Protecting against advanced attacks: Planning for successful cyber security

We all know that targeted attacks are on the rise. But contrary to what you may hear, there is no silver bullet. A good cyber security program requires a well-defined strategy, talented resources and a coordinated set of security tools. 
[Figure: Forrester's Targeted-Attack Hierarchy of Needs]
A report from Forrester has become something of a touchstone for this approach. The Targeted Attack Hierarchy of Needs, as shown here in the graphic, reiterates the need for a comprehensive strategy, and presents a six-step approach to combat targeted attacks. We conducted a webinar with Forrester late last year on this topic.
This blog will touch on the first three steps of the process, and provide examples of how to provide a strong defense against what, for many organizations, is a rapidly changing landscape of advanced threats. Part two of this blog series will cover the remaining three steps.

Step 1: A Coordinated Security Strategy 

The first step in preparing a cyber defense is ensuring you have a well-defined security strategy that includes an understanding of your environment (from the inside out) and the threat landscape (from the outside in). From my perspective, a good strategy also requires an understanding of both your current state and future goals. 
Look to define the following:
  • What are your business priorities? 
  • How will the cyber security strategy support business priorities?
  • What is the current level of cyber security maturity?
  • Which risks could have the greatest impact on business operations and reputation?
  • What is the future vision for cyber security?
One example of the benefit of a joined-up strategy is a payment processing company that we worked with recently. The company hadn’t revisited its security strategy in over two years, and senior management had concerns over the business risk with payment processing and back-end systems. After a holistic risk assessment and cyber threat landscape review, a number of vulnerabilities and systems changes were identified to improve their cyber security and better align to business priorities. The result was a cyber security strategy and prioritization plan to both improve the current process and help the internal business teams assess and review risks as new processes come online, so that new gaps in the defenses didn’t go undetected.

Step 2: People

The lifeblood of an organization is its people. Improving their skills and ensuring their retention is often a key priority. Proper business defense relies on talented people flexible enough to adapt with the threat landscape, and make the best use of the security tools they buy, are given or craft for themselves. From my experience working with clients, the task of gathering such a workforce is a multi-step endeavor.
It starts with providing comprehensive cyber security training and ongoing education. It’s also important to ensure there is a pool of talented individuals joining the organization from education, with valuable cyber security skills and expertise. Management must continually monitor the talent pool to ensure their employees have the diversity of skills and experiences required.
To give an example, one US community bank made a significant acquisition, and soon after experienced a major data breach. They quickly arranged for some analysis of their newly combined security staff and programs to evaluate the shortfalls in their current environment. Once the current gaps were identified and future needs were assessed, they brought in a managed security service provider where appropriate, and an e-security training provider to rationalize and scale their security staff. This project not only reduced the risk of a successful attack; it also resulted in a threefold ROI, saving $650,000 in hiring costs and $130,000 in improved staff productivity.

Step 3: Fundamentals

The third step in preparedness is security fundamentals. A very simple way to deter attackers is to take away all easy entry methods – but it’s not always a simple task to perform.
Strong cyber security fundamentals can support compliance needs, and stop a significant volume of lower level attacks. This includes security monitoring and management, along with ensuring the core controls are in place to prevent gaps in perimeter security.
One US broadcaster recently had to comply with new, more stringent data laws, and it was struggling to find and keep skilled security talent to make that possible. It decided to adopt a set of Managed Security Services (MSS) capabilities to offload some functions, which would allow existing staff to become more productive. Before this change, three IT staffers had spent 60% of their time managing the firewall. Now it only takes 10% of their time, leaving them free to focus on higher priority projects.
In the second blog post in this two-part series, we’ll cover the remaining three steps by addressing the prevention, detection and response aspects of this topic.
Dave Gormley, Product Specialist, Cyber Security 11 April 2016