I have made this statement often: To me, good and sound threat intelligence that is linked to the business will be absolutely key in the future. Therefore we entered into an agreement to acquire iDefense – so read on.
A study we published last autumn made it clear: We are investing more and more money in security, our management is fairly confident regarding the state of their defenses, and yet one out of three attacks is successful. If you want to know more, just click on the picture:
In my opinion, it is time to reboot security and change what we do. We need to think different.
The question is, how? On the one hand, it is about testing, testing, testing. Test your defenses, see how your teams react and what they do (if they discover the attack) and then learn. This is way bigger than the classical penetration test. You need an adversary who really simulates the criminal, comparable to our Adversary Simulation (delivered by Fusion X, an Accenture company).
On the other hand, make sure you understand how the link between business and the changing threat landscape works. This means clearly that your CSO needs to get more business focus. I sometimes try to draw this on the whiteboard:
Let me try to explain (it is way easier doing it while drawing): The upper line represents your business and your business strategy. Hopefully for you, the business is growing at a steady pace and sometimes discrete events like a merger or an acquisition make the business jump. In parallel (the lower line), the threat landscape changes steadily as well. Again, there might be discrete events that change the threats immediately, like a merger or a public statement by your CEO or anybody from your upper management drawing the attention of the bad guys. Security is somewhere in between. The job is to predict the changing threats in the light of the business strategy and to understand what needs to be done today to keep the business at acceptable risk in this context.
Let me give you an example: Let’s assume you are a life insurer and think about insuring the president of the US. This might be a really interesting business opportunity. However, you will all of a sudden come into the focus of certain new adversaries. The role of security in such a context is to understand the adversaries and their capabilities. This now might change the exposure and you might need to factor certain protection into your business case (or decide not to do the business at all). Doing this changes the value of security and the perception of the CSO in the business.
Now, the key question is how you get there and especially how you get the relevant threat intelligence. Typically, the feeds and information you get are extremely technical: It is easy to find malicious URLs, IPs, hashes of malware etc. etc. What you do not get easily is information about adversaries and their capabilities as well as actionable information on this.
To work in a focused way towards the vision I just painted above, we announced yesterday that we entered into an agreement to acquire iDefense from Verisign. To me, this is an outstanding step forward and we will not only leverage the new platform and our new colleagues but also enhance the platform with additional feeds to drive towards the business value described.