Shhh! I’m Hunting (Cyber) Risks
The best modern security professionals are comfortable in complexity. Protecting complex modern enterprises involves a continuous process of mapping and evaluating the IT estate, operational processes and the external business and regulatory landscape. Trained professionals are required to use a range of tools and techniques across vast and unique estates. Amidst all of this complexity, it is heartening to see enterprises putting a renewed focus on the basics.
Cyber hygiene is a term that is becoming fashionable again, and for good reason. Fundamental practices like deleting redundant accounts, scanning for vulnerabilities and updating software versions are just as crucial as ever and risk being lost in the increased activity of managing larger estates. The fundamentals of security are as important as ever, so protecting the modern corporate landscape starts with applying cyber hygiene at scale.
Security risks often start life as poor cyber hygiene. Passwords stored in cleartext, incorrect patch management, anonymous access enabled to LDAP. Every organisation that collects data will always need to get the fundamentals right. The elite ones are now beginning to extend the practice further.
Introducing risk hunting
Multiple layers of checks and balances are present in the enterprise security apparatus. IT and security teams are doing their job of managing cyber hygiene, boards are providing oversight and investment, but there will still be unassigned risk. This needs to be proactively identified.
Addressing this unassigned risk requires a new form of security oversight that we call Risk Hunting. Risk Hunting adds proactive searching for Indicators of Risk (IoR) on top of the ongoing cyber hygiene work. It takes the concept of Continuous Control Monitoring (CCM) and layers in a deep understanding of business processes and cyber risk appetite. Identifying these new risks allows the security team to absorb them back into the cyber hygiene process, providing enhanced protection that reduces the disproportionate reliance on detection.
Risk hunting is like committing to healthy lifestyle choices. It is possible to ignore best practice on sleep, diet and exercise, instead relying on weekly trips to the doctor to detect health problems. The result is that your health risk profile will rise, your costs will increase dramatically by addressing issues further down the funnel and you are wholly reliant on detecting illness after the fact.
An exercise regime is a lot cheaper than a triple bypass in the long run.
In cyber security, an increasing reliance on detection has led to growth in solutions such as Managed Detection and Response, and Threat Hunting. This has been a boon for the industry as a whole, but over-emphasising them to the exclusion of prevention equates to a focus on the symptoms, rather than addressing the underlying cause. An exercise regime is a lot cheaper than a triple bypass in the long run.
Risk hunting is a frame of mind and an attitude, without which the associated tools and dynamic data become just another security cost. However, as the team grows and incorporates these layers into a culture of risk hunting, it provides enterprises with an early warning system that can root out IoRs early, prioritising and addressing them before they cause lasting damage.
The benefits of a happy hunting ground
Investing in risk hunting allows organisations to achieve a deeper understanding of security posture and reduce their costs. Hunters catch control failures before they become incidents and project future exposure by identifying new risks before the need for new controls is even recognised.
This minimises the time between a potential control failure and the correction of this control. Doing risk hunting right means treating control failures as security incidents and ensuring that they are prioritised and addressed just as quickly. The prevailing culture in security is for SOC and incident response teams to spring into action when a diagnosis is confirmed; we need to treat the security equivalent of poor diet or lack of exercise with the same urgency.
Creating a hunting ground
Existing security risk data within enterprises could fill data lakes, so tools are needed to support risk hunters. Priority risks can change on a daily basis, so the data used needs to be current and dynamic. New risks emerge in areas without existing controls, so risk hunters need to be broadly skilled with visibility across all areas of the business. Enterprises can either build a risk hunting team or look to partner with their Managed Security Provider, although the current focus on detection means expertise is still more difficult to find than it should be.
Frameworks and analytical tools are a necessary element to getting this right, but they are not sufficient. The job of “graduate risk hunter” does not exist. Tradecraft and operational expertise are also needed to get to grips with this multidisciplinary approach to making enterprises safer and more efficient.
Cyber hygiene is as old as security, but the expansion to risk hunting is just starting to gain momentum. Most boards have not heard of Risk Hunting yet, but with every breach and GDPR fine they will be hunting for a solution before long. Expect to see more enterprises shift their budget towards risk hunting in the next two years.