Outcomes-based security is the way forward

Every security technology is effective for a limited time, but understanding data assets and their value to attackers is key to effective cyber defence, according to an industry veteran of 20 years’ experience

The biblical quote that accurately describes the world of information security is as follows: “What has been, will be again. What has been done, will be done again; there is nothing new under the sun.”

This quote describes why the security industry, and increasingly digital organisations, need to change the way they have approached information security, because it is still failing to address the same basic challenges.

Looking back 20 years to when he founded Context Information Security, CEO Mark Raeburn says fundamentally nothing much has changed since then, when businesses were spending money on computers to improve business efficiency without understanding the risk.

“We are still finding the same problems every year that we have found in previous years, with things like credential theft and abuse still common, and multifactor authentication – especially for privileged accounts – still rare, even though this would reduce the attack surface massively,” he says.

The only real change, he adds, is that there is now a lot more on the corporate IT network, with “almost everything” connected and online as business processes become increasingly digital and the dependency on IT is greater than ever before.

“But businesses still assume that if they have spent millions on security products, everything is fine. But bad guys usually work out what has been done to make something more secure and will find a way around it, so it is a continual arms race,” he says.

As a result, Raeburn believes most cyber security technology innovations tend to provide a false sense of security for organisations because they will be effective only for a limited period of time. They also distract information security professionals from addressing the real issues and investing in the most appropriate technology.

“There is a cadre of people in our industry that produces products that have marketing brochures that say they will fix whatever today’s problem is, and people blindly buy them because they don’t know any better,” he says.

Raeburn adds that security spending does not necessarily guarantee protection, and in some cases, organisations can achieve even greater protection by spending less on more appropriate things.

Understanding how business thinks

Raeburn, who moved from physical security to cyber security when he recognised and understood the risks that businesses were taking, says the raison d’être of his company is to provide security in the right context.

This requires an understanding of what the business is trying to do, what represents an information asset, why cyber attackers might want to get that asset, what their capabilities are, and what constitutes the appropriate level of defence to stop attackers from getting to that data.

“Our approach is to test the security that an organisation thinks it has to see if it is actually delivering the security they hope it’s delivering, and then doing something about it where it isn’t,” says Raeburn.

He adds that it is conceptually the same process that underlies the CBest testing framework defined by the UK’s financial authorities to test the effectiveness of banks’ cyber security capabilities against nation state-style attacks.

The challenge with CBest, says Raeburn, was finding a way of fully testing banks’ cyber defence capabilities, including the people, processes and procedures, but without prior warning and at the same time without affecting normal business operations.

CBest is ultimately designed to uncover vulnerabilities that need to be addressed and was developed with input from not-for-profit accreditation and certification body Crest, which Raeburn helped to found, chairing the management committee for the first seven years.

“Crest was born out of the realisation that the security industry needed some standards defining technical competency that were owned by the industry and were updated regularly,” he says.

The CBest approach, says Raeburn, should be adopted by all organisations so that they know exactly what their vulnerabilities are so they can fix those before they buy another security product.

This practice of rigorously challenging plans, policies, systems and assumptions by adopting an adversarial approach, is commonly known as red teaming.

By attempting to do what attackers would do, Raeburn says organisations will soon know if their cyber defences are doing what they expect them to, functioning effectively and resulting in an appropriate response by security teams where required.

It also shows if they are missing the technology required to catch what the red team was attempting to do, which identifies a potential gap that needs to be filled.

“This ensures there are no technology gaps and that the technology that is in place is tuned correctly and working properly, and that the correct human responses are happening when required,” says Raeburn. 

“By continually repeating this process, organisations can uncover the real vulnerabilities in their cyber defences that represent the biggest risks and, as a result, what security technology investments are really needed to mitigate those risks.”

Ignoring the checklist

According to Raeburn, the fact that CBest is enabling banks to identify vulnerabilities and areas for improvement demonstrates the value of adversarial security testing. It also underlines the fact that even the biggest security budgets are no guarantee of protection if those investments are not fit for purpose.

This approach provides an alternative to the traditional checklist approach to security. “The process to draw up a comprehensive security checklist takes a huge amount of time, but at the same time the pace of change in the security industry is great,” says Raeburn.

