Читать книгу Cyber Intelligence-Driven Risk - Richard O. Moore III - Страница 7

It is even better to act quickly and err than to hesitate until the time of action is past.

– Carl von Clausewitz

THIS BOOK is designed for business leaders who are looking to unwrap the “cyber black box” and understand how cyber intelligence can improve their business decisions. For the cybersecurity professional who is trying to find an entry point to provide value to executives, and for the cybersecurity teams looking to raise their level of sophistication, this book will address the fundamental issues facing businesses and individuals today. First, organizations are still failing to respond to cyber threats due to inconsistent decisions and poor cyber hygiene. Second, both organizations and cybersecurity professionals are struggling with compliance frameworks, international legislation, and local legislative and other privacy requirements while still trying to make revenue through technology advantages. All of the frameworks, compliance, and privacy items are focused on the technology and not on how the organization should be looking at operational risk. By the end of this book, we will explain to the reader why the CI-DR™ is the center of gravity for decisions that business leaders should be taking advantage of. Business leaders in every organization are consistently being asked how the organization is dealing with cybersecurity issues, whether it can respond to cyber losses, and what the shareholders need to know should a cybersecurity breach or cyber loss leading to financial consequences occur. Most of the cybersecurity issues that current business models outline are reactive in nature and are usually actioned without much analysis or debate, leaving biased opinions and hasty approaches that ultimately detract from logical decisions.

Operational risk losses or consequences are defined in the IEC/ISO 31010¹ documentation and is where we begin to leverage the language needed to bring the CI-DR “knowledge” to the risk management professionals. To have a seat at the table as cyber professionals we need to be able to speak the same taxonomy as our business risk managers. Throughout the book we provide some real-world examples of how a CI-DR program assisted organizations where these capabilities were implemented and matured to assist in the business decision-making process. As you read the examples, our intent is to have you think about the role you hold at your company, or your next role, and the types of information you would want to assist you in making decisions. To be successful, it is key to have the data and knowledge, coupled with curiosity and the desire to be of value that will ultimately lead to being granted access to the internal decision-making for your organization.

With every chapter we provide the business need for a CI-DR program with a real-world example of the cybersecurity issues that many organizations have faced in the past. As you may recall, the year 2012 was very troubling for the financial services, banking, and cybersecurity practitioners. Starting in the month of September and continuing into the new year, a sympathetic nation-state of malicious actors known as QCF (Cyber Fighters of Izz ad-Din al Qassam, also known as Qassam Cyber Fighters) began to methodically stop banks from financially transacting with customers, through an attack known as a Distributed Denial of Service (DDoS). This is essentially a technical mechanism that consumes and overwhelms systems and networks, rendering them unavailable or useless for the purposes they were designed for. Many of these banking institutions leveraged their membership in the Financial Services Information Sharing and Analysis Center (FS-ISAC)² to gain an understanding of how the attack started and to provide a secure forum for discussing best strategies to defend the banks against this adversary, helping to set the foundations for many cyber programs and processes in use today.

The ISAC provided the necessary connections among cybersecurity professionals, many of whom came from the military intelligence profession, with a forum and location to share threat intelligence as well as the ability to discuss new capabilities and mitigation process to reduce the attacks against their financial institutions without retribution for competitive interests. The Security and Exchange Commission later issued a statement that cybersecurity and threat intelligence cannot be a competitive advantage.³ The larger member institutions had begun building cyber intelligence programs and sharing information on attacks through the membership's cyber intelligence leaders. As executives continued to hear through headlines and peers throughout the banking community, their concerns were how much money they would need to spend to protect their organizations and whether they had the proper staffing and expertise on hand to do that. The action and outcomes of this specific attack played a significant role in the development of the CI-DR program. One of the important processes that was implemented from the sharing of information through the ISAC was the need for cyber intelligence teams to collect, analyze, and produce reporting of attack vectors to the banking management teams for decisions on how to deploy resources.

