COMPROMISE INTELLIGENCE
The Future of Cyber Risk Management
WHITE PAPER
© PREVAILION 2019
INTRODUCTION
Seizing Control from the Adversary
Years of cyberwarfare have taken their toll on businesses today. The old models that kept organizations safe have become expensive posturing in a struggle against adversaries who have long since evolved to newer, more devious modes of attack.
These traditional defenses have given businesses an overabundance of information about
the data that passes through their networks, but little visibility into the active threats that have
set up shop there. These problems become far more complex once the security blanket of
an organization is also expected to cover any unseen security problems within hundreds or
thousands of partner networks, which have become essential for most businesses to remain
competitive in the global marketplace.
To survive today, businesses need visibility into the threats trying to subvert their networks.
Without it, they are blindly fending off attacks in the darkness against adversaries capable of
laser targeting their vulnerabilities.
What if you could augment your perception of those enemies with the cybersecurity equivalent
of night-vision goggles?
Organizations that have gained a competitive advantage in this struggle layer advanced
risk management practices with a fresh approach to monitoring active threats — Compromise
Intelligence. By evolving their focus from threat intelligence to Compromise Intelligence, they
protect not only their intellectual property and their customers’ data, but the most valuable
asset they manage in today’s marketplace — trust.
This report covers the challenges around managing third-party data risk that have accumulated
into a global mess, and the alternatives available for effective governance today.
ONLY AS STRONG AS THE WEAKEST LINK
The Cost of Third-Party Data Risk
Third-party compromises represent the most expensive breaches for organizations, according
to a 2018 survey from Kaspersky Labs. And examples of businesses that have paid the price
for overlooking the dangers inherent to third-party data risk are in no short supply. Between
2017 and 2018, 59% of companies surveyed by the Opus & Ponemon Institute reported
experiencing a third-party breach, yet only 16% say they effectively mitigate third-party risks.[1]
Third-party data risk costs the healthcare industry alone more than $23 billion each year,
according to a July 2019 report from Censinet and the Ponemon Institute,[2] which also noted
that 56% of healthcare organizations have experienced a data breach over the last two years.
And while that cost is spread across a huge industry, a breach costs an individual
healthcare organization an average of $6.45 million per incident, according to IBM Security’s
2019 Cost of a Data Breach Report.[3]
One such breach that occurred in 2013 has become an enduring case study for the damage
that can be wrought by vulnerable third-party access points. One of the largest credit card
breaches ever occurred on Target’s authentication servers, resulting in more than 40 million
consumers having their information compromised, and global attention for the dangers
inherent to how business networks are governed.
The breach at Target began when threat actors intruded into the global retail chain’s network
undetected after passing through the network of an HVAC vendor that does business remotely
with Target. These actors then exploited this access to upload malware onto a majority of
Target stores’ point-of-sale systems, and ultimately stole data on about 40 million debit and
credit cards globally.
The fallout from the breach was swift and brutal, with lingering aftereffects. Trust in the
company declined, as evidenced by the company’s stock shares dropping overnight; a
class-action lawsuit from affected customers resulted in an $18.5 million settlement,[4] which,
prior to Equifax’s data breach settlement in 2018, was the largest of its kind; and Target
executives, including the CEO, president, and chairman, resigned.
WHY TODAY’S SECURITY TOOLS ARE LACKING
The Failure of a Castle and Moat Defense
Though the Target breach is now six years old, the fundamental weaknesses that led to the
incident remain as relevant today as they have been since the dawn of civilization.
In today’s globally distributed marketplace, such weaknesses are manifold. Vulnerabilities
can arise from anywhere among the supply chain of private infrastructures, hosted and cloud
infrastructures, remote-access points, mobile solutions, and more. All it takes for any business
to relive the Target breach is for someone with nefarious intent to find and exploit the weakest
of those myriad links.
A standard course of action when developing cybersecurity measures is to ensure a business’s
coat of armor is consistently thick throughout its supply chain. But given the prevalence of
cyber risk today, adopting a posture of total defense through a “castle and moat” strategy is
expensive folly.
A more prudent strategy is to layer sound security practices along with techniques that
position an organization to be prepared for the inevitable breach. To fully take advantage of
this security mindset, businesses need a tool that can provide them with visibility into potential
or even active threats, so they can remain vigilant and prepared for the next attacks before
they occur.
One of the greatest threats to establishing an effective security suite around a modern business
network is the lack of visibility into the activity on partner networks. Many of the barriers to
that visibility exist for good reasons, such as ensuring data privacy and safeguarding user
information. But many other challenges are legacy problems within the security industry that
can be surmounted through outside-the-box thinking.
The truth underpinning all security efforts is as valid as ever: If the bad guys want something that’s locked up, they will find the weakest path inside.
Regulations Can Become Obstacles
Before accepting a partner, many businesses will conduct due diligence investigations by
probing a partner network’s security compliance in the form of a questionnaire. But the red
tape surrounding privacy laws can effectively get in the way of good security and obtaining
true visibility into the level of compromise in a server. Ultimately, businesses must trust that
their partner’s barn door on a distant cloud server isn’t being kept wide open at night to
hungry wolves.
Standard Solutions Create a False Sense of Security
The hype and hyperbole of cybersecurity organizations over decades has resulted in the
formulation of a false security net, leading many businesses to believe they are safe. This
is due in part to the noisy level of activity in standard security software sweeps. When
a handful of malware samples are caught, an organization builds confidence that it is one step
ahead of threats. But often, the bad guys will leave behind traces of easily caught malware to
ease attention on the network, while the more sophisticated malware is stealthily humming in
the background. Cracks in the armor like these can be the sources of crucial data leaks.
A Report Card Mentality to Cybersecurity Can Lower Defenses
Current practices for third-party risk management commonly involve the application of some
risk model to compute a “risk score” for businesses and their partners.
But a business could have a great risk score and be lulled into a false sense of safety, all while having active compromises contributing to unseen loss or damage.
5 immediate challenges and limitations around the use of cyber-risk scores for understanding third-party risk:
1. Risk scoring is about potential, not actual compromise. A risk model may probe, test, and evaluate a cyber-security solution. It is an abstract measure of potential weakness; it does not represent an actual compromise. It is possible to have a great risk model score but still have an active dangerous compromise.
2. Risk scores do not account for threat actor(s) campaign intent. A risk score is an assessment independent of threat context. An industry or sector may be the deliberate target of one or more threat actors. If so, then an a priori risk should be higher and would warrant taking additional precautions. A risk score without threat context can lead to an inaccurate sense of safety.
3. Risk scores do not consider business context. Depending on the risk model, an organization’s risk score may not take into account the underlying structure of relationships in its third-party ecosystem. If a large set of companies share the same small set of third-party partners, that represents an inherent structural risk because a debilitating compromise to those specific third parties could represent a drastic impact on a business.
4. Risk scoring is only a snapshot in time. If the risk model is at all dependent on the results of any type of scan, that data starts becoming stale immediately after the tests are complete. Compromises can occur between such scans, and running such scans continuously can be prohibitively costly and negatively impact an enterprise’s operations.
5. Risk scores are not standardized. Different third-party risk models use different criteria, apply their own scoring models, and report the results differently. A risk rating report will vary depending on what the third-party risk modeler chooses to include or emphasize. A “high risk”, “A”, or “red” rating will likely vary somewhat amongst risk modeling vendors.
Third-party risk management and the associated risk scores are indeed useful for establishing and enforcing compliance with a baseline cybersecurity plan. But for increased confidence in an organization’s cybersecurity posture, businesses need to complement any third-party risk modeling-based assessment with additional intelligence to address the weaknesses mentioned above.
WHAT IS COMPROMISE INTELLIGENCE?
In this age of cybersecurity, a castle-and-moat style of defense is not enough. The new defense
is offense — taking the fight to the doorstep of the adversary.
Compromise Intelligence is cyber counterintelligence at scale, empowering organizations
to gain visibility on targeted threats before they impact their business. Most cybersecurity
solutions are focused on protecting each potential victim with an endless perimeter defense.
But with Compromise Intelligence, these potential victims are given Continuous Compromise
Monitoring capability, empowered to peer over the shoulders of the adversaries themselves.
Nearly every security technology to date involves either a signature-based solution or an
anomaly-based solution, both of which require the threat to be properly identified before
any preventative action can be taken. But neither solution is ideal. Both are labor-intensive,
requiring the ingestion of immense amounts of data from network traffic to sort the signal of
the threat from the noise of the standard communications.
This exercise is like searching for one or two needles across dozens of different barns, inside
hundreds of haystacks, among millions of pieces of straw.
Standard data security solutions look for Indicators of Compromise (IOC), which would be like
going into each barn, inspecting each piece of straw, bending it, and categorizing it based on
its observable properties. Some pieces could be rightly discarded as threats, but many would
defy the ruleset and be stacked into a pile for further straw analysis. Eventually, the offending
needles would indeed be found, ideally sometime prior to the heat death of the universe.
Instead of reading a comprehensive postmortem examining the vulnerability after the fact, for the first time ever it’s possible to see exactly what is happening before and even during an attack on a network.
But what if you could stand outside those barns with a powerful electromagnet beside you?
You flip a switch, and in seconds, those dangerous needles are pulled through the barn’s
walls, straight to your trusty magnet.
Instead of sifting through endless amounts of data captured on-premises, proprietary beacon
technology waits for the threat to signal outbound from an organization, back to its home,
where the telemetry (i.e. Compromise Intelligence) is captured and documented. Shifting
the focus from IOC to Evidence of Compromise (EOC) empowers organizations to swap the
traditional roles of victims and adversaries in the dangerous world of cybersecurity.
Most malware that compromises networks operates similarly to Cold War spies. These secret
agents are sent across enemy lines on discreet missions. But once they land in their target
zone, they phone headquarters to acquire further instructions to carry out their objective.
Compromise Intelligence can ensure that when that beacon is sent back to headquarters, the
metrics for that communication are captured.
To return to the spy metaphor, a counteragent can decode that call, effectively compromising
the secret agent’s handler. Armed with that knowledge, the agent and the country they work for
are unmasked. It provides critical information that allows a potential target to know who around
them has been compromised by that agent, and to use that information to drive decisions that
can help them avoid becoming victims of the agent themselves.
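The call-home behaviour described above, seen from the defender's own side of the wire: the following is an added example and is not Prevailion's technology or any code from the original paper. It scores each (source, destination) pair in a set of constructed outbound-connection records by how regular the gaps between connections are, since a check-in that fires on a fixed timer stands out from human-driven traffic; the host name, addresses, timestamps and thresholds are all made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection records (not real telemetry), one per line:
# "<ISO timestamp> <source host> <destination> <bytes sent>"
# 203.0.113.45 is contacted every ~5 minutes with a near-constant payload,
# the shape of a malware check-in; 198.51.100.20 is ordinary bursty browsing.
SAMPLE_LOG = """\
2019-07-01T10:00:00 ws-17 203.0.113.45 412
2019-07-01T10:05:02 ws-17 203.0.113.45 418
2019-07-01T10:10:01 ws-17 203.0.113.45 409
2019-07-01T10:14:59 ws-17 203.0.113.45 415
2019-07-01T10:20:00 ws-17 203.0.113.45 411
2019-07-01T10:25:01 ws-17 203.0.113.45 413
2019-07-01T10:00:37 ws-17 198.51.100.20 15033
2019-07-01T10:01:12 ws-17 198.51.100.20 2200
2019-07-01T10:09:48 ws-17 198.51.100.20 88012
2019-07-01T10:31:05 ws-17 198.51.100.20 5120
"""


def parse_log(text):
    """Group (timestamp, bytes) events per (src, dst) pair, oldest first."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    for events in flows.values():
        events.sort()
    return flows


def interval_cv(gaps):
    """Coefficient of variation of the gaps between connections.
    Near 0 means clockwork timing; human-driven traffic is far noisier."""
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else float("inf")


def find_beacons(text, min_events=4, max_cv=0.1):
    """Return (src, dst) pairs whose connection timing is regular enough
    to deserve a look. The thresholds are tuning knobs, not ground truth."""
    findings = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_events:
            continue  # too few samples to judge regularity
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = interval_cv(gaps)
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "events": len(events),
                "mean_interval_s": mean(gaps), "cv": cv,
                "mean_bytes": mean([b for _, b in events]),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Real beacons add jitter and sleep through business hours, so in practice the coefficient-of-variation threshold is loosened and combined with payload-size regularity and destination reputation rather than used alone.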
How does Compromise Intelligence work?
Traditional defenses and identification tools aren’t effective against anonymous,
polymorphic malware.
Compromise Intelligence can disrupt adversaries on a global level by targeting a critical weak point in their arsenal — the need to remotely acquire new instructions.
WHAT A BUSINESS CAN DO WITH ENHANCED THREAT OPTICS
The job of standard cybersecurity solutions is to serve as the primary layer of defense against
an outright disaster. But as has already been reviewed, if a breach is an inevitability for many
organizations, what happens when that disaster has already happened or is
actively happening?
It’s not enough to just lay eyes on the bullet that will soon kill you if it’s already lodged in your
chest. Ideally, you’d know beforehand that a gun was being aimed at you, or, going even
further back in time, that there was someone in your home with the intent to do harm.
Compromise Intelligence can give businesses that level of visibility into potential threats to
their networks and provides a lifeline to businesses when a potential threat has evolved into
an actual threat.
A public leak following a data breach can fundamentally change the course of an organization.
It can potentially alter its stock value and has a direct impact on the public’s perception
of the organization.
The danger of a data breach isn’t just in losing critical data around a valued intellectual property, sabotage, or ransomware. It shakes the confidence in investors. The organization’s trust is put on public trial.
The Lifeline Offered by Compromise Intelligence
How an organization reacts to these scenarios in the minutes, hours, and days following a
breach can lay the foundation for either recovery and prosperity, or faltering failure
and bankruptcy.
Instead of being hamstrung by a data breach that’s gone public, organizations armed with
Compromise Intelligence are given valuable time and knowledge about the breach that allows
them to retake control of a chaotic scenario and gain a competitive advantage.
Threat or Opportunity: Without CI vs. With CI
• Knowledge of nature and extent of the breach
• Able to respond quickly and efficiently to a public data breach
• Have adequate time to craft a response and disclosure plan
• Armed with foreknowledge to control the public messaging of a breach
• Trust in the organization is secure
With the insights of Compromise Intelligence, organizations can:
1. Gain key insights into who is behind a compromise, the associated campaign, the type of
malware that was used, and even how long a threat actor dwelled within an affected system.
2. Make pre-emptive business decisions to ensure that their own or a third party’s active
compromises won’t negatively impact their bottom line.
3. Proactively craft a response plan, including public messaging and preparation for disclosures,
instead of being driven by potentially damaging headlines from the media in the event
of a leak.
4. Maintain an edge in protecting their most valuable commodity in the marketplace: Trust.
WHO STANDS TO BENEFIT FROM COMPROMISE INTELLIGENCE?
The most expensive industry to protect against cyber intrusions is healthcare, according to
IBM Security’s 2019 Cost of a Data Breach Report.[5]
Healthcare organizations are targets for cyber intrusions because they are warehouses for
Personally Identifiable Information (PII) and Protected Health Information (PHI), making them
treasure troves for threat actors. But utility companies and government entities have also
emerged over time as prized targets for infiltration.
Within these industries and hundreds more, key business decisions that stand to benefit from
Compromise Intelligence include:
Third-Party Cyber Risk Management
• Evaluate and track a third party’s historical, present, and ongoing security posture using Compromise Monitoring
• Identify their active compromises and assess risk before their compromises become your own
• Gain greater peace of mind with Evidence of Compromise, instead of vetting thousands of indicators of compromise
• Conduct ‘always on’ risk management by evaluating the compromise status of a third-party ecosystem
Mergers & Acquisitions
• Gain a competitive edge and make profitable decisions with actual Evidence of Compromise associated with potential acquisition targets
• Identify if an acquisition target has systemic security issues and how they compare to peers in similar industries or geolocation
• Continuously monitor the compromise status of acquisition targets and their third-party ecosystems throughout the lifecycle of a deal
Cyber Due Diligence
• Expand a security and risk analysis team’s reach and precision with Evidence of Compromise
• Support strategic business decisions that influence M&A, investment, supply chain, and cyber insurance claims and policies
• Use Compromise Intelligence to evaluate the current landscape and identify the threat actors that might target the parties in a transaction
• Identify a target’s prior and active compromises and assess remediation steps and practices
CONCLUSION
Cyberwarfare has always favored the bad guys. The flexible and amorphous nature of today’s
business supply chains has not done any favors for that balance. Instead, businesses have
learned that defensive positioning alone cannot fend off endless attacks.
The bad guys can make thousands of attempted infiltrations and score a win with just a single
success. Conversely, the good guys must fend off all these unstoppable attacks, and evolve
their network defenses, because if just one attack breaks through, it’s all over.
Compromise Intelligence is, for the first time ever, arming businesses with their own asymmetrical
advantage in the threat landscape over adversaries. With this newfound visibility, the targeted
victims can stop a malware’s outbound communication, and limit the dwell time on secure
networks by potential adversaries, shortening an unwanted stay from anonymous bad guys
from months down to minutes or seconds.
Imagine a future where this advantage plays out on a global stage.
Suddenly the tables have turned for the hunters. The hunted have become the hunters,
empowered to cordon off their adversaries. The theater that such attacks could freely operate
in would shrink, creating a safer, more transparent landscape for organizations to feel more
secure about their investments in securities.
That’s the audacious world that Prevailion hopes to help companies build.
LEARN HOW YOU CAN EXCEL WITH PREVAILION
Watch our 30-minute webinar led by Karim Hijazi, CEO and Founder of Prevailion, where he
explains why the future of cybersecurity will demand that the industry shift its focus from the
victim to the adversary, and the role that Compromise Intelligence will play in delivering a
strategic, competitive edge to the companies that leverage it.
Learn More at PREVAILION.COM
ABOUT THE AUTHOR
Karim Hijazi
CEO and Founder, Prevailion
Karim Hijazi is the Founder and CEO of Prevailion, a first-of-its-kind
cybersecurity SaaS platform that provides businesses with unprecedented
visibility into their own network as well as existing third-party partners and
potential new partners, acquisitions or investments, empowering them to
mitigate their compromise before it becomes their own.
SOURCES:
[1] https://www.marketwatch.com/press-release/opus-ponemon-institute-announce-results-of-2018-third-party-data-risk-study-59-of-companies-experienced-a-third-party-data-breach-yet-only-16-say-they-effectively-mitigate-third-party-risks-2018-11-15
[2] https://censinet.com/ponemon-research-report-the-economic-impact-of-third-party-risk-management-in-healthcare/
[3] https://www.ibm.com/security/data-breach
[4] https://www.insurancejournal.com/news/national/2019/07/23/533657.htm
[5] https://www.ibm.com/security/data-breach