Navigating The Cyber-Threat Landscape

With every day that passes it seems that cybersecurity becomes a bigger and bigger issue for businesses and citizens.

General and specialized media are flooded with stories on threats and attacks. On top of that, countless niche cybersecurity vendors out there are fighting to communicate how their products can solve most cybersecurity problems. It all contributes to a collective fragmentation of views on what cybersecurity actually is, creating a fog of information.

In the meantime, executives, security managers and specialists are looking to cut through this fog to find proper and holistic navigation tools. A disciplined information security approach suggests adopting the established views for guiding maps, such as ISO 27001, the Federal Information Security Management Act (FISMA), PCI Data Security Standard (PCI DSS), and new ones, such as the US Cybersecurity Framework.

Unfortunately, they are not sufficient to provide enough relevant knowledge for establishing cyber resilient organizations, data centers and information systems.

What is missing in all of this are the connections between actual attack techniques, vulnerabilities, threat actors and further detailed analysis of the domain. So how to fill this gap properly?

I wish I could say that my beloved Center for Internet Security’s (CIS) Critical Security Controls (CSC) is the right answer. Unfortunately, while it is a useful instrument, it does not provide sufficient guidance.

Recently the European Union Agency for Network and Information Security (ENISA) published its Threat Landscape 2015 (ETL 2015), and I was pleased with what I found in it for cybersecurity strategists and practitioners. For the last two years I have referred people to ETL, as well as Verizon’s Data Breach Investigation Report (DBIR) and CIS CSC, because they all offer relevant, independent sources for strategic, operational and tactical guidance for cybersecurity.

What is so special about these reports? Here are my thoughts on the recently published ETL; hopefully they will inspire you to read the reports if you have not already.

ETL 2015 (and 2014) provides a measurement of the cybersecurity landscape, connecting strategic and tactical views. ETL 2015 offers mitigation vectors (controls) for the Top 15 threats. By comparison, CIS CSC provides aggregated mitigation vectors for all threats, prioritized and in increasing levels of sophistication. Such CSC aggregation is good for overall enterprise vision; however, it dilutes the details of a particular threat, which are relevant to motivate and prove that a threat can be handled adequately.

Cybersecurity vendors publish quarterly and annual reports on threat analysis; however, they have internal conflicts, covering only information that is relevant to the vendor's product portfolio. ETL 2015 mitigates this conflict nicely by providing links to relevant deeper vendor analysis for particular top threats. I find it such an elegant and valuable resolution!

ETL 2015 provides a separate visual Top 15 threats poster – allowing it to be used as an instrument for discussion on how this information is relevant for a particular environment.

I have been involved previously in a few threat classification efforts. I am happy to see that ETL 2015 has issued their Threat Taxonomy in a mind map, and also in an elaborated Excel format (after opening Excel, for it to be readable, hide the document comments). It can be a great tool to validate your views and see if any gaps remain in your cybersecurity defense architecture. It also allows you to link to an IT infrastructure resilience theme.

DBIR gathers cybercrime facts, even while it is not clear to what extent European law enforcement agencies can legally analyze cases and share anonymized data. DBIR provides great analysis on what should be changed to improve resilience to cybercrime, and it maps practical guidance to CIS CSC. I hope that future ETLs will connect to CIS CSC as well, and to COBIT and ISACA’s publications.

At the end of the day, most organizations have to work through the fog of hysteria on cybersecurity to choose their own strategy for cyber resilience. I hope that these resources will be valuable anchors for you and your organization to evaluate and choose your own way.

Opinion By Vilius Benetis CEO NRD CS

Vilius Benetis is CEO of NRD CS, Cybersecurity Practice Lead at Norway Registers Development, and a member of ISACA.

This article first appeared in Information-Management.
