Release #1: Cyber Defense in highly regulated Markets - Intro
Today, in the middle of the 21st century terms like "Cyberwar" and "Cybercrime" are omnipresent in our society. Fortunately the Cyberwar is (yet) no real war between states; instead it is a mixture of sabotage, espionoage, psyops, manipulation of information and as well the theft of money(1)(2)(3). The relams of nation-state hackers and cyber crimnals and also tradional crimnals overlap because it is oportunistic ("Go where the money is.").(4)
Between the 80s and the 90s of the 20th century our current situation was mostly just in the heads of computer nerds and cyberpunk authors. Some of the computer freaks stepped over the border, people that were called "Hackers" pushed the technology and thinking beyond its intention and limits, found failures (bugs) in the systems and codes to get control over telephone and computer systems for fun and to learn how they work. In these days every bigger IT company had their own Unix-flavor with their own hardware platform like AIX on a RS/6000 using a PowerPC CPU, IRIX running on MIPS, SunOS on SPARC machines and so on; at that time it was a privilege to get online, connected to a wider (but still small compared to the Internet today) virtual world, and to access other systems than the local x86 PC office LAN.
A lot of technologies evolved during the late 80s and 90s, the economic interest rised and a lot of "stupid money" looks for a way to get invested, with the result that at the beginning of the new century the Dot-Com bubble bursted. The burst caused a lot of "casulties" in the IT world, even for the big and successful ones, but the digital revolution wasn't stopped, it was in the process of breaking through to what we see and live in today.
New technologies allowed new businesses or new ways for the "old" business. New ways of making money attracted criminlas, hackers, and rogue governments alike.
Cyberattacks became the new major threat in our civilized, digital life which affects the whole society and everyone is a target for criminals and Spooks, because they are all opertunistic, they always grab the low hanging fruit. (5)(6)
That is the reason why high profile targets like banks, the energy industry, insurance companies and the pharma industry are labled as critical infrastructure (in Germany subsummed as "Kritis") which are regulated by law, industry norms and mandatory standards. (7)
News about unautorized survailance of children's rooms using insecure but cloud-connected smart toys, millions of stolen money, manipulated heavy industrial facilities, or even the death of humans are no curiosity anymore and are even part of the mainstream media channels.(8)(9)(10)
This new threat can't be stopped at state borders. Police officers do not see Cybercriminals on the street in front of a bank, or an adversary nation connot be deterred by a big army, therefore traditional ways of governments to prevent and control crimes and espionage are not effective in the Cyberspace.
Governments and companies seek ways to get back control. New and adapted laws get approved, regulatory requirements get stricter and cover more fields of our daily life, industry standards like HIPAA, PCI-DSS, SWIFT CSCF and the well-known ISO 27000 series became mandatory in our ecosystems with the result that campanies create corporte policies and add the CISO (Chief Information Security Officer) role to their company structure and more ond more often as part of the executive board team.
This omnipresent, multi-level threat leads to a situation that makes everyone responsible. Citizens are responsible to protect themselves, their private data and devices but also as employees for a company or organisation. SME and big Enterprises as well as NGOs need to adress the new risk. In addition to the new regulatory requirements, governments seek for a public-private partnership, for exmple Germany's Cybersecurity strategy describes the cooperation with the private sector as important. (11) This cooperation is very important for Germany, a country where the core of our economy is build by specialized SMEs and not by a few multicorporate enterprises, which have the money and human resources to build an individual governance and information security organization.
All these organisational and legislative steps are important and build the ground for a holistic Cyberdefense from a government perspective.
Nevertheless in the last 5 to 10 years, as Cybercriminals and nation-state hackers became more and more professional, ruthless and unethical, it became very clear that corporate information security policies, risk management and the CISO role are not effective enough. Therefore Security Operation Centers and Cyber Defense Centers were build to combine the technology and knowledge to fight back Cyberattacks at the frontier and bring the lessons learned back to the management board to make the needed adjustments. These frontier fighters are only one piece in the strategy but an important one.
Running a Cyber Defense Center (or advanced Security Operation Center) is todays' non plus ultra when it comes to Cyberdefense. For example the banking auditors I got in touch with always considered a SOC/CDC as a must have.
This high demand surely exists in other market segments like energy, insurance, health and pharma too. Therefore I think it is worth talking about the experiences I made and share it with you. I will not recommend any technical solution, or vendor, even if it might happen that I name some vendors ocassionally. Additionally I will not share any sensitive internals of current and former employers but will build a picture of what I learned is best (which might not be what we implemented and might not be what you need). At the end you are responsible to decide what works best for your environment.
With the upcoming blog entries I would like to show you how a possible CDC can look like, how to integrate the CDC in your company structure, which regulatory and industry requirements (in finance) can be covered by a CDC, how to lead the people in the CDC, and much more.
Digitalization is the most important change of our century (so far) and we are only scratching the surface while we are sitting on a thin layer of our vulnerable IT systems, which are designed about 60 years ago.
The upcoming blog entries will introduce a basic CDC model, the terminology, frameworks, standards and so on.
Best,
Thomas
(1) European Unioan (EU) Institute for Security Studies (ISS): Hacks, leaks and disruptions – Russian cyber strategies: https://www.iss.europa.eu/content/hacks-leaks-and-disruptions-%E2%80%93-russian-cyber-strategies
(2) Booz, Allen, Hamilton: The Logic Behind Russian Military Cyber Operations. https://www.boozallen.com/c/insight/publication/the-logic-behind-russian-military-cyber-operations.html
(3) Bank Info Security: 5 SWIFT Cyber Heist Investigations: https://www.bankinfosecurity.com/5-swift-cyber-heist-investigations-a-9160
(4) Bank Info Security: Nation-State and Cybercrime Gangs: Lines Blur: https://www.bankinfosecurity.com/nation-state-cybercrime-gangs-lines-blur-a-11100
(5) Malwarebytes Labs:
Under the hoodie: why money, power, and ego drive hackers to cybercrime: https://blog.malwarebytes.com/cybercrime/2018/08/under-the-hoodie-why-money-power-and-ego-drive-hackers-to-cybercrime/
(6) ENISA Threat Landscape 2020: https://www.enisa.europa.eu/news/enisa-news/enisa-threat-landscape-2020
(7) IT-Kritis: https://www.kritis.bund.de/SubSites/Kritis/EN/strategy/strategy_node.html
(8) Threat Post: https://threatpost.com/serious-security-flaws-found-in-childrens-connected-toys/151020/
(9) thyssenkrupp, statement on cyber-attack 2016: https://www.thyssenkrupp.com/en/newsroom/dataprotection
(10) NY Times, Cyber Attack Suspected in German Woman's Death: https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html
(11) BMI, Nationaler Pakt Cybersicherheit: https://www.bmi.bund.de/DE/themen/it-und-digitalpolitik/it-und-cybersicherheit/nationaler-pakt-cybersicherheit/nationaler-pakt-cybersicherheit-node.html