Are dashboards the future of cyber security reporting? Part 1

Today, C-level executives are making more of an investment in IT security than ever before. In response, information security officers are now regularly needed to report on the security posture of their organisation and communicate their findings to the board. Now more than ever, CISO’s and their lieutenants are in need of robust reports that provide visibility into security-related metrics.

The legacy reporting tools that used to be the standard for CISO’s are becoming obsolete and ineffective. More cyber security activities than ever before require detailed and condensed reports. Pulling together a few useful documents and summaries is no longer enough; CISO’s need deep dives that provide visibility into critical security metrics. Join us as we explore new technologies to answer a single question: are dashboards the future of cyber security reporting?

Data visualisations and considerations

Data is only as good as what the enterprise or organisation that collected it can do with it. In this new era, all organisations need to collect cybersecurity data from within their organisation as well as external sources in order to create actionable insights and be able to roll out security programs accordingly and effectively. Effective cybersecurity requires ongoing monitoring of threats and vulnerabilities. With continuous monitoring, organisations can catch even the smallest security breach before they become a bigger issue. It is also effective to monitor for patterns and anomalies in your security metrics by taking advantage of machine learning. With this technology, you can not only pick up on weaknesses where you might have missed them, but also predict future cyber risks.

Consider the following:

  1. With the changing threat environment and evolving attack surface, traditional static cyber security methods such as customised and static reports are no longer effective. This leaves analysts, supervisors and leaders in the dark while valuable data is at risk. There is a need for dynamic, real-time and actionable insights that give decision makers the necessary information to make good decisions.
  2. While clear and concise reports are still important for security analysts and administrators, CEO’s and the board need to understand the full picture of a company’s cyber security posture. A single actionable view covers many metrics on a unified dashboard, which CEO’s and board members can quickly visualise in real time. These dashboards should include data from key cybersecurity controls, as well as an integrated view of all the security controls that a company uses.

The strategic importance of cyber security cannot be overemphasised. The fact remains: business leaders are making changes and investing in robust cybersecurity controls and tools. As reported by Security Boulevard, the strategic importance of cybersecurity is evident in board composition; Gartner found that at least 40% of boards now have an officer with cybersecurity expertise. They demand a robust and dynamic tool that enables them to create, update, and visualise key security metrics. This is essential for the board of directors and senior management to make critical decisions.

Data visualisation is an important requirement for such a cybersecurity tool. It makes the practice of understanding and interpreting cybersecurity data easier. The use of visual analytics tools can sort and convert data into metrics and values to shed light on cyber security posture as well as provide actionable information.

Data security issues that may impact your organisation consists of many components. Risk, threat, vulnerability, exploit and cyber threat intelligence (CTI) are key terms which are often used interchangeably within the cyber security industry. They are, in fact distinct terms which carry different meanings and implications within the cyber security world:

What exactly is a risk?

A risk can be defined as the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. In simple terms, risk refers to the assessment of potential threats to an organisation’s security and vulnerabilities within its network. Cyber risks include:

  • Compliance posture
  • Hacking
  • Vulnerability
  • Reachability of an organization’s systems and data to outside actors and hackers.
  • Financial losses
  • Legal implications

Cyber risk can also include risk of financial loss, reputational damage or disruption of an organisation resulting from the failure of it’s IT systems. Poorly managed cyber risks can leave you open to a variety of cybercrimes, with consequences ranging from data disruption to economic destitution.

It can be summised that risk involves a combination of threat probability and loss/impact. Consider the following scenario to illustrate: an organisation has an SQL injection vulnerability causing a sensitive data theft threat. The impact of such a threat is significant financial and reputational loss. The probability of an attack is considered high. Therefor, this scenario is considered a high-risk situation.

What constitutes a threat?

Typically, IT security staff have no direct control over threats. As a direct result in this digital economy, the emphasis is placed on vulnerabilities and control failures as factors in cyber risk assessments. But, unfortunately, it’s becoming more and more difficult to remove every vulnerability without vetting the impact and likelihood that they will be exploited.

A threat can be defined as anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage or destroy an asset. In other words, a threat is what an organisation is defending itself against.

Cyber threats are constantly evolving, and organisations must take steps to protect themselves against black market hackers, state-sponsored cyber criminals, and other nefarious individuals and groups. The most effective way to protect against cyber attacks is by implementing a layered approach to cyber security — reviewing your current cyber security measures regularly and adapting them as needed.

Common cyber threats include:

  • Backdoors
  • Formjacking
  • Cryptojacking
  • DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks
  • DNS poisoning attacks
  • Malware
  • Phishing and spear phishing
  • SQL injection attacks
  • MitM (Man in the Middle) attacks

Accurately identifying threats is the first step to understanding the risk to your assets. For further reading about the topic of cyber risk and cyber threat, click here.

