Argus - Fotolia

Security should be driven by business, says Corvid’s Andrew Nanson

Information security should be business-driven and investments assessed for their effectiveness and business value, according to Corvid CTO

Information security systems driven by products are no good for business, according to Andrew Nanson, chief technology officer of Corvid, the security services division of the Ultra Electronics Group of 26 defence engineering companies.

“Security systems should be business-driven – it should be about finding the right security products for your business,” the former cyber security adviser to Nato and the UK’s intelligence and defence agencies told Computer Weekly.

Nanson also believes that security investments, particularly in high-ticket items such as security operations centres (Socs), should have a measurable benefit or value to the business.

“If you have a Soc, you should be measuring the financial outlay for the self-provision of cyber defence against the effectiveness of your Soc because every pound a private-sector company spends on cyber defence is a pound off profit,” said Nanson.

Corvid uses several metrics to justify its expenditure, such as cost per incident, which goes down as the number of incidents the Soc investigates each year goes up, and the number of detections made that are missed by systems such as antivirus detection systems.

“The really scary thing is that I know there are Socs out there that cost millions of pounds to set up and spend millions of pounds a year, and yet only have tens of incidents, but that is not really a good cost per incident ratio and it’s doubtful whether the company is getting good value for money,” said Nanson.

All Socs should be looking to increase their efficiency by improving their quality of service while reducing their costs, he said.

“This is what cloud services have done for many organisations and why they have taken off, but it is also the reason why many IT managers feel threatened because they have failed to innovate and consequently failed to improve the quality of their service,” he added.

Evolve continually

Socs need to evolve continually to keep pace with the threat actors, he said, and if they are failing to do that, businesses need to question why they are investing money in the Soc. But the reality is that most Socs rely on alerts from security information and event management (Siem) systems.

“But this has to be the most inefficient type of cyber defence, which is why organisation should challenge their Soc by asking how many innovations it has come up with for detecting attacks in the past month or even the past year, and if the Soc can’t point to any, the business should ask it how its static detection methods are keeping up with agile threat actors who are continually changing their techniques and tactics,” said Nanson.

“Unfortunately, what most Socs do is aggregate their logs and look for the antivirus log that says a virus has been detected, at which point you have got to ask why the organisation just doesn’t spend more money on antivirus systems.”

Before setting up a Soc, Nanson said organisations should first assess if there really is a need for one, and if there is, they should ascertain whether it is something that has to be done in-house or whether it can be outsourced.

“Most organisations outsource their payroll because it would cost 20% to 30% more to do it themselves, so it make sense to outsource it to a company dedicated to doing payroll that can do it at a much lower cost,” he said.  

Read more about security operations centres

It is challenging for organisations to do their own cyber defence and go beyond what antivirus systems can do, said Nanson, because it is difficult to find, attract and retain people with genuine talent who really know what they are doing.  

“It is relatively easy to find people to run security systems using graphical user interfaces, but when those systems are not keeping pace with the threat actors and they need to deal with attackers on a hexadecimal code level, they may not be able to cope,” he said.

According to Nanson, it is hard to really know if people have the right skills – and even past experience in cyber security at the Ministry of Defence (MoD) or intelligence agencies is no guarantee that they know what they are talking about.

“Most MoD systems are not connected to the internet and consequently do not face anything like the number of attacks that most private-sector systems face, which means that someone from the MoD has probably not dealt with the scale of attacks that businesses are facing,” he said.

The lack of genuine talent is compounded by the fact that people who are talented will not stay with an organisation where those skills are not being exercised fully, said Nanson.

“If your organisation is not facing serious levels of crimeware and state-sponsored attacks, the good people are not going to stay because they won’t feel they are being challenged,” he said. “And if an organisation is unable to attract and retain the best minds in cyber defence, they should seriously consider outsourcing their security to companies that do.”

Defence-in-depth strategies

Another challenge of maintaining an in-house cyber defence capability is that IT security teams typically encourage organisations to invest in the latest security technologies in pursuit of “defence-in-depth” strategies, he said.

“The reality is that attackers know this and test their exploits and techniques against standard security products, which means there is very little value in tactics such as deploying a variety of antivirus systems because attackers test against all of them,” said Nanson.

Other defence tactics, such as segmentation of networks, are also of limited value, because threat actors are increasingly attacking at the application level because applications are designed to work across organisations, he said.

“Segmentation often makes networks more difficult to manage, but IT systems are designed to be available to users, and if users are compromised, any system available to those users is available to the attackers as well,” said Nanson.

He pointed out that nowadays, most attackers gain access to organisations through applications and most compromises will be at an applications level to begin with.

“Even Malvertising, which has seen a resurgence recently, is an application-level attack because it is rendering code and executing the attack in the browser, and no amount of network segmentation will stop it,” said Nanson.

Read more about MSSPs

  • As the economic climate becomes more uncertain, many enterprises are considering the security and cost-saving benefits of managed security service providers (MSSPs).
  • Michael Cobb outlines the key issues for businesses to consider when examining managed security service providers.
  • Intelligence and forensics will become the most important differentiators for companies selling APT defence systems and services, says Frost & Sullivan.

He stressed that although network segmentation is not wrong, organisations must consider the risk it is mitigating and assess whether the cost of doing it is worth that mitigation or whether there are other things that could be done that cost less and have a bigger impact on raising security levels.

“For example, using a safe browser, ensuring all browsers are patched up to date, disabling browser plugins and serving browsers through a compromisable DMZ [demilitarised zone] machine rather than on the local host would probably be a more effective way of preventing compromise than most Socs,” said Nanson.

For dealing with the threats beyond the scope of antivirus and firewall systems, he said using a managed security services provider (MSSP) is more logical than trying to set up a Soc, but he conceded that at the lower end of the market, MSSPs need to do some work to make their services more affordable.

“It is up to all MSSPs as responsible service providers to innovate to make the costs for what we are doing more affordable,” he said, but cautioned against a “pile-it-high, sell-it-cheap” approach because that would not be able to keep pace with the agility of attackers.

Until there is business model for making managed security services affordable for everyone, including micro businesses, Nanson said the smallest businesses need to be aware that there is a risk their computers will be compromised.

“Any machine can be compromised, so a good starting point would be not putting anything onto a computer that you could not afford to be compromised, and to take basic precautions such as ensuring your bank uses two-factor authentication,” he said.

Hunter approach

As a high-end MSSP, Corvid does not rely on any standard security products that can be studied by attackers. Instead, Nanson advocates a hunter approach, whereby a team of analysts, backed by repositories of attack information, proactively seek attackers they assume have compromised systems.

“Hunters will look at what appears to be ‘normal’ as well as anomalies because that is where you will find the attackers – they operate in the grey space,” he said. “If you are not getting at least 50% false positives on your investigations, you are not investigating the grey space where attackers often operate.

“Generically speaking, we analyse at the network level, at the host level and at a metadata level, applying our intelligence to as many different places as we can in the IT environment.”

A purely product-based approach to security is doomed to failure because attackers are extremely intelligent and agile, he said. “Instead, you need a continually evolving platform of capability and to be as agile as the attackers.”

According to Nanson, this is the most effective way of detecting compromise because if organisations hunt instead of “sitting back and waiting for something to advertise that an attack is under way”, they are being proactive rather than reactive, so they are potentially reducing the window of opportunity for attackers.

“In the absence of a security product that guarantees finding attackers 100% of the time, that stops them in their tracks and can tell you where they are and how they got in, you need a constantly evolving, proactive hunting approach whereby you are constantly looking at what is going on and you are constantly devising new techniques of detecting compromise,” said Nanson.

Read more on Hackers and cybercrime prevention