Building an informed community New cyber threat landscape makes sharing intelligence imperative

Similar documents
Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response

Are we breached? Deloitte's Cyber Threat Hunting

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

The University of Queensland

ISAO SO Product Outline

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Real estate predictions 2017 What changes lie ahead?

Cyber Espionage A proactive approach to cyber security

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

Big data privacy in Australia

Accelerate Your Enterprise Private Cloud Initiative

Cybersecurity, safety and resilience - Airline perspective

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

Emerging Technologies The risks they pose to your organisations

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Cyber Security and Cyber Fraud

CYBER RESILIENCE & INCIDENT RESPONSE

PALANTIR CYBERMESH INTRODUCTION

Sage Data Security Services Directory

Angela McKay Director, Government Security Policy and Strategy Microsoft

Canada Life Cyber Security Statement 2018

Cyber Intelligence Professional Certificate Program Booz Allen Hamilton 2-Day Seminar Agenda September 2016

NCSF Foundation Certification

Customer Breach Support A Deloitte managed service. Notifying, supporting and protecting your customers through a data breach

Incident Response Services

A new approach to Cyber Security

Vulnerability Management. June Risk Advisory

M&A Cyber Security Due Diligence

Gujarat Forensic Sciences University

Five essential steps to improve cybersecurity Trekking toward a more secure, vigilant, and resilient organization

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

Continuous protection to reduce risk and maintain production availability

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

G7 Bar Associations and Councils

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

EY s data privacy service offering

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Cybersecurity and Hospitals: A Board Perspective

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

INTELLIGENCE DRIVEN GRC FOR SECURITY

Are you safe? Your business growth strategies are at the heart of the cyber risks your organization faces

ENISA EU Threat Landscape

How to be cyber secure A practical guide for Australia s mid-size business

Cybersecurity Fortification Initiative (CFI) infrastructure whitepaper

Cyber Security Incident Response Fighting Fire with Fire

Security in India: Enabling a New Connected Era

Combating Cyber Risk in the Supply Chain

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Cybersecurity in Government

MITIGATE CYBER ATTACK RISK

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

GDPR: A QUICK OVERVIEW

Protecting your data. EY s approach to data privacy and information security

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

TEL2813/IS2820 Security Management

Risk Advisory Academy Training Brochure

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Chapter X Security Performance Metrics

White Paper. View cyber and mission-critical data in one dashboard

Turning Risk into Advantage

The UK s National Cyber Security Strategy

Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

Anticipating the wider business impact of a cyber breach in the health care industry

Security by Default: Enabling Transformation Through Cyber Resilience

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Cybersecurity for Health Care Providers

Cybersecurity. Securely enabling transformation and change

HOSTED SECURITY SERVICES

Cyber Security Strategy

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

RESOLUTION 130 (REV. BUSAN, 2014)

BUSINESS CONTINUITY MANAGEMENT

General Framework for Secure IoT Systems

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Chapter X Security Performance Metrics

The New Healthcare Economy is rising up

DHS Cybersecurity: Services for State and Local Officials. February 2017

COUNTERING IMPROVISED EXPLOSIVE DEVICES

Cyber Threat Intelligence Debbie Janeczek May 24, 2017

Transcription:

Building an informed community New cyber threat landscape makes sharing intelligence imperative

2 This page has been intentionally left blank.

The complexity of cyber threats has evolved rapidly in recent years with highly specialized criminal, political, and government networks overtaking random small-scale hackers and criminals as the foremost threat to organizations. These specialized networks represent an elaborate mix of cyber threats that can target specific organizations, regions, and customer profiles through a sophisticated set of malware exploits and anonymization systems. Organizational leaders increasingly understand that the new cyber reality means more new and sophisticated threats - and as threats continue to increase, cyber criminals capabilities will grow as well. Leaders also understand that combatting the new threats will depend on more than tweaking security policies and executing technical fixes. To meet new enemies on the cyber battlefield, organizations will need new intelligence. They ll need strong cyber threat intelligence (CTI) capabilities as well as the ability to share information to ensure that intelligence about cyber threats gets to the right people and the right systems for proactive decision making. The challenge is one that will require broad vision, executive guidance, and an ability to create new models of cooperation within and across industries. Building an informed community 1

