Security practitioners have long held the opinion that an understanding of assets and risk is the bedrock for security. This understanding increases confidence in the decisions made to allocate resources to protect the assets that really matter from the things that are most likely to cause serious damage to the organization.
But, is their thinking trapped in the past?
New terms like threat-led and intelligence-led security seem to be de rigueur. Every cyber security professional will be familiar with the terms even if they may not always be entirely comfortable with them. It is perhaps easier to understand the role that threat intelligence plays in cybersecurity defenses.
Clearly, it has to be understood by professionals working in security operations centres and incident response teams, but how does it relate to the foundation of risk management? Put simply, threat intelligence provides a picture of the current landscape and the methods attackers are using.
However, sophisticated cyber attackers do not infiltrate your network without specific intent, so the first step remains to establish what the likely targets of a cyber attack would be. The attackers will aim for your assets, that is, any organisation-owned information, software or hardware that is used in the course of the organisation's business activities. The value of a particular asset can be determined by assessing the impact that would be realised if it were to cease to be available or to operate correctly.
These assets are likely to be very specific to your organisation, and this is why it is important that the threat and risk analysis process is collaborative; threat-intelligence needs to be interpreted in context.
There are different scales that can be used to assess the value of an asset:
- Business value can be evaluated in relation to business processes. Typically the correctness, completeness and timeliness of the data are the most important characteristics and the combination of them is what determines the asset’s value. This could include the ability to streamline your supplier process and stockholding.
- The cost value is the cost of acquiring or replacing a lost asset, including the cost of the impact to the organisation whilst that asset remains unavailable.
- The economic value may be derived from how an information asset contributes to the revenue of an organisation. For example, this could be an asset that is supporting sales or fulfilment.
- The market value is derived from measuring the revenue directly generated by the asset. For example, a software service that is bought and being used by customers.
- An asset can be said to have an intrinsic value if it is not readily available in the marketplace and so has the potential to provide more value to you against your competitors. For example, information about your organisation's competitive position.
The value of this information is relative to the motivation of the attacker; for example, to a nation state attacker, intellectual property is a prime target. This may hold limited value to a hacktivist group that is targeting your business because their motivation is to cause damage to your brand and reputation. To them, a key asset might be your website content management system, which if compromised would allow them to publish their logo on your customer-facing site.
With an understanding of the real value of the assets, security risk practitioners think about who could compromise a system, and hence the organisation's assets, why they might want to, and how that could happen, in terms of:
- Vulnerability: A weakness that could be exploited to cause damage.
- Attack: A method of exploiting a vulnerability.
- Threat: An adversary who could potentially act to cause harm and the resources they could afford to deploy.
- Impact: The consequence of a threat being realised.
Cyber attacks are rarely single events, but a sustained campaign by increasingly sophisticated attackers that use a combination of social engineering and technical skill to penetrate a network and gain access to the most important assets. This increase in the complexity and skill level of the adversary means that there is no single solution to preventing cyber attacks. No organisation can defend against every conceivable threat, and it therefore makes sense to prioritise the threats most likely to target your specific business, and then make informed decisions on how to prevent and detect those threats.

An IT security risk assessment may vary greatly in terms of method, rigour and scope, but the core goal always remains the same: identify and quantify the risks to your organisation's information assets. A threat-led approach changes the dynamic of security risk assessment from something based on published observations, conjecture and analysis to something close to real-time that uses information about real-world occurrences. The discipline remains the same, but with better "instrumentation" to identify and understand potential adversaries' behaviour and the vulnerabilities within the estate, the risk assessment will better determine priorities and will be focused on mitigating the real-world occurrences specific to an organisation.
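The prioritisation described above, as an added illustration that is not part of the original article: each asset is scored on the value scales listed earlier, each adversary on capability and on motivation per asset category, and a current-activity weight stands in for the threat-intelligence feed. All scores and names are constructed, and the scoring formula is an assumption for the sake of the example.

```python
from dataclasses import dataclass

# Constructed sample model (assumption): scores are illustrative 1..5 values.

@dataclass
class Asset:
    name: str
    category: str          # what an adversary would be after: "ip", "brand", "operations"
    impact: dict           # value scale -> 1..5 (business, cost, economic, market, intrinsic)
    exposed: bool          # a known exploitable weakness exists (from vulnerability data)

@dataclass
class Threat:
    name: str
    capability: int        # 1..5, resources the adversary can afford to deploy
    motivation: dict       # asset category -> 1..5, how much this adversary wants it
    active: float          # 0..1, current activity reported by threat intelligence

def asset_value(asset):
    # The worst realised impact across the scales drives the asset's value.
    return max(asset.impact.values())

def likelihood(threat, asset):
    want = threat.motivation.get(asset.category, 1)
    exposure = 1.0 if asset.exposed else 0.4   # unknown weaknesses still carry some exposure
    return threat.capability * want * threat.active * exposure

def prioritise(assets, threats):
    """Return (asset, threat, risk) tuples, highest risk first."""
    ranked = [(a.name, t.name, round(asset_value(a) * likelihood(t, a), 2))
              for a in assets for t in threats]
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample data: the same assets matter differently to different adversaries.
ASSETS = [
    Asset("design-repo", "ip", {"intrinsic": 5, "economic": 4}, exposed=False),
    Asset("web-cms", "brand", {"market": 3, "business": 2}, exposed=True),
    Asset("erp", "operations", {"business": 4, "cost": 3}, exposed=True),
]
THREATS = [
    Threat("nation-state", 5, {"ip": 5, "operations": 2, "brand": 1}, active=0.6),
    Threat("hacktivist", 2, {"brand": 5, "ip": 1, "operations": 1}, active=0.9),
]

if __name__ == "__main__":
    for asset, threat, risk in prioritise(ASSETS, THREATS):
        print(f"{risk:6.1f}  {asset:12s} <- {threat}")
```

Note how the web CMS only rises to the top of the list for the hacktivist, while the design repository leads for the nation-state actor despite having no known exposed weakness.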
This approach needs to be part of a cyber resilience strategy that not only allows the organisation to take measures to prevent these threats, but also to respond appropriately if defensive measures are defeated. Security budgets are finite, so this approach can help to focus limited resources more effectively on protecting the assets that are most likely to be targeted. Rather than adding new layers of defence and more products, the headline move is towards cyber strategies focused on cyber resilience and driven by a threat-led approach centred on the key assets of the organisation, and on the motivations and capabilities of the most likely attackers. Risk analysis is still very much the foundation for this approach.