Nearly one quarter of the successful threats included in the FTI are categorized as “undetermined.” Far from being uninformative, this data can indicate either liabilities or opportunities to secure your environment.
THREAT PROFILE
In both the overall population and in most industries, undetermined threats are prominently represented in FTI threat clusters. While a threat named “Undetermined Vector” appears less informative than “Misdelivery” or “Spyware Keylogger,” what we are actually observing is how commonly organizations fail to detect or record security incidents within their environments.
This, of course, creates a liability. To attorneys, judges, and regulators it looks like negligence: why would an organization not monitor its systems for suspicious activity?
But this data also creates an opportunity. Organizations that are prioritizing their security programs can see how commonly this lack of awareness contributes to security incidents in their industry, which helps them decide how critical monitoring technologies are to their own security strategies.
KNOWN UNKNOWNS:
Turning Blind Spots into Powerful Defenses
BREAKDOWN:
Undetermined Threats by Industry
FINDINGS
The wise learn many things from their enemies.—Aristophanes
Understanding the data about information security incidents and breaches may tell us as much about our enemies as it does about ourselves. One piece of FRI data that illustrates this point perfectly is how common “Undetermined” threats and vectors are among the causes of breaches.
As organizations first use the FRI, they become engrossed in the details of the threat landscape. They explore how frequently their peers are hit by Command-and-Control malware, insider threats, and ransomware. But they tend to look with disappointment at the large blocks of data named “Undetermined,” as if that data told them nothing. In fact, those blocks are calling out the need for organizations to become more capable of looking for threat activity on their systems, in their applications, and in their networks.
A key reason incident response analysts are unable to determine the cause of breaches is that many organizations do not operate monitoring systems sufficient to detect and record suspicious activity.
Log management and SIEM systems have frustrated IT teams since log management was born. Despite advances in technologies that correlate events and draw attention to suspicious activity, logging and alerting evidently still challenge many organizations.
Commonality of Undetermined Threats per Industry
SOURCE: FRI 2018
WHAT WORKS FOR OTHERS?
- If you don’t have in-house expertise, engage a SIEM-as-a-Service provider that supplies the hardware, monitoring, and initial response. Look for services that correlate your events with events at other organizations to detect broad-based attacks.
- Think of every system, device, application, and security tool as a logging tool. Consider what you would want it to tell you if something suspicious were happening to it. Then use the FRI to understand the common causes of incidents in environments like yours, and configure logs, correlation engines, and alerts to tell you when those behaviors are occurring in your environment.
- Select and configure security tools with attention to how much detail they report: an event logged without the details needed to correlate it (the source, the account, the asset involved) is little better than one not logged at all.
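The following is an added example, not HALOCK’s code and not part of the FRI, of the kind of correlation rule and alert the guidance above describes. It assumes a simple authentication log format, a threshold of five failures within five minutes followed by a success, and a handful of constructed log lines; it also counts events that were recorded without a source address, since those are exactly the events a correlation engine cannot attribute and an analyst later files as “undetermined.”

```python
"""Minimal event-correlation rule over constructed authentication log lines.

Added example (not HALOCK's code or FRI data). The log format, thresholds
and sample events are all assumptions made for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> auth <success|failure> user=<name> [src=<ip>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>success|failure) user=(?P<user>\S+)(?: src=(?P<src>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def correlate(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source produces >= threshold failures within `window` and then succeeds.

    Returns (alerts, unattributed), where `unattributed` counts events that were
    logged without a source address and therefore could not be correlated at all.
    """
    alerts = []
    unattributed = 0
    recent_failures = defaultdict(deque)  # src -> timestamps of failures inside the window

    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if event["src"] is None:
            # The logging tool did not record the detail needed to attribute the event.
            unattributed += 1
            continue

        q = recent_failures[event["src"]]
        while q and event["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()

        if event["outcome"] == "failure":
            q.append(event["ts"])
        elif len(q) >= threshold:
            alerts.append({
                "src": event["src"],
                "user": event["user"],
                "failures": len(q),
                "at": event["ts"].isoformat(),
            })
            q.clear()
    return alerts, unattributed


# Constructed sample log: one brute-force burst that succeeds, one benign typo,
# and one burst whose source address was never recorded.
SAMPLE_LOG = [
    "2018-03-01T09:00:00 auth failure user=jdoe src=203.0.113.7",
    "2018-03-01T09:00:10 auth failure user=jdoe src=203.0.113.7",
    "2018-03-01T09:00:20 auth failure user=jdoe src=203.0.113.7",
    "2018-03-01T09:00:30 auth failure user=jdoe src=203.0.113.7",
    "2018-03-01T09:00:40 auth failure user=jdoe src=203.0.113.7",
    "2018-03-01T09:00:50 auth success user=jdoe src=203.0.113.7",
    "2018-03-01T09:01:00 auth failure user=asmith src=198.51.100.4",
    "2018-03-01T09:01:30 auth success user=asmith src=198.51.100.4",
    "2018-03-01T09:02:00 auth failure user=bking",
    "2018-03-01T09:02:05 auth failure user=bking",
    "2018-03-01T09:02:10 auth failure user=bking",
    "2018-03-01T09:02:15 auth failure user=bking",
    "2018-03-01T09:02:20 auth failure user=bking",
    "2018-03-01T09:02:25 auth success user=bking",
]


def run_example():
    """Run the rule over the constructed sample and return its results."""
    return correlate(SAMPLE_LOG)


if __name__ == "__main__":
    found, missing_src = run_example()
    for alert in found:
        print("ALERT:", alert)
    print("events that could not be attributed to a source:", missing_src)
```

The jdoe burst produces one alert; asmith’s single mistyped password does not; and the bking burst, which is the same attack pattern, produces nothing at all because the source was never logged. That last case is the one this page is about: the activity happened, but the environment recorded too little to determine its vector.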
Foreseeable Threat Index Analysis Methodology
HALOCK makes no claim or representation that these data predict the causes of breaches at any one institution. To satisfy common regulations, information security standards, and due-care standards, organizations must evaluate their own risk from these threats, and must plan and implement safeguards that reduce those risks to a reasonable level.