The risk of an Advanced Persistent Threat (APT)—the possibility of an advanced cyber attacker moving under cover in an enterprise network—keeps CISOs awake at night. But it's making more C-level executives and their board members restless, too, because of the potentially massive damage advanced attacks can cause to business reputations, critical systems, data manipulated or stolen and operations compromised. Boards and senior execs are demanding better accountability and assurances that their organizations are adequately protected.
I first started to understand this years ago when, at an analyst conference, a session about security metrics was beyond standing-room-only—it flowed out into the hallways. I was one of the lucky ones to have a seat. A couple years ago, the organizers of a private industry conference altered the agenda on-the-fly to pull together a workshop on cyber metrics because of demand from the CISO audience.
Security leaders, of course, often track good technical metrics—alerts received, incidents handled, incidents resolved, vulnerabilities patched, and so on. At a similar level of technical detail, compliance checklists help them bushwhack their way through the regulatory jungle. Metrics and checklists may help make security operations more effective and efficient, but they still don’t answer the question that C-level executives and Board members want answered—how certain are we that our company won’t be in tomorrow morning’s headlines? What level of risk are we facing and how can we reduce it?
Years after that analyst conference, many CISOs are still haunted by the challenge to measure cyber risk posture in terms that are meaningful to business leaders. Besides hopefully enabling better sleep at night, the ability to quantify cyber risk helps organizations make more informed decisions to commit greater resources to security, or to optimize limited security resources against the risks that matter most to the company.
I think it’s the responsibility of cybersecurity vendors to embed tools that give security teams risk visibility – both to perform their tasks in a way that contributes to actually reducing business risk, but also to help them effectively communicate risk to their senior executives.
Illusive steps up to that task. Because Illusive discovers the entire endpoint environment, and knows where the “crown jewel” systems are and where domain admin credentials can be accessed, risk awareness is at the heart of the product. Illusive leverages this information to compute the number of lateral moves between each endpoint and these high-risk systems so that incident responders can more soundly prioritize response activity.
With this foundational visibility, the information can be mined to identify high-risk users, spot anomalous connections to crown jewel systems, and other detail that can help security teams proactively tighten up defenses against APTs. For example, a list of the most at-risk servers could be provided to a patch management team so they can prioritize software updates, or system admins could see the relative security level of the senior executives’ computers to drive better protection of the strategic information they handle. Illusive also tracks the density of deceptions in the environment and does the math to show the impact this density has on the ability of an attacker to move laterally or grab powerful credentials.
But most interesting to the CISO is that our dashboard rolls up a series of metrics to quantify the likelihood of detecting an attacker within a handful number of moves – a figure that is ready-made to roll up into an executive report as part of the larger picture of an organization’s cyber risk posture.
And of course, that’s not a static figure—it changes as the environment changes. Illusive gives security teams the tools to continuously adapt the deception environment and monitor its effectiveness over time—and the visibility to help their organizations continuously reduce the risk of an APT attack successfully striking their most sensitive data and systems. It’s not a complete solution to the cyber metrics challenge, but with Illusive deployed, everyone can get a little more sleep – or if they’re not sleeping it’s because they’re attending to business in ways more productive than worrying about APTs.
For a quick primer on how deception works, check out this 25-minute webinar.