Cyber defenders struggle with acute uncertainty around who may or may not be targeting their industry and their people at any moment. Difficult questions arise. What tools and techniques are being used to target what infrastructure? Does that infrastructure belong to me or any of my third-party vendors? Am I vulnerable?
Samir Aliyev, CEO and Founder of the Swiss Cyber Institute had the opportunity to chat with Marie Brattberg, Chief Strategy Officer at Recorded Future, a world-leading intelligence company. In this interview, Marie shared her insights on how automated intelligence contributes to strategic security functions, the importance of threat intelligence in the fight against cloud attacks, the benefits of a risk-based approach for managing cyber risks, and best practices to implement a healthy cybersecurity culture in the workplace. Read the full interview below.
SA: In a cloud-centric world, where the cyber-attack surface is infinite, disrupting the adversary requires being one step ahead. Which kind of intelligence do companies need to maintain a critical edge and why?
MB: The short answer is that defenders need to know their enemy, and there are many ways to break that down. Starting with the infinite attack surface, as a defender, you need to be able to have the same perspective on your organization that the adversary has. That means both a technical perspective (to be concrete: internet-facing assets) and a more strategic perspective: what role does my organization play in society and the economy, and in what way am I an interesting target to a specific actor?
One thing that we can agree on is that with an infinite attack surface, we’re never going to be able to defend every part of it. We must prioritize. Some of that prioritization is based on internal assessments of what effect an attack on a specific part of a system, or a service becoming inaccessible, would have.
But from the outside, it’s about understanding what type of attacks you are most likely to be exposed to and then prioritizing patching of the vulnerabilities that are most likely to be used to carry out such an attack. That patching work could include everything from training employees on phishing, spear phishing and deepfake technologies being used, to patch prioritization of software, led by the vulnerability management team.
SA: How does automated intelligence contribute to tactical, operational, or strategic security functions to defend against the adversary?
MB: Automated intelligence can give you a real-time understanding of which adversary is most likely to target companies like you, and of who is targeting you or one of your third parties. That’s the strategic side: Threat Management. That leads to strategic activities like training and policies for employees, but also to priorities for the tactical and operational side of the security organization.
Tactically, it informs the security organization on how to instrument security controls, vulnerability management, endpoint configuration (the entire tech stack) to catch anything related to those threats. And operationally, it continuously monitors for changes in attack patterns, tools and techniques used by the adversary.
SA: As companies shift to the cloud, CISOs and CIOs are facing an onslaught of unknowns. In which way does threat intelligence help security get ahead and stay ahead of cloud attacks?
MB: Speaking with CIOs and CISOs around the globe, one of the questions I know they get from their leadership and boards is, “The adversaries use AI techniques these days, how are we using AI in our defenses to meet that?” And I love that question because it makes it really easy for the CIO or CISO to “check a box” through intelligence. When I speak of “Automated Intelligence,” I’m really referring to an intelligence cycle automated by machines.
All the traditional steps that any intelligence agency would execute can be automated, from planning to data collection, processing, and production of intelligence. And I think this is the KEY: Threat Intelligence has traditionally been thought of as manually produced reports; technologies may be used for accessing and processing some of that data, but in the end, it’s dependent on a human analyst.
With automated intelligence, CISOs and CIOs can get a real-time view of the threats by priority, and they can then instrument their security organization and technology to prioritize those.
That way, security teams can stay above the attacks. And perhaps equally important, a CISO or CIO will have the right tools to visually communicate to a CEO or a CFO not just all the bad things that could possibly happen to them based on vulnerabilities in their attack surface, but to point specifically to concrete, targeted threats that require the budget to stop. That changes the conversation.
SA: The most sophisticated organizations are moving from a maturity-based to a risk-based approach today for managing cyber risks. What kind of benefits does such an approach yield?
MB: “Risk” is the language of business. How do you measure and communicate the value of basic security controls? The answer lies in the language of risk. Senior decision-makers don’t necessarily understand the language of security or even technology, but they speak the language of risk.
As a cybersecurity professional, your goal should be to quantify as a monetary value how every potential cybersecurity investment in staff and tools can reduce risk. If you can do that, you will find it much, much easier to:
- Set priorities among alternative cybersecurity investments, based on real outcomes for the enterprise
- Justify budget requests for each investment, and for the overall level of investment in cybersecurity
- Work productively with executives and line management to estimate risk and find the most cost-effective ways to reduce it
SA: Implementing a healthy cybersecurity culture in a workplace plays a vital role in the entire organization’s security posture. What are some of your key recommendations?
MB: Enforce 2FA as a baseline. And don’t just enforce it, educate on why through (required) training. Show real examples, such as how easy it is to crack a password.
Awareness training should take place both on the job start date and then as an annual re-training (re-certification) for the entire company. A specific training example would be to expose employees to a “real” phishing attack, tracking the results and showcasing them afterwards (again without pointing out who failed) by presenting: here’s where we did well, here’s where we can improve.
Don’t create a security environment based on fear or blame. You want to create a culture where your employees are aware and vigilant when it comes to every email, attachment, link, text, etc. If someone does make a mistake, for example clicking a suspicious link, the security team would much rather that person tell them they clicked it by accident as soon as they did, versus the employee clicking it, getting scared, closing down and telling no one.
Be transparent with your business. Consider weekly or monthly reporting to highlight how security is securing and protecting the business. By showing everyone what your Infosec program enables, people become more aware, provide feedback and become more engaged.
SA: Thank you Marie for sharing those great insights. We are pleased to have Recorded Future as a Global Cyber Conference partner and look forward to hearing more about automated intelligence to defend against the adversary in your track session.