The mark of a well-run business is its ability to control and align all its operations to support whatever goals it wants to achieve; steering clear of risk, maximizing opportunity and ensuring compliance with regulation and industry standards.
This is a significant undertaking, particularly for large organizations, commonly managed under the auspices of a comprehensive Governance, Risk and Compliance (GRC) program.
The sprawling remit of GRC can make it difficult to pin down as a tangible entity or defined set of activities. In any case, whichever way the GRC program is documented or executed is not especially important. What matters is to understand how the effectiveness of an organization’s GRC efforts, and its security posture in general, can be strengthened by deploying optimum threat intelligence.
This is best explained by examining each element of GRC in turn.
G for Governance
The Governance element of GRC is concerned with the operational control of the organization; ensuring effective command and communications processes; being able to predict outputs based on inputs, etc. In the context of GRC, this is wider than simply IT governance (i.e. control over what the IT function does within an organization to support its goals).
Threat intelligence adds value here by giving a picture of the specific threats which, if successful, are likely to impinge upon effective governance processes, and to what extent. Threat intelligence can pinpoint the assets used in discharging governance activities, as well as the human factors that may be compromised.
If the organization is concerned about its governance capability (e.g. management structures) potentially being undermined by any specific internal or external individual or group, threat intelligence can be tuned to alert any unusual activity.
R for Risk
GRC programs cover the whole spectrum of downside risk and upside opportunity, from the financial to commercial to operational. Clearly, threat intelligence plays the most significant role in identifying and prioritizing cyber-risks and it is essential that it does this using the deepest possible pool of internal and external sources.
Too many GRC programs are undermined by a threat intelligence approach narrowly focused on data extracted from internal security appliances and IPs, that builds only a limited picture of IOCs (indicators of compromise) and attack patterns.
The optimum approach encompasses sources from the publicly accessible (social networks, forums and web posts) to the ‘underground’ (closed sites and forums on the dark web, and data from command and control systems). Good threat intelligence will also major on intelligence-sharing across the security community – check out the Blueliv Threat Exchange Network, for example.
One of the fastest growing risk vectors is third parties; the networks of business partners and suppliers who connect to your organization and exchange information – thereby introducing risk. GRC programs that already incorporate evaluations of financial risk for these third parties have become practiced at doing so using credible independent intelligence (i.e. credit scoring) rather than relying on ‘point-in-time’ questionnaires. They are increasingly extending this mindset by turning to advanced threat intelligence systems to assist in mapping third-party cyber risks.
All risk management protocols call for risks to be identified, registered or otherwise categorized. This creates two issues: scope and freshness. In terms of scope, how can you be sure that all risks have been located? Threat intelligence’s unique quality is to convert ‘unknown’ risks into known risks, through a process of discovery, contextual understanding and prioritization in readiness for action.
In terms of freshness, how can you be sure that your risk assessments are up to date when the cyber threat landscape evolves so quickly? All of this ties back into the need to funnel the maximum number of useful, relevant sources into your threat intelligence system.
There is another issue: information overload. With so many potential risks, how can you effectively delineate between benign and malignant, at pace? The answer lies in harnessing a threat intelligence system with the appropriate blend of automation ‘horsepower’ and human brain cells. Experienced security researchers are a rare commodity in today’s extreme cyber skills shortage – but their input is crucial to contextualizing which threats pose the greatest risk.
Threat intelligence’s role in supporting risk management overlaps with the comparatively new industry domain of “digital risk protection” (DRP). While threat intelligence envelops the broadest possible range of cyberthreats, DRP is focused mainly on the aspects most associated with enterprise brand reputation.
All is not what it seems in cyberspace, with malicious actors spoofing social media accounts, executing account takeovers and committing domain fraud. Hence DRP can be a useful toolset in the cybersecurity arsenal, particularly for organizations with a high susceptibility to such attacks, but is no substitute for fully-fledged threat intelligence.
If anything, the capacity for threat intelligence systems to surface genuinely fresh (real-time) insights at enormous scale, and use APIs to feed into other systems and threat mitigation resources, increases the value of any DRP investment as part of a wider GRC program.
C for Compliance
Wary of public censure, reputational damage and significant monetary fines, few organizations leave regulatory compliance to chance. In particular, the introduction of GDPR has instilled tougher obligations for the protection of personal data, which organizations manage as part of their GRC programs. Read our dedicated GDPR whitepaper here.
Threat intelligence can be instrumental in preventing data breaches from happening in the first place, ensuring compliance to GDPR and other such standards. The value of threat intelligence insights can be put to work preemptively by isolating likely threat actors and their modes of operation so that appropriate security measures can be put in place. Threat intelligence can also assist in the development of realistic ‘red team’ attack scenarios that are totally unique to your business context, and which enable incident response processes to be thoroughly tested.
Prevention is only part of the compliance challenge, as regulations increasingly acknowledge. Students of GDPR smallprint will be aware that the penalties for non-compliance are geared according to the gravity of breach, duration of exposure, number of data subjects and the level of damage inflicted. The regulation is also explicit that penalties will be lowered in the event that appropriate controls are demonstrably in place to prevent, detect and remediate data breaches.
A GRC program that sets out to restrict the length of any breaches to the absolute minimum, initiate the most rapid and effective attack response and conduct the most glaringly evident strength of security posture will undoubtedly be most successful in adhering to the spirit of post-breach compliance requirements. To do so, it will have to be one that leverages threat intelligence.
In GRC programs, visibility is everything. This explains the value of threat intelligence in supporting wider business objectives, not merely in solving technology challenges.
GRC is typically a Board-level imperative that sits above the remit of IT governance and the IT department. This can perpetuate a hierarchy of interaction where it’s the business decision makers who always ask questions of IT and security teams, and demand that they step into line.
That is perhaps as it should be, but threat intelligence can help to subtly disrupt that dynamic in the most positive way. In organizations where threat intelligence is used to drive insights into the GRC program, IT and security team are empowered to ask questions of the rest of the business – helping to constantly enhance technical, managerial and operational controls to benefit all stakeholders.