Advanced persistent threats (APT) are now a big business - for cyber criminals. With advanced engineered code combined with sophisticated social engineering and a relentless focus on individual companies or government agencies APTs are a severely troubling vector targeting sensitive data and intellectual property across government and the private sector. Due to their diverse nature, an organisation must recognise the requirements to adopt a defensive posture through governance, risk and control (GRC) and Security Event and Incident Management (SEIM) to ensure that exploits are acted upon immediately.
Cyber security has moved to centre stage this year, as high profile attacks on public and private bodies have become a commonplace occurrence. Cyber threats of all types combine to present organisations with a new risk profile that must be evaluated alongside more traditional business risks. In addition to potential economic loss and brand damage as the result of criminal cyber and cyber activism activities, organisations also need to take into account other types of related cyber risk such as IP theft, physical damage to information assets, and enterprise disruption. Despite all the advantages we attribute to today’s Internet-connected world, there is no doubt that, from a risk perspective, it comes at a potential cost.
APT mitigation in the cyber realm is directly related to the strength and depth of an organisation’s security capabilities. Given that assumption, how ready are organisations to defend themselves? HP recently sponsored some interesting research in conjunction with the Ponemon Institute, the Second Annual Cost of Cyber Crime Study, August 2011*.
One standout result, taken from the many areas under investigation, is that when it comes to APTs enterprise deployment of SIEM makes a difference. Ponemon found a percentage cost difference between SIEM and non-SIEM companies of 24 percent with a bearing on the APT challenge. Findings suggest companies using SIEM were better able to quickly detect and contain cyber crimes than those companies not using SIEM. As a result, SIEM companies experienced a substantially lower cost of recovery, detection and containment than non-SIEM companies. Crucially, SIEM companies were more likely to recognize the existence of APTs than non-SIEM companies. It seems pretty straightforward that SIEM technologies are a vital part of the up-to-date security mix.
Moreover, the Second Annual Cost of Cyber Crime Study reports on the total annualised cyber crime cost according to organisations recognising or not recognising APTs during the four-week benchmarking period. The study demonstrates that organisations that recognised APTs (34 percent) seem to achieve a lower overall cost than those that did not recognise APTs (66 percent). That makes a compelling case for the adoption of SIEM into the corporate IT environment, if plans are not already in place to do this.
Looking at what organisations are doing to protect themselves, other Ponemon studies have shown that there is a strong awareness of the importance of deploying the right technologies to deal with the wide range of threats out there today (** The Cybersecurity Readiness Study, September 2010). However, over 80 percent also believed that enabling technologies are only part of the solution and that a holistic approach is required involving technology, people, process and policies. In our experience, this is often the most difficult part of any security project to get right, affecting not only the success of the technology deployment but also its ongoing effectiveness. In larger organisations we see a desire to adopt the latest best practices in what is a rapidly moving discipline.
The Cybersecurity Readiness Study also identifies some short-term areas of need. There is almost universal agreement from respondents that in order to more effectively tackle cyber threats, they need advance warning about threats and attackers and continuous intelligence about their own threat landscape. “In the wild” vulnerability analysis and discovery services along with modern security event capture and correlation are additional capabilities that provide much needed intelligence on what’s going on inside and outside of the corporate network. There is also a realisation that some of their information assets are part of the critical national infrastructure, which makes it even more vital that cyber defence is applied intelligently and in sufficient depth to counter the most aggressive APTs or other cyber risks.
Given the scale of the issues organisations are facing, it comes as no surprise then that the major inhibitor highlighted in the Cybersecurity Readiness Study is funding; while 70 percent of the organisations that took part in the research are seeing an increase in successful intrusions, less than 40 percent have seen an increase in budget to deal with the problem. Additional investments in information security have always been difficult to justify against other business investments that have clearly understood ROI, and more work is needed to tie information security to business risk in order for it to be better understood by senior management.
While this shows promise in the high level of awareness of the problem and the steps needed to address it, it also serves as a reality check that much of the real work is still left to do. It’s a case of how much risk is the organisation prepared to tolerate, given the penalties being demonstrated very publicly by high profile organisations in the news, every day.
* The Second Annual Cost of Cyber Crime Study was independently conducted by Ponemon Institute LLC and sponsored by HP in August 2011. The complete study can be found here.
** The Cybersecurity Readiness Study was independently conducted by Ponemon Institute LLC and sponsored by HP in September 2010. The complete study can be accessed here.
Posted by Jay Huff, EMEA Marketing Director, HP Enterprise Security