mistake or by a deliberate act

The threat is the agent (that is, a menace or hazard) that takes advantage of the vulnerability. In most cases, CISOs have no direct control over threats to their organizations. They can only be aware of the threats and be prepared for their arrival. Threats can exist in a variety of forms, including:

- People, for example hackers actively working to inflict damage to the physical, financial or intangible assets of the organization

The term intelligence has several meanings (see Note 1); the two that are the most relevant to this research are:

- Information communicated: news, notices or advice
- Knowledge imparted or acquired through study, research or experience; general information

(Figure 1: Conditions under which the threat is likely to successfully exploit a vulnerability)
https://twitter.com/TelefonicaB2B
https://www.telefonica.com

Contact us
For more information contact us.

[...] all entitled Gartner clients. 2017 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner's endorsement of Telefonica's products and/or strategies. Reproduction or distribution of this publication in any form without Gartner's prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website.