Mike Trevett of Mandiant FireEye explains why company Boards need to understand and manage cyber risks better.
At InfoSec in London this month, I met with Mike Trevett, Director UK&I at Mandiant, FireEye, to explore why so many organisations have problems prioritising and managing cyber security risks.
How do you decide what to invest in? If you are running a hospital, should you spend on cyber security or a new MRI scanner? Obviously, it isn’t an easy question to answer. And it is made harder, Mike tells me, because company leaders often fail to understand the nature of cyber threats.
A changing cyber threat landscape
The cyber threat landscape has changed. It’s not just credit card or health data that is at risk. Attackers are now targeting more and different types of data to extort or otherwise harm your business.
Business leaders must take note of the changing risk landscape. They need to keep their breach response plans current if they are to protect their organisations from reputational damage, litigation and the liabilities that can follow a data breach or other cyber crisis.
It would help, I suggest, if organisations got the basics right. Like patching the software they use so that it is updated with the latest bug fixes. Not easy, Mike counters. Patching at an enterprise level is difficult. The patch mustn't break something downstream – like the MRI scanner.
But, he concedes, better management is needed. Too often there is a long period allowed for patches to be implemented. And sometimes those “patch windows” are even published online so that hackers know how long they have to exploit a bug before they will get locked out.
In addition, there is a tendency to think “it’s not gone wrong yet so let’s not patch the software right now. We have other important things to do”. Discipline is needed.
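The patching discipline described above can be measured rather than argued about: how long each asset stays exposed after a fix is available, against the organisation's own patch window. The following is an added example, not from the article or from Mandiant; the SLA table, the asset inventory and the dates are constructed, and the "exception" status is a hypothetical way of recording a patch held back because it would break something downstream, so that it is an owned, visible risk rather than a silently missed patch.

```python
"""
Patch-window check (added example; the SLA table and inventory are constructed).

Flag every asset whose exposure to a known vulnerability has exceeded the
organisation's own patch SLA, and record deliberately held-back patches as
explicit exceptions rather than letting them disappear into the backlog.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical policy: maximum days allowed between a patch becoming available
# and it being deployed, keyed by vendor severity. This is the "patch window"
# the article warns about; the longer it is, the longer attackers have.
PATCH_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass
class Asset:
    name: str
    severity: str
    patch_available: date
    patched_on: Optional[date] = None        # None: still unpatched
    exception_reason: Optional[str] = None   # set when the patch is deliberately held back


def exposure_days(asset: Asset, today: date) -> int:
    """Days the asset was (or still is) exposed after the fix became available."""
    end = asset.patched_on or today
    return (end - asset.patch_available).days


def classify(asset: Asset, today: date) -> Tuple[str, int]:
    """Return (status, exposure_days) for one asset measured against the SLA table."""
    days = exposure_days(asset, today)
    sla = PATCH_SLA_DAYS[asset.severity]
    if asset.patched_on is not None:
        status = "within_sla" if days <= sla else "patched_late"
    elif asset.exception_reason:
        # Accepted risk: should carry a compensating control and an owner,
        # otherwise it is just an unpatched box with a nicer label.
        status = "exception"
    else:
        status = "overdue" if days > sla else "pending"
    return status, days


def classify_all(assets: List[Asset], today: date) -> Dict[str, Tuple[str, int]]:
    """Classify every asset; keyed by asset name."""
    return {a.name: classify(a, today) for a in assets}


def open_exposure(assets: List[Asset], today: date) -> Dict[str, object]:
    """What is still open: names needing action and the longest current window."""
    results = classify_all(assets, today)
    overdue = sorted(n for n, (s, _) in results.items() if s == "overdue")
    exceptions = sorted(n for n, (s, _) in results.items() if s == "exception")
    still_open = [d for _, (s, d) in results.items()
                  if s in ("overdue", "exception", "pending")]
    return {
        "overdue": overdue,
        "exceptions": exceptions,
        "max_open_exposure_days": max(still_open, default=0),
    }


# Constructed sample inventory (not real hosts, products or incidents).
TODAY = date(2019, 6, 10)
SAMPLE_ASSETS = [
    Asset("web-01", "critical", date(2019, 6, 1), patched_on=date(2019, 6, 5)),
    Asset("db-02", "high", date(2019, 5, 1), patched_on=date(2019, 5, 30)),
    Asset("hr-portal", "medium", date(2019, 4, 1)),
    Asset("wiki", "low", date(2019, 6, 1)),
    Asset("mri-scanner-1", "critical", date(2019, 5, 20),
          exception_reason="vendor-certified firmware; patch breaks scanner control software"),
]

if __name__ == "__main__":
    for name, (status, days) in classify_all(SAMPLE_ASSETS, TODAY).items():
        print(f"{name:14} {status:12} {days:3d} days exposed")
    print(open_exposure(SAMPLE_ASSETS, TODAY))
```

Run as-is, the sample shows the two failure modes the article describes side by side: a patch applied but well outside its window (db-02), and a medium-severity fix that nobody has got round to and is now far past the 30-day limit (hr-portal). The scanner is visible as an exception with a stated reason, which is the point: a held-back patch should be a decision someone can be asked about, not a gap nobody noticed.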
Defending against "ubiquitous commodity attacks" (the commonplace attacks that can be bought online, sometimes even with money-back guarantees) is, or should be, simple with the right processes and disciplines.
But defending against determined hackers and advanced threats is much more difficult. Some might say, impossible.
One tactic is to make sure that you are more secure than others “near” you (companies with similar risk profiles) just as you might with a house: thieves will be able to get in if they are determined but if you make it hard they will try someone else.
However, if they have decided to target you, they will in all probability succeed.
Assume you will be breached
Therefore, you need to assume intrusions will happen. That means you must have three things ready: procedures to respond to intrusions; technology to contain intrusions; and resilience to keep the lights on while the attack is being dealt with.
All too frequently, though, there are failings in the execution of this approach. The trouble is that most organisations are comfortable with operational and financial risk. But they don't take cyber risk seriously. Cyber won't make it to the Board meetings. It isn't addressed regularly at a senior level.
As a result, easy decisions are made. "We'll buy the latest defensive technology: that will keep us safe." But the really hard thing to defend against is humans, your employees, the "soggy things at the end of a keyboard" as Mike describes them.
Is this because Boards have difficulty expressing their cyber risk appetite, I ask. Yes, replies Mike. The trouble is that there is too little data around to evaluate risk, unlike, say, with financial risk.
And because things move so fast in cyber, even the little data we have is often useless. So defining what level of risk an organisation is comfortable with is very difficult.
That doesn't mean it shouldn't be attempted. You have to decide what your organisation can live with. What are the crown jewels that must be protected, and what can be given up?
And as always, you need to accept that there is a trade-off between safety and efficiency. 100% cyber security doesn't exist. But if it did, it would be in an organisation that was totally unable to operate.
And because that risk will always exist there is a need to run exercises, to get people at all levels (including the Board) used to the procedures that will be followed during a security incident. Like fire drills. You shouldn't wait until there is an incident to blow the dust off the process.
Unfortunately those processes will never be perfect. You simply can’t predict everything that will happen. So you need to use common sense and look for the most likely eventualities, as well as the eventualities that could kill the organisation.
Take the parts of cyber security that add value and invest in them, accepting that you can’t do everything and that some defensive activities will in effect simply add cost to your organisation.
And be flexible. Make plans of course, but be prepared to vary them. Mike describes how, as a pilot, he was taught that when something went wrong he should make a decision. If things got better, then stick with the decision. But if things got worse, it was time for a new plan.
The problem with AI in cyber security
None of this is easy. And technologies like artificial intelligence (AI) simply make things more difficult.
And defensive AI is a very real problem for cyber security. How do you assure it? If you want an understanding of what will happen in certain circumstances, perhaps an attempted intrusion, then how can you know and plan for what will happen if an AI machine is taking decisions on its own?
It's not practical to examine the algorithms that are driving the decision making. That is too complex, especially while an incident is in progress.
And if you don’t know how the AI machine is arriving at its decisions, how can you predict what it will do next? If the programmer has done well, then perhaps the best decision will be made. But how can you guarantee that?
AI in cyber security is potentially a very powerful tool. But we need to develop a better understanding of how we use it. For instance we must be able to predict what decisions it is likely to make, and why; and to do that we need to understand how it makes its decisions. We shouldn’t be content dealing with a black box.
Mandiant FireEye's latest M-Trends report is available at https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html