Use of Intelligence for Corporate Security Programs

09/28/21 • 25 min

the CYBER5

In episode 56 of The Cyber5, we are joined by Ray O’Hara, Executive Vice President for Allied Universal.

We discuss the use of intelligence for corporate security programs, usually overseen by a Chief Security Officer (CSO). We talk about some of the challenges this role faces and how intelligence can be actionable to mitigate those risks. We also work through various case studies, talk about metrics for success, and what technology platforms are used to aggregate intelligence that might be useful in the future.

Four Topics Covered in this Episode:

  1. Role Shift for Chief Security Officers (CSO)
  • For many large organizations, the chief security officer is the chief strategist who organizes the holistic security strategy and obtains board approval for it.
  • CSOs are no longer in the day-to-day planning around “guns, guards, and gates.” Instead, they are more strategically focused on business continuity, emergency planning, and crisis management.
  • Risk to business leaders drives the daily activities of CSOs. They need to understand that other business leaders may choose to work around a threat in order to execute against profit and loss.
  2. Intelligence Sources for Chief Security Officers
  • Having a dedicated intelligence analyst is an important asset to a chief security officer.
  • Emerging markets, information on key suppliers, and competitor data are routine tasking for an intel analyst who reports to the CSO.
  • Since security is a necessary cost center within the administrative function of organizations, intelligence analysts need trusted partners to handle the collection and analysis side of intelligence, including social media. Additionally, intelligence analysts ensure that collection and analysis are tailored to business management requirements.
  3. Sentiment Analysis Combines CISO and CSO Functions
  • Negative sentiment analysis against a company's brand traditionally falls within the CSO's GSOC function. However, this responsibility is starting to move toward information security because of Dark Web threats to the confidentiality, integrity, and availability of data, systems, and networks. As long as coordination is present, it doesn't matter whose lane covers social media sentiment analysis.
  4. Social Media Monitoring Is Critical for Reducing Executive Protection Resources
  • Executive protection is expensive when a physical security threat escalates. Effective social media monitoring and direct threat actor engagement help derive the most accurate protective intelligence. They can be a more cost-effective way to monitor the danger than 24x7 surveillance.

Previous Episode

Evaluating the Conundrums of OT Security in the Energy and ONG Industries

In episode 55 of The Cyber5, we are joined by Nate Singleton, a security practitioner who was most recently the Director of IT, Governance, and Incident Response at Helmerich and Payne.

We discussed the conundrums of operational technology security within the gas and energy sectors, including risks downstream and upstream. We also compared the aggressive and constant need for interconnectivity on the information technology and operational technology sides of the house to show that events like the Colonial Pipeline ransomware attack are probably just the beginning of future attacks against critical infrastructure.

We also discussed what more major oil and gas companies can do to help improve cybersecurity for small companies critical in the oil and gas supply chain.

Five Topics Covered in this Episode:

  1. Operational Technology is Built to Last, Bringing Nuance to Security
  • The underlying technology controlling oil, gas, and energy PLCs runs on Linux and Windows servers from 20 years ago, and patching for upgrades is expensive and takes a lot of downtime.
  • Routine vulnerability scanning against an entire IP block, as often seen within regular IT environments, can cause major damage in OT environments, even resulting in the loss of human life, if not conducted carefully and properly.
  2. Interconnectivity Comparisons Between Legacy Silicon Valley Tech and Operational Tech Development
  • Security takes a back seat in operational technology for the energy industry, just as it does in Silicon Valley product development.
  • The bigger challenge is often integrating regular IT and application development, which needs constant upgrades, with OT technology that can’t take the upgrades on time. A “move fast and break things” mentality in OT could get someone killed.
  • Ransomware and other malware events have the capacity to take down OT production lines for weeks, costing millions of dollars.
  • Although the Colonial Pipeline ransomware event affected only the IT environment and not the OT environment, it demonstrates the potential for future calamities to occur.
  3. Attacks Against Oil and Gas are Geopolitical in Nature and Will Likely Get Worse
  • Attacks against critical infrastructure are going to get worse. They are often conducted by nation states that have the time to build exploits against the IT environment and are also leveraging sophisticated OT technology.
  4. Strategies for Protecting Operational Technology in ONG
  • OT security starts with protecting the IT administrators who can access oil rigs, energy systems, and OT devices.
  • Reporting must make it from the OT systems to the corporate IT systems so the business can see profit and loss. Therefore, many critical infrastructure operators use the Purdue Model to segment the network infrastructure into layers, from the machinery up to the different levels of the corporate environment, so that customers can be billed. More granular strategies include:
    1. Updated EDR products in the corporate environment
    2. Multi-factor authentication separating the corporate and OT environments
    3. Separate domains for engineers to browse the internet and check email versus upgrading software on the OT networks
    4. Robust firewall policies at the network layer controlling port and protocol connectivity in both directions
  5. Threat Intelligence for OT Security
  • Integrating Indicators of Compromise (IOCs) into a SIEM has become an antiquated practice, but IOCs are still valuable for OT environments since those environments are modeled around constant connectivity and uptime.
  • Client-specific intelligence on what threat actors are doing is most critical because remediations will take place over weeks and months. A cost-benefit analysis is always going to be applied when allocating resources to fix vulnerabilities. A “block all” approach to threat intelligence is not going to work.