Cyber criminals know the importance of intelligence. They actively profile organizations to help them develop highly customized malware code and attack techniques for exploiting specific security weaknesses. On top of gathering intelligence, they re sharing it, helping one another to exploit organizations vulnerabilities. For Canadian businesses, the result is a league of cyber adversaries that is persistent, motivated and agile sharing and employing a variety of tactics, techniques and procedures (TTPs) that can compromise systems, disrupt services, perpetrate financial fraud, expose sensitive information, and steal intellectual property. Organizations could benefit by taking a page from the playbook of modern cyber criminals. If cyber attackers can devote resources to leveraging intelligence from their community as a way to advance their efforts, what s stopping industry from doing the same thing? What is Cyber Threat Intelligence (CTI)? CTI is an organizational capability, not a data set. It is an intelligence-led approach to manage cyber risk and build cyber resilience. It requires continuous awareness of relevant, current and emerging threats to your organization where you can proactively identify and mitigate incoming attacks. 2

The value to organizations While cyber attackers have long shared security-related information for their mutual advantage, business organizations have been slow to cooperate among themselves. Only recently have business leaders begun to fully recognize the need to engage in CTI sharing as a way to help combat cyber threats. And the need is great, with cyber crime activity continuing to increase. According to a joint McAfee-Center for Strategic & International Studies report released in June 2014, the cost of cybercrime in Canada is estimated at 0.17% of the country s gross domestic product 1, and according to Ponemon Institute, the cost of cybercrime is $7.6 million on average per company in 2014, a 10.4 percent net change from previous year s study 2. The growth in cyber-attacks has fueled discussion of information sharing across all sectors and industries. Many organizations, however, have not moved past the discussion stage. A majority of business leaders polled say they are willing to share cyber information and would do so voluntarily. Nonetheless, more than 40 percent aren t sharing any information at all, citing legal reasons or business concerns as the main factors. But the case for CTI sharing is growing clearer and being proclaimed loudly, with key organizations such as the U.S. National Institute of Standards and Technology (NIST) asserting that to enhance incident response actions and bolster cyber defences, organizations must harness the collective wisdom of peer organizations through information sharing and coordinated incident response 3. Moving forward on CTI sharing remains a challenge for organizations. And to overcome their persistent reluctance to share information, businesses need to better understand exactly how they can share intelligence safely and effectively, how they can preserve privacy, and how they can realize significant overall benefits from sharing. One path forward begins with setting up information sharing communities a move that can boost the ability to defeat advanced, persistent threats across individual organizations, industries, and geographies while heightening cyber resilience in the face of targeted attacks. Unlocking the value of CTI sharing requires an understanding of key prerequisites to understand the features of an enabling technology platform/infrastructure and to understand what the lifecycle of a CTI sharing initiative should look like. A recognized need Recognizing the importance and need for a threat intelligence sharing community, Deloitte has been involved in the creation of the Canadian Cyber Threat Exchange (CCTX). Leveraging our global knowledge and expertise of threat intelligence and cross intelligence sharing, we have helped defined the requirements and elements of the CCTX and developed the governance model which explains how it will work and how organizations can benefit from participating in it. Building an informed community 3

