Navigating The Cyber-Threat Landscape

With every day that passes it seems that cybersecurity becomes a bigger and bigger issue for businesses and citizens.

General and specialized media are flooded with stories on threats and attacks. On top of that, countless niche cybersecurity vendors out there are fighting to communicate how their products can solve most cybersecurity problems. It all contributes to a collective fragmentation of views on what cybersecurity actually is, creating a fog of information.

In the meantime, executives, security managers and specialists are looking to cut through this fog to find proper and holistic navigation tools. A disciplined information security approach suggests adopting established views as guiding maps, such as ISO 27001, the Federal Information Security Management Act (FISMA), PCI Data Security Standard (PCI DSS), and new ones, such as the US Cybersecurity Framework.

Unfortunately, they do not provide enough relevant knowledge for establishing cyber-resilient organizations, data centers and information systems.

What is missing in all of this are the connections between actual attack techniques, vulnerabilities and threat actors, along with further detailed analysis of the domain. So how can this gap be filled properly?

I wish I could say that my beloved Center for Internet Security’s (CIS) Critical Security Controls (CSC) is the right answer. Unfortunately, while it is a useful instrument, it does not provide sufficient guidance.

Recently the European Union Agency for Network and Information Security (ENISA) published its Threat Landscape 2015 (ETL 2015), and I was pleased with what I found in it for cybersecurity strategists and practitioners. For the last two years I have referred people to ETL, as well as Verizon’s Data Breach Investigations Report (DBIR) and CIS CSC, because they all offer relevant, independent sources for strategic, operational and tactical guidance for cybersecurity.

What is so special about these reports? Here are my thoughts on the recently published ETL; hopefully they will inspire you to read the reports if you have not already.

ETL 2015 (and 2014) provides a measurement of the cybersecurity landscape, connecting strategic and tactical views. ETL 2015 offers mitigation vectors (controls) for each of the Top 15 threats. By comparison, CIS CSC provides aggregated mitigation vectors for all threats, in prioritized levels of increasing sophistication. Such CSC aggregation is good for an overall enterprise vision; however, it dilutes the details of a particular threat, which are needed to motivate and prove that the threat can be handled adequately.

Cybersecurity vendors publish quarterly and annual reports on threat analysis; however, they have internal conflicts, covering only information that is relevant to the vendor's product portfolio. ETL 2015 mitigates this conflict nicely by providing links to relevant deeper vendor analysis for particular top threats. I find it such an elegant and valuable resolution!

ETL 2015 provides a separate visual Top 15 threats poster – allowing it to be used as an instrument for discussion on how this information is relevant for a particular environment.

I have been involved previously in a few threat classification efforts. I am happy to see that ETL 2015 has issued its Threat Taxonomy as a mind map, and also in an elaborated Excel format (to make it readable after opening it in Excel, hide the document comments). It can be a great tool to validate your views and see if any gaps remain in your cybersecurity defense architecture. It also allows you to link to an IT infrastructure resilience theme.

DBIR gathers cybercrime facts, even though it is not clear to what extent European law enforcement agencies can legally analyze cases and share anonymized data. DBIR provides great analysis on what should be changed to improve resilience to cybercrime, and it maps practical guidance to CIS CSC. I hope that future ETLs will connect to CIS CSC as well, and to COBIT and ISACA’s publications.

At the end of the day, most organizations have to work through the fog of hysteria on cybersecurity to choose their own strategy for cyber resilience. I hope that these resources will be valuable anchors for you and your organization to evaluate and choose your own way.

Opinion By Vilius Benetis CEO NRD CS

Vilius Benetis is CEO of NRD CS, Cybersecurity Practice Lead at Norway Registers Development, and a member of ISACA.

This article first appeared in Information-Management.
