How to raise your organisation’s security maturity level

…the need for Security Intelligence and why it should be a board-level concern

Author • Fran Howarth



Executive summary

Security risks are everywhere in today’s always-on, online world and everyone faces threats, from individuals, through small and medium organisations, to large enterprises. Everyone should consider themselves a target and the consequences of being hit can be dire.

Cyber security has become too important to be left to chance. Security threats are increasing in volume, severity and complexity. Attackers use increasingly advanced methods to try to breach defences – and are successful in so many cases that it is not a case of if you will be breached, but when and how often.

For any organisation, a strategy focused merely on preventing attacks from reaching the network is insufficient. To safeguard sensitive data and perhaps even the business itself, the focus must shift to detection and response.

A new mindset is required for security. Security risks need to be seen in the context of overall risk, including financial and operational. Security needs to be pervasive, throughout all levels of the organisation and across all systems on and connected to the network. Only then can an organisation achieve the level of security that is required.

This paper takes a look at the stages involved in the security maturity journey and defines five stages along that journey. It then sets out to describe how organisations can move from being security blind to reaching a level of true resilience. Whilst not every organisation has the same level of risk tolerance nor unlimited budgets, organisations should consider how they can move up the scale to reach the level of security maturity that is most appropriate for them.

Fast facts

Security Intelligence is vital for achieving the levels of visibility across all systems and endpoints on the network to detect all threats and to gauge the level of risk that they pose.

It will provide the actionable insight that is required for better decision making.

Security Intelligence will drive the incident response process, enabling organisations to better gauge what countermeasures will be the most effective.

It will allow for remediation processes to be automated where appropriate.

For any organisation, security must be driven from the top. Executive sponsorship will ensure that security is driven throughout the organisation and that investments in security controls are appropriate and sufficient.

The bottom line

The need to better align security with overall risk in order to protect business reputation is top of the mind for many organisations. In the past, many security investments were driven by regulatory and industry standards compliance requirements, but that often leads to security being implemented in a piecemeal fashion, leaving gaps that can be exploited. That is no longer tenable. An end-to-end stance is required that covers processes from threat prevention through detection to response. By implementing a Security Intelligence framework, organisations will benefit both in terms of risk reduction as well as allowing the business to run smoothly, without the need to constantly be in firefighting mode as incidents occur. By striving for higher levels of security maturity, security objectives will be much more easily achieved.


Security risks are increasing

Cyber risks are seen as one of the greatest challenges facing developed economies today and are vastly increasing the challenges that organisations face in containing overall risk. Every organisation should consider itself a target.

According to the PwC Information security breaches survey 2015, 90% of large organisations in the UK experienced a security breach in the past year, up from 81% the previous year, and 74% of small organisations, up from 60%. Almost every organisation has sensitive data that it needs to protect, from customer and financial records, to intellectual property and trade secrets. Information such as that has great value – both to the organisation and to an ever-growing roster of criminals looking to steal it for their own gain or to compromise the organisation for ideological purposes.

Therefore, every organisation should consider itself a target and should ensure that they are doing as much as they can to adequately protect themselves. It is not a case of if an organisation has been breached, nor when; but rather how often.

As Figure 1 shows, not only are attacks becoming more frequent, but they are also increasing in severity. Slightly more than a half agree that it is extremely important to take the offensive against criminals and almost as many believe that they are vigilant in monitoring cyber attacks. However, only just over a quarter state that their budget for mitigating cyber intrusions is sufficient.

As Figure 2 shows, protecting customer information is the top driver for information security investments by a large margin, and this is something that remains consistent with earlier surveys. The need to protect the organisation’s reputation has jumped in 2014 into second place, cited by 21%, which is considerably higher than the 14% recorded in 2013, when it was placed fourth. Regulatory compliance is being seen as less of a driver, although this will likely change when the new EU data protection regulation comes into effect, with vastly increased sanctions for data breaches. Protecting intellectual property is important, but varies by industry, with the technology, consulting and professional services sectors seeing this as particularly important.

Figure 1: Challenges to achieving a strong cyber defence
Source: Ponemon Institute, strongly agree and agree responses combined

75% The severity of cyber attacks experienced is on the rise
68% The frequency of cyber attacks experienced is on the rise
53% Launching a strong offensive against hackers and other cyber criminals is very important
46% Organisation is vigilant in monitoring cyber attacks
27% Security budget is sufficient for mitigating most cyber attacks (intrusions)

Figure 2: What is the main driver for information security?
Source: PwC

34% Protecting customer information
21% Protecting the organisation’s reputation
11% Prevent downtime & outages
10% Protecting intellectual property
10% Complying with laws/regulations
9% Other
5% Maintaining data integrity


Perhaps the lack of focus on intellectual property loss is surprising in the data in Figure 2 given that respondents to the Ponemon survey depicted in Figure 3 state that it is the most damaging consequence of a cyber attack or intrusion. Should such information fall into the hands of a competitor, an organisation can see its competitive advantage dissolve.

However, the two surveys appear to agree that damage to brand and reputation can have dire consequences. In the aftermath of many of the highly publicised mega breaches that have been seen over the past couple of years, the share prices of many of the affected organisations tumbled and customers fled to competitors. According to the Risk Management Society, as much as 75% of an organisation’s value is based on its reputation.

Cisco states that 54% of organisations responding to its security capabilities benchmark study have had to manage public scrutiny of a security breach. In terms of reputational damage caused by the worst security incident of the year, PwC recently found that 17% suffered extensive adverse media coverage over a prolonged period, 17% had some adverse media coverage, and 22% received no media coverage, but had complaints from some customers.

Figure 4 looks at the fallout from the most serious security incident that organisations have suffered in the past year. Whilst smaller breaches may be easier to contain and will not necessarily be made public, more serious incidents weigh heavily on an organisation’s reputation. Add to that the loss of assets and the cost to fix the problem, and it is clear just how much a serious breach can cost an organisation.

Figure 3: Consequences as a result of a cyber attack or intrusion
Source: Ponemon Institute, 1-10 scale (10 = most severe)

9.15 Lost intellectual property/including trade secrets
8.64 Reputation damage
7.22 Productivity decline
6.75 Damage to critical infrastructure
4.55 Customer turnover
3.97 Regulatory actions or lawsuits
2.89 Lost revenue
2.37 Stolen or damaged equipment
1.99 Cost of outside consultants and experts

Figure 4: What made a particular incident the worst of the year?
Source: PwC


The new security imperative

Security breaches are increasing in volume and new technologies such as cloud computing, social networks and increasingly powerful mobile devices are making networks ever more porous, creating more chances for attackers to infiltrate organisations. Traditional security technologies and strategies are no longer up to the task of safeguarding networks.

Historically, many security technology investments have focused primarily on preventing attacks, but advanced attacks are increasingly difficult to defend against and attacks are getting through. The focus needs to change to one of incident detection and response. However, detecting incidents that have occurred is something that many organisations struggle with. And this is made harder by the tactics deployed by attackers, who look to gain a foothold on the network and then maintain a long-term presence undetected. The longer an attacker is inside the network, the greater the damage they can cause in terms of the data they are able to collect, increasing the overall cost of the breach.


Achieving security maturity

In order to protect sensitive information and perhaps even to keep the business afloat, organisations need to strive to achieve a higher level of security maturity. Figure 5 depicts five levels of security maturity.

At the most basic level, organisations will be putting out fires, trying to ward off attacks with insufficient security controls, generally placed at the perimeters of the network to prevent what attacks they can from getting through. Security is seen primarily as an IT problem. But the point of IT is to increase efficiencies and keep the business running smoothly. This often leaves security under-funded.

In recent years, regulatory mandates and the need to comply with industry standards that demand security controls be placed around sensitive data have led to the need for greater investments to be made in security. Yet, this often leads to organisations investing in just those technologies that they need to achieve compliance, with little overall oversight.

As organisations move up the security maturity stack, they move from a strategy based around prevention alone to one of detection and rudimentary incident response, implementing more proactive controls and putting in place more formal policies and processes. At this stage, security becomes more integrated into the overall business and achieves more autonomy from IT.

By the time they reach the fourth level, organisations are becoming more resilient. To achieve this level, executive support is essential to drive investments in technologies that enable them to see and respond quickly to threats, backed up by a team of dedicated security personnel. They will be better able to counter even advanced threats and respond to incidents in a timely manner using countermeasures that have been developed.

The panacea is the fifth level, where a high level of security maturity has been achieved and the organisation is capable of defending against and withstanding even the most extreme attacks. Generally, the CISO has a place on the board, reporting directly to the CEO so that cyber security risks are considered alongside all the other risks that the organisation faces and a culture of security is driven throughout the business. At this point, the organisation can consider itself to be highly resilient.

To get to this point, there are a number of things that organisations need to do. They need to invest in capabilities that cut right across the threat detection and response lifecycle, backed up by strong capabilities in terms of Security Intelligence. This requires that adequate budget is allocated to security and that the entire programme is overseen by an executive with sufficient clout to bridge the traditional security communications gap between security practitioners and those in charge of the purse strings. With adequate resources dedicated to it, security can come to be seen as an enabler for the business, rather than a hindrance, and a culture of security can be driven throughout the organisation.

“ In the modern economy, every company runs on IT. That makes security the business of every person in the organisation, from the chief executive to the newest hire, and not just personnel with “security” in their title or job description. Everyone should be accountable and learn how not to be a victim.” Source: Cisco

Figure 5: Security maturity levels

Level 1: Blind
• Focused on prevention
• Security seen as IT problem
• Lack of dedicated budget and executive support
• Basic perimeter controls and complete lack of visibility

Level 2: Minimally compliant
• Investments driven by mandates
• Checkbox attitude
• Ad hoc processes
• Minimal reporting to executives
• Monitoring technologies implemented

Level 3: Securely compliant
• Improved capabilities for detection and response
• Security more integrated into the business
• Larger security team and more autonomy from IT
• More proactive controls
• Formal policies and processes, including basic incident response

Level 4: Vigilant
• Able to see and quickly respond to threats
• High levels of automation and integration
• Strong executive support
• Large, dedicated security team
• Able to see advanced threats early
• Formal incident response with established countermeasures

Level 5: Resilient
• Capable of withstanding and defending against even most extreme attacks
• CISO reports to CEO
• Cybersecurity part of the culture
• Extremely resilient


Security should be a board-level concern

Having executive oversight of all of the risks that an organisation faces is essential for effective, enterprise-wide risk management and for achieving a high level of security maturity. However, although the situation is improving, this is still not the case for many organisations, which can leave them stumbling around in the dark. According to PwC, 28% of the worst breaches in the past year were caused partly by senior management giving insufficient priority to security. It found recently that 14% of security managers have never briefed their board on security risks and 21% have not briefed them in the past year. Figure 6 shows promising data in that cybersecurity is at least discussed at board meetings. However, anecdotal evidence from a recent CISO forum in the UK shows that those discussions are often limited in scope.

The National Association of Corporate Directors of the US recommends that risk oversight should be a function of the full board of directors but, as Figure 7 shows, this is only the case for a quarter of organisations that PwC surveyed. For 30%, there is no engagement of board committees or members in cyber risks.

Figure 6: How often are cybersecurity matters discussed during board meetings?
Source: NYSE Governance Services

35% Every meeting
46% Most meetings
10% Only after internal or industry incident
8% Only after a string of high-profile breaches in our industry
1% Never

Figure 7: Board engagement in cyber risks
Source: PwC

27% Full board of directors
25% Risk committee
32% None
16% Audit committee


Preventive and detective controls must be implemented by management, but the board is responsible for monitoring them. A board oversight programme can demonstrate that reasonable security protocols and procedures are in place. Board oversight of security is one of the key ways of moving up the security maturity scale. It will ensure that cybersecurity risks are placed on a par with all the other risks the organisation faces.

Why cybersecurity needs board oversight

1. The impact of cybersecurity is systemic. Incidents can impact an organisation’s global operations even when the point of risk is thousands of miles away.
2. The financial impact can be significant.
3. As regulations evolve, compliance is becoming more challenging and increasingly costly.
4. The Internet of Things has brought new threats that can cause extreme risks and tremendous physical damage.
5. Cybersecurity insurance should be considered as a regulatory hedge against cyber risks.
6. Adversaries are working together to attack organisations.
7. Cyberattacks can result in substantial financial losses and damage brand reputations.

Source: PwC

Five principles for enhancing the oversight of cyber-risks

1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
5. Board management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

Source: National Association of Corporate Directors

PwC believes that boards need to know about evolving risks, as well as the organisation’s security preparedness and response plans. But they can only do this if they have effective oversight of the risks faced. The text box “Why security needs board oversight” explains why board involvement is necessary.

The National Association of Corporate Directors recommends that risk oversight be a function of the full board, not just one committee, in order to have responsibility for cybersecurity risk. Risk must be seen as an enterprise-wide issue, not just one that concerns IT. The board needs to be in a position to be able not only to identify risks that the business faces, but to be able to determine which to avoid, accept, mitigate or transfer through insurance. ISACA states that the potential risks to consider include the proliferation of BYOD and smart devices, cloud computing, outsourcing of critical business processes to a third party, including the lack of controls around third-party services, disaster recovery and business continuity, periodic access reviews, log reviews and advanced persistent threats.

PwC warns that regulators and a plaintiff’s counsel may view the lack of substantive board consideration of operational cyber risks as meaning it does not have the required security controls in place.


Figure 8: Network security technologies in use or planned for acquisition
Source: CyberEdge Group

Technology                                      Currently in use   Planned for acquisition
Network-based antivirus                         76%                16%
Intrusion detection/prevention system           69%                22%
Secure email gateway                            69%                18%
Secure web gateway                              63%                22%
DoS/DDoS                                        59%                22%
SIEM                                            56%                26%
Next-generation firewall                        54%                32%
Web application firewall                        54%                28%
Advanced malware analysis/sandboxing            53%                27%
Data loss prevention                            51%                31%
Network behaviour analysis/net flow analysis    47%                30%
Security analytics/full-packet capture          45%                33%
Threat intelligence service                     43%                32%

The need for unified Security Intelligence

The shift from prevention to detection and response requires greater Security Intelligence. According to LogRhythm, Security Intelligence is the single largest enabler of collapsing the incident response cycle via:

• Centralised, full spectrum visibility around the threat and associated incident, delivered via powerful analytic tools.

• Integrated workflows and collaboration capabilities that expedite the analysis and response process.

• Automation in support of incident response processes and the deployment of countermeasures.

Security Intelligence starts with the ability to capture forensic data from every system throughout the network, whether that be an endpoint, a network security device, or even a physical security device. Every threat or incident leaves forensic traces that can be collected from log and machine-generated data from all these systems. Security Intelligence provides the ability to correlate, visualise and analyse this data, even across massive “big data” sets, to discover the sequence of how an attack occurred, how far it has spread and which systems have been impacted. By leveraging a Unified Security Intelligence Platform, context is applied to raw data from disparate sources, turning it into actionable intelligence.

According to the CyberEdge Group, security analytics technology with full-packet capture capabilities is currently the top-rated technology acquisition being planned by organisations. As Figure 8 shows, security analytics, network behaviour analysis and SIEM are all near the top in terms of planned acquisitions, all of which will help boost levels of Security Intelligence.

Big data analytical capabilities are essential for analysing extremely large data sets. According to the SANS Institute, respondents to its analytics and intelligence survey in 2013 did not believe that big data would stick, whereas the results of its 2014 survey indicate that the majority believe big data to be a valid approach. However, that validity is dependent on integration of analytics solutions with numerous internal detection platforms to increase visibility and improve Security Intelligence.


Figure 10: Main impediments to attack detection and incident response

Source: SANS Institute

The use of a Unified Security Intelligence Platform will iron out many of the commonly cited impediments to attack detection and response, which are shown in Figure 10. One commonality among many of the responses is the lack of visibility that impedes the process of detecting and responding to incidents. Security Intelligence provides that visibility, adding context to raw data and providing the actionable insight that is required for better decision making.

The survey found that next-generation SIEM systems that can analyse and provide intelligence alerts are used by 37% and 32% use retrospective review of logs or SIEM-related data for initial discovery of security events. These technologies provide the visibility across systems from which Security Intelligence can be derived.

By leveraging machine analytics, a Unified Security Intelligence Platform provides the means to analyse all this data, enabling the organisation to be better able to assess the severity of the threat to determine whether or not further investigation is required, based on the level of calculated risk. It will find it easier to determine the root of an incident, assess its scope and determine what action to take. These are considered to be the most time consuming incident detection and response tasks.

39.1% Lack of visibility into applications, underlying systems and vulnerabilities
36.2% Inability to understand and baseline “normal behaviour” in order to detect abnormal behaviour
30% Lack of people and skills/dedicated resources
26.3% Not collecting the appropriate operational and security-related data to make associations with
24.7% Lack of visibility into the network
22.2% Lack of visibility into the endpoints and specific users
19.3% Lack of visibility into mobile devices
18.5% Lack of context to know what threats are important based on criticality of assets
15.6% Lack of external perspective/intelligence on new threats/indicators of compromise
14.4% Lack of visibility into cloud-based applications and processes
13.6% Lack of central reporting and remediation controls

Figure 9: What processes are the most time consuming incident detection/response tasks?
Source: ESG, three responses accepted

47% Determining the impact and/or scope of a security incident (ie what altered on a system, what this situation did, what other systems were affected)
42% Taking action to minimise the impact of an attack (ie taking the system offline, segmenting the network, etc)
41% Analysing security intelligence to detect security incidents
39% Determining which assets, if any, remain vulnerable to a similar type of attack
38% Performing forensic analysis to determine the root cause of the problem
35% Altering security controls to prevent future similar types of malware attacks
32% Conducting retrospective remediation to determine scope of outbreaks, contain them and automatically remediate malware
26% Getting the right data for accurate situational awareness


Automated response

Security Intelligence will provide organisations with the actionable insight that they need to determine the best way to respond to and recover from any security incident that occurs. This will help to quickly decide on countermeasures in order to limit the damage caused and to allow normal business operations to be resumed as quickly as possible. However, for incident response to be effective, it must be as automated as possible – especially since the top impediment to incident response is lack of dedicated in-house personnel, as shown in Figure 11.

Once the Security Intelligence Platform has identified a threat and determined that it poses a real risk, organisations should move on to the investigation stage. At this point, the threat will be fully analysed to determine its scope and level of risk so that countermeasures can be decided on that can mitigate the risk posed. Any technology chosen should provide a suggested range of countermeasures to be taken. Where the risk of using the chosen countermeasure is deemed to be low and there is little likelihood of further disruption, such as a critical system being taken offline, fully automated remediation can take place. Where the risk of implementing a fully automated response is perceived to be higher, human guidance steps should be included whereby security personnel and managers review the remediation process prior to implementation and assess the results during and after the process.

Benefits of using Security Intelligence to increase security maturity

As organisations move beyond firefighting and compliance-oriented mindsets and switch from a policy of prevention alone to threat detection and response, Security Intelligence is vital for guiding organisations through the process. It will add context to raw data collected from throughout the network, giving organisations the intelligence and actionable insight that they need for more informed decision making. It will help guide organisations along the path to achieving full security maturity.

However, all parts of the business and every system on or connected to the network must be included if full security maturity is to be achieved. To achieve pervasive security, everyone must be involved in the organisation, from top-level executives to the newest hires. Security requires board-level sponsorship and oversight so that it is given the priority that is required, so that even the most complex and pervasive threats can be countered.
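The two mechanisms the paper describes, correlating log data from disparate systems to reconstruct the sequence and scope of an attack (under “The need for unified Security Intelligence”) and the risk-gated response procedure above (investigate, suggest countermeasures, automate low-disruption remediation, route higher-risk steps through human review), are shown together in the following added example. It is illustrative code written for this page, not code from Bloor, LogRhythm or any product the paper mentions. The log lines are constructed, the event weights, asset criticalities, countermeasure catalogue and threshold are assumed values, and all function names are hypothetical.

```python
"""Added example (not from the Bloor paper): correlate constructed log records
from endpoint, network and physical-access sources into an incident timeline,
score the incident against assumed asset criticality, and gate each suggested
countermeasure between fully automated and human-reviewed execution."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample log lines (not real data), normalised to one
# pipe-delimited shape: timestamp|source|key=value|...
SAMPLE_LOGS = [
    "2016-01-12T09:01:05Z|badge|host=server-room|user=alice|event=door_open",
    "2016-01-12T09:03:10Z|endpoint|host=ws-17|user=alice|event=new_process|proc=powershell.exe",
    "2016-01-12T09:03:42Z|endpoint|host=ws-17|user=alice|event=suspicious_binary|proc=unsigned.exe",
    "2016-01-12T09:05:00Z|firewall|host=ws-17|dst=203.0.113.9|event=large_egress|bytes=58000000",
    "2016-01-12T09:07:15Z|endpoint|host=db-01|user=alice|event=lateral_login|src=ws-17",
    "2016-01-12T14:30:00Z|endpoint|host=ws-22|user=bob|event=new_process|proc=excel.exe",
]

# Assumed weights and context; a real platform would load these from its
# asset inventory and detection content rather than hard-code them.
EVENT_WEIGHT = {"door_open": 0, "new_process": 1, "lateral_login": 3,
                "suspicious_binary": 4, "large_egress": 5}
ASSET_CRITICALITY = {"ws-17": 1.0, "ws-22": 1.0, "server-room": 2.0, "db-01": 3.0}
# Assumed countermeasure catalogue: name -> expected business disruption.
COUNTERMEASURES = {"block_egress_ip": "low", "isolate_host": "medium",
                   "take_system_offline": "high"}


@dataclass
class Event:
    ts: datetime
    source: str
    fields: Dict[str, str]

    def keys(self) -> Set[str]:
        """Values an event can be pivoted on when correlating."""
        return {self.fields[k] for k in ("host", "user", "src") if k in self.fields}


@dataclass
class Incident:
    events: List[Event] = field(default_factory=list)

    def hosts(self) -> List[str]:
        """Scope of the incident: every system that appears in it."""
        return sorted({e.fields["host"] for e in self.events})


def parse_event(line: str) -> Event:
    ts, source, *pairs = line.strip().split("|")
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, fields)


def correlate(lines: List[str], window: timedelta = timedelta(minutes=15)) -> List[Incident]:
    """Chain events that share a host, user or source host and fall within
    `window` of the incident's latest event; anything else starts a new one."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    incidents: List[Incident] = []
    for ev in events:
        for inc in incidents:
            seen = set().union(*(e.keys() for e in inc.events))
            if ev.ts - inc.events[-1].ts <= window and ev.keys() & seen:
                inc.events.append(ev)
                break
        else:
            incidents.append(Incident([ev]))
    return incidents


def timeline(inc: Incident) -> List[str]:
    """The reconstructed sequence of the attack, one line per event."""
    return [f"{e.ts:%H:%M:%S} {e.source:<8} {e.fields['host']:<11} {e.fields['event']}"
            for e in inc.events]


def score_incident(inc: Incident) -> float:
    """Event weight multiplied by the criticality of the asset it touched."""
    return float(sum(EVENT_WEIGHT.get(e.fields["event"], 1)
                     * ASSET_CRITICALITY.get(e.fields["host"], 1.0) for e in inc.events))


def suggest_countermeasures(inc: Incident) -> List[str]:
    """Suggested range of countermeasures, least disruptive first."""
    events = {e.fields["event"] for e in inc.events}
    critical_hit = any(ASSET_CRITICALITY.get(h, 1.0) >= 3.0 for h in inc.hosts())
    suggested = []
    if "large_egress" in events:
        suggested.append("block_egress_ip")
    if events & {"suspicious_binary", "lateral_login"}:
        suggested.append("isolate_host")
    if "lateral_login" in events and critical_hit:
        suggested.append("take_system_offline")
    return suggested


def plan_response(inc: Incident, threshold: float = 8.0) -> List[Tuple[str, str]]:
    """Gate each countermeasure: low-disruption actions run automatically,
    anything riskier is queued for human review before it is executed."""
    if score_incident(inc) < threshold:
        return []  # below the investigation threshold: keep monitoring
    return [(cm, "automated" if COUNTERMEASURES[cm] == "low" else "human_review")
            for cm in suggest_countermeasures(inc)]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print("\n".join(timeline(inc)))
        print(f"scope={inc.hosts()} score={score_incident(inc)} plan={plan_response(inc)}\n")
```

Running the block chains the badge, endpoint and firewall records for one user and workstation into a single incident whose scope reaches the database server, while the unrelated afternoon event stays a separate low-score incident that is only monitored. The egress block is the only action executed without a person in the loop; isolating the workstation and taking the critical server offline are held for review, which is the disruption-based split the paper recommends.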

Figure 11: Top impediments to incident response
Source: SANS Institute

66% Staffing and skills shortage
54% Budgetary shortages for tools and technology
45% Not enough visibility into events across different systems or domains
42% Lack of procedural reviews and practice
37% Inability to distinguish malicious events from non-events


Summary

All organisations are at risk of a security breach that could have extremely damaging consequences. Taking into account their own appetite for risk and any budgetary constraints, every organisation should strive to achieve as resilient a security posture as possible.

Security Intelligence provides the visibility that is necessary for being able to not just detect, but to respond to threats and vulnerabilities on the network and all endpoints that are connected to it by providing the relevant information and context that provide the actionable insight needed for effective decision making. With such capabilities, organisations will be able to move up the security resilience scale to the point where they have the confidence that they are doing the most that they can for protecting sensitive assets and safeguarding the organisation.


2nd Floor 145–157 St John Street

LONDON EC1V 4PY United Kingdom

Tel: +44 (0)207 043 9750 Web: www.Bloor.eu


January 2016