8 ways to identify and measure security threats

Published October 05 2017, 4:00am EDT


Security execs need to better understand vulnerabilities to improve resiliency of information systems.

Cloud Security Alliance notes importance of proactively measuring threats

The Cloud Security Alliance contends that healthcare organizations can greatly improve their security posture by developing metrics and processes to measure data security threats before they become cyberattacks. CSA, which raises awareness of best practices to ensure a secure cloud computing environment, has developed a white paper that introduces two essential metrics: Elapsed Time to Identify Failure (ETIF) and Elapsed Time to Identify Threat (ETIT). “Measuring them and developing processes to lower the values of ETIF and ETIT would improve the resiliency of an information system,” its research states.


1. Cyber ecosystem

The cyber ecosystem is non-discriminant: good and harmful information coexist in it. The Internet and the transmission protocols by which information travels within the cyber ecosystem are also non-discriminant, in the sense that good and harmful information is transmitted across cyberspace without any distinction of priority or hierarchy. Thus, the opportunity to discriminate between good and harmful information typically does not occur in the cyber ecosystem itself.

2. Discriminating threats

Discrimination must occur within one’s own Information Technology/Operational Technology (IT/OT) infrastructure, and it must occur in the security infrastructure layers.

3. Good vs. bad

The first opportunity to discriminate between good and harmful information occurs at the security layers between the cyber ecosystem and IT/OT infrastructure. The second opportunity occurs at the security infrastructure layer of the information system.


4. Fast action

If a cyberattack is identified and captured at the security layers in the IT/OT infrastructure, then the information system is protected. However, if a cyberattack is identified by the security layers residing in the information system (i.e., harmful information already has passed the IT/OT infrastructure), then the information system is compromised.

5. The attack surface

Cyberattacks occur when the information system vulnerabilities are exposed and exploited. For a given information system, these vulnerabilities are embedded into the architecture of the software and hardware, and represent the attack surface.

6. The need for resilience

Resilience of a system is characterized by its ability to achieve its intended functions despite disruptions. The bounding function on how a system is attacked and recovers depends on the attack surface. Thus, the functions representing resiliency, in this case Elapsed Time to Identify Failure, are bounded by the attack surface. However, given the lack of standardization in publicly available data on the start of a cyberattack and on its identification, it is difficult to calculate ETIF, and hence cyber resiliency, consistently and specifically.


7. Sharing data

The Cloud Security Alliance advocates the sharing of threat data on a real-time basis. “Ideally, if an entity that experienced failure could share the system’s vulnerability with other entities, analysis of such a shared failure event would be critical in detecting the presence of a threat or recover quickly from the failure.” This is the Elapsed Time to Identify Threat (ETIT) metric, the effectiveness of which is measured by its ability to move the time to identify failure closer to the start time of the failure.

8. Using ETIT to track the threat

“ETIT is critical in changing limits on the loss and recovery functions and thus impacting the quality of service,” the alliance explains. “If there is an ability for early identification of the threat that is causing the failure, then the overall time to recovery and hence the loss of resiliency could be reduced.” The full report is available here.
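To make sections 6 through 8 concrete, here is an added example (not from the CSA paper or this article) that computes ETIF per incident, records whether the failure was caught in the IT/OT security layers or inside the information system, and shows how shared threat data pulls the identification time closer to the failure start. The way ETIT is modelled (the delay from failure start until a peer's shared threat data is available) and the sample incidents are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Incident:
    name: str
    failure_start: datetime      # when harmful information first took effect
    identified_at: datetime      # when this entity identified the failure on its own
    caught_at_perimeter: bool    # True: stopped in the IT/OT security layers
    threat_shared_at: Optional[datetime] = None  # when a peer shared the threat, if ever


def etif(inc: Incident) -> timedelta:
    """Elapsed Time to Identify Failure: own identification time minus failure start."""
    return inc.identified_at - inc.failure_start


def etit(inc: Incident) -> Optional[timedelta]:
    """Elapsed Time to Identify Threat, modelled here (assumption) as the delay
    from failure start until shared threat data from another entity is available."""
    if inc.threat_shared_at is None:
        return None
    return max(inc.threat_shared_at - inc.failure_start, timedelta(0))


def effective_etif(inc: Incident) -> timedelta:
    """ETIF once shared data is acted on: the earlier of own detection and shared threat."""
    t = etit(inc)
    return etif(inc) if t is None else min(etif(inc), t)


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def summarize(incidents: List[Incident]) -> List[dict]:
    """Per-incident report: outcome per the 'fast action' rule plus both ETIF values."""
    return [{
        "name": inc.name,
        "outcome": "protected" if inc.caught_at_perimeter else "compromised",
        "etif_h": hours(etif(inc)),
        "etif_with_sharing_h": hours(effective_etif(inc)),
    } for inc in incidents]


# Constructed sample timeline (not real incident data).
SAMPLE = [
    Incident("phish-01", datetime(2017, 10, 1, 8), datetime(2017, 10, 3, 8), False,
             threat_shared_at=datetime(2017, 10, 1, 20)),
    Incident("scan-02", datetime(2017, 10, 2, 9), datetime(2017, 10, 2, 9, 30), True),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Lowering the ETIF column over time (and the gap between the two ETIF columns shrinking as sharing improves) is the measurable trend the metrics are meant to expose.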