Navigating The Cyber-Threat Landscape

Uploaded on 2016-06-14 in NEWS-Cybersecurity News, FREE TO VIEW

With every day that passes it seems that cybersecurity becomes a bigger and bigger issue for businesses and citizens.

General and specialized media are flooded with stories on threats and attacks. On top of that, countless niche cybersecurity vendors out there are fighting to communicate how their products can solve most cybersecurity problems. It all contributes to a collective fragmentation of views on what cybersecurity actually is, creating a fog of information.

In the meantime, executives, security managers and specialists are looking to cut through this fog to find proper and holistic navigation tools. A disciplined information security approach suggests adopting the established views for guiding maps, such as ISO 27001, the Federal Information Security Management Act (FISMA), PCI Data Security Standard (PCI DSS), and new ones, such as the US Cybersecurity Framework.

Unfortunately, they are not sufficient to provide enough relevant knowledge for establishing cyber resilient organizations, data centers and information systems.

What is missing in all of this are the connections between actual attack techniques, vulnerabilities, threat actors and further detailed analysis of the domain. So how to fill this gap properly?

I wish I could say that my beloved Center for Internet Security’s (CIS) Critical Security Controls (CSC) is the right answer. Unfortunately, while it is a useful instrument, it does not provide sufficient guidance.

Recently the European Union Agency for Network and Information Security (ENISA) published its Threat Landscape 2015 (ETL 2015), and I was pleased with what I found in it for cybersecurity strategists and practitioners. For the last two years I have referred people to ETL, also Verizon’s Data Breach Investigation Report (DBIR) and CIS CSC, because they all offer relevant, independent sources for strategic, operational and tactical guidance for cybersecurity.

What is so special about these reports? Here are my thoughts on the recently published ETL; hopefully they will inspire you to read the reports if you have not already.

ETL 2015 (and 2014) provides measurement of the landscape of cybersecurity, connecting strategic and tactical views. ETL 2015 offers mitigation vectors (controls) for the Top 15 threats. For example, CIS CSC provides aggregated mitigation vectors for all threats in prioritized and increased sophistication levels. Such CSC aggregation is good for overall enterprise vision; however, it dilutes details of a particular threat, which are relevant to motivate and prove that a threat can be handled adequately.

Cybersecurity vendors publish quarterly and annual reports on threat analysis; however, they have internal conflicts, covering only information that is relevant to vendor product portfolio. ETL 2015 mitigates this conflict nicely by providing links to relevant deeper vendor analysis for particular top threats. I find it so elegant and a valuable resolution!

ETL 2015 provides a separate visual Top 15 threats poster – allowing it to be used as an instrument for discussion on how this information is relevant for a particular environment.

I have been involved previously in a few threat classification efforts. I am happy to see that ETL 2015 has issued their Threat Taxonomy in a mind map, and also in an elaborated Excel format (after opening Excel, for it to be readable, hide the document comments). It can be a great tool to validate your views and see if any gaps remain in your cybersecurity defense architecture. It also allows you to link to an IT infrastructure resilience theme.

DBIR gathers cybercrime facts, even while it is not clear to what extent European law enforcement agencies can legally analyze cases and share anonymized data. DBIR provides great analysis on what should be changed to improve resilience to cybercrime, and it maps practical guidance to CIS CSC. I hope that future ETLs will connect to CIS CSC as well, and to COBIT and ISACA’s publications.

At the end of the day, most organizations have to work through the fog of hysteria on cybersecurity to choose their own strategy for cyber resilience. I hope that these resources will be valuable anchors for you and your organization to evaluate and choose your own way.

Opinion By Vilius Benetis CEO NRD CS

Vilius Benetis is CEO of NRD CS, Cybersecurity Practice Lead at Norway Registers Development, and a member of the ISACA.

This article first apperaed in Information-Management:

« Cyber Theft Interrupted: Vietnam Bank Foils SWIFT Attack
Hackers Steal Sexual Proclivity Data »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

SecuPedia

SecuPedia

SecuPedia is a wiki-type platform that collects and provides the entire knowledge of security and IT security.

Council on Foreign Relations (CFR)

Council on Foreign Relations (CFR)

CFR is dedicated to better understanding the world and the foreign policy choices facing the USA and other countries. Cyber security is covered within the CFR topic areas.

Jones Day

Jones Day

Jones Day is an international law firm based in the United States. Practice areas include Cybersecurity, Privacy & Data Protection.

Recorded Future

Recorded Future

Recorded Future arms security teams with threat intelligence powered by patented machine learning to lower risk.

Ikarus Security Software

Ikarus Security Software

Ikarus focuses on antivirus and content-security solutions.

Alyne

Alyne

Alyne is a Munich based 2B RegTech offering organisations risk insight capabilities through a Software as a Service.

Sompo International

Sompo International

Sompo International is a global specialty provider of property and casualty insurance and reinsurance services including Cyber & Network Risk.

Argo Group

Argo Group

Argo is an international underwriter of specialty insurance. Argo Cyber offers a full spectrum of coverage solutions related to professional and technology services.

Audea

Audea

Audea is a consultancy firm specialising in cybersecurity, risk and compliance. We provide professional services addressing all areas of Cybersecurity and GRC.

Cynalytica

Cynalytica

Cynalytica deliver pioneering cybersecurity and machine analytics technologies that help protect critical infrastructure, securely enable Industry 4.0 and help accelerate digital transformation.

IntelliDyne

IntelliDyne

IntelliDyne is a leading information technology consulting firm enabling better mission performance through innovative technology solutions.

International Association of Financial Crimes Investigators (IAFCI)

International Association of Financial Crimes Investigators (IAFCI)

International Association of Financial Crimes Investigators provides services and information about financial fraud, fraud investigation and fraud prevention.

Hush

Hush

Hush is a premium privacy service that gives people unprecedented visibility and control of their digital footprint. Hush assesses threats, and goes to work to eliminate digital risks on your behalf.

Cytek

Cytek

Cytek is a leading provider of cybersecurity and HIPAA compliance for dental practices and other industries.

Kaesim Cybersecurity

Kaesim Cybersecurity

Kaesim are a global team of cybersecurity experts protecting businesses since 2015. We stop bad people damaging your business, your data and your reputation.

Tryaq

Tryaq

Tryaq are a group of cybersecurity experts and enthusiasts who share the mission to make the world feel safer online.