Interview: How cyber hygiene supports security culture - ThreatQuotient
Talk to any CISO about their job, and there’s a good chance they’ll tell you about the security culture they’re building. This could be as simple as empowering employees to report phishing emails, with security tools and technologies working behind the scenes to make their people - and their organisation - safer.
We spoke with ThreatQuotient’s APJC regional director Anthony Stitt to dig deeper into cyber hygiene, security culture, threat intelligence, and the tools that support them.
Let’s start with the basics of cyber hygiene. What should businesses and employees take to heart as core security practices?
Naturally, every business and employee should use the organisation’s security policy as their guiding reference for best practice. The security policy is driven by risk assessment and seeks to minimise the risk or damage from threats to a business’ assets, prioritising action and investment from the highest risks down.
Mostly, businesses have tried to make these as simple and approachable as possible, so employees can understand what’s required and adhere to these guidelines or rules.
From a threat perspective, we know from breach analysis and other empirical statistics about the most likely vectors of attack and compromise. Financially motivated criminal groups use phishing and stolen credentials, with misconfiguration and misdelivery being the leading internal factors or ‘errors’ that result in breaches.
Employee training helps address much of this risk, especially in preventing phishing and internal errors. This training also speaks to the complexity of IT infrastructure, even more so now that cloud infrastructure and applications, and working from home, put pressure on organisations to manage security effectively.
Taking phishing for example (as it is so widespread), training can reduce the risk of employees falling for phishing attacks and is able to show employees how to submit phishing emails for analysis by the security group. This allows the organisation to block similar attacks and learn about who or what attackers are targeting.
The concept of a business learning from existing threats and feeding that back into defences is a core security capability that continues to grow in importance, as attacks get more sophisticated, customised and targeted to each business, and even to certain groups or individuals.
Learning completes the ‘protect – detect – respond’ cycle that is fundamental to a strong security posture and policy.
An employee flags something as suspicious. That information needs to make its way to security teams who can investigate further. What processes should businesses have in place to ensure that issues are reported and protocols are in place if a compromise has happened?
Organisations need to make it easy for employees. Having a group email account where suspect emails can be forwarded is a great start. Technology can also help automate this with things like a “report” button, so employees don’t even need to remember the group phishing inbox name.
Of course, there’s no point getting employees to do this unless the security group has a process for analysing these emails. For most businesses, it is incredibly time-consuming, taking up to an hour per email for an analyst.
There has been a lot of recent focus on how to automate this as much as possible using tools like a Security Orchestration Automation & Response (SOAR) platform, which allows security teams to orchestrate activities, and the threat intelligence platform to store and correlate the threat information.
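The analysis step described above, which the reporting process depends on, can be partly automated. The following is an added example written for this page, not ThreatQuotient code or any vendor’s SOAR playbook: it takes one message forwarded to the group phishing inbox (a constructed sample, embedded below) and produces the first-pass triage record an analyst or threat intelligence platform would consume, namely sender and Reply-To domains, link hosts, attachment hashes and a list of findings. The thresholds and the "suspicious" verdict label are the example’s own assumptions.

```python
"""Triage a user-reported phishing email into threat-intelligence indicators.

Added example (not ThreatQuotient code): a first-pass analysis that a SOAR
playbook could run on each message forwarded to the group phishing inbox.
"""
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: mismatched Reply-To, a lookalike link and an attachment.
SAMPLE_REPORTED_EMAIL = b"""\
From: "Payroll Team" <payroll@example-corp.com>
Reply-To: payroll-update@mail-example.net
To: employee@example-corp.com
Subject: Action required: confirm your bank details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please confirm your details at http://login.example-corp.com.mail-example.net/verify
before Friday, or use the attached form.

--b1
Content-Type: application/pdf; name="bank_form.pdf"
Content-Disposition: attachment; filename="bank_form.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(address) -> str:
    """Return the lowercase domain of an RFC 5322 address, or '' if there is none."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def defang(value: str) -> str:
    """Defang an indicator so it cannot be clicked from a ticket or chat message."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def triage_reported_email(raw: bytes) -> dict:
    """Parse a reported message and return a triage record with indicators and findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # Collect URLs from every text body part (plain and HTML), ignoring attachments.
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            urls.extend(URL_RE.findall(part.get_content()))
    url_hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})

    # Hash attachments so they can be correlated across reports and submitted to a sandbox.
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8")
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "sha256": hashlib.sha256(data).hexdigest(),
        })

    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from sender domain")
    for host in url_hosts:
        # A lookalike such as login.example-corp.com.mail-example.net is NOT under example-corp.com.
        if from_domain and host != from_domain and not host.endswith("." + from_domain):
            findings.append(f"link host {host} is outside sender domain {from_domain}")

    return {
        "subject": str(msg.get("Subject", "")),
        "sender_domain": from_domain,
        "reply_to_domain": reply_domain,
        "url_hosts": url_hosts,
        "urls_defanged": [defang(u) for u in urls],
        "attachments": attachments,
        "findings": findings,
        # Verdict label is an assumption of this example, not a vendor scoring scheme.
        "verdict": "suspicious" if findings else "needs-analyst-review",
    }


if __name__ == "__main__":
    record = triage_reported_email(SAMPLE_REPORTED_EMAIL)
    for key, value in record.items():
        print(f"{key}: {value}")
```

Each record is a candidate entry for the threat intelligence platform the answer mentions: the link hosts and attachment hashes are the reusable indicators, and the findings give an analyst a reason to prioritise the report instead of reading every message from scratch.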
How can businesses play their part in becoming part of a threat intelligence ‘collective’?
For the security team, leveraging threat information, whether from employees or elsewhere, is a newer capability that most businesses are still learning or getting comfortable with. On the employee side, training is the ultimate answer. That could involve spotting and submitting phishing emails or any other kind of suspicious activity they experience.
At a macro level, threat information sharing is a big and growing industry now. We’ve had Computer Emergency Response Teams (CERTs) and Information Sharing & Analysis Centers (ISACs) for years. However, organisations like the Australian Cyber Security Centre and even state governments are looking to build threat sharing centres. The idea behind these initiatives is based on ‘trickle-up’ sharing so that any person or employee can contribute to the collective.
The “collective” is Australia in the ACSC instance, although the same applies to any country establishing government-funded cybersecurity bodies, such as Singapore’s Cyber Security Agency; the concept is the same at an organisational level (threat intelligence team) or industry level (ISAC).
Naturally, this also poses a question for organisations: How do I leverage all this threat information, and do I have a responsibility to do so?
In our previous interview, you mentioned that threat intelligence platforms can help to eliminate communication gaps, particularly amongst security teams. How would these platforms and security teams leverage employee reports into their security protection?
Employee reporting is on the collection side. So too is threat hunting, incident response, forensics and alert triage, all of which are technical security operational capabilities requiring varying levels of expertise. Incidents and breaches involve sharing and working across these groups, often using standard office tools like email, spreadsheets and instant messaging.
A better way is to centralise the threat information together with the collaboration tools so that different teams - such as incident response, threat hunting, security operations and others - can all work from one virtual evidence board, like a virtual ‘corkboard’ that is so often popularised in crime shows.
This has the advantage of also helping to solve the other side of this problem, which is how to use threat information. With a centralised store of threat information, it can be automatically integrated into the systems that can leverage this information in real time, like the SIEM and even security defences like firewalls, DNS and web gateways.
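The integration described above, in which a central indicator store feeds both the SIEM and blocking controls, is illustrated by the following added example, written for this page and not taken from ThreatQuotient’s platform. It keeps a small in-memory store of indicators with their source, confidence and last-seen date (all constructed values), ages out stale or low-confidence entries before they reach a blocking control, renders the remaining domains as Unbound DNS local-zone lines and the IPs as a firewall list, and matches constructed DNS and proxy log lines the way a SIEM correlation rule would. The log formats, the 90-day age limit and the confidence threshold are this example’s assumptions.

```python
"""Push indicators from a central store to defences and match them against log events.

Added example (not ThreatQuotient code): a minimal indicator store that
exports a DNS blocklist and an IP list, and matches SIEM-style log lines.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress
import re


@dataclass(frozen=True)
class Indicator:
    kind: str         # "domain" or "ipv4"
    value: str
    source: str       # where it came from, e.g. "employee-report" or "isac-feed"
    confidence: int   # 0-100, assigned by the analyst or feed
    last_seen: date


# Constructed store: one employee-reported domain, one feed IP, one stale feed domain.
TODAY = date(2024, 6, 1)
STORE = [
    Indicator("domain", "mail-example.net", "employee-report", 90, TODAY - timedelta(days=2)),
    Indicator("ipv4", "203.0.113.45", "isac-feed", 80, TODAY - timedelta(days=10)),
    Indicator("domain", "old-campaign.example", "isac-feed", 60, TODAY - timedelta(days=120)),
]


def active(store, today=TODAY, max_age_days=90, min_confidence=70):
    """Drop stale or low-confidence indicators so blocking controls do not act on them."""
    return [i for i in store
            if (today - i.last_seen).days <= max_age_days and i.confidence >= min_confidence]


def export_unbound_blocklist(store, **kw) -> str:
    """Render active domains as Unbound local-zone lines that answer NXDOMAIN."""
    lines = [f'local-zone: "{i.value}" always_nxdomain'
             for i in active(store, **kw) if i.kind == "domain"]
    return "\n".join(lines) + "\n"


def export_ip_blocklist(store, **kw):
    """Return active, syntactically valid IPv4 addresses for a firewall deny list."""
    out = []
    for i in active(store, **kw):
        if i.kind == "ipv4":
            ipaddress.IPv4Address(i.value)  # raises ValueError on a malformed entry
            out.append(i.value)
    return out


# Constructed log formats: one line per DNS query and per proxy request.
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<client>\S+) query=(?P<qname>\S+)$")
PROXY_LOG_RE = re.compile(r"^(?P<ts>\S+) proxy client=(?P<client>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+)$")

SAMPLE_LOGS = [
    "2024-06-01T09:12:01Z dns client=10.0.0.21 query=login.example-corp.com.mail-example.net",
    "2024-06-01T09:12:02Z proxy client=10.0.0.21 dst=203.0.113.45 url=http://203.0.113.45/verify",
    "2024-06-01T09:13:00Z dns client=10.0.0.22 query=www.example-corp.com",
    "2024-06-01T09:14:00Z dns client=10.0.0.23 query=old-campaign.example",
]


def domain_matches(qname: str, domain: str) -> bool:
    """True if the queried name is the indicator domain or any subdomain of it."""
    return qname == domain or qname.endswith("." + domain)


def match_events(log_lines, store, **kw):
    """Correlate log lines with active indicators, as a SIEM rule fed by the store would."""
    act = active(store, **kw)
    domains = [i for i in act if i.kind == "domain"]
    ips = {i.value: i for i in act if i.kind == "ipv4"}
    hits = []
    for line in log_lines:
        m = DNS_LOG_RE.match(line)
        if m:
            qname = m["qname"].lower().rstrip(".")
            for ind in domains:
                if domain_matches(qname, ind.value):
                    hits.append({"event": "dns", "client": m["client"],
                                 "indicator": ind.value, "source": ind.source})
            continue
        m = PROXY_LOG_RE.match(line)
        if m and m["dst"] in ips:
            ind = ips[m["dst"]]
            hits.append({"event": "proxy", "client": m["client"],
                         "indicator": ind.value, "source": ind.source})
    return hits


if __name__ == "__main__":
    print(export_unbound_blocklist(STORE), end="")
    print(export_ip_blocklist(STORE))
    for hit in match_events(SAMPLE_LOGS, STORE):
        print(hit)
```

The stale "old-campaign.example" entry is deliberately excluded from both the blocklist and the matches: the same ageing rule has to apply on the SIEM side and the blocking side, otherwise an indicator that no control blocks can still generate alerts, or a blocked domain can disappear from detection while it is still being enforced.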
Is there anything else you would like to add?
Most organisations believe that threat intelligence is an external pool of information that will close the gap that exists because security controls, like firewalls and antivirus, are not 100% effective. However, research suggests this is simply not the case.
External threat intelligence is valuable, especially if you choose sources appropriate for the threats your business faces, but it is not “complete”. Part of the problem comes from customised attacks, like bespoke phishing, that external intelligence will never cover.
The only way to get on top of this is to build an internal capability in threat detection by leveraging information from the attacks your organisation faces every day.