On Thursday, September 22, CIONET, in collaboration with partner VECTRA, organised for the very first time an international double roundtable: a dozen cyber security experts gathered in London and Londerzeel, Belgium, to exchange best practices on Cyber Threat Detection & Response. The discussion happened simultaneously on both sides of the Channel, and, at the end of the evening, the main conclusions were shared between the two groups via a live link.
Given the topic's sensitivity, we agreed not to share personal statements or proprietary information in this blog article unless prior explicit permission was given.
Early detection of cyber attacks has become crucial
The premise of the evening was clear: given the exponential increase in volumes of data and traffic on the one hand and the number of cyber-attacks on the other, detecting suspicious activities early and correctly has become crucial.
A semantic calibration
As a warm-up to the discussions, a 'semantic calibration' was first done around risk, threat, incident and vulnerability. The Risk Management Framework (RMF), developed by the National Institute of Standards and Technology (NIST), defines a security risk as "any event that could potentially result in the compromise of organisational assets". Cyber threats are external to the organisation. They are sometimes mistakenly confused with vulnerabilities. The key word is "potentially". The threat is not a security problem that exists in a system or organisation. It is something that can breach security. It can be compared to a vulnerability, an actual weakness that can be exploited. The threat always exists. However, countermeasures can be deployed to minimise the chances of the threat materialising into an incident.
Two elements are thus crucial: firstly, the potential business impact, the potential damage that can be incurred, and secondly, the probability of the risk materialising. These two elements are also the basis for making business decisions around investments in risk mitigation.
Intelligent tools and automation in the context of threat detection
Risk mitigation is an exercise that, in the case of Euroclear, is done by a different team from the Cyber Defence Centre Kris Vangeneugden, our speaker on duty, is part of. Kris has been responsible for outlining and implementing the roadmap and technical stack of this Cyber Defence Centre for the past three years. He sees two major recent evolutions. The technological shift towards new generation intelligent tools - such as those offered by Vectra - that allow dynamic threat detection with a focus on all (OSI) layers. Next to the investments in automation. The latter starts with the enrichment of the incident. The analysts no longer have to spend a major part of their time looking for all the necessary information related to the systems and users. That information is now provided to them. This means that the 1st tier analysts get a new upgraded role and can spend more time on proactive 'hunting' for 'abnormal activity in systems and networks.
Euroclear is establishing "Security as Code". Security as Code is a toolset that helps DevOps professionals secure and protect the software development lifecycle throughout the development process. It includes validating all steps and enables continuous end-to-end testing. Testing is implemented in the CI/CD pipeline to automatically and continuously detect vulnerabilities and security flaws.
What else is in the roadmap, according to Kris?
Further roll-out of NDR and EDR to eventually focus on anomaly detection, risk-based alerting, away from binary detection. As Euroclear is a financial organisation, a lot of importance is attached to compliance. Behaviour is, therefore, key.
Both Rik Bobbaers - CISO of ING - and Kris confirmed that automation and intelligent tools drive threat monitoring throughout the OSI layers of IT solutions. Today they are also looking at how business applications can generate warnings when anomalies occur.
Once you know what normal is, you can and should focus on the abnormal.” (Rik Bobbaers, CISO ING)
When asked what the most effective approach to managing and reducing cyber risks is, Rik answers mainly in terms of End-to-End monitoring. Go for EDR, NDR and XDR and be careful where you install your sensors. Ultimately, however, you cannot monitor all your traffic. You have to accept some risk as you will never be able to cover everything. Consequently, focus on anomaly detection in the most business-critical areas. In doing so, make maximum use of automation and intelligent tools to map out what you have and where the sensitivities lie and make your SOC as efficient and effective as possible.
As to Rik, criminals are able to evade old heuristic systems like AV, signature based ID/PS systems. If you know what normal behavior of “your company” is, it’s easier to detect when something goes wrong. And the latter is much harder to evade by criminals.
How can you measure the effectiveness of your cyber strategy?
All tablemates unanimously agreed that this remains a difficult nut to crack. You can pre-set specific parameters, create a dashboard and measure whether you are monitoring what needs to be monitored. However, this always carries risks. For example, you may overlook critical systems or applications. And what's more, there are often unknow unknowns: the gaps you are not aware of.
Even if you know exactly what needs to be monitored, the perfect detection solution does not exist (yet). You can, however, increase your quality by introducing red team testing in a proactive and structural way. For instance, the red team can demonstrate that they can completely shut down production or all network traffic with a mouse click. Security risks thus become visible and quantifiable. And consequently easier to discuss with management.
How high should you set that bar?
What is the appropriate level of security? For that question, it was suggested to use your industry peers as a benchmark. In any case, you should do that exercise with the entire management team of the organisation. Not only will you determine with them what is really critical for the business, but also what the board's 'risk appetite' is. In other words, you draw up a business case around IT security: based on the potential costs of a security disaster, you can decide where and how much to invest.
What do you see as the most important security risk or challenge for your company?
We received various answers on the question what was perceived as the most important security risk, depending on the size and sector of the organisation. Extortion and ransomware are often mentioned as the primary headache. Other CISOs especially see a significant challenge in people awareness, even and especially at C-level. Our English friends also saw keeping pace with rapid technological evolutions (including those of attackers) as a challenge. For a lot of organisations, the growing complexity and dependencies within ecosystems also make the security issue more challenging to manage. And last but certainly not least, nation-state cyber warfare can no longer be denied as a major threat for all of us.
Everyone was in full agreement that it is not so much technology but staffing the security roles with qualified people that will be the most critical challenge of the coming years.
How can you leverage new technology, such as AI and ML, for increased visibility, optimal triage and better protection against attackers?
AI and ML are recognised as crucial components of a cyber threat detection & response solution. Without these technologies, one's SOC would be completely overloaded, staff would not be able to handle the influx properly. AI tools are now primarily used for behavioural analytics. For Kris, those tools may be diverse - best of breed - as long as you can integrate them into one centralised platform and data lake. The latter, by the way, is also a sensor an sich, as AI also detects anomalies in the data lake. AI has dramatically evolved in this domain and today plays an increasing role both in the threat detection phase and in defining the appropriate response. And we see this trend also continuing in the risk management domain, where AI can point out business risks the team was unaware of.