At different phases of the attack other institutions were doing similar activities, and after months of analysis and the velocity and growth of the attacks, teams using the initial vision of the CI-DR program were able to create a predictive analysis when the attack might occur. Most conversations that were happening in business leadership were not the old similar technology mitigation discussions; the conversations quickly changed focus to discuss whether this attack would impact capital reserves, what other risks might be encountered during this unprecedented cyberattack, and what amount of financial transactions and revenue losses would online banking systems and internet-facing systems incur. As these conversations grew and expanded, our organization had a plan to have the accountants and business analysts review the systems and provide transactional and revenue estimations for eight, sixteen, and twenty-four hours to determine the amount of loss each critical system could incur. Much of this information was derived from work done by the risk management team during their Business Impact Analysis reviews, and the “crown jewels” asset risk assessments conducted by the information security and business technology teams. One of the most difficult assessments that the accountants had to deal with was figuring out potential revenue loss and the number of hours it would take to lose it. This process that was incorporated after the attacks subsided is the original iteration of what is commonly called today a fusion center. A CI-DR fusion center can exist when bringing business owners, accountants, technologists, risk managers, cyber intelligence analysts, and cybersecurity personnel together to solve an organizational problem.

Having generated all available intelligence through the fusion of stakeholders, combined with our analysis of all data brought from the fusion teams, a decision model was presented to the Board of Directors for their agreement that we were doing the right thing. That “knowledge” package painted key cyber intelligence decision points and pinpointed that the organization would be attacked somewhere around January 7 at 14:00, and that the financial loss would be over a million dollars for eight hours of outage time. Additionally, the decision points included mitigation technologies the organization could deploy to remediate the attack and the cost comparison against the impact of loss. The cost-benefit decision weighed with risk options provided two courses of recommended actions. The decision points were to either allow our systems to be overwhelmed and let the attackers think they took us offline, or implement this new unproven Anti-DDoS scrubbing technology, which could still potentially lose some real transactions with an additional cost for ineffective technology. With agreement that executive management had the situation well understood, the decision was made to allow the attackers to shut down our online banking platform and allow it to be unavailable during our anticipated 14:00 to 17:00 outage.

To add additional scrutiny and anxiety for the executives, these plans had to be presented to the US Treasury and our financial regulators, which gave the executive team concern that we would be placed under supervisory letters if our decisions were steadfast. The cyber intelligence analysis from months of attack data was also provided to the Treasury and Regulators so they too could understand that the attackers usually turned off their attacks at 17:00 and that our exposure and loss rate was consistent with our risk models. It was the first time the organization's executives and management felt like they were making cybersecurity decisions and this grew my cyber intelligence program by leaps and bounds. Our intelligence estimates were off by thirty minutes, and we were back online transacting by 17:15 the same day. As the attacks were not subsiding through the spring of that year, the executive team, armed with the information from the collaborative efforts of the fusion team and the cyber intelligence analysis, made the decision to purchase the technology and reduce the financial losses even further. That organization is still using that same approach to mitigating other risks and how they purchase technology today as part of their risk management strategy. By leveraging this proven CI-DR framework it will enhance your cyber program from a pure technology thought to an operational risk program.

Figure I.1 shows how the CI-DR framework is designed and organized to address and provide reporting to directors and executives, to the risk officers and auditors, and of course to the leadership of the technology and cybersecurity functions within the company. The reporting to the directors and executives mostly covers the areas of what the cyber program is doing to enhance or contribute to how the organization governs and responds to risk. In many organizations the business objectives drive how the organization handles risk and are key to how the CI-DR framework ties its goals and missions to assisting the business in meeting those objectives. Committees are another area where the CI-DR program provides analysis and input for reporting. As we mentioned, consequences of loss are listed in the International Standards Organization's Risk Management standard and that taxonomy can be used to provide a one-to-many or many-to-many from CI-DR capabilities and functions to a risk mitigation process, technology, or exposure. Risk management and compliance professionals are businesspeople, and they need to have technologists speak a common language to help them also protect the organization against risk. The CI-DR also provides for compliance, internal auditors, and technology leadership with the ability to report on the maturity and performance of the functions and capabilities. Maturity reporting within the CI-DR framework gives the various organizations using this framework the confidence to not have to compare themselves to others, to determine their needs based on size and budget and skills available in the area, as well as providing the overall understanding that cybersecurity is an operational risk that can be understood by non-technologists.

FIGURE I.1 CI-DR's business value.

We are positive that after reading this body of work the reader could confidently address the committees, the boards, and the executives when they ask about how the organization is governing its cyber risks. We know this framework has been able to address questions from regulators about the processes and the strategy for identifying, containing, and mitigating emergent cyber threats. Finally, if you are a director and an officer of a company implementing a CI-DR, the framework provides the formalization necessary to show that the organization's risk response and process and the directors and officers have done their due care to protect the company.