Effective cybersecurity as a driver for promoting information security services
Over the past year we have clearly seen growing interest in countering cyberattacks. More and more often, in conversations with UCSB partner companies outside the information security field, the same question comes up: how do we explain to key account managers, simply and clearly, what cybersecurity is, and to whom and how to offer services for protecting enterprise information systems?
When we first discussed the topic we followed the standard path: draw up a list of services, describe the client profile, the markers, the qualifying questions, and so on. But at some point we decided to simplify the approach.
So here is how information security (IS) is "sold", reduced to simple motivations:
1) "Fear": so that we are not hacked, so that what happened to a "neighbor" in the industry, as reported in the media, does not happen to us.
This motivation works only to a limited extent. It mostly works in companies that have already encountered problems or incidents. Its main drawback is that only the gaps "highlighted" by the circumstances get closed, while security is not addressed systematically.
In our opinion, promoting information security through fear alone is bad form; it was common practice 10-15 years ago.
2) "Regulator" (also known as "formal security")
By this we mean a situation where the main driver for implementing information security solutions is external requirements: those of state regulators (the FSTEC of Russia or the Central Bank of Russia), industry requirements, corporate standards of holding structures, and so on.
One degenerate case must be set aside at once, "paper security": customers who only need documents to pass inspections and do not plan to invest in technical solutions or to provide real protection for their company's IT infrastructure. Naturally, such an approach is a dead end and leads nowhere good.
Regulation was, is and for a long time will remain the main and natural driver for companies to implement information protection measures. But is it enough? The regulatory approach has three fundamental flaws:
- Sufficiency and quality of implementation. Requirements are written at once for a large class of systems. This means one thing: in their original form they will be of limited use for a particular system, redundant in some places, insufficient in others, and in some places simply not covering a unique feature of that system.
- Redundancy (non-optimality) in many specific cases. One can argue that modern requirements (for example, those of the FSTEC of Russia) offer some flexibility: the ability to build one's own threat model. In theory this is true, but in practice not every company has that opportunity, especially subsidiaries or regional enterprises.
- Time lag. As a rule, developing and approving requirements takes at least a year, so they lag behind real attacks. This is partly offset by the fact that the products in use incorporate the countermeasures their vendors add against current threats. But what if an entire class of products has not yet been included or considered in the requirements?
So the quality of the information security system depends on how well the whole process of determining the set of protective measures was carried out: classification/categorization of the object of protection, selection of a basic set of measures, and its refinement, adaptation and supplementation with countermeasures. An error at any of these stages means the finished protection system no longer closes all current threats.
And this brings us to the third way to promote information security.
3) "Effective cybersecurity" (aka IB 2.0)
A few years ago, Positive Technologies summarized a number of existing practices and offered the information security market an integrated approach, which has since crystallized and matured.
The concept is to build a result-oriented information security system that protects the key digital assets of a company or organization from negative cyber impacts. It has three components:
- Unacceptable events. Together with the business process owners, the events that are unacceptable for the business are identified; the technical unit then works out the ways in which each of them could be realized (the attack scenarios).
What this gives: setting priorities lets subsequent security spending be focused on the key areas and shows the business the practical result of its investment in information security.
- Cyber Threat Countermeasures Center (CPC). Building an SOC and equipping it with countermeasures such that any known attack vector (chain), as determined at the first stage, can be identified and terminated at one of its stages. We proceed from the assumption that potentially any individual element of the system can be hacked, compromised or overcome by an attacker, but the CPC will see this and stop the attack at one of its stages, so that its ultimate goal is not achieved. An important part of building the CPC is also a possible restructuring of the IT infrastructure to reduce the attack surface.
What this gives: practical security of the key assets.
- Cyber exercises and ongoing security analysis. The real readiness of the CPC to prevent a targeted attack can only be verified in conditions "close to combat", and the stronger the Red Team, the more reliable the result. There is no protection system built once and for all: new techniques appear and new vulnerabilities are found, so you need to test yourself regularly.
What this gives: confidence that our cyber defense is up to date and effective against the latest attacks.
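To make the CPC idea concrete (any single element may be compromised, but each known chain to an unacceptable event must be interruptible at some stage, and the exercises feed the result back), here is an added example that is not code from the article, UCSB or Positive Technologies. It checks every attack chain against the controls the SOC has, flags chains that rely on a single control or are not caught at all, and recomputes the picture after a Red Team exercise shows a control was bypassed. The events, chains and controls are constructed for the illustration, and the functions `assess`, `after_exercise` and `gaps_by_event` are this example's own assumptions.

```python
"""Attack-chain coverage check for a result-oriented security program.

Added illustration; not code from the article, UCSB or Positive Technologies.
All events, chains and controls below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A SOC detection or prevention and the attack stages at which it catches the attacker."""
    name: str
    stages: frozenset


@dataclass(frozen=True)
class Chain:
    """An attack chain (ordered stages) that realizes one unacceptable event."""
    event: str
    stages: tuple


# Constructed sample data: unacceptable events agreed with business owners,
# and the attack chains the technical team worked out for each of them.
CHAINS = (
    Chain("fraudulent payment", (
        "phishing", "workstation compromise", "credential theft",
        "lateral movement", "payment system access", "transfer")),
    Chain("production stop", (
        "vpn brute force", "jump host access", "engineering workstation",
        "plc command")),
    Chain("production stop", (
        "contractor usb", "engineering workstation", "plc command")),
)

# Constructed sample controls, each mapped to the stages it detects or blocks.
CONTROLS = (
    Control("mail sandbox", frozenset({"phishing"})),
    Control("edr", frozenset({"workstation compromise", "credential theft"})),
    Control("nad", frozenset({"lateral movement"})),
    Control("siem payment rule", frozenset({"transfer"})),
    Control("vpn mfa", frozenset({"vpn brute force"})),
)


def stage_coverage(chain, controls):
    """Map each stage of the chain to the controls that would catch the attacker there."""
    return {s: sorted(c.name for c in controls if s in c.stages) for s in chain.stages}


def assess_chain(chain, controls, min_depth=2):
    """Classify a chain by how many of its stages the SOC can interrupt.

    'uncovered'    : no stage is caught, the event can be reached unnoticed
    'single point' : one stage is caught, so one failed control ends the defense
    'ok'           : at least min_depth stages are caught (defense in depth)
    """
    cov = stage_coverage(chain, controls)
    depth = sum(1 for cs in cov.values() if cs)
    if depth == 0:
        status = "uncovered"
    elif depth < min_depth:
        status = "single point"
    else:
        status = "ok"
    return {
        "event": chain.event,
        "status": status,
        "depth": depth,
        # earliest stage where the chain would be terminated, None if never
        "first_stop": next((s for s, cs in cov.items() if cs), None),
        "gaps": [s for s, cs in cov.items() if not cs],
    }


def assess(chains, controls, min_depth=2):
    """Assess every chain; the order of results follows the order of chains."""
    return [assess_chain(c, controls, min_depth) for c in chains]


def after_exercise(controls, bypassed):
    """Drop controls the Red Team bypassed in cyber exercises; return the controls still trusted."""
    return tuple(c for c in controls if c.name not in bypassed)


def gaps_by_event(results):
    """Unacceptable events that are not reliably prevented, as the business would see them."""
    out = {}
    for r in results:
        if r["status"] != "ok":
            out.setdefault(r["event"], []).append(r["status"])
    return out


if __name__ == "__main__":
    for r in assess(CHAINS, CONTROLS):
        print(r)
    # Exercise finding: the Red Team got past "vpn mfa"; re-run the assessment.
    print(gaps_by_event(assess(CHAINS, after_exercise(CONTROLS, {"vpn mfa"}))))
```

In the constructed data the payment chain is caught at five stages, the VPN chain only at one (a single point of failure), and the contractor-USB chain not at all; once the exercise removes "vpn mfa" from the trusted controls, both "production stop" chains become uncovered, which is exactly the feedback the cyber exercises are meant to give.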
UCSB has accumulated extensive practice in in-depth analysis of how information systems function, modeling of possible negative impacts, and development of practical risk assessment methods. Having a highly professional team of pentesters on staff allows completed assessments to be verified in practice. And our experience in creating monitoring and response centers was embodied in a project to build a SOC at one of the leading Russian telecom operators. For UCSB, therefore, effective cybersecurity is a natural development of the knowledge we have accumulated, and we actively support this direction.
Like any concept, "effective cybersecurity" contains elements of marketing as well as elements of an "ideal future", which brings us to the question: is this a good driver for promoting information security, and is there practical benefit in the approach?
Our answer, as you can easily guess, is definitely yes. And the benefits are many:
- It simplifies the interaction between information security and the business, making it possible to explain in understandable language what we do. After all, for there to be investment in information security, it is the business that must give the go-ahead.
- It increases both the security of the key assets and the overall security of the organization. The CPC (and the SOC in general) is one of the most effective forms of organizing the countering of cyber threats, because it unites individual specialists into a single team aimed at the final result: identifying and preventing attacks. And cyber exercises give the system the feedback it needs.
- It equips information security and IT departments with modern tools: SIEM, vulnerability management (VM), IRP/SOAR, threat intelligence platforms (TIP), network attack detection (NAD), and so on.
In conclusion, I would note that the concept of Effective Cybersecurity can be approached as a tool: once you learn how to use it, practical results will not be long in coming.
Author Viktor Vyacheslavov, head of the Cybersecurity Center of the UTSSB.
Advertising. Advertiser UTSSB LLC, OGRN 1076672021194