When is something vulnerable?

In the cyber security world, a vulnerability is an inefficiency or weakness which can be exploited by cyber attacks to gain unauthorized access to or perform unauthorized actions on a computer system. Vulnerabilities can allow attackers to run code, access a system’s memory, install malware, and steal, destroy or modify sensitive data.

To exploit a vulnerability an attacker must gain access to the system. Vulnerabilities can be exploited by a variety of methods, including SQL injection, buffer overflows, cross-site scripting (XSS), and open source exploits that look for known vulnerabilities and security weaknesses in web applications.

What is an exploit?

An exploit is a piece of software or data that takes advantage of a vulnerability to help the exploiter gain unauthorized access to sensitive data. Once vulnerabilities are identified, they are posted on Common Vulnerabilities and Exposures (CVE). CVE’s are searchable repositories of exploits and workarounds. The goal of CVE is to make it easy for organizations to identify vulnerabilities, fix them as quickly as possible, and reduce the likelihood of new exploits.

Cyber Threat Intelligence (CTI)

In essence, cyber threat intelligence can identify and analyse cyber threats to your organisation. It’s what becomes of data after it’s been gathered, processed and analysed. CTI relies heavily on analysis: sifting through large amounts of data to spot realistic problems and then deploying suitable solutions specific to the relevant issue uncovered. CTI is accurate, actionable, relevant and timely.

The definition of threat intelligence is often confused with other cyber security terms, such as “threat data”. Threat data is a list of possible threats a computer system may encounter. Threat intelligence is current and relevant information about those threats. Typically, threat intelligence is raw data collected from multiple sources and methods such as tools, blogs, news reports, and social media commentary. The more channels you have that provide information about potential threats, the more useful the information will be. Threat Intelligence is a vital part of any healthy cybersecurity ecosystem.

Now that the relevant terminology has been defined, let’s investigate cyber security dashboards.

 

A proposed cyber risk dashboard

Cyber security companies provide services that scan an organisation’s public access methods for possible security risks, such as known but unpatched vulnerabilities or open network ports. These services also monitor social media, dark web forums, and other sources of information leaks, searching for information about an organisation such as compromised passwords, email addresses, or network structure details. Other vital attack methods such as fake or fraudulent websites or programs masquerading as legitimate sites or products of an organisation are also hunted down.

This cyber security technology uses open-source intelligence (OSINT) techniques to gather information. Both hackers and legitimate security companies continually scan social media websites and networks for information on vulnerabilities and publish their findings on the internet. Hackers make use of OSINT resources, namely hacker forums, social networks, Google, leaked database dumps, paste sites, and even legitimate security services like VirusTotal, Censys, Cymon, Shodan, and Google Safe Browsing for reconnaissance. Risk scorecards are created by gathering data from all these sources and performs contextualisation and analysis to convert data to “risk” intelligence in the form of a scorecard.

To generate the scorecard, generally only the domain name of a company is required. An asset discovery engine collects the related information from VirusTotal, PassiveTotal, web search engines, and other Internet-wide scanners.

Black Kite has one of the largest IP & Domain Whois databases that holds more than one billion historical items. The asset-discovery engine searches the database to find all IP address ranges and domain names related to the company in question. The results generated by the asset-discovery engine, company assets, are used as the input for passive vulnerability and configuration scanners, threat intelligence agent, and reputation engine.

Grading Methodology

Grading assesses the associated risk and converts it into numbers and easy-to-understand letters and grades. Often grading methodology follows and applies the well-known and commonly used Cyber Threat Susceptibility Assessment (CTSA) and Common Weakness Risk Analysis Framework (CWRAF™) – developed by the MITRE Corporation. CTSA and CWRAF provide a framework for scoring software weaknesses in a consistent, flexible, open manner, while accommodating context for the various business domains.

CTSA and CWRAF benefits:

  • Include mechanisms for measuring risk of security errors (“weaknesses”) in a way that is closely linked with the risk to an organisation’s business or mission.
  • Support the automatic selection and prioritisation of relevant weaknesses, customised to the specific needs of the organisation’s business or mission.
  • Can be used by organisations in conjunction with the Common Weakness Scoring System (CWSS™) to identify the most important weaknesses for their business domains, in order to inform their acquisition and protection activities as one part of the larger process of achieving software assurance.

 

For a cyber security program to succeed, data must be turned into actionable insights. The faster this data is conveyed, the quicker you can analyse and neutralise risks and threats, ultimately achieving an effective cyber security program.

To find out more about cyber security platforms and their visualisation dashboards, contact the Elasticito team here.