This post is one of a series looking at what we can learn from what is actually said by real people working on real problems in the cyber security industry (hence “cyber security quotes”). Below we consider the feedback, thoughts, opinions and views at the front line of cyber security – the things that are said by security operators and analysts who monitor and defend systems from attack and deal with incidents when they occur.
Cyber security is a people, process and technology challenge. Sometimes the tools and processes don’t work as well as they should, or they solve the wrong problems. The best way to resolve or improve this is to listen to what the people have to say. A bad process or a technology limitation won’t always be evident until someone tries to use it – and these “cyber security quotes”, once understood, become valuable insights.
One challenge security operations teams face is that the volume and rate of cyber security attacks and alerts have grown to the point where the sheer numbers are difficult to deal with. The reasons for this are chiefly:
A contributing factor to this is our own response to these realities. The security industry has been creating a range of new technologies that detect more types of attack, and the same attacks more effectively; hence even on a level playing field we are finding more attacks to respond to.
[Figure: number of alerts plotted against the opportunity to attack / be attacked and the size and skill of the attack population]
In short, as this particular “cyber security quote” illustrates, there are too many alerts and reports and threats to deal with.
When overseeing a network or an “ecosystem” of security controls, the signs of an external attack or internal misuse are often not evident; sometimes the indications that all is not well surface only because “they look interesting”.
There might be a call centre operator who seems to be accessing a larger number of customer records than normal call volumes would indicate, or an email user sending an abnormally large number of emails, or a strange pattern of web site navigations, or a network session that is open for a long time but isn’t carrying very much data.
Any of these, as well as a variety of other signs, could mean a system or network is under attack or that data is being lost or accessed. However, there are three challenges buried in this quote that must be recognised:
Computers go some way to solving this problem, as they can do quite complex analysis over and over in a predictable and reliable way; however, they aren’t as “tuned in” as the human mind is at spotting things that are “interesting” unless they have been programmed to do it or, as is becoming increasingly common, programmed to “learn how to” do it.
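The “interesting” signs listed above (an operator opening far more customer records than their call volume warrants, and a network session that stays open for hours while carrying very little data) can be turned into simple baseline checks. The following is an added example, not code from the original post; the sample records, thresholds and the median-based baseline are assumptions chosen for illustration.

```python
"""Two baseline detectors over constructed sample data (added example).

  * flag_record_access: operators whose customer-record lookups per handled
    call are far above the team's typical ratio;
  * flag_quiet_long_sessions: sessions open for a long time but moving
    very little data (a pattern worth a look, not proof of anything).
"""
from statistics import median

# Constructed sample: (operator, calls handled, customer records opened) for one shift.
OPERATOR_ACTIVITY = [
    ("op01", 40, 52),
    ("op02", 35, 41),
    ("op03", 38, 47),
    ("op04", 12, 310),   # few calls, many record lookups
    ("op05", 44, 58),
]

# Constructed sample: (session id, duration in seconds, bytes transferred).
SESSIONS = [
    ("s1", 120, 4_500_000),
    ("s2", 3 * 3600, 60_000),   # open for hours, tiny payload
    ("s3", 45, 12_000),
]


def flag_record_access(activity, factor=3.0):
    """Return operators whose records-per-call ratio exceeds factor x team median.

    A median baseline stops the one extreme operator from dragging the
    'normal' value up with them, which a mean would do."""
    ratios = {op: records / calls for op, calls, records in activity if calls}
    baseline = median(ratios.values())
    return sorted(op for op, r in ratios.items() if r > factor * baseline)


def flag_quiet_long_sessions(sessions, min_seconds=3600, max_bytes_per_sec=100):
    """Return sessions open at least min_seconds that average little data."""
    return sorted(sid for sid, secs, nbytes in sessions
                  if secs >= min_seconds and nbytes / secs <= max_bytes_per_sec)


if __name__ == "__main__":
    print("record-access outliers:", flag_record_access(OPERATOR_ACTIVITY))
    print("quiet long sessions:", flag_quiet_long_sessions(SESSIONS))
```

Both checks produce candidates for an analyst to look at rather than verdicts; the thresholds should be tuned against what is actually normal for the team and network being monitored.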
When something is observed as worrying, or a possible intrusion is detected, it is not uncommon for the initial signs to be deemed as normal. This may be for a number of reasons, often lack of knowledge of what normal activity might look like or (more commonly) how the early stages of an attack actually manifest themselves.
In some cases it is as simple as being at the front end of several hours’ investigative work that will often end in a false positive; the observer simply wants to avoid what is perceived as a long and rather complex trip down a blind alley when they have more pressing (so they think) matters to attend to.
One example, from a past data loss prevention deployment, involved a flow of network data on a port commonly used by peer-to-peer file sharing applications. There wasn’t a large volume of data involved and the true nature of the issue wasn’t obvious, but it was clearly suspicious.
The server was a documentation server so held a significant amount of material, but the server software itself could have used the protocol, or possibly there was a file sharing application installed by a system administrator to effect a simple backup arrangement to a separate solution, or to download a large software patch at some point. The IT team thought it may have been related to a past virus outbreak; an outbreak that had been fully eradicated so wasn’t anything to worry about. The possibility remained though, that it indicated an ongoing and deliberate data theft.
In any case, establishing the true nature was deemed to be “difficult”, and the IT team’s response, in the absence of any corroborating evidence, was “I don’t think that’s anything to worry about”. This particular case was left in the hands of Internal Audit to decide whether they trusted the finding or the responses of the IT team.
Even more risky than just simple confidence that all is well, is the certainty that it is.
Maybe a constant string of alerts or reports of a similar type occur on monitoring systems and SOC dashboards, or maybe the past investigations into a particular stimulus have always turned out to be innocent… leading to the view that the normal system behaviour is to generate that kind of “detection noise”.
In this more certain case, the authority and surety mean that what might be an attack, insider threat, virus infection or data loss is deemed not to be significant, based on past or current similar cases or context. This approach of course fails immediately when an apparently familiar situation turns out not to be as benign as assumed: the alert is purposely ignored when in reality it needs urgent attention.
There is a car alarm going off in a car park – no one runs over, no one calls the police, no one tries to find the owner. Everyone just gets annoyed until the noise stops and they don’t have to listen to it anymore.
Every year there are numerous surveys undertaken into various aspects of cyber security. One of the more interesting figures is the amount of time taken to detect a breach – not to investigate or to resolve, but just to detect that the network or system is under attack.
This figure is depressingly long (in every survey and in every year). Imagine how much time a determined hacker might want in order to access a network and extract data: maybe a few hours, a few days perhaps? Statistics often put the “dwell time” at tens or hundreds of days. A recent Mandiant/FireEye report gave a figure of 146 days as a global average.
Of course, in the case of each incident, as soon as the intrusion is apparent the incident response process swings (or more often ‘limps’) into action. However, in too many cases, this is several months after the attack – several months that culminate in the security team saying “We didn’t spot that until now”.
The last frequently repeated expression, “I don’t know”, is used all too often and too widely in the cyber security realm.
Sometimes followed by slightly more positive words like “… yet”, “… but I’ll find out” or “… let me ask someone”. However, the reality is that often there are more questions than answers when defending systems from attack. Hence any of:
Can be followed by “I don’t know” when the real world situation of a cyber attack arises.
Part of the reason for this is that often the origin and effects of an attack and the answers to these questions are hard to come by. It can be difficult trying to reverse engineer the nature of a breach or data theft, reliable information can be hard to track down and parse, the true chain of events might not be clear, and the attacker themselves could have deliberately tried to hide their presence, conceal their activities or disguise their motives. For example, they might transfer thousands of files simply to get one particular document, or compromise a number of systems just to find one that is used by a particular user.
Trying to minimise the number of times “I don’t know” is the only available answer is the real challenge of cyber security. Having information, analytics tools, skills, resources and the confidence to be able to answer with a much more robust “Let me run you through what we know…” is what we must aim for.
The meaning behind these various comments, assertions or denials is clear. When people talk about cyber security they are often equipped with a high degree of human bias, frequently a lack of knowledge (certainly compared to the attacker) and insufficient information, tools and resources to answer probing questions.
The solution, therefore, if we are to answer questions and convey assessments of cyber security realities and outcomes more confidently and accurately, must combine people and technology improvements within a better process. Otherwise we will see continued surprise, confusion and naiveté in our cyber responses.