Creating a CTI sharing community The current threat landscape may serve as the vital motivator to prompt organizations to collaborate on a robust CTI sharing community within Canada. But before such a community can become operative, the Canadian business community must address certain considerations from the outset. The following is a list of actions that includes leading practices for developing an effective CTI sharing community: Develop community oversight and governance structures Clearly established structures can help drive the community s vision and provide a level of assurance that procedures exist for addressing concerns. An intelligence-sharing community requires a strong oversight board and clear rules for seating that board. Beyond a board, the community will need a code of conduct as well as procedures and penalties for handling disputes or breaches of membership. Strong oversight means members can trust that their rights and obligations are clearly governed and that security measures are in place to prevent sharing or leaking of unauthorized data. Implement community membership criteria A defined process and criteria can help ensure that new members are evaluated on their willingness to share intelligence, on best practices, on know-how, and on experience. A strong CTI community should also include a specific member intelligence onboarding process where analysts can obtain key and relevant information from the member s organization. It will also allow the member to receive customized reports on threats to specific assets. Make cross-sector sharing a priority Cyber attackers are not always industry-specific when seeking out new targets. While it is of great value for CTI communities to rely on industry-specific intelligence such as the Financial Services - Information Sharing and Analysis Centre (FS-IFAC), it is equally important to have cross-sector sharing as part of the community s plan with appropriate controls and agreements in place. Leverage cybersecurity expertise Gathering and analyzing community intelligence requires subject-matter experts who can produce reports and identify trends. A CTI sharing community also requires specialized day-to-day operational personnel to assist with program management and administration. Support open discussions on threat intelligence Periodic open group discussions can help community members share best practices, insights, and perspectives in an engaging and meaningful way, while also helping to build trust within the group. Comply with regulatory, privacy and legal obligations Complying with regulatory, privacy and legal requirements for information sharing remains a key concern. This enables an organization to define, publish, and disseminate any potential civil/criminal responsibilities so all members understand their obligations. 4

However, understanding the regulatory landscape provides only the baseline. If customer information is being collected, used or disclosed, take measures to ensure the appropriate privacy controls are embedded into the technology design and privacy infrastructure. Depending on the type and quantity of information disclosed or compromised, potential liability issues could ensue given the rise in class action law suits in Canada. A competitive advantage is to take a proactive risk management approach to privacy. Adopt a Privacy by Design mindset to ensure that information practices and privacy standards are not only compliant with regulatory requirements, but adhere to privacy best practices. Deloitte offers a Privacy by Design certification program 4 to demonstrate that processes, solutions and programs meet privacy best practices, minimizing the risk of compromise and reputational harm. Develop a community funding framework Acquiring the right technologies, platforms, and resources to generate actionable intelligence requires funding commitments from members. Explore cost-sharing methodologies to determine what is right for the community. For example, tiered membership fees rather than fixed contributions might work well for some communities. Funding amounts should cover not only operational and technology costs, but developmental and research costs as well. What to share? There s a wealth of information that organizations can share as they seek to collaborate among themselves to combat and prevent cyber attacks. Shared information can include: Intelligence on potential targets and attackers Vectors an attacker is known to use Methods and impacts of a successful attack Lessons learned and defence guidelines The key success metrics of creating a successful CTI sharing community include: 1. Having a central and secure ability to share information, 2. Established trust across a unique blend of public and private, cross-sector community members, 3. Member sharing of best practices, concerns and discussion items, and 4. Documented outcomes usable to create internal awareness on CTI. Initiate government relationships Private-sector communities should immediately begin developing reciprocal relationships with government bodies to provide and to be provided with security breach notifications that can help organizations prevent, detect, and respond to threats. Building an informed community 5

The power of sharing A community in which organizations can share real-time intelligence on constantly evolving threats can deliver broad benefits, including: Access to relevant, actionable intelligence Enhanced threat understanding Cost savings through elimination of duplicated effort Increased efficiencies in risk assessments Implementation of sharing models without new legislation Identification of trends and indicators of compromise Prioritization of threats and vulnerabilities by importance and imminence Improved security through shared best practices Development of shared situational threat awareness Correlation of seemingly unrelated indicators Better defensive agility with shift from reactive to proactive strategies Improved, more timely decision making via shared, real-time information More rapid customer notification of potentially impactful incidents Developing a CTI sharing platform The next step beyond the basic components of a CTI sharing community involves putting in place an appropriate technology platform. The effort will include systems, tools, and controls for sharing threat knowledge in a timely manner while protecting organization-specific corporate knowledge. As with building the overall CTI community, there are essential actions and best practices involved in developing an effective CTI sharing platform: Create an intelligence sharing taxonomy An explicit taxonomy will help ensure that all participants use and understand a common language and terminology. The taxonomy should include trusted intelligence classification standards, such as the Traffic Light Protocol (TLP). Communities also should set boundaries to define which members and which sectors can access which levels of information. Confidence-level ratings also should be developed and included in reports for members to let them know how trusted specific intelligence sources are. Operationalize the platform If a community decides to create its own intelligence sharing platform, it will have to develop both applications and infrastructure. Such an approach requires developing a robust broadly functional application interface, as well as acquiring and implementing infrastructure components that will ensure constant availability. 6

