
Embrace risk-based security, McAfee urges business

Modern cyber threats require a risk-based approach, according to McAfee’s chief technical strategist

In the digital security world, it is not always possible to secure everything, Candace Worley, vice-president and chief technical strategist at McAfee, told the MPower Cybersecurity Summit in Las Vegas.

“Sometimes, something has to be given up to the adversary, but it is how you plan for it that makes all the difference,” she said.

Worley said most people often first learn about risk by playing strategy games, and there are typically four key winning strategies that are commonly applied in the digital world.

“These are: defend your own territory, reduce the enemy’s ability to attack that territory, minimise your borders, and create a buffer zone around your territory.

“In securing our digital infrastructure, we typically ensure we protect what we’ve got, try to prevent people from taking it away and minimise the attack surface,” she said.

However, Worley said this often means organisations concentrate their resources on assets that are most critical to the organisation’s long-term sustainability.

“And you do this knowing that in doing so, you will sometimes have to leave something to the enemy; that you will have to trade something off to get something critical to your long-term goal,” she said.


However, information security professionals find this a difficult thing to do, said Worley, because they want to protect the entire infrastructure.

The problem with that, she said, is that in trying to spread limited resources across everything, organisations typically end up protecting everything less or leaving some things unprotected.

This means that in a banking industry scenario with three core businesses (financial services, financial accounts and credit card services) and two ancillary services (training on financial services and travel insurance services), the organisation will have to decide to protect the three core businesses but not the ancillary services, knowing the latter are going to be at risk of breach or damage.

“Accepting this risk is something that is a bit different for cyber defenders because historically we are the first responders who want to make sure that everybody survives the encounter, but the attacks we see are too sophisticated and our infrastructures are too complex for us to potentially be able to do that going forward,” said Worley.

When it comes to minimising the attack surface or reducing the number of ways an organisation can be penetrated, she said the reality of today’s modern digital infrastructure, for example, makes that much more difficult because it is spread all over the place.

“You may have user devices, a partner site, cloud storage provider, Amazon, Azure and a cloud-based infrastructure as a service provider, which makes it much more difficult for cyber defenders to do their job.”

Therefore, said Worley, understanding the distribution of an organisation’s data assets and correlating the criticality of those assets to the risk appetite of the organisation is a “necessary and critical” element in a cyber risk incident response plan.

Speaking the language of risk

However, she said calculating risk is only part of the main equation. “You also have to understand how to speak the language of risk, which is the language of C-level executives and the board of directors, not necessarily the language of ROI [return on investment].

“What this means is they may be willing to take a lower ROI if it means a material reduction in the overall risk profile from a financial perspective of the corporation as a whole,” said Worley, adding that facilitating these types of conversations requires a different approach to cyber incident planning.

“It requires an approach that is rooted in the understanding of what attacks your organisation is likely to see, what the likely attack targets will be, what your risk tolerance is for each of those attacks and each of those targets, what you are willing to protect at all costs, and how that information is going to colour your decisions around cyber investments,” she said.

According to Worley, risk-based planning is important because it elevates the conversation from an operational discussion about efficiency, efficacy and ROI to a strategic discussion about how an investment of $X in security will reduce the overall cyber risk by $Y.

“When you are talking to C-level execs and directors, being able to discuss that in the context of risk rather than operations can mean the difference between getting the budget you are asking for and having to take your existing budget and spread it even further,” she said.

To evolve to the language of risk, Worley said cyber defenders need to take various things into consideration, including understanding the likely impact of the various kinds of cyber attacks, such as interruption of critical business processes, data loss, compliance implications and damage to reputation.

“This gives you a window into where to focus your security controls and potentially where to make future security investments,” she said, adding that detailed information on sector-specific data targets from the Verizon data breach incident report provides contextualised cyber security risk information that can be used to inform risk incident planning.

Defining a risk tolerance score

The next step, said Worley, is to define a risk tolerance score for the organisation, which is about how the organisation views different types of cyber incidents through the lens of risk.

Incidents which organisations will defend against at all costs are classified as low-risk tolerance, she said, and these are the areas they are likely to invest in more because they are crucial to business operations.

“Website defacement, for example, may be high-risk tolerance in the sense that the organisation can tolerate it more than loss of IP or the loss of data,” she said.

Understanding risk tolerance by incident, said Worley, provides guidelines when it comes to making trade-off decisions and security investment decisions.

Next, organisations need to map incident types in terms of likelihood and consequences. “In terms of IP theft, for example, I could invest heavily in trying to reduce the consequences of IP theft, but if the IP gets out, there will be consequences. So while I might be able to reduce the consequences of IP theft, I should probably spend most of my investment on mitigating the theft in the first place,” she said.

Calculating potential cost

Finally, an organisation has to calculate the potential cost of each type of incident, which Worley said most organisations find the most difficult step.

A useful approach, she said, is the one used by the Ponemon Institute, which looks at detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions. 

In this way, Worley said organisations can assess the benefit of implementing particular security controls. “Correlating cyber risk is useful in determining where to make future investments,” she said.
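The steps Worley describes (a risk tolerance class per incident type, a likelihood and consequence mapping, a Ponemon-style cost breakdown, and the “$X investment reduces risk by $Y” comparison) can be put together as a small risk register. The code below is an added illustration, not McAfee’s or Ponemon’s method; the tolerance weights, incident names, probabilities and dollar figures are constructed assumptions for the banking scenario in the talk.

```python
from dataclasses import dataclass
# Cost categories from the Ponemon approach the talk cites; every dollar figure below is constructed.
COST_CATEGORIES = ("detection_escalation", "notification", "response", "legal_admin",
                   "customer_defections", "opportunity_loss", "reputation", "customer_support")
# Assumed weights for the risk-tolerance classes: "low" is the "defend at all costs" class.
TOLERANCE_WEIGHT = {"low": 2.0, "medium": 1.0, "high": 0.5}

@dataclass
class Incident:
    name: str
    likelihood: float  # annual probability that the incident occurs, 0..1
    tolerance: str     # "low", "medium" or "high"
    costs: dict        # cost category -> estimated dollars if it occurs
    def consequence(self) -> float:
        return sum(self.costs.get(c, 0.0) for c in COST_CATEGORIES)
    def expected_loss(self) -> float:
        return self.likelihood * self.consequence()  # the "$Y" figure the board hears

@dataclass
class Control:
    name: str
    cost: float   # the "$X" investment
    effect: dict  # incident name -> (fraction of likelihood removed, fraction of consequence removed)

def weighted_loss(incidents, control=None) -> float:
    """Tolerance-weighted annual expected loss, optionally with one control applied."""
    total = 0.0
    for inc in incidents:
        like, cons = inc.likelihood, inc.consequence()
        if control is not None and inc.name in control.effect:
            like_cut, cons_cut = control.effect[inc.name]
            like, cons = like * (1 - like_cut), cons * (1 - cons_cut)
        total += TOLERANCE_WEIGHT[inc.tolerance] * like * cons
    return total

def rank_controls(incidents, controls):
    """Rank controls by weighted risk reduced per dollar invested, best first."""
    base = weighted_loss(incidents)
    scored = [(c.name, (base - weighted_loss(incidents, c)) / c.cost) for c in controls]
    return sorted(scored, key=lambda s: s[1], reverse=True)

# Constructed register for the banking scenario: two core-business incidents, one ancillary one.
INCIDENTS = [
    Incident("ip_theft", 0.15, "low", {"legal_admin": 800_000, "opportunity_loss": 4_000_000, "reputation": 500_000}),
    Incident("card_data_loss", 0.25, "low", {"notification": 300_000, "customer_support": 600_000,
                                             "customer_defections": 1_500_000, "legal_admin": 1_000_000}),
    Incident("web_defacement", 0.40, "high", {"response": 20_000, "reputation": 80_000}),
]
CONTROLS = [  # (likelihood cut, consequence cut) per incident: prevention versus consequence reduction
    Control("data_loss_prevention", 250_000, {"ip_theft": (0.5, 0.0), "card_data_loss": (0.4, 0.2)}),
    Control("web_app_firewall", 60_000, {"web_defacement": (0.7, 0.0)}),
    Control("breach_response_retainer", 100_000, {"card_data_loss": (0.0, 0.3), "ip_theft": (0.0, 0.1)}),
]
```

With these assumed figures, `rank_controls(INCIDENTS, CONTROLS)` places the data loss prevention control first, the breach-response retainer a close second and the web application firewall far behind, because defacement sits in the high-tolerance class and its consequence is small.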

However, building plans for asset prioritisation and risk tolerance is only part of a comprehensive cyber security strategy. “It’s a critical foundational element that will colour your investment decisions over time,” said Worley.

In closing, she said cyber attacks and data breaches are inevitable. “If we are going to solve this problem, we have to approach securing against those attacks and breaches in a different way.

“We must evolve to using a risk-based approach that focuses on investing to protect the most critical at the expense of the most expendable, and the security of our proverbial territories has got to be as dispersed and as sustainable as the territories themselves,” she said.
