Thursday, March 26, 2020

The Cyber Insurance Incentive

I stumbled upon a blog (I wish I could find it again) that talked about Marsh's Cyber Catalyst program. Somehow I am late to the game, and today is the first time I have heard about it. The Cyber Catalyst program is designed to help cyber insurance providers by giving them a baseline security posture for the insured. The premise is that if a company has implemented a solution from 1 of the 17 vendors on the 2019 list, it will pay a lower premium because, in theory, it should be operating more securely.

From Marsh, the insurers that participate in this program evaluated the submitted solutions over the following criteria:

  • Reduction of cyber risk: demonstrated ability to address major enterprise cyber risk such as data breach, theft or corruption; business interruption; or cyber extortion.
  • Key performance metrics: demonstrated ability to quantitatively measure and report on factors that reduce the frequency or severity of cyber events.
  • Viability: client-use cases and successful implementation.
  • Efficiency: demonstrated ability of users to successfully implement and govern the use of the product to reduce cyber risk.
  • Flexibility: broad applicability to a range of companies/industries.
  • Differentiation: distinguishing features and characteristics.

It's easy to criticize this approach. Below are the problems that immediately come to mind:

  • It can be seen as a system designed to push companies into buying certain products.
  • The insurers' evaluation of products was not readily transparent.
  • Merely owning a product does not mean you are more secure (poor implementation, management, etc.).
  • The vendor solutions selected can often be beyond the price point of smaller organizations.

But I have to give props where they are due. The premise is great. All things being equal, it takes a step in the right direction in battling the information asymmetry between insurers and the insured. Not fully understanding risk is the principal problem when it comes to finding the right balance between insurers knowing the risk they are taking on and the insured knowing what coverage to select. I also applaud that they are attempting to make these decisions quantitatively and with input from various sources.

My main issue with the premise is that I don't believe the vendors selected for this list will be attainable for all, once again pushing security into the realm of the haves and have-nots. Also, the implementation of these solutions will be all over the map, leading to a potential false sense of security. What I think should be pushed for is a focus on people and processes. These are the foundation for a higher degree of confidence that organizations are operating securely and implementing their tooling correctly.

Effective policy and procedures grow the tent by enabling organizations to use any vendor of their own choosing to achieve capabilities similar to those of the vendors on the Marsh list.

In any systems engineering process, there are many steps before vendor evaluation and selection. The Marsh list seems to skip many of them by implying that if you have 1 of the 17 you are immediately more secure. I contend that, before anything else, insurers need to relay to their clients that a formalized and properly implemented security policy will have a far broader impact than any product. Insurers should quantifiably measure which internal security operations have the most impact in limiting attack surface. This is what they should be rewarding with premium discounts, and it is something that can be applied to every organization of every type.

Give a man a security product and he may be secure for a moment? Teach a man how to be secure, and he'll be secure for a lifetime? Hmmm... I don't know, I'll work on it.

Tuesday, March 24, 2020

Threat Intelligence Cycle


The concept of threat intelligence has been around for centuries. Its concepts have largely been popularized by the works of Sun Tzu. "The Art of War" is a philosophical compilation of strategies for achieving positive outcomes when facing an adversary. That adversary can be engaged on a variety of battlefields wherever competitors have conflicting interests, including playing fields and boardrooms. The cyber domain is the most modern incarnation of a battlefield, one in which your adversaries are largely nameless and faceless. Your adversaries have a wide breadth of skills, and the threats they pose to your environment are dynamic by nature and constantly shifting. This is a challenge for one of Sun Tzu's most fundamental mandates: know your enemy.

The application of threat intelligence to the cyber domain is integral to gaining deeper insight into your adversaries' capabilities and intent.

Gill and Phythian defined intelligence in the book Intelligence in an Insecure World as:

[an] umbrella term referring to the range of activities – from planning and information collection to the analysis and dissemination – conducted in secret and aimed at maintaining or enhancing relative security by providing forewarning of threats or potential threats in a manner that allows for the timely implementation of a preventive policy or strategy, including, where deemed desirable, covert activities.

Applying threat intelligence to your cyber defense enables the shift from a reactionary mindset to a more mature, targeted approach. This approach allows defenders to put in place protection mechanisms that take into account the context of your unique environment. While others may be in a panic over a newly released exploit, you know that you already have controls in place to mitigate any attack attempt. No longer are you always behind the curve in an attack. You are able to anticipate when an attack may occur and the methods that will be used, putting you in a better position for positive outcomes because intelligence allowed you to know your enemy.

Cyber threat intelligence is simply the application to the cyber domain of the threat intelligence cycle that has been used throughout history. Below is a diagram of the cycle. It is drawn as a loop to show that the process is recursive and that each phase supports the others. Integral to the entire process is the mission. Each phase is driven by making sure it adheres to the mission. The mission allows the intelligence team to focus on the subject areas that are of critical importance to the organization. That is why it is key to make sure the mission is clear and communicated to everyone involved in threat intelligence.


Princeton University has a good example of a mission statement and has made it public to make sure everyone knows and understands its directive. The mission is to make information security programmatic and cultural on campus in order to support the University in its mission of teaching and research. It's clear and concise, and they have defined specific activities that are in place to support that mission statement.

That mission statement sets the tone for the very first phase of the lifecycle, Planning and Direction. It is the principal input driving the direction of the program. This initial phase outlines the goals and requirements of the threat intelligence program; the contributions that threat intelligence is meant to provide to the organization are defined here. Other inputs include organizational policy makers and feedback from the dissemination phase. Planning for metrics and for monitoring continuous improvement should be a key component of the initial phase. This direction is then passed to the collection phase.

The collections phase carries out the requirements mandated during the planning phase. This phase creates the systems necessary to collect the data needed to generate intelligence. The sources of this data can be both internal and external to your organization. The decisions made here determine how well the threat intelligence team is able to meet the mandates established by the mission.

Raw data is useless without processing and analysis. The collection phase gathers data from a variety of sources that do not share a universal structure. The processing phase converts that raw data into a structured format that allows for efficient analysis. It also filters out data that is redundant or irrelevant to your operations.

The analysis and production phase is where the correlation of the structured, collected data occurs. This phase builds the narrative associated with threat behaviors. Data across all of the collected sources is now analyzed to develop a single, event-oriented report. This report highlights the insights derived by the analysts.

The report is then disseminated to those who consume the threat intelligence. Consumers of threat intelligence operate at all levels of the organization. They are the decision makers as well as the implementers. Intelligence could reveal a prolonged campaign targeting your organization, or it could be a list of IPs that should be blocked by your firewall. Each possibility drives different activities designed to protect your organization.

The phase that is implicitly defined by the diagram is feedback. Each phase should provide feedback for the phase prior to it. Processing and exploitation should inform the collection team if any additional data would be helpful in processing the data. Dissemination should inform the analyst which report formats are most helpful in facilitating decision making. There should be a continuous dialog between the phases to make sure requirements are being met. This allows for adjustments throughout the lifecycle.

Next, I'll go over operationalizing Threat Intelligence. The focus will be on small businesses who may not have the resources for a dedicated intelligence team. 

References:

Liska, A., & Gallo, T. (2015). Building an intelligence-led security program. Amsterdam: Elsevier, Syngress.

Intelligence Cycle and Process. (n.d.). Retrieved March 24, 2020, from https://www.e-education.psu.edu/sgam/node/15

Information Security Office (ISO). (n.d.). Retrieved March 24, 2020, from https://informationsecurity.princeton.edu/about