8 ways to identify and measure security threats
Security execs need to better understand vulnerabilities to improve resiliency of information systems.
Cloud Security Alliance notes importance of proactively measuring threats
The Cloud Security Alliance contends that healthcare organizations can greatly improve their security posture by developing metrics and processes to measure data security threats before they turn into cyberattacks. CSA, which promotes best practices for secure cloud computing, has published a white paper that introduces two essential metrics: Elapsed Time to Identify Failure (ETIF) and Elapsed Time to Identify Threat (ETIT). “Measuring them and developing processes to lower the values of ETIF and ETIT would improve the resiliency of an information system,” its research states.
1. Cyber ecosystem
The cyber ecosystem does not discriminate: good and harmful information coexist in it side by side. The Internet and the transmission protocols that carry information through the ecosystem are equally non-discriminating, in that good and harmful information are transmitted across cyberspace with no difference in priority or hierarchy. Thus the opportunity to distinguish good from harmful information typically does not arise within the cyber ecosystem itself.
2. Discriminating threats
That discrimination must therefore happen inside one’s own Information Technology/Operational Technology (IT/OT) infrastructure, specifically in its security infrastructure layers.
3. Good vs. bad
The first opportunity to distinguish good from harmful information occurs at the security layers sitting between the cyber ecosystem and the IT/OT infrastructure. The second occurs at the security infrastructure layer of the information system itself.
4. Fast action
If a cyberattack is identified and stopped at the security layers of the IT/OT infrastructure, the information system remains protected. If, however, the attack is first identified by the security layers residing in the information system itself (i.e., the harmful information has already passed through the IT/OT infrastructure), the information system is already compromised, and the question becomes how quickly that failure is recognized.
5. The attack surface
Cyberattacks occur when an information system’s vulnerabilities are exposed and exploited. For a given information system, these vulnerabilities are embedded in the architecture of its software and hardware, and collectively they represent the attack surface.
6. The need for resilience
Resilience is a system’s ability to carry out its intended functions despite disruptions. How a system can be attacked, and how it recovers, is bounded by its attack surface; thus the functions that represent resiliency, in this case Elapsed Time to Identify Failure (ETIF), are bounded by the attack surface as well. However, because publicly available data on when a cyberattack started and when it was identified is not standardized, ETIF, and hence cyber resiliency, is difficult to calculate consistently and precisely. In practice the start time is often the weakest input: an organization may know when it detected a failure but only estimate when the attack actually began.
7. Sharing data
The Cloud Security Alliance advocates sharing threat data in real time. “Ideally, if an entity that experienced failure could share the system’s vulnerability with other entities, analysis of such a shared failure event would be critical in detecting the presence of a threat or recovering quickly from the failure.” This is what the Elapsed Time to Identify Threat (ETIT) metric captures; its effectiveness can be measured by how far it moves the time at which a failure is identified toward the time at which the failure started.
8. Using ETIT to track the threat
“ETIT is critical in changing limits on the loss and recovery functions and thus impacting the quality of service,” the alliance explains. “If there is an ability for early identification of the threat that is causing the failure, then the overall time to recovery and hence the loss of resiliency could be reduced.” The full report is available from the Cloud Security Alliance.
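The following Python script is an added example, not code from the CSA white paper or from the Health Data Management article, showing how the two metrics from sections 6 through 8 can be computed over incident records and how sharing threat data shows up in the numbers. The page names ETIF and ETIT but does not formalize them, so the definitions used here are assumptions: ETIF is the time from the start of a failure to its identification, and ETIT is the time from the start of a failure to identification of the threat behind it (negative when the threat was already known, for instance from another entity’s shared data, before this entity’s own failure began). The `FailureEvent` records, entity names and timestamps are constructed for illustration; records with an unknown start time are counted rather than guessed, reflecting the standardization gap noted in section 6.

```python
"""Compute ETIF and ETIT over constructed failure records.

Assumed definitions (the page names the metrics but does not formalize them):
  ETIF = time the failure was identified - time the failure started
  ETIT = time the threat was identified  - time the failure started
A negative ETIT means the threat was already known (e.g. from another
entity's shared data) before this entity's own failure began.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class FailureEvent:
    entity: str
    failure_start: Optional[datetime]      # None: start of the attack is not known
    failure_identified: datetime
    threat_identified: Optional[datetime]  # None: the threat was never attributed
    via_shared_data: bool                  # threat learned from another entity's sharing


def etif(ev: FailureEvent) -> Optional[timedelta]:
    """Elapsed Time to Identify Failure; None when the start is unknown."""
    if ev.failure_start is None:
        return None
    return ev.failure_identified - ev.failure_start


def etit(ev: FailureEvent) -> Optional[timedelta]:
    """Elapsed Time to Identify Threat; None when either timestamp is unknown."""
    if ev.failure_start is None or ev.threat_identified is None:
        return None
    return ev.threat_identified - ev.failure_start


def hours(td: Optional[timedelta]) -> Optional[float]:
    """Convert a timedelta to fractional hours (None passes through)."""
    return None if td is None else td.total_seconds() / 3600


def summarize(events):
    """Mean ETIF/ETIT in hours, split by whether shared threat data was used.

    Events whose failure start is unknown are reported as unmeasurable, not
    estimated: that is the standardization gap the CSA paper warns about.
    """
    buckets = {"shared": [], "unshared": []}
    unmeasurable = 0
    for ev in events:
        f = etif(ev)
        if f is None:
            unmeasurable += 1
            continue
        key = "shared" if ev.via_shared_data else "unshared"
        buckets[key].append((hours(f), hours(etit(ev))))

    out = {"mean_etif_hours": {}, "mean_etit_hours": {}, "unmeasurable": unmeasurable}
    for name, rows in buckets.items():
        out["mean_etif_hours"][name] = mean(r[0] for r in rows) if rows else None
        etits = [r[1] for r in rows if r[1] is not None]
        out["mean_etit_hours"][name] = mean(etits) if etits else None

    shared, unshared = out["mean_etif_hours"]["shared"], out["mean_etif_hours"]["unshared"]
    # How far sharing moved identification toward the start of the failure.
    out["etif_reduction_hours"] = (unshared - shared) if (shared is not None and unshared is not None) else None
    return out


# Constructed sample: five healthcare entities hit by the same campaign.
# hospital-a shares its indicators at T0+74h; entities attacked after that
# identify their failures within hours instead of days.
T0 = datetime(2018, 3, 1)
H = lambda n: T0 + timedelta(hours=n)
EVENTS = [
    FailureEvent("hospital-a", H(0), H(72), H(70), False),   # first victim, found it on its own
    FailureEvent("clinic-c", H(10), H(58), H(56), False),    # second victim, no shared data yet
    FailureEvent("hospital-b", H(80), H(82), H(74), True),   # received hospital-a's indicators
    FailureEvent("lab-d", H(90), H(93), H(74), True),        # same indicators, ETIT negative
    FailureEvent("pharmacy-e", None, H(120), None, False),   # start of attack unknown: unmeasurable
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.entity:11} ETIF={hours(etif(ev))} h  ETIT={hours(etit(ev))} h")
    print(summarize(EVENTS))
```

Running the script prints per-entity values and a summary in which the entities that received shared indicators identified their failures in a mean of 2.5 hours against 60 hours for those that did not, and pharmacy-e is reported as unmeasurable rather than silently given a guessed start time. The same two functions can be pointed at real incident records once an organization decides, and documents, what it counts as the start of a failure.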