Historians and scholars will long analyse the impact of COVID-19 on 2020 society. Its repercussions have been felt everywhere – from schools to soccer, governments to grandparents.
But as our colleague Adrian Nish has pointed out, one thing the pandemic hasn’t done is pause the danger of cyber-attacks from near and far. Social distancing may still dominate our daily discourse but for organisations across the public and private sectors so, too, does the ongoing threat.
In these COVID-shaped times, we know that threat actors are increasing activity and taking advantage of the fact that organisations have been slightly upended by people working in different ways and in different places. This means that effective defence has become all the more critical – which is where Security Threat and Risk Assessment (STARA) comes in.
Seeking security in breadth, not just depth
STARA is a methodology we’ve developed to help organisations strengthen security across the physical, cyber and people domains – all of which need to be connected in order to create an effective security posture.
Its genesis was about a decade ago when BAE Systems decided to undertake a threat and risk assessment of its business. We operate in a federated model, with a number of companies all making up the business as a whole, all run by separate management teams and operating in different ways. This means the threats are different, the assets are different and the organisational cultures are different.
STARA was a way of looking across the business and pulling security together into a single, unified picture. It is a truly holistic risk assessment process, and we have since deployed it for organisations around the world across the public and private sectors.
Methodology matters
Threat is the golden thread that runs through the whole of the STARA methodology. Without threat there is no risk, so we seek to understand the threat to each organisation at the start of the STARA process.
So why is threat so important? Threat actors are varied, and each will seek to attack an organisation in a number of different ways; we need to understand what that threat is before we can identify the risk to the organisation. We therefore undertake a security threat and risk assessment of our own before validating its outputs with security agencies and our own threat intelligence team. This allows us to understand who wants to gain access to an organisation’s information, and which assets are most likely to be targeted by threat actors.
The reason we look across all three pillars of security – cyber, physical and people – is that when a threat actor uses a specific attack methodology for cyber, for example, and fails they will look for other ways of getting the asset they’re after. This may include gaining unauthorised physical access to a facility or recruiting an insider to do the work for them. The bottom line is that threat actors will not stop when one attack fails – they will remain in pursuit.
Through a variety of technical and physical assessments STARA enables organisations to identify, understand, measure and report comprehensive and evidence-based risks, moving an organisation to adaptive and hybridised defence in depth.
In phase one, we identify, understand and define the current threat landscape in which an organisation operates. In phase two, we review and understand all documentation and assets, covering people, technical and physical. In phase three, we measure the organisation’s potential attack surface by simulating realistic threat scenarios and identifying vulnerabilities and risks. In the final phase, we bring together all of our outputs.
The big picture
What’s key, though, is to view the organisation as a whole in order to truly understand its threats, capabilities and vulnerabilities – rather than the more traditional approach of meeting compliance standards and reviewing silos in isolation.
Defence in breadth requires holistically understanding all domains and all hazards – only then will true security be achieved.
About the authors
Gary Poole is Head of Managed Security at BAE Systems Applied Intelligence
Kieran Cassidy is a Cyber Security Consultant at BAE Systems Applied Intelligence