Next Episode

Evolution of Incident Response Playbooks in the Last Five Years

In episode 57 of The Cyber5, we are joined by Colby Clark, Director for Cyber Threat Management. He’s also the author of the recently published book, The Cyber Security Incident Management Master’s Guide.

We baseline incident response playbooks around customer environment, threat landscape, regulatory environment, and security controls. Afterward, we discuss how incident response (IR) playbooks have evolved in the last five years and how they have scaled in the cloud. We discuss the telemetry that is critical for an IR team to say with confidence that its account of an incident is accurate, complete, and truthful, in order to avoid breaches. Lastly, we discuss the criticality of threat intelligence in the IR process and what boards really care about during an incident.

Four Topics Covered in this Episode:

  1. The Shift in Incident Response Playbooks

Playbooks used to be contact lists and an outline of the roles and responsibilities of who to call during a cybersecurity incident. They were typically based on recovery from natural disasters. Today, threat-based playbooks are more specific and actionable, tailored to the enterprise environments, which were previously based on compliance and insurance requirements.

In Clark’s book, and in his work with clients, 13 distinct domains are relevant for baselining these playbooks, including customer environment, threat landscape, regulatory environment, and security controls. Most importantly, incident management is a repeatable process over a period of time that adapts to regulators. Enterprise solution tooling is always behind the tooling of the attackers, and therefore gap analysis within IR playbooks is a constant job for any IR team.

  2. The Need for Consolidating Cybersecurity Solution Tools
  • Security practitioners sometimes struggle with knowing the business functionality of applications and systems within enterprise networks, which makes identifying what is normal or malicious challenging.
  • If security technology is not tuned with consideration for the people and processes involved, the tooling is useless.
  • The pervasiveness of network encryption is making network traffic analysis tools increasingly irrelevant; all important telemetry for reducing visibility gaps is moving to the endpoint (devices, servers). Because big companies cannot put endpoint detection and response (EDR) agents on every endpoint, some network traffic capture is still important.
  3. Incident Response Migration and Evolution to the Cloud
  • Tooling: In 2014, EDR tools started to be developed that took over from anti-virus software, and since then they have detected 80% of breaches. EDR, and now XDR (Extended Detection and Response), solutions that operate in the cloud (AWS, GCP, Azure) are the only means to quickly detect and recover from cyber incidents, especially with a distributed workforce.
  • Protecting the Environment: Customer applications that run on cloud servers (production and non-production) bring tremendous frustration for incident response efforts. They do not have visibility on par with their physical counterparts, particularly with containers. They have reduced controls and limited investigative capabilities, allowing malicious backdoors into environments.
  • Important Strategies: First, maintain, update, and patch baseline images for containers. Second, turn on logging; nothing is logged in cloud environments by default. Companies have to pay extra money to turn on logging and pay additional licensing fees for security tools (CloudTrail logging for AWS, for example). Third, turn on network decryption at the right points. Last, keep EDR tooling maintained.
  4. The Importance of Threat Intelligence in Cloud Security
  • Threat intelligence should be built into EDR logging by default and will likely be part of the XDR paradigm in the future.
  • A deep-dive RFI (request for information) capability must also be included to ascertain whether the intelligence is directly relevant to the organization or just an industry trend.
