Technology Insights HOME | Perspectives from Our Experts on Technology Trends and Risks

Technology Insights HOME

Perspectives from Our Experts on Technology Trends and Risks.

Search

ARTICLE

4 mins to read

Enhancing Cyber Capabilities Using a Threat-Driven Strategy

Ryan McCarthy

Senior Director - Security and Privacy

Views
Larger Font
4 minutes to read

Senior leaders focused on cybersecurity recognize there is considerable guidance, best practices, frameworks, regulations and varied opinions on how programs should design defensive capabilities. In addition, depending on the day, the various pressures in the organization’s macro-environment may be greater or lesser and invite different priorities for time, team and budget. Despite these various pressures and guidance, there tend to be two schools of thought on how to approach the strategic path for a cyber program: a risk management-based approach, and a threat-focused approach. Today we’ll explore both, when one may be more valuable than the other, and key principles for how to incorporate each of them into an overall program.

Risk vs. threat

Risk is a word that we use daily in the security industry, specifically as we speak to our stakeholders including clients, shareholders, boards of directors, risk partners and, in some cases, regulators. This is because risk is generally well understood by these stakeholders and can be expressed in terms of likelihood and impact, and in some cases translated into dollar amounts (see Cyber Risk Quantification). The risk management approach to cybersecurity strategy focuses on the macro view of broad, consistent risks to technology and data, where best practice frameworks and regulatory guidance can be used to limit long-term likelihood or impact to the business from a cyber-attack, and then invests in areas where the program is weak within those frameworks. This is where publications like NIST 800-53, and various ISO/CIS publications focus their control recommendations and many organizations spread those controls out like peanut butter across their environment to ensure broad protection.

Threats are also used often in our stakeholder conversations, though generally as a scare tactic of what could happen, rather than a deliberate discussion about an actor and their tactics and techniques that could be realized against the environment. Often, this is because the audience may not be as familiar with the specific threat actor groups, or the tactics, techniques and procedures (TTPs) those actors typically use within the MITRE ATT&CK framework. The threat-based approach takes a micro-view of the technology attack surface, the vulnerabilities across those assets, and how an attack could be conducted against those assets using frameworks like MITRE ATT&CK to evaluate where their controls are most critical and where gaps can be exploited. Advancements in threat intelligence feeds and tools have adapted MITRE ATT&CK as well, further enabling this approach.

Why is a threat-based approach valuable?

To state it bluntly, an attacker doesn’t care whether a company is compliant with the latest guidance on best practices or how it rates maturity against its favorite capability maturity model. They care that they can exploit a particular vulnerability using a specific series of TTPs to achieve an objective. By taking a threat-based approach to cybersecurity, and seeking to understand the attacker’s point of view, organizations can better anticipate their tactics and enhance defenses that specifically relate to those tactics. This allows the company to be very efficient with its resources as it invests heavily in controls that relate to threats, and less so in controls that simply align with best practices. This is not to say that best practices and control frameworks should be ignored or thrown out, rather they should absolutely be leveraged. However, companies shouldn’t limit efforts solely to meeting high-level control objectives or complying with the latest regulatory guidance which wasn’t designed specifically for the company.

When should a threat-based approach be used?

Most senior leaders looking to understand how they can most effectively move their team’s capabilities to the next level should start with an evaluation of their controls by leveraging one or more of the frameworks previously mentioned to ensure the most likely risks that all organizations face are covered. Without this coverage across the foundational security controls, moving to a threat-focused strategy is likely to waste resources that are desperately needed to close those gaps. The next step is equally critical, which is to ensure that the deployed controls have complete (or mostly complete) coverage across the environment. Too frequently, I see cyber leaders believe that their malware controls, or data leakage protections, or {insert cyber security capability here} are fully deployed across the environment, only to find out (hopefully not the hard way via an incident) that technology, business or other drivers prevented the implementation of the control for large areas of their network.

Once (near) complete coverage of foundational control capabilities is established, it’s a good idea to start incorporating a threat-based approach to determine where resources should best be deployed.

How to implement a threat-based approach

Convinced that the evolution to threat-based cyber security is the path to greatness? Here’s how to start the journey:

  1. Know which assets are most critical to protect – partner with business and technology partners to ensure that there is solid governance of asset inventory, and a clear understanding of the value of those assets. Layer in an analysis of how exposed certain assets are to threats, based on how the network is architected.
  2. Understand threats and prioritize them based on their impact on the assets. Are there specific threat actor groups being tracked that target this industry? Continuously monitor and assess these threats via intelligence gathering (and sharing) and use that intel to enable defensive teams.
  3. Replicate attacks frequently – leverage professional penetration testing services and red team methodologies to simulate threat actor TTPs and learn where the organization is exploitable.
  4. Incorporate threat modeling into application development and architecture boards. By understanding threats before technology is fully deployed, the business will save a significant amount of money in remediation work.

Cybersecurity is a fast-paced industry, with an ever-evolving threat environment. By incorporating a threat-based cyber strategy to understand an attacker’s perspective, organizations can be more effective and more efficient in deployment of defensive controls, keeping the company off the front page of tomorrow’s newspaper.

To learn more about our cybersecurity and third-party risk management solutions, contact us.

Was this article helpful to you?

Thanks for your feedback!

Subscribe to The Protiviti View Blog

To face the future confidently, you need to be equipped with valuable insights that align with your interests and business goals.

In this Article

Find a similar article by topics

Authors

Ryan McCarthy

By Ryan McCarthy

Verified Expert at Protiviti

Visit Ryan McCarthy's profile

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

This blog was originally posted on The Protiviti View. Like companies in other industries, energy and utilities (E&U) organizations want...

Article

What is it about

This blog was originally posted on Forbes.com. Kim Bozzella is a member of the Forbes Technology Council. Here’s a problem...

Article

What is it about

The HITRUST Alliance Common Security Framework (HITRUST CSF) is a cybersecurity framework that helps organizations manage risk and meet regulatory...