“How can you balance being really secure and paying through the nose?”
Join us as we discuss how unacceptable business outcomes can be avoided by quantifying the cost of events:
- Lee Harris, MSSP & Cloud Pak for Security Sales Leader, EMEA, IBM
- Dr Alex Tarter, Chief Cyber Consultant & CTO, Thales
- James Todd, CTO – BT Security, BT
- Andy Grzes, CTA, Smarttech
Let’s start with you, Alex. As a managed service provider, how do you help your customers to identify the threats and the level of security they need?
Yeah, that’s always difficult. As a service provider, you always want to give as much as possible, charge them the most. You know, uh, don’t worry we’re here to solve all your problems– yeah, being a little bit facetious. But the reality is– and I see a question in the audience participation, as well– how do you sort of balance being really secure with also, essentially, paying through the nose for that? And as we pointed out before, the threat landscape constantly changes.
So at least in our environment, we try and focus a little bit less on the evolving threats and a little bit more on the business outcomes and business unacceptable outcomes, because how a business operates and how it could go wrong is pretty static over time. So there’s a myriad ways of causing things to go wrong, but essentially, if you start with what could go wrong and what are they willing to pay to actually prevent from going wrong.
So downtime and productivity in an OT system has a defined monetary value to it. If it’s offline for two hours, it costs me x million. If it’s offline for two days– so you could take that quantifiable amount and say, all right, this may be an incredibly low likelihood event. But the impact is extraordinarily high. Then I’m willing to pay money to actually solve it.
So we typically work from impact and work on attack scenarios and sort of attack trees and work backwards to understand some common areas of causes and try and understand, all right, how do we specifically address those? And we balance that a little bit with more the mundane sort of low level of maturity things– that we know email is going to get compromised. We know people are going to do bad things. We know that their software updates are going to be a challenge.
So there’s constant sort of background low cyber hygiene elements that we focus on. But really, at the other side, to really target our resources– and let’s be honest, people are the most expensive resource of all. Where are you going to target those expensive analysts’ time? Where are you going to target those expensive threatening activities, et cetera?
And it’s got to be on those where the outcome, if it happens, is going to have the biggest impact to the business. So that’s kind of how we sort of level and identify the amount of security. Is it proportional to the amount of the impact?
Thank you. And James?
Yeah, I completely agree with Alex there. I mean, just to take an additional thing that we look at, as well, is that we– it seems to be a MITRE ATT&CK conference, this one. We use MITRE ATT&CK, as well, in those conversations, in that if we work with our customers to identify the usual things that are their core assets and their sort of business objectives, both at a business level and SOC operations level, and look at the MITRE ATT&CK framework and particularly the tactics and techniques that particular adversaries that would see them as an attractive target and the behaviours that they would exhibit within that environment in order to reach their end objectives.
So you look at it predominantly within our customers from a geography and a vertical perspective. So we can start the conversation immediately with a customer by knowing which vertical and which geo they operate in and the common means that an adversary would look to compromise them. And that, then, comes back and looks at saying, OK, if these are the TTPs that the adversary would bring to bear on an organisation like yourself, what do you currently have in order to be able to detect that and mitigate those actions?
And that allows us to build up a gap assessment in terms of what we can provide over and above what they provide internally and other service providers provide to them. So we’re not all competing within the same space to provide a particular solution to them.
We also use that approach to sort of build out our SOC operations that we provide over and above our managed services so that we are reporting on those elements that we’ve identified as being specific to the service that we’re providing. So yes, identifying those behaviours, yes, identifying and servicing those attackers that are bringing to bear, but also focusing on behaviour allows us to be agnostic of a particular attack, or piece of automated malware, or targeted malware.
So we’re not looking for indicators around a specific attacker or their tooling. We’re looking at behaviours and techniques. That allows us to be much broader in the provision of particularly monitoring capabilities and then layering on top of that, mitigating action through security controls that we provide as a service provider, but also being able to pivot into controls that they have, as well.
So not only are we having influence over what we provide, we’re also providing guidance into services that other people provide. And also, what we’re seeing, as service providers, is a greater adoption of native cloud security services. Now, it’s incredibly hard for a service provider to provide a service over and above an existing service, so using that approach allows us to introduce automation and orchestration on those powerful native controls that they’re acquiring from IaaS, PaaS, and SaaS services from other providers.