“So by the time anyone has formulated a checklist, it undoubtedly will be out of date and anyone relying on that checklist will not be secure.”

Another key problem with the checklist approach, he says, is that it reduces an organisation’s sense of responsibility for its own cyber security. This is because they focus on working through the checklist rather than finding and addressing the real issues, and if something goes wrong they can always blame the regulator or whoever is responsible for drawing up the checklist.

“This is not a sensible way to go forward, and I am happy to say that our industry is finally waking up to that and there is a growing appetite for outcomes-based regulation, where regulators stipulate the desired security outcomes rather than prescribing to organisations how to get there,” says Raeburn.

As a result, Raeburn says some organisations that are so used to the traditional prescriptive checklist approach are struggling with the challenge of knowing what to do. Around 40-50% of people in the security industry are struggling to get to grips with new regulations because they no longer have the comfort of a checklist, he adds.

“It has got to change and the pace of change has got to be quicker because that old checklist-based model is clearly not viable,” says Raeburn.

“My contention is that the only way organisations can find out where they really stand is by continually testing their cyber defence capabilities in an adversarial way to get some level of comfort they are doing the right things in the right way.”

In line with this view, government and the telecommunications, nuclear and other industry sectors are taking the lead from the finance sector and developing their own versions of the CBest framework. As outcomes-based regulation takes hold, Raeburn predicts a shakeup in the security industry.

“There will be greater clarity around what products are good and which suppliers are able to serve their customers usefully, which hopefully will result in more security intelligent budget allocations,” he says.

Around 20 years ago, Raeburn says, 90% of security spend was on physical security and only 10% was on IT security. Since then, IT security has been given a budget allocation in its own right, but 80% of that is on IT security on the perimeter of the network and only 20% on catching attackers if they get in.

“The direction of travel needs to be towards spending 50% on perimeter defences and 50% on catching attackers once they are inside the network, because compromise is inevitable if someone wants what you have got,” he says.

This has resulted in the rise in the popularity of investigation-based services and security operations centre services aimed at catching cyber intruders who manage to bypass the perimeter defences before they can get to business critical data.

Rise of nation-state attacks

Raeburn also cautions against relying on particular security technologies for too long. “If a security product is really causing attackers serious problems, a typical response is to reverse engineer it to find ways around it,” he says.

For this reason, he adds, all security products tend to have a limited lifespan and smart buyers are the ones who recognise when it is time to change to something different.

“In the past 20 years, we have gone from the Wild West when there were no security controls at all, to an over-focus on perimeter security and reliance on the certification model, to the brave new world we are in now,” he says.

“It is there where we are seeing the start of a move to an outcomes-based model, which encourages security testing both from the outside and the inside, including the human element.”

He adds that failure in the context of security testing is a good thing because the more bad stuff organisations find and fix, the fewer opportunities there will be for cyber attackers.

A key factor driving up the level of cyber threats faced by ordinary companies, he says, is the fact that nation-state level attacks are becoming increasingly common among the cyber criminal fraternity.

This is due to the fact that some nation states allow their cyber attackers to do freelance work applying the same capabilities as they do in their day jobs. Some also sell their attack tools on underground markets, collaborate with crime groups or do not have proper controls on who has access to their attack tools.

“But there are still people in senior management in the IT security function who haven’t quite grasped the reality of the situation yet, and certainly don’t understand the capabilities of nation states to compromise infrastructure without detection,” says Raeburn.

“Therefore, there is still a lack of clarity at the board level about the security challenges they are facing, what the consequences may be on the business in the long term and what investments they should be making.”

Raeburn says organisations need to understand that they can no longer rely on perimeter defences and that they need internal detection capabilities. They also need to know what their critical data assets are and where they are located, who is likely to target those assets, what capabilities they have, and what investments are required to deliver the desired level of protection.

“Ultimately, it is about making a business decision about how much pain would be caused if data assets were compromised and how much effort is required to protect those to deliver a satisfactory business outcome, which is what few organisations get right,” says Raeburn.

“This is not a technology problem. This is a business problem and it’s about having the security dial in the right place in the context of the business’s needs and risk appetite.”
