Last week our home city hosted the Barcelona Cybersecurity Congress (#BCNCyberCon19), the second edition of an event focused on bringing together key cybersecurity players and industry professionals from around Europe.
Our Head of Threat Intelligence, Jose Miguel Esparza, was invited to present at a roundtable on the final day, but a number of other talks prior to this also caught our attention. The key trends that permeated most of the discussions we attended centered on digital trust, digital risk and the effectiveness of processes including threat intelligence.
This blog is a recap of some key topics from the event.
The cost of cybercrime
Ángel Fernández, at our partners ElevenPaths, stressed that the impact of cybersecurity incidents has increased exponentially in recent years. The effects of a breach can be much longer lasting than in the past – there are multiple hits on a company’s bottom line, from initial incident response and clean-up costs on the operational side, to long-term reputational damage that drives customer attrition.
The largely unavoidable costs are those that have an immediate impact, including restoring the confidentiality, integrity and availability of all data and systems affected. The slower-burning costs include reimbursing affected parties. Furthermore, GDPR and other powerful pieces of legislation mean that the cost of a data breach can increase even further as regulators levy fines and penalties.
We cover this topic in depth in another blog: data breach is among the most serious issues a company can face, especially with regard to personal data protection. For more detailed reading, we’ve also published a whitepaper on how threat intelligence can reduce your liabilities in the event of a data breach.
Most speakers agreed that priorities have shifted in recent years, and that agility is the key to managing digital risk effectively. “It doesn’t matter what you were doing yesterday,” commented Fernandez, and this holds true to an extent. We would argue that it does matter what you were doing yesterday, since it can inform the changes you need to make to your strategy today. The pace of digital transformation across all industries – also a key topic – has many cybersecurity professionals concerned.
Digital transformation and the role of the CISO
Security is now a business enabler. For both consumer-facing and B2B companies, robust security processes make them more competitive, particularly those that handle sensitive data and transactions in any context. Ultimately, Fernandez emphasized, it comes down to digital trust. Referencing a Frost & Sullivan survey, he noted that “taking security and privacy seriously can have a positive financial impact beyond avoiding costly data breaches.”
CISOs are at the center of cybersecurity decision making, and many speakers were pleased to note that their voices are being heard at last. By enforcing a risk-based approach, they are becoming more successful at aligning with other departments’ business priorities. This in turn helps secure more budget for necessary protective measures.
In terms of threat intel, Jens Monrad, head of intelligence at FireEye, stressed the importance of “speaking the right language,” meaning that threat intelligence should be aligned to different stakeholder needs. For example:
- Strategic intelligence is future-oriented, meaning that it focuses on emerging trends and patterns to support long-term decisions. It should be consumed by the board.
- Operational intelligence can help prioritize resources for ‘real’ versus ‘perceived’ threats. It still factors in business outcomes, but is better consumed by analysts, incident response and SecOps teams.
- Finally, tactical intelligence is much more actionable. On the whole, it is not meant for executives, because it is simply not in the right language for them.
Several speakers were encouraged by approaches that push “security by design”; that is, baking the necessary security controls in from the outset rather than including them as an afterthought. This extends to upgrading talent within the company too – both raising general workforce awareness of security issues and ensuring that security teams become more integrated within the overall structure of the business.
Thankfully, this is changing. “Cybersecurity is the responsibility of the whole organization,” said Monrad. We also noted improvements in communication with the board of directors – by ensuring that they are aware of the business risk when it comes to privacy, data etc., they are better engaged and more likely to devote the necessary budget and resources to security.
Know your enemy
We paraphrase Sun Tzu quite a lot in the intelligence community, and for good reason. This adage continues to hold firm. By sharing information, including threat intelligence reporting to customers and peers, we gain an advantage over potential attackers. Specifically, attacker profiles, including those found on our enrichment module Threat Context, are extremely valuable to address incidents before, during and after an attack.
Jose Miguel Esparza, our head of threat intelligence, hammered this point home by discussing how to spot patterns between different campaigns and create these actor profiles from malware analysis, extracting metadata, information from signatures etc. Jens Monrad also commented that “we need to have context,” and that we should look for as much information as possible around each indicator to make it relevant.
In a more technical discussion, Victor Diaz from Kaspersky pulled out four key attributes of attacker profiles that can aid analysts before, during and after an attack:
- Capabilities: the TTPs used to compromise targets, maintain persistence, exfiltrate data and wipe servers
- Infrastructure: the infrastructure used by the attackers to communicate with their implants, conduct reconnaissance, and exfiltrate data from networks
- Adversaries: profiles should include information to build attribution patterns. For example, analysts might identify an attacker by their sophistication or lack thereof, together with information on who guides, supports or finances them
- Victimology: information about the entities or individuals targeted by the attackers can also be helpful. If targets change according to the geopolitical agenda or economic context, then analysts can start to make connections between victims and one or several APTs
By building links between campaigns on these attributes, we can optimize our incident response and threat hunting processes and anticipate attacks in advance.
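The following is an added illustration of the campaign-linking idea above, not code from any of the speakers or their companies. It scores pairs of campaigns on the four profile attributes (capabilities, infrastructure, adversary, victimology) with a weighted Jaccard overlap, joins pairs that clear a threshold, and merges each resulting cluster into a candidate actor profile. The campaign data, TTP labels, domains, addresses, weights and threshold are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from itertools import combinations

# The four profile attributes named in the talk. The weights are an
# assumption for this example: shared TTPs and shared infrastructure are
# treated as stronger evidence than an overlapping victim set.
ATTRIBUTES = ("capabilities", "infrastructure", "adversary", "victimology")
WEIGHTS = {"capabilities": 0.35, "infrastructure": 0.35,
           "adversary": 0.10, "victimology": 0.20}


@dataclass
class Campaign:
    name: str
    capabilities: set   # TTP labels observed
    infrastructure: set  # domains / IPs used for C2, recon, exfiltration
    adversary: set       # attribution hints (sophistication, sponsorship)
    victimology: set     # targeted sectors / regions


def jaccard(a: set, b: set) -> float:
    """Overlap of two indicator sets; 0.0 when both are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def similarity(c1: Campaign, c2: Campaign) -> float:
    """Weighted sum of per-attribute overlaps, in the range 0..1."""
    return sum(WEIGHTS[k] * jaccard(getattr(c1, k), getattr(c2, k))
               for k in ATTRIBUTES)


def link_campaigns(campaigns, threshold=0.3):
    """Return (name_a, name_b, score) for every pair at or above threshold."""
    links = []
    for a, b in combinations(campaigns, 2):
        score = similarity(a, b)
        if score >= threshold:
            links.append((a.name, b.name, round(score, 3)))
    return links


def cluster_campaigns(campaigns, threshold=0.3):
    """Group linked campaigns into clusters with a small union-find."""
    parent = {c.name: c.name for c in campaigns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, _ in link_campaigns(campaigns, threshold):
        parent[find(a)] = find(b)
    groups = {}
    for c in campaigns:
        groups.setdefault(find(c.name), []).append(c)
    return list(groups.values())


def build_profile(group):
    """Merge a cluster into one candidate actor profile (union per attribute)."""
    profile = {"campaigns": sorted(c.name for c in group)}
    for k in ATTRIBUTES:
        profile[k] = sorted(set().union(*(getattr(c, k) for c in group)))
    return profile


# Constructed sample campaigns (not real intelligence).
SAMPLE_CAMPAIGNS = [
    Campaign("CAMP-A",
             {"spearphishing-attachment", "scheduled-task-persistence", "exfil-over-https"},
             {"update-cdn.example", "203.0.113.10"},
             {"state-aligned"}, {"energy", "ES"}),
    Campaign("CAMP-B",
             {"spearphishing-attachment", "scheduled-task-persistence",
              "exfil-over-https", "disk-wipe"},
             {"update-cdn.example", "198.51.100.7"},
             {"state-aligned"}, {"energy", "PT"}),
    Campaign("CAMP-C",
             {"credential-stuffing", "webshell"},
             {"shop-login.example"},
             {"financially-motivated"}, {"retail", "ES"}),
]

if __name__ == "__main__":
    for link in link_campaigns(SAMPLE_CAMPAIGNS):
        print("linked:", link)
    for group in cluster_campaigns(SAMPLE_CAMPAIGNS):
        print(build_profile(group))
```

In the constructed data, CAMP-A and CAMP-B share a C2 domain, three TTPs and a targeted sector, so they cluster into one profile, while CAMP-C only shares a country with CAMP-A and stays separate. Two caveats for real use: the threshold and weights need tuning against known-good attributions, and widely shared commodity infrastructure (hosting providers, public DNS) inflates overlap scores, so such indicators should be filtered out before linking.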
While APTs are using more and more creative approaches to compromise their targets, Diaz commented that a growing number of actors are simply getting into networks through legitimate-looking access by taking advantage of weak security practices. This is particularly true of small and medium-sized businesses, which do not have the means to invest in a SOC, for example.
What’s an SME to do?
A final topic that emerged several times was how smaller companies can protect their networks both efficiently and cost-effectively. Speakers from INCIBE and EUROCAT emphasized that company-wide training is extremely important, but also that the value of purchased products should be considered carefully.
This means that the person in charge of the security budget needs to rationalize their spend – why buy the full gamut of products when, for your SME, only a few are mission critical? A patchwork of security vendors might be completely unnecessary when you only need to leverage component elements of their offering. For example, an SME in the retail space would want to prioritize fraud detection and fake mobile apps. A mid-size insurance company would do well to focus on data leakage into the wild.
In summary, security buyers should be aware that they are not faced with purchasing products on an ‘all or nothing’ basis. They can build a bespoke arsenal of tools which allow them to satisfy their own unique needs, maximize cost efficiency, minimize maintenance overheads and focus on rapid and measurable ROI. In the threat intelligence segment, we have produced a buyer’s guide to help with this rationalization process, available to download for free here.