Cyber Incident Response

Vulnerability Assessment

0-2 years

Vulnerability Assessment (VA) identifies and assesses vulnerabilities proactively to establish the security and risk posture, not just to meet compliance requirements. The vulnerability assessment market is made up of vendors that provide capabilities to identify, categorize and manage vulnerabilities, including insecure system configurations, missing patches and other security-related updates in systems connected to the enterprise network directly, remotely or in the cloud. Vulnerability assessments are an important part of any comprehensive cybersecurity framework.
Vulnerability Assessment is a mature market: it is seen as a standard component of information security management, and regulatory frameworks treat it as a mandatory process. The use of MSSPs and, more recently, MDR providers to execute VA for end-user organizations continues to be popular and is growing.

Use cases

Support security operations, network asset visibility and/or compliance use cases. Security use cases include vulnerability and security configuration assessments (SCAs) for enterprise risk identification, reduction and reporting against various compliance standards.

Benefits

  • Give insight into cyber exposure so you can see where you may have holes or weaknesses within your IT attack surface (i.e. assets that connect with your network) and then plan for remediation.
  • Help you understand the actual risk your organization faces so you have a clear understanding of the impact of vulnerabilities within your environment.

Verticals

All verticals

Challenges

  • For third-party applications, gaps in coverage exist because checks for them are difficult to convert into new sales and are not widely deployed by clients.
  • Because most of the companies that develop VA products are not large vendors, scalability and enterprise management features are inconsistently developed and maintained.
  • VA coverage of the public cloud is still deficient; because cloud assets are reachable from anywhere, it is important to assess them regularly.

Cyber Threat Intelligence

0-2 years

Cyber Threat Intelligence is the information organizations use to understand what types of threats exist, and how and when they may target the organization. It is a key aspect of a security architecture that helps detect, triage and investigate threats.

Use cases

Not all TI sources apply to every organization. TI services tailored to an organization's needs can add real value to security programs; if the TI provider does not cover the adversaries that target the organization's industry, a great deal of the benefit provided by TI will be lost.

TI can be used by the CISO, IT Risk, SOC analysts and threat intel analysts, and within Incident Response, VM, Fraud, Risk, Security Ops and Security Metrics, through technologies such as FW, IPS, SIEM, Cloud Security, EDR and SOAR.

Benefits

Improves an organization's detection and response capabilities by increasing alert quality, reducing investigation time and adding coverage for the latest attacks and adversaries.

Verticals

All verticals

Challenges

  • Lack of guidance on how to use TI can lead to more noise and false positives; improper use of TI results in many false positives, so proper upfront planning of TI usage is highly important.
  • The increasing number of TI service vendors that do not provide clear insight into the capabilities they support, combined with improper configuration, leads to the effects mentioned above; few of them provide anticipatory content and curation based on customized intelligence.

Threat Hunting

0-2 years

Threat hunting activities belong to a second layer of more fine-grained threat detection. The ultimate goal of the threat hunting process is to find malicious actors already present in the environment who have the intent, capability and opportunity to cause harm. The growing availability of both the tooling and the needed expertise in data analytics makes it possible to take Threat Hunting to new levels, using the data from many already implemented solutions and thereby further improving their ROI.

Successful threat hunting activity should provide at least three visible effects:

  • Security incidents are reported only for identified and properly scoped intrusions, reducing false positives.
  • High-quality threat intelligence, combined with Indicators of Compromise that detection and remediation tools can use, is created.
  • The automation of hunting and detection capabilities gradually improves.

Red Teaming – applying an adversarial mindset, without using known threat intelligence, for the purpose of conducting an exercise – is increasingly developed within threat hunting activities.

Use cases

  • Providing context for known and unknown threats: learning from previous threats using ML and AI in order to enrich the context of a detected threat.
  • Detection of unusual behaviours and anomalies: continuous monitoring of network activity makes it possible to find anomalous behaviours (e.g. in browsers or domains) that can be considered signals of an attack in progress not yet detected by other cybersecurity countermeasures.
  • Increasing response speed by integrating data to hunt what is hiding: correlating multiple sources of security information (e.g. network and endpoints) to detect, globally and quickly, the steps of the kill chain that are taking place, in order to react before the damage materializes.
  • Hunting for enlightenment: leveraging threat hunting capabilities to distinguish normal behaviours in the Customer environment, making threat detection and response activities more efficient and focused.

Benefits

  • Proactively uncover security incidents.
  • Faster threat response, by reducing the time required for investigation.
  • Improvement of SOC efficiency, by reducing the number of false positives.
  • Reduction of the cybersecurity threats impact and risk to the Customer organization.
  • Improvement of the understanding of the threat discovery maturity for Customer organization.

Verticals

Threat Hunting services are applicable to all the verticals, though they are further developed for some of them, like manufacturing, financial or healthcare.

Challenges

  • Expert security staff is required; an alternative might be to outsource the service.
  • The time required to conduct threat hunting activities is another challenge, even when supported by machine learning tools that handle huge amounts of data.
  • The Threat Hunting process is based on a large pool of data about the behaviour of the monitored components, kept up to date with the latest changes. On top of that, machine learning systems are required to prioritize potential incidents, which are then analysed with forensic tools. All these tools require a substantial investment to accomplish the threat hunting goals, which might be a challenge for companies that cannot afford it.

MITRE ATT&CK Mapping

0-2 years

MITRE ATT&CK is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target. ATT&CK focuses on how external adversaries compromise and operate within computer information networks.

Many organizations, in the private sector and government alike, are starting to use MITRE ATT&CK as a central barometer of their operational security and threat preparedness, and the ATT&CK knowledge base as a foundation for developing specific threat models and methodologies. ATT&CK is also used to prioritize and roadmap, in a risk-driven approach, the deployment of new security use cases and projects.

At a high-level, ATT&CK is a behavioral model that consists of the following core components:

  • Tactics, denoting short-term, tactical adversary goals during an attack.
  • Techniques, describing the means by which adversaries achieve tactical goals.
  • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques.
  • Documented adversary usage of techniques, their procedures, and other metadata.

Use cases

Adversary Emulation – ATT&CK can be used to create adversary emulation scenarios to test and verify defenses against common adversary techniques. Profiles for specific adversary groups can be constructed out of the information documented in ATT&CK (see Cyber Threat Intelligence use case). These profiles can also be used by defenders and hunting teams to align and improve defensive measures.

Red Teaming – ATT&CK can be used as a tool to create red team plans and organize operations to avoid certain defensive measures that may be in place within a network. It can also be used as a research roadmap to develop new ways of performing actions that may not be detected by common defenses.

Behavioral Analytics Development – ATT&CK can be used as a tool to construct and test behavioral analytics to detect adversarial behavior within an environment. The Cyber Analytics Repository (CAR) is one example of analytic development and can be a starting point for an organization to develop behavioral analytics based on ATT&CK.

Defensive Gap Assessment – ATT&CK can be used as a common behavior-focused adversary model to assess tools, monitoring, and mitigations of existing defenses within an organization’s enterprise. The identified gaps are useful as a way to prioritize investments for improvement of a security program. Similar security products can also be compared against a common adversary behavior model to determine coverage prior to purchasing.
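The core components listed above (tactics, techniques, sub-techniques) and the defensive gap assessment use case are easiest to see in code. The following is an added example, not part of the original page or of MITRE's own tooling: it holds a small constructed excerpt of the ATT&CK Enterprise matrix (the technique and tactic IDs are real ATT&CK identifiers), a list of hypothetical detection rules tagged with the technique IDs they cover (rule names and mappings are assumptions), and reports coverage per tactic plus the techniques no rule addresses.

```python
"""Added example (not from the original page): a minimal ATT&CK coverage check.

A constructed excerpt of the ATT&CK Enterprise matrix (real technique and
tactic IDs) is compared with hypothetical detection rules tagged with the
technique IDs they cover. The output is per-tactic coverage plus the list of
techniques no rule addresses, i.e. the defensive gaps to prioritize.
"""
from collections import defaultdict

# Constructed excerpt: technique ID -> (name, tactic IDs). The IDs and names are
# real ATT&CK identifiers; a technique may sit under several tactics (T1078 does).
TECHNIQUES = {
    "T1566": ("Phishing", ["TA0001"]),
    "T1059": ("Command and Scripting Interpreter", ["TA0002"]),
    "T1078": ("Valid Accounts", ["TA0001", "TA0003", "TA0004", "TA0005"]),
    "T1003": ("OS Credential Dumping", ["TA0006"]),
    "T1021": ("Remote Services", ["TA0008"]),
    "T1486": ("Data Encrypted for Impact", ["TA0040"]),
}
TACTICS = {
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",
    "TA0006": "Credential Access",
    "TA0008": "Lateral Movement",
    "TA0040": "Impact",
}

# Hypothetical detection rules (names and mappings are assumptions). Rules are
# usually tagged with sub-technique IDs; those roll up to the parent technique.
RULES = [
    {"name": "Encoded PowerShell command line", "techniques": ["T1059.001"]},
    {"name": "LSASS memory access by unexpected process", "techniques": ["T1003.001"]},
    {"name": "Inbound mail with macro-enabled attachment", "techniques": ["T1566.001"]},
]


def parent_technique(tid):
    """Map a sub-technique ID such as T1059.001 to its parent T1059."""
    return tid.split(".", 1)[0]


def covered_techniques(rules, techniques=TECHNIQUES):
    """Parent technique IDs that at least one rule claims to cover.

    IDs outside the knowledge-base excerpt are ignored, so a typo in a rule
    tag cannot inflate the coverage figure.
    """
    return {
        parent_technique(tid)
        for rule in rules
        for tid in rule["techniques"]
        if parent_technique(tid) in techniques
    }


def coverage_by_tactic(rules, techniques=TECHNIQUES):
    """Return {tactic_id: (covered, total)} counting techniques under each tactic."""
    covered = covered_techniques(rules, techniques)
    counts = defaultdict(lambda: [0, 0])
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            counts[tactic][1] += 1
            if tid in covered:
                counts[tactic][0] += 1
    return {t: tuple(c) for t, c in counts.items()}


def uncovered_techniques(rules, techniques=TECHNIQUES):
    """Techniques with no detection rule at all, sorted by ID."""
    covered = covered_techniques(rules, techniques)
    return sorted(tid for tid in techniques if tid not in covered)


def coverage_report(rules, techniques=TECHNIQUES, tactics=TACTICS):
    """Human-readable summary: one line per tactic, then the gap list."""
    lines = []
    for tactic_id, (hit, total) in sorted(coverage_by_tactic(rules, techniques).items()):
        lines.append(f"{tactic_id} {tactics[tactic_id]:<20} {hit}/{total}")
    gaps = ", ".join(f"{t} ({techniques[t][0]})" for t in uncovered_techniques(rules, techniques))
    lines.append("No detection: " + gaps)
    return "\n".join(lines)


if __name__ == "__main__":
    print(coverage_report(RULES))
```

Because Valid Accounts sits under four tactics, a single uncovered technique leaves gaps in Initial Access, Persistence, Privilege Escalation and Defense Evasion at once; that is the kind of multiplier a per-tactic view exposes and a flat rule count hides.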

SOC Maturity Assessment – ATT&CK can be used as one measurement to determine how effective a SOC is at detecting, analyzing, and responding to intrusions.

Cyber Threat Intelligence Enrichment – ATT&CK is useful for understanding and documenting adversary group profiles from a behavioral perspective agnostic of the tools the group may use. The structured format of ATT&CK can add value to threat reporting by categorizing behavior beyond standard indicators. Multiple groups within ATT&CK use the same techniques. For this reason, it is not recommended to attribute activity solely based on the ATT&CK techniques used. Attribution to a group is a complex process involving all parts of the Diamond Model, not solely on an adversary’s use of TTPs.

Benefits

  • Offers teams a blueprint with focused direction for detection efforts;
  • Can be valuable in evaluating current tools and the depth of coverage around key attack techniques;
  • Helps in making better decisions about assessing risk and deploying new security controls.

Verticals

All vertical industries are included, with a focus on organizations that have significant brand presence or high-risk profiles. Some vendors are expanding their focus on midsized organizations by providing prepacked, easier-to-consume offerings at a lower price.

Challenges

  • Finding a practical way to apply the overwhelming amount of information and to synthesize the framework into a strategic plan.
  • The different names that organizations give to the same adversary group when tracking its activity can be a challenge.

Digital Surveillance

0-2 years

Digital Surveillance tools are part of threat intelligence activities, and focus on dark web monitoring and social media monitoring.

Such tools and services reveal information exposure (data leakage) and contribute to better protection against reputational damage, credential leakage and the like.

Use cases

The recent pandemic has forced many governments to gather data on mobile users to track their movements and trace potential cases should a user test positive for the disease. Another use is national security: governments around the world are changing or modifying data privacy laws to make digital surveillance easier in case there is a threat to national security. Retail organizations use this technology to check on possible shoplifters or to gather data on which products get more attention based on where they are placed in the store.

Benefits

  • Digital Surveillance tools can give organizations a major advantage: identifying whether they are a target, prioritizing patching lists and putting better security systems in place.
  • Time is essential when it comes to an attack: knowing about a vulnerability before an attacker can exploit it gives a chance to avoid damaged brand reputation, sensitive data leaking to the public, etc.

Verticals

  • Government
  • Health care
  • Manufacturing
  • Retail
  • Defense
  • Banking
  • Information technology

Challenges

  • To adopt this solution, a good knowledge of the criminal underground is required.
  • Visibility – Even if you have knowledge, monitoring activities in such a specific area is a challenge.
  • Some expertise is necessary to identify the potential risk of an attack or interest of threat actors in attacking organizations.

Automated Threat modeling

2-5 years

Threat Modelling is a method for designing secure systems by implementing a risk-based approach. Automating threat modelling provides the means for building secure systems in a repeatable and methodical way with little to no human intervention.

Use cases

  • Automated response: proper security response can be developed for specific attacks in a repetitive way;
  • Reduce human error: by automatically assessing threats as well as responses the human error factor is greatly reduced;
  • Risk management: based on risk, possible threats can be categorized and prioritized accordingly and a mitigation applied to the threats with the biggest score or potential for business loss.

Benefits

Threat Modelling identifies possible vulnerabilities and threats. Doing this in an automated way greatly decreases the chances that an attack is successful, as well as reducing the time and human effort needed for the implementation.

Verticals

All vertical industries are included, with a focus on organizations that have significant brand presence or high-risk profiles. Some vendors are expanding their focus on midsized organizations by providing prepacked, easier-to-consume offerings at a lower price.

Challenges

Threat Modelling heavily relies on very good understanding of the business infrastructure and processes. Introducing errors or missing information can have a negative impact on an automated approach. This could also lead to improper security response used during an attack.

Security rating services

2-5 years

Security Rating Services provide continuous, independent cyber security scoring and rating for enterprises based on the information about them available on the internet. They collect public and private information from multiple sources without being intrusive, and from that data derive a score for the organization's security posture using their own tools and methods. These services are useful for the multiple use cases shown below, though they should not be considered a complete approach to monitoring security status.

Use cases

  • Continuously assess the security posture of an organization (Customer or provider) and allow comparison with competitors.
  • Assess the security posture of a cloud service.
  • Help manage the security risk of a business partner or a service provider.
  • Improve the selling process by showing the seller's security posture in comparison with others.
  • Support Mergers and Acquisitions (M&A) processes when it comes to security status.

Benefits

  • Reduce the cost of demonstrating a good security posture.
  • Handle third-party risk in almost real time at lower cost.
  • Allow security topics to be included in M&A processes.
  • Detect security issues in a proactive way.
  • Improve the vendor selection criteria used by Procurement.
  • Non-intrusive approach, as no deployments are required.
  • Flexibility based on a subscription model.

Verticals

All vertical industries are included, with a focus on organizations that have significant brand presence or high-risk profiles. Some vendors are expanding their focus on midsized organizations by providing prepacked, easier-to-consume offerings at a lower price.

e-GRC tools

2-5 years

GRC means governance, risk management, and compliance. It is a concept that describes how a company works to achieve its targets. Governance shows what management is doing to achieve the company’s objectives. Risk Management means forecasting and anticipation; it creates a “crumple zone” that protects the company against the impact of financial risks, in the shape of procedures, policies and software. Compliance is a company’s ability to follow laws and rules. E-GRC is similar to GRC; the E stands for Enterprise. E-GRC shows how a company manages risk and compliance by following strict procedures, controls, policies and risk monitoring. The tools are software that help companies achieve these goals.

Use cases

E-GRC tools are used for: Audit Management, Policy Management, Vendor Management, Enterprise Risk Management, Incident Management, Financial Reporting, Plugin Portal, SOX and Internal Controls, IT Governance and Security, Environmental Health and Security, and Business Continuity.

Benefits

E-GRC tools enhance the governance program by organizing all manual tasks and reaching all business levels. They automate those tasks, which means people gain time by no longer maintaining spreadsheets and meeting silos. They keep track of all the policies the company has. All platforms are cloud based.

Verticals

  • Banking
  • Financial Services
  • Credit Unions
  • Education
  • Government
  • Healthcare
  • Insurance
  • Manufacturing
  • Charities and non-profit organizations
  • Telecom and IT
  • Transportation

Threat Intelligence platform

2-5 years

Threat Intelligence Platform provides the means for different security teams to aggregate, correlate, and analyze threat data that come from different sources (internal/external). It helps identify threats by going through large amounts of feeds and log information coming from different sources and devices in order to identify Indicators of Compromise which in turn help build a proper security defense strategy.

Use cases

  • Correlation: as per the MITRE models, identifying patterns in an attack can significantly reduce its impact or even deflect the attack;
  • Enrichment: the capability to add useful information to any Indicator of Compromise increases the value and usefulness of the threat intelligence feeds;
  • Dissemination: being able to share threat information significantly enhances the capability of security teams from different departments/regions/countries to manage and reduce the impact of an attack.
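The correlation and enrichment steps above, and the Cyber Threat Intelligence section's point that TI only pays off when it is matched against the organization's own data, can be shown with a few lines of code. The following is an added example, not code from the original page or from any TIP vendor: a constructed set of indicators (as if aggregated from several feeds, with hypothetical feed names), constructed key=value log lines from a DNS sensor, a firewall and an endpoint agent, and a small correlator that matches, enriches each hit with the feed's metadata, and groups hits per host so they can be ranked.

```python
"""Added example (not from the original page): IoC correlation and enrichment.

Constructed log lines are matched against a small set of indicators, as if
aggregated from several feeds; each hit is enriched with the feed's metadata
and the hits are grouped per host so an analyst can rank hosts to look at.
All indicator values, feed names and host names are made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str       # the observable (IP, domain or file hash)
    ioc_type: str    # "ip", "domain" or "sha256"
    source: str      # feed that supplied it (hypothetical feed names)
    confidence: int  # 0-100, as assigned by the feed


# Constructed indicator set; the same IP appears in two feeds, which is common
# once several sources are aggregated and is what enrichment has to reconcile.
FAKE_HASH = "0123456789abcdef" * 4  # constructed 64-hex placeholder, not a real sample
INDICATORS = [
    Indicator("198.51.100.23", "ip", "feed-A", 80),
    Indicator("bad-updates.example", "domain", "feed-B", 65),
    Indicator("198.51.100.23", "ip", "feed-C", 90),
    Indicator(FAKE_HASH, "sha256", "feed-A", 95),
]

# Constructed key=value log lines (documentation IP ranges, reserved example TLD).
LOG_LINES = [
    "ts=2024-01-01T10:00:01Z host=ws-17 event=dns query=BAD-UPDATES.example",
    "ts=2024-01-01T10:00:03Z host=ws-17 event=conn dst=198.51.100.23 dport=443",
    "ts=2024-01-01T10:01:10Z host=srv-02 event=conn dst=203.0.113.9 dport=22",
    f"ts=2024-01-01T10:02:00Z host=ws-17 event=file sha256={FAKE_HASH}",
]


def build_index(indicators):
    """Index indicators by lower-cased value so each log field is one lookup."""
    index = defaultdict(list)
    for ind in indicators:
        index[ind.value.lower()].append(ind)
    return index


def parse_line(line):
    """Parse a key=value log line into a dict (values are kept as strings)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def match_line(fields, index):
    """Return (field, Indicator) pairs for every field value found in the index."""
    return [
        (field, ind)
        for field, value in fields.items()
        for ind in index.get(value.lower(), [])
    ]


def correlate(lines, indicators):
    """Group enriched hits per host: {host: [hit dict, ...]}."""
    index = build_index(indicators)
    by_host = defaultdict(list)
    for line in lines:
        fields = parse_line(line)
        for field, ind in match_line(fields, index):
            by_host[fields.get("host", "unknown")].append({
                "ts": fields.get("ts"),
                "field": field,
                "value": ind.value,
                "type": ind.ioc_type,
                "source": ind.source,
                "confidence": ind.confidence,
            })
    return dict(by_host)


def host_score(hits):
    """(highest confidence seen, number of distinct indicators): a simple ranking
    key, so one high-confidence hit or several corroborating ones both float up."""
    return max(h["confidence"] for h in hits), len({h["value"] for h in hits})


def ranked_hosts(lines, indicators):
    """Hosts with at least one hit, most suspicious first."""
    by_host = correlate(lines, indicators)
    return sorted(by_host, key=lambda h: host_score(by_host[h]), reverse=True)


if __name__ == "__main__":
    for host, hits in correlate(LOG_LINES, INDICATORS).items():
        print(host, host_score(hits))
        for hit in hits:
            print("  ", hit)
```

Matching is case-insensitive because DNS names arrive in whatever case the client sent; the two feed entries for the same IP are both kept on the hit, so an analyst sees that the indicator is corroborated rather than a single feed's opinion.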

Benefits

Having the proper intel on potential attacks or threats can greatly increase the chances of disrupting an attack that targets a specific business. The response time is significantly reduced in case of a security incident and the proper tools and methods can be used without using additional resources.

Verticals

Threat intelligence covers different verticals, ranging from IoT devices to controllers and terminals found in OT as well as many IT devices. It can provide useful information for public sector industries, the medical sector, banking and social media, among others.

Challenges

One of the challenges of adopting and implementing a Threat Intelligence Platform is the volume of threat information that needs to be filtered, analyzed and processed. Another challenge is having the proper processes in place for addressing specific threats. Combining strong security controls with proper tools (including the use of AI/ML) can help overcome some of these challenges.

Threat & Vulnerability Management

2-5 years

Threat and vulnerability management is the process of identifying and remediating security threats and weaknesses and modelling their potential risk.
This covers the following areas:

  • Secure Configuration Assessment
  • Vulnerability Assessment and Management
  • Vulnerability Remediation and Mitigation
  • Threat Intelligence
  • Threat Simulation
  • Penetration Testing
  • Security Awareness and Training

Use cases

  • Discovery
  • Prioritization
  • Remediation

Benefits

Vulnerability management tools first assess the network, then prioritize remediation so that the most significant issues are addressed first. Conducting more extensive scans delays remediation while the scan runs, leaving weaknesses found early in the scan unresolved until it completes. Remediation should happen quickly, and according to the vulnerability software’s prioritization schedule. Eliminating network weaknesses reduces dependence on perimeter intrusion detection technologies.
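The discovery, prioritization and remediation cycle described here (and the Vulnerability Assessment section earlier on this page) turns on one question: in which order do findings get fixed? The following is an added example, not code from the original page or from any vulnerability management vendor. Assets, findings and the weighting are all constructed, the vulnerability identifiers are placeholders, and the scoring formula is one reasonable choice (severity times business criticality, scaled up by exploit availability and internet exposure), not any product's algorithm.

```python
"""Added example (not from the original page): risk-based prioritization of
scanner findings. Assets, findings and the weighting are all constructed; the
scoring formula is one reasonable choice, not any vendor's algorithm.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int         # 1 (disposable) .. 5 (crown jewel), set by the business
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str             # placeholder identifiers, not real CVEs
    cvss: float              # CVSS base score, 0.0 .. 10.0
    exploit_available: bool  # public exploit or active exploitation known
    patch_available: bool


# Constructed inventory and scan output.
ASSETS = {
    "web-01": Asset("web-01", criticality=4, internet_exposed=True),
    "db-01": Asset("db-01", criticality=5, internet_exposed=False),
    "lab-07": Asset("lab-07", criticality=1, internet_exposed=False),
}
FINDINGS = [
    Finding("web-01", "VULN-PLACEHOLDER-1", 9.8, exploit_available=True, patch_available=True),
    Finding("db-01", "VULN-PLACEHOLDER-2", 7.5, exploit_available=False, patch_available=True),
    Finding("lab-07", "VULN-PLACEHOLDER-3", 10.0, exploit_available=True, patch_available=False),
    Finding("web-01", "VULN-PLACEHOLDER-4", 5.3, exploit_available=False, patch_available=True),
]

# Assumed weights: exploitability and exposure act as multipliers on
# severity x business criticality (at most 10 x 5 = 50 before multipliers).
EXPLOIT_MULTIPLIER = 1.5
EXPOSURE_MULTIPLIER = 1.25
# An asset missing from the inventory is treated conservatively rather than
# dropped: unknown assets are exactly the ones that get forgotten.
UNKNOWN_ASSET = Asset("unknown", criticality=3, internet_exposed=True)


def risk_score(finding, assets=ASSETS):
    """Severity x criticality, scaled up when an exploit exists or the asset is exposed."""
    asset = assets.get(finding.asset, UNKNOWN_ASSET)
    score = finding.cvss * asset.criticality
    if finding.exploit_available:
        score *= EXPLOIT_MULTIPLIER
    if asset.internet_exposed:
        score *= EXPOSURE_MULTIPLIER
    return round(score, 1)


def prioritize(findings, assets=ASSETS):
    """Findings ordered by descending risk score, ties broken by raw CVSS."""
    return sorted(findings, key=lambda f: (risk_score(f, assets), f.cvss), reverse=True)


def remediation_plan(findings, assets=ASSETS):
    """Split the ranked list into what the patch cycle can close and what needs
    a compensating control (a finding with no patch available cannot be patched)."""
    plan = {"patch": [], "mitigate": []}
    for f in prioritize(findings, assets):
        plan["patch" if f.patch_available else "mitigate"].append(f.vuln_id)
    return plan


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk_score(f):6.1f}  {f.asset:<7} {f.vuln_id}  cvss={f.cvss}")
    print(remediation_plan(FINDINGS))
```

Note what the ordering does with the constructed data: the CVSS 10.0 finding on the isolated lab box lands last, below a 7.5 on the crown-jewel database, which is the whole point of prioritizing by risk rather than by raw scanner severity.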

Verticals

All verticals

Challenges

  • Vulnerability reports can be overwhelming.
  • Not enough resources.
  • Threats need to be prioritized.

VR/AR Security Awareness Training

5+ years

VR/AR Security Awareness training consists of leveraging immersive technologies such as Virtual Reality and Augmented Reality to educate users about information security.

Use cases

VR/AR is better suited to specific activities within a Security Awareness training program that take users through threat scenarios: not only do users engage more, but the data captured from the user also helps to analyze the learning experience better (e.g. eye movement when reading a phishing email, sweating, finger response when clicking on the window, etc.).

Benefits

VR and AR have been identified as the next step in the evolution of education (more interest from users, more engagement, better comprehension, an immersive experience), so leveraging such features in Security Awareness programs helps to make those exercises more effective.

Verticals

Any vertical can adopt VR/AR in its Security Awareness training programs, but those already used to such technologies have the best chance of becoming early adopters and benefiting from it. Good examples are the Manufacturing, Resources, Healthcare and Hospitality verticals, which are adopting VR/AR technologies in their business processes, such as Digital Twins, remote VR assistance or VR tours.

Challenges

The technology behind VR/AR is still at an early stage. There are still no well-established standards for these technologies with regard to education, so each vendor comes with its own ad-hoc solution, which might raise concerns about support, scalability or interoperability.

Such emerging technologies come at a cost, so budget might create a challenge versus other more traditional training methods.

AI-Powered cyber range

5+ years

An AI-powered Cyber Range will transform the approach to Cyber Range exercises and simulations by autonomously generating new exercises based on Cyber Threat Intelligence updates, the evolution of the environment's security posture and the analysis of previous teams’ performance. This is a major change from a static virtual simulation environment to an environment that learns from its surroundings to propose tailored training simulations.

They help new and seasoned security specialists take part in simulated real-world scenarios, for training purposes or to see new threats and attack tactics.

Use cases

  • Training Security Analysts and Security Incident Response teams to improve detection and response metrics, play out different scenarios and experience first-hand how to react to specific threats. The use cases range from research and testing to digital forensics analysis, SOC training and capture-the-flag exercises.
  • Security Awareness for a larger audience: employee security training that helps them better understand security issues and speeds up the training.

Benefits

  • With an AI-powered Cyber Range, organizations can train their personnel against real-world threats and focus on improving the performance of the security teams. It can also bring different parties together around test scenarios, for instance company security teams, security service providers, vendors and representatives of national security agencies.
  • It can also help validate the operational readiness of teams with respect to emerging threats or an ongoing cyber-attack campaign.
  • With an AI-powered Cyber Range, security experts do not need to spend much time developing test scenarios, as these are generated and prepared automatically and autonomously.

Verticals

All verticals

Challenges

Having a dedicated AI-cyber range comes with high cost in both infrastructure and resources.

Dynamic risk-based security

5+ years

A risk-based approach to security helps companies build security strategies that are customized to their environment, specific industry threats as well as business objectives. Continuously monitoring and updating the security strategy helps a business to stay up to date in a rapidly changing threat environment.

Use cases

  • Dynamic risk management response: based on threat modelling, having a dynamic automated response to threats can greatly speed up incident response and improve security posture.
  • Continuous security strategy improvement: by constantly updating the risk-based security framework policies and control mechanisms, a company will be up-to-date and prepared for new threats and vulnerabilities that might affect their environment.

Benefits

The main benefit of the technology is that it allows companies to keep up with the latest threats and vulnerabilities that might impact their environment. It provides a flexible security framework which can be expanded and adapted as needed.

Verticals

All verticals

Challenges

As the threat landscape changes, the security framework needs to be continuously adapted and updated. This implies that security teams must be always up to date and capable of responding or mitigating the latest threats. Although it can help reduce the risk, zero-day attacks are a big challenge for this security approach.

Augmented reality threat modeling

5+ years

Threat Modelling is a method for designing secure systems by implementing a risk-based approach.

Extending the process with augmented reality helps security experts enhance their experience when interacting with physical security devices, or even when visualizing threat model flows.

Use cases

  • Enhancing physical security: by providing the means to visualize the path an adversary could take through a building or facility, physical security can be increased;
  • Physical device security assessment: by using RFID tags or QR codes attached to security devices, a security engineer can quickly walk through and assess the security posture of physical devices.

Benefits

  • Having the capability to assess at a glance the security posture of physical devices.
  • Extending the visualization experience for threat model flows.

Verticals

As this is a new domain, the main verticals that could benefit from this would be the IT sector as well as the ICS area.

Challenges

As it is a relatively new technology, it comes with a high implementation overhead. Adding tags to physical devices or designing flows for this technology can be cumbersome or costly.

Targeted security awareness

5+ years

People influence security more than technology or policy, and cybercriminals know how to exploit human behaviors.

By 2022, 60% of large enterprise organizations will have comprehensive security awareness training programs, with at least one dedicated full-time equivalent (FTE) for fulfillment.
Gartner defines Targeted Security Awareness as a set of activities and objectives that elevates security competencies and motivates employees to make better decisions in line with the organization's data security posture. The organization’s education process should prepare staff for decisions that align with enterprise security performance objectives and expectations.

Use cases

  • Change employee’s behavior and attitude towards cyber threats
  • Target improvements for social engineering defense
  • Training programs can target a diverse audience within the organization
  • Embed a Cyber Security culture within the organization
  • Collect feedback from the groups for the program improvement
  • Improve overall security and compliancy posture within the organization
  • Risk and responsibility management

Benefits

Training staff with the information required to recognize and react to cyber threats mitigates risk and embeds a culture of Cyber Security awareness within the organization. Security awareness helps organizations shift employee mindset and behaviour, reduce human error and mitigate security risks, and enhance organizational resilience against cyber threats, which also demonstrates regulatory compliance.

Verticals

All verticals

Challenges

Ultimately, security is a people problem. People are often a key target for cybercrime and cyber-attacks are continuing to increase in size, sophistication and cost. Studies show 90% of data breaches are caused by human error.

Autonomous & Integrated Threat Hunting

5+ years

Autonomous and integrated threat hunting (ATH) analyzes data using advanced machine learning that mimics human analysts at machine speed, and will speed up your detection, investigation, and hunting operations.

Use cases

  • When threat hunting, many analysts or teams may feel overwhelmed by data while trying to find a single drop of malware. Third-party tools can augment hunts through automated detection and link analysis tools that enrich data and help visualize and display data relationships.
  • Helps in reducing/discovering lateral movement and insider threats.

Benefits

  • Significant improvement in the attack surface.
  • Reduce threat hunting time.
  • A fully autonomous approach to threat hunting allows security teams to overcome the data overload and hunt down leads autonomously.

Verticals

Public Sector Organizations and Enterprises.

Challenges

The lack of experienced hunters in the market.