
Mitigating Information Security Risks
Alexandre Pieyre, Group Head of Information Security Operations, Iq-Eq

Information security has grown considerably over the past ten years, driven by the frequent cyber attacks that have dominated international media coverage. We are in an era where the protection of digital information is a key preoccupation for businesses and governments alike. Both are increasingly digitalizing their business processes and the documents that go with them, and the impact of the cyber attacks they are exposed to grows with the criticality of the operations concerned.
Information security risk assessment is the discipline of analyzing the exposure of the information assets held by an organization. Its purpose is to examine the various security aspects in order to identify the risks, evaluate them and recommend measures to reduce them. To do this, current risk assessment methodologies are mainly based on threat scenarios that could materialize in a company's IT environment. These approaches take for granted that the risk analysis process rests on the enumeration of threat scenarios that are somewhat generic and poorly adapted to the environment of the company concerned. In addition, some of the methodologies that ship with preset scenarios do not carry enough explanation to make the threat landscape understandable.
Don't get me wrong, they do work to an extent and allow an entity to become aware of its main information security risks. Yet they are not designed to be fed dynamically and to adapt continuously to the current threat landscape.
Therefore, not only do we have to question several aspects of the subjectivity and accuracy of an IT risk analysis and assessment process, but we also need to determine how to make it adapt quickly to an ever-rising rate of vulnerabilities and threats.
Modern vulnerability management takes a wide range of threat vectors into consideration in order to function properly and dynamically. Before getting to the heart of this article, recall how NIST SP 800-30 relates threats, vulnerabilities and risks: a threat source exploits a vulnerability (a weakness in a system, procedure or control), and the risk is a function of the likelihood of that event and of its adverse impact.
Which mechanism needs to be deployed in order to embed dynamic and accurate management of our information security risk life cycle? The answer is simple: threat enumeration.
The more threat sources you obtain, the more accurately you will be able to predict and foresee risks. Therefore, we will introduce a key function within an information security department: the threat intel officer. Whoever holds that position must focus on constantly enriching every adapted and appropriate threat intelligence source.
The Threat Intelligence inputs are collected from the following sources:
• Client requests
  • A client requesting attention on a particular security issue
  • An unacceptable maturity level of a security control detected during a TPM assessment
  • A client requesting a specific tool, solution or platform usage
• Red Team exercises
  • Vulnerabilities identified during penetration testing and/or by continuous security assessment, including Red Team and Purple Team exercises
• Threat Intel platform
  • Vulnerabilities disclosed by manufacturers, CVE entries and the MITRE ATT&CK framework
• Incident management and alerting
  • Incidents revealing security issues to be treated with higher attention (problems), or alerts from your security stack (DLP, SOAR, SIEM, SOC, ...)
• Blue Team observations
  • Observations made during security reviews (access control reviews, configuration reviews)
• Projects, changes and architectures (business strategy)
  • Vulnerabilities and risks brought by new projects, changes and software acquisitions
• Regulatory controls
  • Vulnerabilities and security breaches detected after regulatory controls
  • Threats related to regulatory compliance and violations of laws
The Threat Intel Officer gathers those inputs and enriches them with further feeds from the sources listed above and from the threat intel platform, forming a threat scenario database to be analyzed. This collection process must occur on a weekly basis across the various inputs mentioned above.
Once the collection step is done, the Threat Intel Officer analyzes the collected feeds and checks the criticality of each threat scenario to create a first classification and to exclude the false positives (i.e., erroneous detections by automated tools).
A threat report is filled in for each applicable threat discovered. It follows a threat profiling method, which consists of building a profile of each threat that allows its detailed identification, including:
• Threat ID
• Threat category
• Targeted vulnerability
• Targeted assets
• Threat description
• Threat materialization likelihood
• Remediation decision
• Remediation owner(s)
• Remediation plan
When the profile is first filled in, some of these fields will not yet be available: the true positives still have to be evaluated and managed according to your Information Risk Management Standard and Vulnerability Management Standard. The output of that risk assessment is a risk treatment plan approved by the risk owner(s), which supplies the threat profile's missing pieces.
This dynamic is therefore implemented by going back and forth between the identified threats and the process of mitigating their associated vulnerabilities and related risks. Feeding each process from the other, and moving between threat analysis and risk analysis, deepens the understanding of your threat ecosystem, which in turn lets you identify tendencies and patterns in how threats apply to your environment.
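The weekly cycle described above (collect inputs from several sources, drop false positives, build one profile per threat, then let the approved risk treatment plan fill in the remediation fields) can be modelled as a small threat scenario database. The following is an added example, not code from the article or from IQ-EQ; the profile fields follow the list above, while the three-level likelihood and impact scales, the rule that corroboration by more independent sources raises likelihood, the `THR-nnnn` identifiers and the sample findings are all constructed assumptions for illustration.

```python
"""Added example: a minimal threat-scenario database for the weekly
threat-enumeration cycle. Scales, source names and findings are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed 3-level ordinal scales; the article does not fix a scale.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class ThreatInput:
    """One raw input from a source of the kind listed above (pentest, SIEM, advisory...)."""
    source: str
    category: str
    vulnerability: str   # targeted vulnerability (weakness or advisory reference)
    asset: str           # targeted asset
    description: str
    impact: str          # low / medium / high, as rated by the source or asset owner
    false_positive: bool = False   # analyst triage verdict from the classification step


@dataclass
class ThreatProfile:
    """The threat profile; remediation fields stay None until the risk owners approve a plan."""
    threat_id: str
    category: str
    targeted_vulnerability: str
    targeted_assets: list[str]
    description: str
    impact: str
    sources: set[str] = field(default_factory=set)
    likelihood: str = "low"
    risk: str = "low"
    remediation_decision: str | None = None
    remediation_owners: list[str] = field(default_factory=list)
    remediation_plan: str | None = None

    def is_complete(self) -> bool:
        return bool(self.remediation_decision and self.remediation_owners and self.remediation_plan)


def likelihood_from_sources(sources: set[str]) -> str:
    """Assumption: independent corroboration raises materialization likelihood
    (one source -> low, two -> medium, three or more -> high)."""
    n = len(sources)
    return "high" if n >= 3 else "medium" if n == 2 else "low"


def risk_level(likelihood: str, impact: str) -> str:
    """NIST SP 800-30 style: risk as a function of likelihood and impact, here the
    product of the two ordinal values bucketed into three levels (assumed cut-offs)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def build_threat_database(inputs: list[ThreatInput]) -> dict[str, ThreatProfile]:
    """Collection + classification: one profile per (category, vulnerability),
    false positives excluded, assets and sources merged, highest reported impact kept."""
    by_key: dict[tuple[str, str], ThreatProfile] = {}
    for inp in inputs:
        if inp.false_positive:
            continue
        key = (inp.category, inp.vulnerability)
        prof = by_key.get(key)
        if prof is None:
            prof = ThreatProfile(threat_id=f"THR-{len(by_key) + 1:04d}", category=inp.category,
                                 targeted_vulnerability=inp.vulnerability, targeted_assets=[],
                                 description=inp.description, impact=inp.impact)
            by_key[key] = prof
        if inp.asset not in prof.targeted_assets:
            prof.targeted_assets.append(inp.asset)
        prof.sources.add(inp.source)
        if LEVELS[inp.impact] > LEVELS[prof.impact]:
            prof.impact = inp.impact
        prof.likelihood = likelihood_from_sources(prof.sources)
        prof.risk = risk_level(prof.likelihood, prof.impact)
    return {p.threat_id: p for p in by_key.values()}


def apply_treatment_plan(db: dict[str, ThreatProfile], plan: dict[str, dict]) -> list[str]:
    """The risk treatment plan approved by the risk owners fills the missing
    remediation fields; returns the threat IDs still open after this cycle."""
    for threat_id, entry in plan.items():
        prof = db[threat_id]
        prof.remediation_decision = entry["decision"]
        prof.remediation_owners = list(entry["owners"])
        prof.remediation_plan = entry["plan"]
    return [tid for tid, p in db.items() if not p.is_complete()]


# Constructed sample inputs for one weekly cycle (not real findings).
SAMPLE_INPUTS = [
    ThreatInput("pentest", "authentication", "weak password policy", "client-portal",
                "Pentest: short passwords accepted, no lockout", "medium"),
    ThreatInput("siem", "authentication", "weak password policy", "client-portal",
                "SIEM: credential-stuffing alerts against the login form", "high"),
    ThreatInput("access_review", "authentication", "weak password policy", "admin-console",
                "Access review: shared admin account with a static password", "medium"),
    ThreatInput("vendor_advisory", "infrastructure", "unpatched VPN appliance", "vpn-gateway",
                "Vendor advisory for the firmware version in use", "high"),
    ThreatInput("siem", "infrastructure", "port scan", "dmz-segment",
                "Alert on a scan that came from the internal vulnerability scanner", "low",
                false_positive=True),
]

# Constructed risk treatment decision, approved for the first profile only.
SAMPLE_TREATMENT_PLAN = {
    "THR-0001": {"decision": "mitigate", "owners": ["IAM team"],
                 "plan": "Enforce MFA and a stronger password policy; retire the shared admin account"},
}


def weekly_cycle() -> tuple[dict[str, ThreatProfile], list[str]]:
    """One pass over the sample data: the database and the IDs still awaiting a decision."""
    db = build_threat_database(SAMPLE_INPUTS)
    return db, apply_treatment_plan(db, SAMPLE_TREATMENT_PLAN)


if __name__ == "__main__":
    database, open_ids = weekly_cycle()
    for p in database.values():
        print(p.threat_id, p.risk, p.likelihood, p.impact, sorted(p.sources), p.targeted_assets)
    print("awaiting risk-owner decision:", open_ids)
```

Running it shows the back-and-forth the text describes: the password-policy threat is corroborated by three sources, so its likelihood and risk come out high and its remediation fields are filled from the approved plan, while the VPN advisory, seen once, is rated medium risk and stays on the list of open items for the next risk assessment round. Keying profiles on (category, vulnerability) is what lets the same weakness reported by a pentest, a SIEM alert and an access review collapse into one scenario instead of three.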