External self-awareness is key to accurate and actionable cyber risk quantification

October 2022 | By Yonatan Israel Garzon

Self-absorbed is not a fair description of most organizations' cybersecurity risk postures. Unfortunately, neither is external self-awareness, and looking only within can be dangerous, ineffective and inefficient.

A continuous evaluation of the dynamic threat landscape provides the missing bigger picture. It elucidates the who and why—or attribution and motive—of ongoing and future threats. What results are clear actions with high returns on investment for security control implementation and risk management.

Enterprise cybersecurity spending will reach US$172.5 billion in 2022, according to predictions by IT research firm Gartner. While cybersecurity budgets are generally rising in tandem, pressure to spend these budgets efficiently is also increasing in response to growing regulatory oversight and fears of an economic downturn. Yet even after timely threat and vulnerability assessments, 2 in 3 security executives still lack confidence that they are investing in security controls properly aligned with the cyber risks they are facing, according to a study by consultancy firm PWC.

Inward-looking cyber risk assessments generally focus on prioritizing business-critical assets, identifying gaps or misconfigurations in security controls to protect those assets, and then calculating risk based on the probability and potential impact of exploitation of vulnerabilities. Scant attention is paid to ever-shifting "personalized" threats affected by geo-politics, the economy and technology. Comprehensive frameworks, such as ATT&CK or CAPEC, only account for differences in attackers and their tactics, techniques and procedures (TTP). And just 30% of organizations include cyber threat intelligence (CTI) analysis as a critical component of their cybersecurity operating model, according to the PWC study.

Change is already happening. The International Organization for Standardization (ISO) recently updated their ISO 27002 information security standard to include CTI. Organizations are expected to proactively collect and analyze external data on targets, motives and attack behaviors to reshape their own perceptions of their specific risk pictures at strategic, operational and tactical levels.

To meet these expectations, an organization's chief information security officer (CISO) or cybersecurity decision-maker needs:

• tools to quickly visualize relevant data and trends in real time
• objective data scraped directly from quality sources of active threat intelligence
• objective metrics for evaluating current trends as bases for forecasts and meaningful action

A dynamic threat landscape analysis meets this CTI need. It begins with the collection of real-time intelligence from the depths of the internet via direct scraping or third-party sources, which are continually added and curated to ensure quality and integrity. The analysis further includes exclusive access to closed communities, such as forums, marketplaces and invite-only chat groups.

The next stage is data processing. Automated text analysis of even the lowest resolution data identifies multilingual entities and synonyms across attackers, attack methods and TTPs, geopolitical regions, industry sectors, and business assets.

Finally, statistical analysis removes redundant permutations of the same entities and then outputs trends and patterns tailored to an organization's circumstances. It also provides short-term predictions that help in the run-up to expected events, such as political elections and busy shopping seasons, or less expected events, such as wars and recessions.

The integration of dynamic threat landscape analyses within a quantitative cyber risk solution can correlate an organization’s tailored threat landscape with an extensive internal assessment of the organization's cybersecurity maturity. A “dollar tag” based on potential losses allows the ranking of cybersecurity gaps to highlight the best return on investment in terms of ratios of positive cost to risk reduction.

A regional US government entity was preparing an annual cybersecurity strategy and budget. Before finalization, the CISO ran a quantitative assessment using a dynamic threat landscape analysis. It uncovered an emerging and growing threat to public administration organizations in the region from foreign state-sponsored actors who were weaponizing emails to steal personally identifiable information (PII).

The CISO had not planned to invest in an improved data loss prevention (DLP) solution but revised that strategy based on the findings. Soon after, the organization began experiencing external cyber-attacks zeroing in on PII. The new DLP security controls successfully warded them off.

Misunderstandings and mispredictions of the dynamic adversarial landscape often lead to poor and costly security control investment decisions. Threat landscape analysis solutions—such as Mastercard Cyber Insights, which works in combination with Cyber Quant—ensure cybersecurity decision-makers have the correct tools to accurately pinpoint high-risk attackers and attack scenarios for their organizations, and gain insights into the risks associated with business actions and geopolitical events.

Effective protection comes from aligning correct cybersecurity investment actions with trend forecasts. Learn more about Mastercard’s cybersecurity and risk solutions here.