Delivering information defence in breadth 

BAE Systems Applied Intelligence

Identifying security threats is an age-old problem facing any organisation. Gary Poole and Kieran Cassidy explain why a holistic approach holds the key to effective defence – pandemic or no pandemic.

Global Executive Client Forum blog

Historians and scholars will long analyse the impact of COVID-19 on 2020 society. Its repercussions have been felt everywhere – from schools to soccer, governments to grandparents.
But as our colleague Adrian Nish has pointed out, one thing the pandemic hasn’t done is pause the danger of cyber-attacks from near and far. Social distancing may still dominate our daily discourse but for organisations across the public and private sectors so, too, does the ongoing threat. 
In these COVID-shaped times, we know that threat actors are increasing activity and taking advantage of the fact that organisations have been slightly upended by people working in different ways and in different places. This means that effective defence has become all the more critical – which is where Security Threat and Risk Assessment (STARA) comes in.

Seeking security in breadth, not just depth

STARA is a methodology we’ve developed which seeks to help organisations strengthen security across physical, cyber and people – all of which need to be connected together in order to create an effective security posture.
Its genesis was about a decade ago, when BAE Systems decided to undertake a threat and risk assessment of its own business. We operate in a federated model: a number of companies make up the business as a whole, each run by a separate management team and operating in its own way. This means the threats are different, the assets are different and the organisational cultures are different.
STARA was a way of looking across the business and pulling security together into a unified picture. It is a true holistic risk assessment process, and we have deployed it for organisations around the world across the public and private sectors.

Methodology matters

Threat is the golden thread that runs through the whole of the STARA methodology. Without threat there is no risk, so we seek to understand the threat to each organisation at the start of the STARA process.
So why is threat so important? Threat actors are varied, and each will seek to attack organisations in a number of different ways; we need to understand what that threat is before we can identify the risk to an organisation. Therefore, we undertake a security threat and risk assessment of our own before validating its outputs with security agencies and our own threat intelligence team. This allows us to understand who wants to gain access to an organisation's information, and which assets are most likely to be targeted by threat actors.
The reason we look across all three pillars of security – cyber, physical and people – is that when a threat actor uses a specific attack methodology for cyber, for example, and fails they will look for other ways of getting the asset they’re after. This may include gaining unauthorised physical access to a facility or recruiting an insider to do the work for them. The bottom line is that threat actors will not stop when one attack fails – they will remain in pursuit.
Through a variety of technical and physical assessments, STARA enables organisations to identify, understand, measure and report comprehensive, evidence-based risks, moving an organisation towards adaptive and hybridised defence in depth.
In phase one, we identify, understand and define the current threat landscape in which an organisation operates. In phase two we review and understand all documentation and assets – inclusive of people, technical and physical. Phase three sees us measure the potential attack surface of an organisation by simulating realistic threat scenarios, identifying vulnerabilities and risks. And in our final phase we bring together all of our outputs.
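The cross-pillar argument above (an actor blocked on the cyber route pursues the asset through physical access or an insider) can be made concrete with a small risk register. The code below is an added illustration and is not STARA's own tooling or scoring model; the actors, assets, impact values, path likelihoods and the "impact times probability that at least one unblocked route succeeds" formula are all constructed assumptions for the example.

```python
"""Cross-pillar risk illustration (added example, not BAE Systems' STARA tooling).

Models the point in the text: mitigating one pillar only removes the routes
through that pillar; the threat actor's other routes to the asset remain.
All scores and scenarios below are constructed for this illustration.
"""
from dataclasses import dataclass

PILLARS = ("cyber", "physical", "people")


@dataclass(frozen=True)
class AttackPath:
    actor: str
    asset: str
    pillar: str
    likelihood: float  # constructed 0..1 estimate that this route succeeds


@dataclass(frozen=True)
class Asset:
    name: str
    impact: float  # constructed 0..1 business impact if compromised


def validate(paths):
    """Reject paths outside the three pillars or with out-of-range scores."""
    for p in paths:
        if p.pillar not in PILLARS:
            raise ValueError(f"unknown pillar {p.pillar!r} on {p.asset}")
        if not 0.0 <= p.likelihood <= 1.0:
            raise ValueError(f"likelihood out of range on {p.asset}")


def asset_risk(asset, paths, mitigated=frozenset()):
    """Risk = impact x P(at least one unmitigated route succeeds).

    Routes are treated as independent attempts: the actor tries each one in
    turn, so blocking a pillar removes only the routes through that pillar.
    """
    p_all_fail = 1.0
    for p in paths:
        if p.asset != asset.name or p.pillar in mitigated:
            continue
        p_all_fail *= 1.0 - p.likelihood
    return round(asset.impact * (1.0 - p_all_fail), 4)


def risk_register(assets, paths, mitigated=frozenset()):
    """Residual risk per asset under a given set of mitigated pillars."""
    validate(paths)
    return {a.name: asset_risk(a, paths, mitigated) for a in assets}


def residual_fraction(assets, paths, mitigated):
    """Share of the unmitigated total risk that survives the mitigation plan."""
    base = sum(risk_register(assets, paths).values())
    after = sum(risk_register(assets, paths, mitigated).values())
    return round(after / base, 4) if base else 0.0


# Constructed sample data: one high-value asset reachable via all three
# pillars, one lower-value asset reachable only via the cyber pillar.
ASSETS = [Asset("design data", 0.9), Asset("payroll records", 0.4)]
PATHS = [
    AttackPath("state actor", "design data", "cyber", 0.5),
    AttackPath("state actor", "design data", "people", 0.3),   # insider recruitment
    AttackPath("state actor", "design data", "physical", 0.2),  # facility access
    AttackPath("criminal group", "payroll records", "cyber", 0.6),
]

if __name__ == "__main__":
    for label, plan in [("no mitigation", frozenset()),
                        ("cyber only", frozenset({"cyber"})),
                        ("all three pillars", frozenset(PILLARS))]:
        print(f"{label:18} {risk_register(ASSETS, PATHS, plan)} "
              f"residual={residual_fraction(ASSETS, PATHS, plan)}")
```

With the constructed figures, blocking only the cyber routes leaves roughly 60 per cent of the design-data risk in place, because the people and physical routes are untouched; only mitigating across all three pillars drives the register to zero. That is the "defence in breadth" argument expressed as arithmetic.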

The big picture

What's key, though, is to view the organisation as a whole in order to truly understand its threats, capabilities and vulnerabilities, rather than taking the more traditional approach of meeting compliance standards and reviewing silos in isolation.
Defence in breadth requires a holistic understanding of all domains and all hazards; only then will true security be achieved.
About the authors
Gary Poole is Head of Managed Security at BAE Systems Applied Intelligence
Kieran Cassidy is a Cyber Security Consultant at BAE Systems Applied Intelligence
Gary Poole, Head of Managed Security, and Kieran Cassidy, Cyber Security Consultant, BAE Systems Applied Intelligence, 30 November 2020