Get Ahead Of The Cybersecurity Bad Guys: The Key Role Of Threat Intelligence

This article is more than 5 years old.

Evolved Media

To get the most security for the least money, companies must create a balanced cybersecurity portfolio, similar to a financial portfolio, in which investments align to specific priorities across a variety of areas instead of focusing on just prevention or remediation.

As part of my cybersecurity research (“Creating a Balanced Cybersecurity Portfolio”), I have focused in on all the stages of creating such a cybersecurity portfolio. One of the most interesting, crucial and difficult to execute is the last: rebalancing. It is hard to know when existing capabilities are less relevant and ready to be retired — or when new capabilities must be acquired and incorporated. In addition, nobody makes changes quickly. Solutions are phased out and introduced gradually. To meet this need and others, threat intelligence solutions have emerged as a critical part of the security stack. These solutions offer insights about emerging threats, which inform ongoing rebalancing of your portfolio.

Flashpoint

Recently I had a conversation with Josh Lefkowitz, CEO and co-founder of Flashpoint. Flashpoint offers business risk intelligence, which tracks adversaries across multiple types of unique and hard-to-reach online communities, from elite forums and illicit marketplaces to chat services platforms. Flashpoint recommends that organizations integrate inputs from all sources – from those that provide visibility into cybercrime and fraud; to international, political and societal dynamics; malware and exploits; disruption and destructive threats; and physical and insider activities. By providing an intelligence profile of the threat landscape, this contextual view offers concrete input to more effectively rebalance your portfolio with respect to emerging and existing threats, adversaries, and relevant business risks.

I sat down to talk with Lefkowitz about two things. First, what are the signs of a healthy and effective portfolio? Second, what sorts of evidence indicate a need for rebalancing?

Signs of a well-balanced portfolio

Lefkowitz and I agree that a balanced cybersecurity portfolio requires a set of well-articulated goals. He suggests that a top goal must be keeping ahead of the attackers. Flashpoint is designed to meet this need by providing intelligence information that can help predict the kinds of threats a company is most likely to face.

The most successful intelligence programs are tailored to the unique needs and objectives of a business, and must be relevant, informative, and consumable.

Lefkowitz says an important part of this is knowing your intelligence requirements. Put simply, intelligence requirements are the objectives of your intelligence operation. They should be timely and actionable, reflecting key needs or challenges of your business.

For example, in a private sector organization, requirements might include combating cybercrime, emergent malware, compromised credentials, insider threat, and the risks they pose. Keeping abreast of what is happening in all of these areas helps you rebalance your portfolio.

But just as you rebalance your portfolio, it is also important to rebalance and refocus your intelligence requirements. Just as threats, adversaries, and even organizations continually change, at some point you will recognize that your intelligence requirements—and therefore your portfolio priorities—are also starting to change.

“With our customers, we have found that intelligence requirements must always be kept at the forefront. They represent the kinds of questions you want intelligence and data to help you answer,” Lefkowitz said. “At Flashpoint, we say that all of your activities should be aligned and measured against those priority intelligence requirements. And those are ever-changing, so we see it very much as a continuous, iterative feedback loop that informs your entire cybersecurity portfolio.”

In other words, you won’t find what you aren’t looking for. By keeping the idea of intelligence requirements constantly in mind, you will be open to looking for new threats in new arenas.

When to abandon existing tools

We all know that there’s a variety of approaches for adding capabilities to a cybersecurity portfolio. Many vendors can implement antivirus protection or protection for mobile devices, for example. But when priorities change because the cybersecurity landscape changes, tools that no longer work or provide minimal return on investment should be abandoned.

Lefkowitz warns against being wedded to the status quo. You must be ready to apply the intelligence that is gleaned, which could result in ongoing changes to how you focus your portfolio.

“We have not found an experience where buyers are content to just put a solution in and have it be evergreen,” he said. “They want to see evolution and innovation. We’ve been privileged to continue to rise to the challenge but even in the eight years that we’ve been operating, we’ve seen the competitive landscape evolve dramatically year over year.”

Flashpoint drives this iterative process by using technology and human analysts to collect and analyze data about internal and external threats. A Flashpoint customer receives a piece of intelligence in a number of different forms. It could be a finished report or a contextual alert that one of their selected keywords surfaced in an illicit community. It could also be a direct exchange among like-minded members of the private information-sharing community moderated by Flashpoint that includes the company’s subject-matter experts along with customers from all sectors across the globe.

In any case, after receiving this intelligence, the company may come back to Flashpoint to better understand the nature of the threat. In certain situations, Flashpoint will engage directly with threat actors on an organization’s behalf, as in the case of a data breach or ransomware attack, for example. Once the customer receives this additional context and gains a deeper understanding of its relevance to their environment and risk footprint, they would typically use these insights to inform modulations or adjustments to their portfolio. This is how the portfolio is constantly rebalanced and adjusted.

Addressing insider threats and physical security of executive teams

Lefkowitz gave an example. “One high-profile topic area that we’ve seen is insider threats, which certainly received headlines post-Snowden and post-Chelsea Manning. But there has not been, from what we’ve seen, a true operationalizing of insider threat programs for the corporate environment,” he said. “We’ve homed in on a number of methodologies that insiders are sharing in underground communities. We’ve seen patterns of solicitation for insiders as well as offers by insiders to monetize their access to sensitive data and sensitive systems. This has helped increase the prioritization of insider threat technologies, insider threat processes, and insider threat programs that risk teams and intelligence teams within the enterprise are making decisions around.” Without such information and awareness, organizations would not see the risks clearly and rebalance their portfolio to address them.

He cited another frequent use case. “Another area where we see how intelligence can be an enabler and catalyst is on the physical security side, especially regarding executive protection,” he said. “We see a lot of interest in questions around executive travel as well as board meeting planning. This involves understanding the regulatory and risk landscape for travel to a range of regions, some that are obviously high risk and others that are not top of mind but that are increasingly on the front burner for executives and their physical security teams. These executives must be equipped with what they need to stay safe from a cyber and physical perspective. The goal is understanding what the adversary landscape looks like, best practices are around cyber-hygiene, and enabling executives with that situational awareness and toolkit to understand the risk that they’re headed into when they get off the plane, attend high-profile events or hold a shareholder meeting.”

What’s interesting to me about this advisory aspect of Flashpoint is that it points to a further evolution of the theory of creating a balanced portfolio. Flashpoint not only provides information that may help with rebalancing portfolio capabilities, but it also helps with the idea of rebalancing and optimizing the processes that put the portfolio to work. This is an idea worthy of more exploration.

Ultimately, Flashpoint aims to show how intelligence can play both a proactive and a reactive role in empowering teams across the enterprise. The idea is that you can better prevent and react to threats if you have better intelligence, and then create a more balanced portfolio by being able to recognize the most pressing threats relevant to your business at any given time.
