Comprehensive Threat-Driven Security Operations Require Unification of Threat Intelligence, Vulnerability Management and Attack Simulation



August 3, 2020

Yotam Ben Ezra, VP Products

We are living through perhaps the most accelerated period of digital transformation ever witnessed. The COVID-19 pandemic and work-from-home have put enterprise efforts to digitize into overdrive. There is a dark side to ever more rapid digital transformation: as digitization increases, so do cyber threats. As more of what we all do is connected to an IP address and a network, the opportunities to attack endpoints of more shapes and sizes increase rapidly. The complexity of defense increases exponentially as well.

Against this backdrop, many security organizations realized that effective security operations require focus and prioritization rather than trying to “boil the ocean”. These strategy-minded security teams have become more proactive in understanding the adversary that may target them, the attacks most likely to be attempted, and the resulting business risks. A unified view of security that combines threat intelligence, vulnerability management and attack simulation is critical to empower this shift from reactive to proactive security management.

Broad Digital Transformation Equals Richer Target Environment

With greater stakes and higher-value targets, the motivation for cybercrime increases. Ransomware attacks now regularly ask for and receive seven-figure payouts. As the business becomes more dependent on digital, the price of interruption and the value of the transactions continue to grow. The professionalization of cybercrime has made it a boom industry. Tools and capabilities are readily available for sale on the Dark Web. Government-sponsored Advanced Persistent Threat groups now frequently engage in cybercrime for financial gain. All of the core capabilities that have made DevOps so important - automation, machine learning and other standardization - enable cyber criminals to be more effective and execute more attacks at a greater level of complexity while spending less money and time.

The number and severity of threats have increased even over the past year, with much of the growth driven by cybercriminals seeking to exploit the pandemic. According to McAfee Labs research, total malware attacks grew by 1,902% over the past four quarters. The World Health Organization reported a five-fold increase in all types of cyberattacks aimed at its infrastructure and employees during the pandemic, while the U.S. Department of Health and Human Services logged a 50% increase in serious cyberattacks during the COVID-19 crisis. The average cost of a data breach in 2019 was $3.86 million, according to IBM’s 2020 Cost of a Data Breach Report.

Forward-Thinking Security Teams Switching to Threat-Driven Security Practices

This same IBM research found that companies that have deployed security automation technologies to assess and manage risks can cut their cost of breach response in half. This does not even count the security events avoided by using these smart technologies proactively. At the forefront of this thinking are “threat-driven security practices”. These are practices that:

  • leverage threat intelligence to identify the worst threats for a specific business
  • continuously simulate these threats with attack simulation and vulnerability scanning
  • combine threat, vulnerability and simulation data in a single system and prioritize from a single pane of glass
  • trigger automatic remediation or human intervention

This workflow allows security teams to proactively prioritize the worst risks first and assign lower priority to lesser risks.

Threat intelligence platforms and their data feeds have been at the center of this change and allow threat-centric activities to be managed in one place. TI platforms organize and analyze threat importance and the relevance of specific threats to the organization based on configurable criteria (infrastructure, software, type of risk, etc.). This helps analysts easily understand the capabilities of the adversary or the potential impact of any new risk. Threat intelligence platforms also make it much easier for teams to share information across the organization and drive actions based on specific threats as well as broader changes to encourage more proactive, focused security hygiene.

Historically, the biggest challenge organizations have faced is how to efficiently and effectively share this information with other parts of security operations, and integrate it into workflows and automation processes. Because the flow of threat intelligence information is constantly growing, security teams need a clear understanding of what to prioritize from a threat mitigation standpoint. This requires a clear and data-driven view of their organization’s specific risk with respect to each threat, covering the following aspects:

  • Threat - The capability and intent of the adversary, including adversary behaviors, indicators and vulnerabilities used.
  • Vulnerability - The overall posture of the organization against this specific threat, including vulnerability to exploitation, mitigation of adversary behaviors and the ability to identify and mitigate related indicators.
  • Impact - The explicit association of a threat and vulnerability with impact to the business, based on an understanding of the assets that can be targeted and their importance to the business.

Creating an accurate view using these three variables can enable organizations to focus on the right things, fix the most important problems first, and track their security posture in a way that is tailored to the needs and capabilities of the organization. That said, missing any one of the three can result in bad decisions. For example, a CVE rated as high priority may lead a vulnerability management team to prioritize patching a vulnerability for which sufficient controls already exist. Or, mitigating a specific Indicator of Compromise while neglecting to detect and monitor the surrounding behaviors may create a blind spot for a specific threat actor and introduce a new risk for the organization.
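The three-variable view above, and the two pitfalls it warns about, as an added illustrative model. This is example code written for this post, not SafeBreach's product logic or scoring formula; the threat and posture records, the ATT&CK technique IDs chosen, and the CVE placeholders are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Threat:                 # what threat intelligence says about the adversary
    name: str
    intent: float             # capability/intent weight, 0..1 (assumed TI rating)
    techniques: list          # ATT&CK technique IDs the actor is known to use
    indicators: list          # IoCs from the TI report (constructed values)
    cves: list                # vulnerabilities the actor exploits (placeholders)

@dataclass
class Posture:                # what simulation, detection and VM say about us
    blocked_techniques: set   # techniques stopped in attack simulation
    detected_indicators: set  # IoCs already blocked or alerting
    cve_status: dict          # cve -> (present_in_environment, compensating_control)
    asset_value: float        # importance of the targeted assets, 0..1

def assess(threat, posture):
    """Score = threat intent x unmitigated fraction x asset impact, plus caveats."""
    tech_gaps = [t for t in threat.techniques if t not in posture.blocked_techniques]
    ioc_gaps = [i for i in threat.indicators if i not in posture.detected_indicators]
    exploitable = [c for c in threat.cves
                   if posture.cve_status.get(c, (False, False)) == (True, False)]
    checks = len(threat.techniques) + len(threat.indicators) + len(threat.cves)
    gaps = len(tech_gaps) + len(ioc_gaps) + len(exploitable)
    vulnerability = gaps / checks if checks else 0.0
    score = round(threat.intent * vulnerability * posture.asset_value, 3)
    notes = []
    # Pitfall 1: IoCs covered but behaviors unmitigated is a blind spot, not safety.
    if threat.indicators and not ioc_gaps and tech_gaps:
        notes.append("IoCs covered but behaviors %s unmitigated: blind spot" % tech_gaps)
    # Pitfall 2: a present CVE with a compensating control should not jump the queue.
    for c in threat.cves:
        present, control = posture.cve_status.get(c, (False, False))
        if present and control:
            notes.append("%s present but compensated: do not escalate patching" % c)
    return {"threat": threat.name, "score": score, "technique_gaps": tech_gaps,
            "ioc_gaps": ioc_gaps, "exploitable_cves": exploitable, "notes": notes}

def prioritize(threats, posture):
    """Rank all tracked threats, worst organization-specific risk first."""
    return sorted((assess(t, posture) for t in threats), key=lambda r: -r["score"])

# Constructed sample data (not from any real report).
SAMPLE_THREATS = [
    Threat("ransomware actor (constructed)", 0.9, ["T1566.001", "T1059.001", "T1486"],
           ["mail.example", "deadbeef-sample-hash"], ["CVE-XXXX-0001", "CVE-XXXX-0002"]),
    Threat("commodity adware (constructed)", 0.3, ["T1566.001"], ["ads.example"], []),
]
SAMPLE_POSTURE = Posture({"T1566.001"}, {"mail.example", "deadbeef-sample-hash", "ads.example"},
                         {"CVE-XXXX-0001": (True, True), "CVE-XXXX-0002": (True, False)}, 0.8)
```

Run `prioritize(SAMPLE_THREATS, SAMPLE_POSTURE)`: the ransomware actor ranks first on its two unmitigated behaviors and one exploitable CVE, while both caveats are surfaced alongside the score.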

Improve Security Posture and Reduce Risks By Integrating BAS, TI and VM Platforms

SafeBreach’s newly announced integration capability with threat intelligence platforms adds the full threat context required to run effective threat-driven operations across threat analysis and attack simulation. When combined with vulnerability management integration, this trio of capabilities delivers the most comprehensive operational view possible of threat-based security posture. SafeBreach automatically connects with compatible threat intelligence platforms or feeds, fetches relevant threat information, and generates a data-driven view of organizational security effectiveness and risk for each relevant threat. This includes recently discovered threats that may not have widely known mitigation steps.

The SafeBreach Threat Intelligence Integration includes the following capabilities:

  • Automatically create new attack simulations based on threat-related IoCs
  • Automatically correlate threat-based adversary behaviors and patterns with existing attack simulations based on the MITRE ATT&CK framework
  • Automatically correlate threat-based software vulnerabilities with existing organization-specific software vulnerabilities
  • Report and contextualize threat-based security posture, including behaviors, indicators and vulnerabilities

The ability to assess the overall impact of any potential threat to the organization and assign an intelligent priority to each threat is critical to driving a better-informed decision-making process for day-to-day detection and mitigation efforts.

Summary

SafeBreach Threat Intelligence Integration allows organizations to unify the three major pillars of threat intelligence, vulnerability management and security operations in order to make the entire organization more responsive, better informed and more proactive. Threat intelligence teams can more easily simulate attacks associated with each threat and quickly gain a view of posture and risk for each threat of interest. Vulnerability management teams can prioritize vulnerability patching based on a combination of threat context and exploitability models derived from continuous attack simulation. Security operations teams can prioritize detection and mitigation strategies and rules based on threat relevance and importance.

Most importantly, this integration builds trust throughout the organization - and beyond the security team. With these integrations, executives can instantly generate a report that quantifies the impact of top threats and better understand the risks they face. Information sharing and integration drive efficiencies in any type of business. In security, the efficiencies are even more critical because threats are evolving so much more quickly - and the stakes of failing to remediate the right threats in a timely manner are so much higher.