I had the pleasure of attending a GDS Engagement Evening hosted by Admiral Patrick Walsh (ret) from iSIGHTPARTNERS last week. It was fascinating to hear from Pat the role that threat intelligence played from his direct experiences in the Navy and I think I can speak on behalf my peers on our table when I say that we could all benefit from those insights in our own work.
Those that have read my previous posts on the subject of Cyber Security and the application of KnowIT in IT security will know that I believe the current approaches and thinking in Cyber Security are ripe for disruption.
I take this position from an analysis of the costs and benefits of the existing paradigm for implementing Cyber Security strategies and specifically from the domain of vulnerability and patch management.
For any global enterprise the existing implementations of vulnerability and patch management simply cost too much and provide too little benefit. The sheer volume of vulnerabilities identified form Pen testing, IAST, SAST and DAST alone make the cost of remediation exorbitant; assuming such remediation is possible at all.
One must remember that only a fraction of the code utilised by the enterprise is under direct control. The vast majority of code in any business is owned and controlled by proprietary software vendors or is Community Source or Open Source in nature. To depict this from a Java perspective I’ve included a picture from a white paper that will be published early next year.
The standard response to the problem of cost is, of course, a pragmatic assessment of risk and an attempt to patch what should be patched and manage/mitigate the risk of what can’t be patched. But this approach leads to another set of difficulties for global enterprises. Assessing risk and reaching agreement with stakeholders on what should be patched and when it should be patched, can itself be an error prone, manual and costly exercise often resulting in systems that violate the NoIT principle.
A global enterprise does not have the cohesion, discipline or chain of command of a military organisation. Even when a threat has been identified as carrying the highest level of risk affecting remediative action, whether it is a patch, firewall rule or even switching the vulnerable application off, takes time.
While we can throw resources at better training, better process and raising awareness to create better threat response systems I cannot help but think institutionalising such practices will simply lead to an unsustainable and ultimately unacceptable rise in costs.
This is why I found the discussion with Pat so compelling. As I understand it, threat intelligence is used in military circles to identify the nature and motivation of the threat with the aim of creating actionable intelligence.
So how does threat intelligence differ from the standard approach of risk assessment? Perhaps in essence it doesn’t, both of these approaches seek to inform a threat response and risk mitigation decision. However in practice a standard security vulnerability risk assessment focuses on CVSS of a vulnerability not the nature, motivation and target of an attack. Of course most Cyber Security teams will include at least some information pertaining to the target in their analysis but, by and large, these factors are not given due weighting.
I see one immediate benefit of cyber threat intelligence as a means of reducing the internal assessment of a CVSS carried out by the CISO. We already do this where Runtime Application Self Protection is in effect within the enterprise.
Given our knowledge that applications and platforms utilising RASP are afforded a higher degree of protection from Command Line Injection, SQL Injection and Cross Site Scripting vulnerabilities that depend upon on these attack vectors, we can issue a lower internal risk rating to such vulnerabilities, thus obviating the need to trigger a costly and invasive patching exercise.
Cyber Threat Intelligence can be a wonderfully complementary technology alongside RASP. It can be introduced without initially having to change existing threat response mechanisms, but rather to reduce the number of times these responses are exercised and to target any response more effectively. Once it has been established and its cost saving benefit demonstrated I believe further investment would be justified to affect greater changes in the overall threat response approach.