Risk monitoring should not be limited to compliance with regulatory requirements. These audits should be part of an ongoing cycle to enable security teams to stay ahead of threats and ensure that the security system remains fit for purpose.
Today’s threat landscape has never been more complex, and the speed at which attackers can exploit vulnerabilities keeps increasing. Faced with this combination, businesses are beginning to recognise the limits of their traditional, reactive approach to cybersecurity and are moving toward “threat hunting”.
In general, threat hunters watch for signs of malicious actors or exploitable weaknesses in their environment and seek to limit the damage. However, the very concept of “threat hunting” assumes that the organization has already been compromised before it reacts.
But this is no longer enough. Companies need to change their mindset: gain an overview of the environment that lets them identify risk areas in advance, instead of reacting to threats as they arise.
New regulations such as NIS2 and DORA are specifically designed to push businesses toward a more pragmatic and cautious approach to cybersecurity, and in doing so they promote this new form of “risk hunting”.
Much more proactive in its approach, risk hunting allows companies to identify, assess and mitigate risks before they turn into real threats. But how can companies hunt for risks?
In which areas should we look for risks?
As an industry, we still do not fully understand the motivations of threat actors, and therefore the risks that exist within an organization. Why? Because businesses find it hard to gauge how quickly threats are evolving. In other words, they keep defending against yesterday’s attacks by maintaining their existing security posture, without anticipating how attacks will develop.
NIS2 certainly helps raise the baseline level of security, but the directive does not provide enough detail to help businesses close these gaps on their own. They must form specialized teams capable of acting as adversaries and testing the limits of existing policies and structures.
The scope of “risk hunting” should not be limited to looking for digital vulnerabilities that external threats can exploit. It should be comprehensive, and able to determine whether the business can keep operating through a DDoS attack or an internet outage, for example.
What is the best way to hunt for risks?
There are several methods for hunting risks, such as advanced analytics, threat intelligence and anomaly detection. Intelligence-led “risk hunting”, which uses threat information to guide the risk assessment, is, in my opinion, the most effective.
Unlike “threat hunting”, which uses indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) to identify points where an attacker can exploit a weakness, “risk hunting” focuses on indicators of attack (IOAs). IOCs are artefacts of a known past intrusion (file hashes, IP addresses, domains), so they only fire on what has already been seen; IOAs are patterns or behaviours that signal an ongoing or impending attack, whatever tooling the attacker uses. These indicators help determine the TTPs attackers use during an attack.
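As an added example that is not part of the original article, the following Python contrasts the two approaches on a constructed set of endpoint events: an IOC matcher that looks up file hashes and destination IPs in a made-up intelligence feed, and an IOA matcher that looks for the behaviour “an Office application spawns a script host that opens an outbound connection”. All hosts, hashes, IP addresses and timestamps are constructed; the ATT&CK technique ids attached to the IOA hit are the public MITRE ids for spearphishing attachments, scripting interpreters and application-layer C2.

```python
"""Added example (not from the article): IOC matching versus IOA matching.

All hosts, hashes, IP addresses and timestamps below are constructed for
illustration. The ATT&CK ids are the public MITRE technique ids.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: int                        # seconds, monotonic within the sample
    host: str
    pid: int
    ppid: int
    image: str                     # process image name, lower-case
    sha256: str                    # hash of the image (shortened, constructed)
    dest_ip: Optional[str] = None  # None = process start; otherwise an outbound connection


# Constructed intelligence feed: artefacts (IOCs) observed in an earlier intrusion.
IOC_HASHES = {"e3b0c44298fc1c14": "binary masquerading as powershell.exe seen in earlier intrusion"}
IOC_IPS = {"198.51.100.23": "command-and-control address seen in earlier intrusion"}


def ioc_hits(events):
    """Look each event up against known artefacts. Cheap, but only fires on what has been seen before."""
    hits = []
    for e in events:
        if e.dest_ip is None and e.sha256 in IOC_HASHES:
            hits.append({"host": e.host, "pid": e.pid, "ioc": e.sha256, "why": IOC_HASHES[e.sha256]})
        elif e.dest_ip is not None and e.dest_ip in IOC_IPS:
            hits.append({"host": e.host, "pid": e.pid, "ioc": e.dest_ip, "why": IOC_IPS[e.dest_ip]})
    return hits


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def ioa_hits(events, window=120):
    """Match a behaviour rather than an artefact: an Office application spawns a
    script host which opens an outbound connection within `window` seconds.
    Fires whichever binary or destination the attacker uses, and is labelled
    with the TTPs that behaviour corresponds to."""
    procs = {}  # (host, pid) -> process-start event, built up in time order
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.dest_ip is None:
            procs[(e.host, e.pid)] = e
            continue
        child = procs.get((e.host, e.pid))
        parent = procs.get((e.host, child.ppid)) if child else None
        if (child and parent
                and parent.image in OFFICE_APPS
                and child.image in SCRIPT_HOSTS
                and e.ts - child.ts <= window):
            hits.append({
                "host": e.host, "pid": e.pid,
                "chain": f"{parent.image} -> {child.image} -> {e.dest_ip}",
                # phishing attachment, scripting interpreter, C2 over an application-layer protocol
                "ttps": ["T1566.001", "T1059", "T1071"],
            })
    return hits


# Constructed telemetry: three hosts, three outcomes.
EVENTS = [
    # ws-a: the attacker reuses a known binary and a known C2 -> both detectors fire.
    Event(100, "ws-a", 100, 1, "winword.exe", "1111111111111111"),
    Event(105, "ws-a", 200, 100, "powershell.exe", "e3b0c44298fc1c14"),
    Event(110, "ws-a", 200, 100, "powershell.exe", "e3b0c44298fc1c14", "198.51.100.23"),
    # ws-b: same behaviour with a rebuilt binary and fresh infrastructure -> only the IOA fires.
    Event(300, "ws-b", 300, 1, "excel.exe", "1111111111111111"),
    Event(304, "ws-b", 400, 300, "cmd.exe", "ffffffffffffffff"),
    Event(309, "ws-b", 400, 300, "cmd.exe", "ffffffffffffffff", "203.0.113.9"),
    # ws-c: an admin opens PowerShell from Explorer and reaches a package mirror -> neither fires.
    Event(500, "ws-c", 500, 1, "explorer.exe", "2222222222222222"),
    Event(502, "ws-c", 600, 500, "powershell.exe", "3333333333333333"),
    Event(503, "ws-c", 600, 500, "powershell.exe", "3333333333333333", "203.0.113.50"),
]

if __name__ == "__main__":
    for name, hits in (("IOC", ioc_hits(EVENTS)), ("IOA", ioa_hits(EVENTS))):
        print(name, "hits on hosts:", sorted({h["host"] for h in hits}))
        for h in hits:
            print("  ", h)
```

The point the sample makes is the one the article draws: the IOC matcher sees only the host where the attacker reused known artefacts, while the behavioural rule catches the rebuilt tooling on the second host and stays quiet on the administrator’s legitimate PowerShell session. The `window` parameter is the usual tuning knob for such rules; shrink it too far and the behavioural hit disappears as well.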
A wide range of technologies can help businesses map their environment and integrate data to identify risk points. Many companies run simulated attacks, for example, to assess the resilience of their security infrastructure against attacks of various scales. Security teams can then adjust their policies based on the results to better prepare for a real attack.
Consequently, there is no shortage of tools and information to help companies identify risks. The problem is the skill required to use these tools properly and apply them in an already very complex environment. Few people have sufficient knowledge to implement such a strategy and understand what must be done to mitigate the identified risks.
Made up of members of both the Red Team and the Blue Team, the “Purple Team” is the team best armed and best suited to hunt for risks. Each side brings specific skills: the Red Team typically seeks to identify vulnerabilities within a company, while the Blue Team works to close the gaps.
To do this, companies should not hire new teams to perform audits, but build mixed teams with a combined skill set that hunt internal risks together, both defensively and offensively. Such purple teams, supported by AI technologies, can analyze the relevant data and interpret what it means in order to make the necessary changes and updates.
Simplify risk hunting and make its results actionable
Even with the best teams and tools, security teams still struggle to make sense of the risk data they collect. Unfortunately, CISOs and security professionals are often ill-equipped to hunt for risks: they rely on a variety of tools that produce huge amounts of disaggregated data.
This data should then be cross-referenced and prioritized to identify key trends. The current process makes it virtually impossible to assimilate it and extract useful information. Separate security tools and manual processes provide an incomplete view of cyber risk and limit the ability of security teams to address it effectively.
To assess the relevance of the data, CISOs need to bring all their tools together into a comprehensive solution that connects the data and quantifies risk across the enterprise in a visible way. Raw data is of no use to a resource- and time-strapped security team. Using technologies like AI, they can analyze the data and present a clear, concrete plan to their management.
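As an added example that is not part of the original article, the following Python shows the cross-referencing step in miniature: findings from three tools in three different schemas are resolved to a common asset inventory, duplicates reported by more than one tool are merged, and each finding is scored with the business context the individual tools lack (asset criticality and internet exposure). The asset inventory, tool output formats, finding titles, scores and weighting factors are all constructed for illustration; no real vulnerability identifiers are used.

```python
"""Added example (not from the article): joining findings from separate tools
to asset context and ranking them by business risk rather than raw severity.

Tool output formats, assets, titles, scores and weights are constructed.
"""
from dataclasses import dataclass


# Constructed asset inventory: the context the individual tools do not have.
ASSETS = {
    "payments-api": {"aliases": {"10.0.2.10", "payments-api-lb"}, "criticality": 5, "internet_exposed": True},
    "lab-test-01": {"aliases": {"10.0.1.5"}, "criticality": 1, "internet_exposed": False},
}
# Resolve whatever identifier a tool uses (IP, cloud resource, hostname) to one asset id.
ALIAS_TO_ASSET = {alias: name for name, meta in ASSETS.items() for alias in meta["aliases"] | {name}}

# Constructed raw findings, each in its tool's own schema.
SCANNER = [  # network vulnerability scanner: keyed by IP, CVSS base score
    {"ip": "10.0.1.5", "title": "Remote code execution in outdated management agent", "cvss": 9.8, "exploit_public": False},
    {"ip": "10.0.2.10", "title": "Outdated TLS library", "cvss": 5.9, "exploit_public": True},
]
CLOUD = [    # cloud posture tool: keyed by resource name, textual severity
    {"resource": "payments-api-lb", "check": "Security group allows 0.0.0.0/0 on port 22", "severity": "HIGH"},
]
EDR = [      # endpoint agent: keyed by hostname; reports the same TLS issue as the scanner
    {"hostname": "payments-api", "title": "outdated TLS library", "cvss": 5.9, "exploit_public": True},
]

SEVERITY_TO_SCORE = {"LOW": 3.0, "MEDIUM": 5.0, "HIGH": 7.0, "CRITICAL": 9.0}  # assumed mapping


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    base: float            # severity on a common 0-10 scale
    exploit_public: bool
    source: str


def normalise(scanner, cloud, edr):
    """Translate each tool's schema into one Finding shape, resolving identifiers to asset ids."""
    out = []
    for f in scanner:
        out.append(Finding(ALIAS_TO_ASSET[f["ip"]], f["title"], f["cvss"], f["exploit_public"], "scanner"))
    for f in cloud:
        out.append(Finding(ALIAS_TO_ASSET[f["resource"]], f["check"], SEVERITY_TO_SCORE[f["severity"]], False, "cloud"))
    for f in edr:
        out.append(Finding(ALIAS_TO_ASSET[f["hostname"]], f["title"], f["cvss"], f["exploit_public"], "edr"))
    return out


def score(base, asset, exploit_public):
    """Weight raw severity by what the asset is worth and how reachable it is (weights are assumptions)."""
    s = base * asset["criticality"] / 5          # keep 0.2 .. 1.0 of the base score
    if asset["internet_exposed"]:
        s *= 1.5                                 # reachable from outside
    if exploit_public:
        s *= 1.5                                 # no attacker effort needed
    return s


def prioritise(findings):
    """Merge duplicates reported by different tools, score them in context, rank highest first."""
    merged = {}
    for f in findings:
        key = (f.asset, f.title.lower())
        s = score(f.base, ASSETS[f.asset], f.exploit_public)
        if key in merged:
            merged[key]["sources"].add(f.source)
            merged[key]["score"] = max(merged[key]["score"], s)
        else:
            merged[key] = {"asset": f.asset, "title": f.title, "score": s, "sources": {f.source}}
    return sorted(merged.values(), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in prioritise(normalise(SCANNER, CLOUD, EDR)):
        print(f'{row["score"]:5.1f}  {row["asset"]:14s} {row["title"]}  (from {", ".join(sorted(row["sources"]))})')
```

Run as is, the highest-severity raw finding (a 9.8 on an isolated lab box) ends up at the bottom of the list, while a medium-severity library issue on the internet-facing payments service, reported by two tools and with a public exploit, ends up at the top. That inversion is exactly what a team reading three separate dashboards cannot see, and it is the kind of concrete, ranked plan the paragraph above asks CISOs to put in front of management.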
For too long, businesses have simply reacted to cyber threats, perhaps because of a lack of investment in security teams or a misunderstanding of the threat actors. The adoption of NIS2 and DORA will put security at the top of the priority list and thus give professionals the opportunity to upgrade their tooling and secure more funding.
By highlighting the gaps in the current system clearly and concisely, security teams will be able to stand out and help their management take the necessary steps to comply with the law.