Why it’s time to change tack in cybersecurity and replace Fear, Uncertainty and Doubt with an evidence-based, data-driven approach
At the end of April, breach and attack simulation specialist AttackIQ signalled its growth ambitions with the appointment of ex-Menlo Security EMEA Channels Director John Brown as Senior Director for Global Channels with responsibility for building out the company’s channel network and taking its partner business to the next level.
AttackIQ operates in what Gartner has coined the ‘breach and attack simulation’ market, though Ross Brewer, Vice President and General Manager EMEA and APJ, told Technology Reseller that he prefers to think of it as ‘a continuous security controls validation’ opportunity.
The AttackIQ Security Optimisation Platform uses a combination of threat intelligence on the tactics, techniques and procedures (TTPs) of cyber criminals and the publicly available MITRE ATT&CK framework to provide security professionals with a matrix they can use to test and evaluate the effectiveness of their security controls, validate the performance of their firewall, DLP, EDR, SIEM etc., and identify any areas that need strengthening.
Because it is automated, the platform enables customers (end user organisations and managed service providers) to do this at scale and on a continuous basis, rather than manually, haphazardly or through quarterly or annual Red Teaming exercises.
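The scoring a validation platform of this kind produces can be illustrated with a small script. What follows is an added example, not AttackIQ’s code or output: it takes a constructed set of simulated-technique results (the ATT&CK tactic names and technique IDs are real identifiers from the Enterprise matrix; the controls, outcomes and percentages are invented) and reports overall effectiveness, per-control status (effective, degraded or failing), per-tactic coverage with untested tactics called out as blind spots, and the list of gaps to strengthen first.

```python
"""
Added example (not AttackIQ's code): scoring security-control effectiveness
against an ATT&CK-style matrix from constructed simulation results.
"""
from collections import defaultdict

# Enterprise ATT&CK tactics in matrix order. A tactic with no test run is
# reported as untested rather than silently scored as a pass.
ATTACK_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# "prevented" and "detected" both count as the control working; "missed" is a gap.
GOOD_OUTCOMES = {"prevented", "detected"}
VALID_OUTCOMES = GOOD_OUTCOMES | {"missed"}

# Constructed sample: one simulated technique run against one control each.
# Technique IDs are real ATT&CK identifiers; controls and outcomes are invented.
SAMPLE_RESULTS = [
    {"tactic": "Initial Access",    "technique": "T1566", "control": "Email gateway", "outcome": "prevented"},
    {"tactic": "Execution",         "technique": "T1059", "control": "EDR",           "outcome": "detected"},
    {"tactic": "Persistence",       "technique": "T1053", "control": "EDR",           "outcome": "missed"},
    {"tactic": "Credential Access", "technique": "T1003", "control": "EDR",           "outcome": "detected"},
    {"tactic": "Lateral Movement",  "technique": "T1021", "control": "Firewall",      "outcome": "missed"},
    {"tactic": "Collection",        "technique": "T1005", "control": "DLP",           "outcome": "missed"},
    {"tactic": "Exfiltration",      "technique": "T1048", "control": "DLP",           "outcome": "prevented"},
    {"tactic": "Exfiltration",      "technique": "T1567", "control": "DLP",           "outcome": "missed"},
]


def _check(results):
    """Reject records with an outcome outside the agreed vocabulary."""
    for r in results:
        if r["outcome"] not in VALID_OUTCOMES:
            raise ValueError(f"unknown outcome {r['outcome']!r} for {r['technique']}")


def overall_effectiveness(results):
    """Fraction of simulated techniques that were prevented or detected."""
    _check(results)
    if not results:
        return 0.0
    good = sum(1 for r in results if r["outcome"] in GOOD_OUTCOMES)
    return good / len(results)


def control_effectiveness(results, effective_threshold=0.9):
    """Per control: (success rate, status). Status is 'effective' when the rate
    meets the threshold, 'degraded' when some runs passed, 'failing' when none did."""
    _check(results)
    runs, good = defaultdict(int), defaultdict(int)
    for r in results:
        runs[r["control"]] += 1
        if r["outcome"] in GOOD_OUTCOMES:
            good[r["control"]] += 1
    report = {}
    for control, n in runs.items():
        rate = good[control] / n
        status = "effective" if rate >= effective_threshold else "degraded" if rate > 0 else "failing"
        report[control] = (rate, status)
    return report


def tactic_coverage(results):
    """Per ATT&CK tactic: fraction of tested techniques that were stopped, or
    None when nothing in that tactic was exercised (a blind spot, not a pass)."""
    _check(results)
    runs, good = defaultdict(int), defaultdict(int)
    for r in results:
        runs[r["tactic"]] += 1
        if r["outcome"] in GOOD_OUTCOMES:
            good[r["tactic"]] += 1
    return {t: (good[t] / runs[t] if runs[t] else None) for t in ATTACK_TACTICS}


def gaps(results):
    """Techniques that got through, as (tactic, technique, control) tuples,
    ordered by matrix position so the earliest-stage failures come first."""
    _check(results)
    order = {t: i for i, t in enumerate(ATTACK_TACTICS)}
    missed = [(r["tactic"], r["technique"], r["control"])
              for r in results if r["outcome"] == "missed"]
    return sorted(missed, key=lambda g: order.get(g[0], len(order)))


if __name__ == "__main__":
    print(f"overall effectiveness: {overall_effectiveness(SAMPLE_RESULTS):.0%}")
    for control, (rate, status) in control_effectiveness(SAMPLE_RESULTS).items():
        print(f"{control:14} {rate:5.0%} {status}")
    for tactic, cov in tactic_coverage(SAMPLE_RESULTS).items():
        print(f"{tactic:22} {'untested' if cov is None else f'{cov:.0%}'}")
    for g in gaps(SAMPLE_RESULTS):
        print("gap:", g)
```

Two design points matter for this kind of reporting. A control is only judged on techniques it was actually exercised against, so a "failing" firewall means every lateral-movement test it saw got through, not that it is broken in general. Untested tactics are reported as None rather than as 100%, because a matrix cell nobody has replayed is exactly the kind of gap continuous validation is meant to surface.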
AttackIQ has a 100% channel, two-tier go-to-market strategy, working with Westcon as its distributor in EMEA and APJ and top tier system integrators and service providers, as well as vendors like BT that use its products to validate their own offerings and monitor the preparedness of their customers.
Brewer says the expansion of AttackIQ’s channel network will enable the company to extend its reach beyond its core market of government organisations and large enterprises – national infrastructure, energy, banks, technology companies, computer manufacturers, retailers – and into the SME space and new territories, while providing channel partners with consulting and sales opportunities that come from identifying weaknesses in their customers’ security.
“A lot of our partner work to date has been fulfilment but this is more proactively using partners to give us scale and reach and operate in more countries. There is also a need for controls validation in the small to medium enterprise, and that’s a services opportunity for our partners,” he said.
He added that AttackIQ gives service providers the ability to validate the security of their own services at a time when MSPs are coming under unprecedented attack (and scrutiny) themselves.
“Cybersecurity in the supply chain is incredibly important and it’s becoming a very high priority for larger organisations. They want to be able to validate their service providers; they want to be able to police the police, the MSSPs who are providing these services.
“Just today, I was talking to a major critical infrastructure organisation that was trying to take service providers to task by saying ‘These controls that you’re selling us, how do you know that they work?’. The managed service providers say ‘We assure that they work’. ‘Well, we’ve just tested them and they don’t’. There’s a gap here. ‘You’re selling this so-called Nirvana, but who’s actually checking to make sure it is Nirvana?’
“Managed security service providers need to ensure that they are testing their capabilities using the latest methodologies because their customers are going to start automating this and MSSPs need to find the gaps before their customers do. It’s going to be embarrassing if a customer like the one I was talking to tests the services provided by an MSSP and finds them wanting.”
A new approach
The appointment of John Brown as global channel leader with the headcount and resources to drive forward AttackIQ’s partner business in the US and other regions comes at a time of strong growth in EMEA and APJ, with revenues increasing by more than 600% in the year ending January 2022 and set to rise by another 300% this year.
Ross Brewer says that this growth is being driven by greater awareness of cyber security risks and the emergence of an evidence-based, data-driven style of cybersecurity based around the MITRE ATT&CK framework that he believes will strengthen businesses’ defences and improve dialogue between cybersecurity professionals and business leaders.
Instead of selling solutions through fear, uncertainty and doubt (FUD), AttackIQ provides security professionals with the means to evaluate the effectiveness of their existing defences and identify areas that need strengthening.
“What we’re talking about here is control effectiveness and how you measure the efficacy and efficiency of your cybersecurity controls, which ultimately points to the efficacy and efficiency of your cybersecurity programme, because it’s the control failures that allow hackers to continue their activity,” explains Brewer.
“The first failure is the initial access – phishing, someone clicking on something – what MITRE calls ‘assumed breach’. But that’s not where the action is. The important question is ‘If hackers got to your laptop, could they get to your data, could they get to your contacts, could they get to your customers’ personal information?’ It’s about understanding where they can start from and where they can get to, and if you can measure that, find those gaps before the hackers do and fill them in, then you’re less likely to become a headline.
“We recently surveyed customers who were able to measure their controls with AttackIQ and found that their controls were 0.25%, either failing or degraded. If you think about the IT side of the business, we’re all chasing three, four, five 9s (.9999%), whereas in cybersecurity, we’re running at .75%. Is that acceptable?”
More and more businesses think not and are adopting a more comprehensive threat-informed defence based on awareness of the latest TTPs of hackers and continuous monitoring and validation of security controls across the enterprise.
“If you go back to the beginning of the cyber security industry, it was really about capabilities – let’s get some firewalls, let’s get some EDRs, let’s get some SIEM to protect ourselves. That was the proactive thing. Then it became a question of responding to the activity that was generated, being reactive by looking at incident management and now SOC,” explains Brewer.
“But in doing this we actually missed a step, which was to take what we now know about the tools, techniques and procedures of hacking groups, which are really well documented by the MITRE organisation, and replay them against our infrastructure to make sure that our defences are actually intact so we don’t have to exercise our incident management as much.
“Instead, we loosely installed the protection mechanisms and then heavily relied on incident management, which failed in a lot of cases – I think the statistic is that in 80% of breaches the information was in the logs but the organisations failed to see it. The missing step is to test those defences and to find gaps before the hackers find them. Organisations are now starting to recognise that the assumed breach methodology from MITRE and using the MITRE matrix to measure efficacy and efficiency is the way forward. This is called a threat-informed defence.”
Brewer argues that this approach is gaining ground because the top-down, risk-informed defence that has prevailed for the last 30 years, which is all about governance, risk and compliance (GRC), has failed so dramatically. As evidence, he points to the fact that there were 300 million ransomware attacks last year and that 81% of victims surveyed by the BBC said they paid the ransom.
“There’s a major problem here; we’re losing the fight and organisations recognise that and realise that they need to augment that GRC approach with a threat-informed approach to find out what would happen if a hacker got onto a company laptop, where could they get to and could we shut down their activity?
“That’s the new movement in the industry. It’s not about a product. It’s about all the holistic platforms, the firewalls, the SIEMs, the EDRs working together as a single organism, rather than just being a bunch of siloed technologies that don’t talk to each other.”
The changing role of CISOs
This transition is coinciding with a much stronger focus on cybersecurity from regulators and at board-level, which Brewer says requires a new approach from Chief Information Security Officers (CISOs).
“Boards and regulators like the Bank of England’s Prudential Regulation Authority (PRA) in the UK are getting a lot more savvy about the testing and validation that they do. They invoke what’s called a CBEST test, which doesn’t involve a university graduate with a clipboard asking ‘Do you have a password? Do you have a firewall?’. Instead, the question is: ‘Take XYZ hacking organisation: they use these TTPs, show us how you would defend your organisation against that activity’. That’s a very different question that requires much more scenario-based analysis.”
Brewer argues that while regulators and boards are changing their approach, there is a disconnect with CISOs who have come up through the trenches and are often too technical and too details-oriented.
“They want to talk about how many hacks there have been and from which countries. That’s irrelevant to a board; the board are only interested in the risk to the business, what’s being done to solve the problem, what industry peers are doing and whether the right amount of money is being spent. There’s a disconnect between the technical language that the security teams talk and the risk language that the boards talk.”
To illustrate the kind of approach he would like to see from CISOs, Brewer compares the data-driven boardroom presentations of CFOs and CMOs to the more speculative declarations of CISOs.
“In the boardroom, the CFO comes in and has every detail: this is how much money we have, these are our creditors, these are our debtors, this is our balance sheet, this is our growth, this is what we’re expecting from collections, this is our cash flow. The marketing person walks in and says this is how many people have hit our website, this is how many people have downloaded our white paper and so on. The logistics person walks in and says we’ve got GPS in vans and this is what it tells us. When it comes to cybersecurity, we just don’t have feedback on what’s working and what’s not working. We don’t have that evidence, that data. So we go in and say ‘We’ve kind of bought everything we think we need; we think we’re OK’.
“That’s no longer acceptable. Boards need cybersecurity to act like every other function and CISOs, especially the newer ones, to talk in data-driven terms, not fear, uncertainty and doubt. Instead of saying ‘There’s all this geopolitical activity happening; we need to spend more money on cybersecurity’, they should be saying ‘We’re in energy; these are the groups that are targeting us; these are the things they’re going to do against us; we’ve measured our environment and we’re about 76% effective. If the board would like us to get to 86% effective, we need another couple of million pounds. Do you want to accept the risk at 76% or do you want to spend another couple of million pounds to get us to 86%?’. That’s more like the conversation you have with finance: ‘We’re going to buy this building, we’re going to retire these two buildings, and that’s going to reduce our rent by this, our liabilities by that and it’s going to increase our profit by this’. That’s a very different conversation.”
The AttackIQ Security Optimisation Platform supports the emergence of this new type of CISO by providing the intelligence and data needed for a threat-informed defence, bringing new opportunities for channel partners to validate their customers’ defences and their own managed services.