The Security Operations Center (SOC) of an enterprise — the heart of cybersecurity for a company — typically processes thousands of alerts each day, battling phishing attacks, injection attempts, malware and ransomware on the front lines. These monitoring activities are important and are often the first line of defense for an enterprise; in many cases they are also the only line needed, because astute SOC analysts and their tools are able to repel attacks immediately. Even so, some security experts, perhaps including yourselves, have described this as a "whack-a-mole" approach, one that risks missing the forest for the trees: analysts and managers are forced to wade through day-to-day alert monitoring with little time left to develop a strategic perspective on threats.
As security professionals like you know better than anyone, effective security requires a holistic, strategic approach — one that understands the current threat landscape, how attackers operate, what they are after, and the tools they are using. A well-thought-out strategic perspective is industry-specific, recognizing that the threats faced by one company are unlikely to be identical to those faced by another. It also takes into account the unique assets at risk, the current capabilities of attackers, and even geographical differences in tools, attackers, and the local policies within which an individual organization must operate.
This perspective comes only from studying the threats outside an enterprise, understanding the attacker's point of view, and harnessing data from a wide variety of sources and contemporary security incidents. In other words, it requires stepping outside the SOC. It requires prioritizing assets and defensive mechanisms based on a broad portfolio of data, and then adjusting those priorities over time as conditions change.
The X-Force IRIS Strategic Threat Assessment
For over two years, IBM Security's X-Force Incident Response and Intelligence Services (IRIS) has been crafting Strategic Threat Assessments (STAs) tailored to the specific needs of companies like yours. These STAs offer critical strategic data to CISOs, SOC managers, and other decision-makers, enabling them to understand the threat landscape for their organization more fully.
STAs take into account the company's industry, its geography, the organization's unique circumstances and the geopolitical climate it operates in, painting a holistic picture of the threats the company faces. They capitalize on insight gained from incident response while weaving in statistics and insight from IBM's managed security services, spam data, dark web research and extensive open source coverage, to deliver assessments beyond what an organization might be able to generate in-house.
An Industry-Specific Approach
STAs examine an organization within the context of its industry, as each industry has a slightly different threat landscape from the others. For example, while ransomware attacks have increased across the board since 2019, IBM X-Force data show that manufacturing companies are more than three times as likely to experience a ransomware attack as companies in the finance and insurance sector. The data also show that both manufacturing and finance are frequently targeted by nation-state-backed threat groups, while the wholesale sector is rarely targeted by such groups. Nuances like these alter the threat landscape for each industry, change the calculus for how companies in that industry can best defend themselves, and offer insight into how to prioritize resources to do so.
Unique IBM Data
X-Force IRIS has access to exclusive incident response data and uses it to add value to STAs. This gives our team wide-ranging and deep insight into the variety of threats facing organizations today, and specific information on how threat actors are compromising companies right now. We present this data as statistics that show a cross-section of threats, and as client-obfuscated case studies and examples that delve into how an attack played out.
In addition, Managed Security Services data provides a snapshot of attempted attacks against industries, drawing on telemetry from thousands of sensors worldwide. IBM spam traps allow us to search for spam campaigns against a specific company, and dark web research allows us to unearth potential threats to a specific organization.
Our teams have also conducted extensive research into and analysis of advanced persistent threat groups, insight we capitalize on within an STA to paint a picture of the groups that might attack a company, what motivates them, and the tools and tactics they use to achieve their objectives. For example, we have observed that Iranian threat groups tend to target transportation sector companies, allowing us to provide detailed warning and advice for companies in this sector that may face similar attacks.
Some of the takeaways from our data are also published in the yearly X-Force Threat Intelligence Index, an assessment of trends that also feeds into each STA. For example, as you may have seen, the 2020 Threat Index identified a significant increase in attacks on operational technology in 2019, which has implications for organizations that rely heavily on operational technology, such as manufacturing, utilities, and oil and gas.
Prioritizing Assets at Risk
X-Force IRIS STAs use asset ranking as the foundation for the overall assessment, identifying the general categories of assets most at risk for a particular company based on our understanding of current threats to the company's industry, the unique characteristics of that company, and the capabilities and tools of current threat groups. We use a proprietary system of asset categories and ranking methodologies, honed over time and coordinated with industry peers, to develop a unique ranking for each STA recipient.
This ranking system can assist companies like yours in identifying your most at-risk assets and developing measures to protect them in order of priority. For example, for an oil and gas company, the availability of critical networks might be the asset most at risk, based on the high number of destructive malware attacks X-Force IRIS has observed against oil and gas companies over the past two years relative to other industries.
The Benefits of a Strategic Approach
While the security needs of each company differ, along with the advantages you might gain from an STA, several clients have pointed to tangible benefits the assessment has provided for their organization.
For one company, the STA provided a narrative the CISO could take to the boardroom that would be both understood and appreciated in the C-suite. In particular, the STA identified the specific threat groups likely to target the company, along with an assessment of what motivated them. Being able to communicate effectively how threat actors were targeting the company, and why, gave the CISO additional traction when advocating for security investments.
In another instance, a company used an STA to identify concrete action items to incorporate into its security plan. The detailed recommendations in the STA, tailored to the assets most at risk for that company, provided ideas for how the company could prioritize its security measures.
Multiple companies have also found an STA to be an effective complement to network-specific assessments that examine their infrastructure from the inside out. With a companion assessment that closely examines external threats and current attack tactics against industries, security professionals like you are better positioned to make security decisions specific to your company.
Bringing Strategy Home
Incorporating a strategic perspective into an enterprise security plan enhances the effectiveness of SOC activity, assists CISOs and other security managers in prioritizing defense mechanisms, and can help create a narrative that other C-suite officers appreciate. It can also unearth hidden threats to a company, such as information residing on dark web forums, or new threat groups and their techniques. Depending on where a company acquires its strategic threat information, this data may also include new industry threat statistics, case studies, and trend data unavailable in the public domain.
Obtaining a Strategic Threat Assessment
While X-Force IRIS offers Strategic Threat Assessments as part of the IRIS Vision Retainer, they can also be obtained on an ad hoc basis from the X-Force Intelligence Services team by reaching out to your IBM Security representative, or by submitting a request through our online form asking for more information on the "X-Force IRIS Strategic Threat Assessment."
With an IRIS Vision Retainer, you have access to a range of options that can help you understand and implement the recommendations from an STA, including the option of incident response services should an intruder make it past the perimeter.