Instead of creating its own platform, a community might opt to save time and resources by leveraging partnerships with CTI experts and using existing technologies. Such an approach might include, for example, implementing a MISP (malware information sharing platform) an open-source platform for sharing, storing, and correlating indicators of compromises targeted attacks or a Soltra Edge, an industry-driven threat intelligence sharing platform. Ensure anonymization capabilities Any platform should allow members to share intelligence either openly or anonymously. To support anonymization, the community should create an accepted definition and develop the necessary controls. All members should know what aspects of the sharing process are or can be anonymized without risk of misinterpretation. Control the volume of shared information Developing clear intelligence triaging and analysis process can help ensure that the most critical information is shared first, while limiting the amount shared. Too much information can consume valuable resources, meaning critical items might not be addressed rapidly enough. Create actionable intelligence Intelligence sharing holds limit value if reports and discussions fail to outline potential actions that members should take to proactively secure their operations against identified threats or vulnerabilities. The CTI sharing life cycle Once the requisite platform is in place, the ongoing cyber threat sharing process can begin. In its most effective form, the process is an end-to-end endeavour that involves acquiring, assessing, disseminating, and applying knowledge about cyber adversaries, with the goal of producing actionable intelligence. The vision is to maximize value for individual organizations as well as for the community at large. Threat intelligence distribution Threat intelligence source/ partnership identification Threat intelligence intake Threat intelligence output Threat intelligence analysis Building an informed community 7

Protective power A CTI sharing community with a cross-sector focus and access to real-time intelligence holds the potential to help organizations respond more effectively to threats and to better protect their assets. Establishing such a community and making it operational requires a multiphased approach with the first true step being a group of committed, forward-thinking leaders coming together and establishing a guiding structure. Once leaders have set core requirements and expectations, they can begin crafting a pilot program and set in motion a truly cutting-edge cybersecurity strategy. Ultimately, embracing established best practices for CTI sharing can provide a strong baseline for organizations looking to establish not only a CTI sharing community but a community that serves as an active, effective, sustainable mechanism for collective cyber threat protection. The first true step is a group of committed, forward-thinking leaders coming together and establishing a guiding structure. 8

Sharing what we know Deloitte has experience helping organizations address cyber threats through a variety of tools, processes, and tactics including CTI sharing initiatives. We re happy to share what we know. To learn more about our approach to CTI and to discuss steps for building a CTI sharing community, please contact us. Dina Kamal National lead, Cyber intelligence and Analytics services dkamal@deloitte.ca +1 416-775-7414 1 McAfee and Center for Strategic and International Studies. Net Losses: Estimating the Global Cost of Cybercrime. Date accessed: August 20, 2015. http://www.mcafee.com/ca/resources/reports/rp-economic-impact-cybercrime2.pdf 2 Ponemon Institute. 2014 Global Report on the Cost of Cyber Crime. Date accessed: May 31, 2015. http://www.ponemon.org/library/2014-global-report-on-the-cost-of-cyber-crime 3 National Institute of Standards and Technology. Guide to Cyber Threat Information Sharing (Draft). Date accessed: July 9, 2015. http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf 4 Deloitte LLP, & Ryerson University, & Cavoukian, Dr. Ann., & Kingsmill, S. (2014). Privacy by Design - Setting a new standard for privacy certification. Building an informed community 9

www.deloitte.ca Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services. Deloitte LLP, an Ontario limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. 2015 Deloitte LLP and affiliated entities. Designed and produced by the Deloitte Design Studio, Canada. 15-3128H

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback