All organisations face varying degrees of cyber-threat in an increasingly digitised world. In fact, there were over 300 million ransomware attacks recorded in the first half of last year.
To mitigate these threats, the Chief Information Security Officer (CISO) is tasked with securing their organisation against breaches perpetrated by bad actors. However, nearly half of all UK businesses experienced a successful breach during the pandemic, and cybersecurity incidents rose by a staggering 600%.
The threat landscape is expanding, but as innovation in the cybersecurity space creates new opportunities for the industry, businesses should be savvier than ever when choosing how to secure their infrastructure, and should seek to transition from a reactive defence to a proactive, threat-informed one.
Creating a threat-informed defence
Organisations across the UK are spending heavily on cybersecurity, with medium and large businesses in the UK alone spending over £800 million on their defence in 2021. However, a study by PurpleSec found that 75% of companies infected with ransomware were running up-to-date protection, meaning that organisations investing heavily in their cybersecurity programme are not tackling the real problem: testing and validating the controls they already have.
According to the 2021 Verizon Data Breach Investigations Report, CISOs have an average of over 70 security controls at their disposal, up from 45 just four years ago. But controls fail often and silently, and a control cannot be considered validated unless it is continually tested.
A multitude of budget-priced cybersecurity solutions exist, but with the global average cost of a data breach reaching over £3 million in 2021, organisations must configure comprehensive cybersecurity solutions that can effectively remediate real-world threats. An illustration of this is the HAVEX strain of malware, reportedly used by the Russian government to target the energy grid. Companies should be running attack graphs that emulate such known threats end-to-end to bolster their cybersecurity preparedness in the event of an attack.
To counter these sophisticated threats, using automation to test organisations’ security controls continuously, and at scale in production, is the key to unlocking a threat-informed defence. Automated security control validation can leverage new threat intelligence about adversary tactics, techniques, and procedures (TTPs) through knowledge-based frameworks such as MITRE ATT&CK.
This strategy allows organisations to deploy assessments and adversary emulations against their security controls at scale, enhancing visibility by letting them view performance data continually and track how well their security programme is performing.
Organisations aiming to successfully achieve a threat-informed defence should put Breach-and-Attack Simulation (BAS) systems at the centre of their cybersecurity strategy. A good BAS platform uses the MITRE ATT&CK framework to enhance, assess and test threat detection and threat hunting efforts by simulating real-world behaviours.
Through the performance data gained from continual security control testing, CISOs and their teams gain visibility into the efficiency of their cybersecurity programme, and can more accurately report their findings to the board.
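As an added illustration (not from the article, and not any BAS vendor's code), the check below shows the kind of performance data continual control testing produces: it compares two validation runs keyed by MITRE ATT&CK technique ID, scores coverage per tactic, and flags controls that detected a technique in the previous run but silently miss it now. The technique IDs are real ATT&CK identifiers; the run outcomes are constructed sample data.

```python
# Constructed sample data: outcomes of two automated control-validation runs.
# Key = (ATT&CK technique ID, tactic); value = True if the emulated behaviour
# was detected or blocked by the controls under test. IDs are real ATT&CK
# technique numbers; the outcomes are invented for this example.
RUN_PREVIOUS = {
    ("T1566", "initial-access"): True,
    ("T1059.001", "execution"): True,
    ("T1003.001", "credential-access"): True,
    ("T1021.002", "lateral-movement"): False,
    ("T1486", "impact"): True,
}
RUN_CURRENT = {
    ("T1566", "initial-access"): True,
    ("T1059.001", "execution"): False,   # caught last run, missed now
    ("T1003.001", "credential-access"): True,
    ("T1021.002", "lateral-movement"): False,
    ("T1486", "impact"): True,
}


def overall_score(results):
    """Fraction of emulated techniques the controls detected in one run."""
    return sum(results.values()) / len(results)


def coverage_by_tactic(results):
    """Detection rate per ATT&CK tactic, so gaps show up by kill-chain stage."""
    totals, hits = {}, {}
    for (_, tactic), detected in results.items():
        totals[tactic] = totals.get(tactic, 0) + 1
        hits[tactic] = hits.get(tactic, 0) + int(detected)
    return {tactic: hits[tactic] / totals[tactic] for tactic in totals}


def silent_failures(previous, current):
    """Techniques detected in the previous run but missed in the current one.
    Without a comparison against an earlier run these regressions go unnoticed."""
    return sorted(key[0] for key, detected in previous.items()
                  if detected and not current.get(key, False))


def validation_report(previous, current):
    """Summarise a validation cycle as the data a CISO would track over time."""
    return {
        "score_previous": overall_score(previous),
        "score_current": overall_score(current),
        "regressions": silent_failures(previous, current),
        "never_detected": sorted(key[0] for key, detected in current.items()
                                 if not detected and not previous.get(key, False)),
        "coverage_by_tactic": coverage_by_tactic(current),
    }
```

Running the report over successive runs turns a one-off score into a trend, which is the difference between a single annual exercise and continual validation.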
Cybersecurity cannot live in a silo
Co-operation and data sharing are also crucial tools for mitigating control failures and creating a threat-informed defence. Traditional security team structures use threat-focused red teams and defence-focused blue teams to test security controls in tandem. However, these teams often work in silos, and exercises are typically performed only once or twice a year, which is insufficient for a rapidly changing threat landscape.
A relatively new security team structure is purple teaming, where testing is aligned through a shared view of the threat and of the systems the teams are supposed to defend. Purple teaming combines red and blue teams to run adversary testing against an organisation's most important controls, selected by understanding which controls are most likely to affect the organisation's operations.
Successful purple teaming aims to share performance data once the exercise is complete, which transforms a traditionally siloed structure into a collaborative effort, breaking down operational barriers and increasing cybersecurity effectiveness.
CISOs as valuable partners
The role of the CISO within an organisation is to be a valuable, trusted partner of the C-suite. This means CISOs are required to demonstrate definitively that the security controls they implement are working as expected, all the time. CISOs are responsible for reporting the cybersecurity health of the company to the Board of Directors in an informative way, but this is challenging without data-driven, quantifiable insight into what is and is not working in their defence architecture.
Decision-making grounded in data-driven insight is invaluable to a business. Using Breach-and-Attack Simulation platforms, organisations can meet the demands of a mercurial threat landscape by continuously testing and validating their security controls.
Validation efforts work like continuous fire drills for an organisation’s defences, emulating adversary behaviour, and ultimately evolving defences to meet the needs of a modern threat landscape, with the aim of creating a comprehensive, resilient cybersecurity strategy. ‘Evidence Based Security’ is now the focus.