03 May ECA Webinar on Cybersecurity: Better know your enemy to build victory!
On April 26, 2022, the ECA gathered 5 excellent speakers to discuss Threat detection and Vulnerability assessment.
Although it may look technical, this topic is of key importance, as cyber-attacks have never been so intense. The first step to building robust protection is to know what can happen and how hackers work, and then to make sure you have an up-to-date evaluation of your risks.
The ECA is grateful to our speakers:
- Frédéric Le Bastard, president of INTER-CERT France, a structure that organizes the circulation of information about threats among all the watch teams;
- Pierre Calais, VP of International Sales for EGERIE, a French company delivering risk assessment tools and services;
- Cody Barrow, Intelligence VP for ECLECTICIQ, a Dutch company providing threat detection services and XDR capabilities;
- Fabien Dombard, VP Strategy and Business development for SEKOIA, a French company providing threat detection and analysis.
Many questions were on the table: What tools are used? How efficient are they? What are the benefits for users? How do public services and private players cooperate to confront cybercrime? How is Europe faring in this field?
And, to start, let’s all remember that cyber-attacks are by no means behind us; on the contrary, they hit where it hurts. Please refer to this recent attack against a French group of health facilities, reported by « L’Usine Digitale »: L’hôpital de Vitry-le-François en proie à un ransomware, des données personnelles dérobées (usine-digitale.fr)
All speakers converge on some key points. In summary:
- Threat detection is now handled by many structures, some public, some organized at a « vertical » level (for instance, the Finance sector), and some internal to large companies. These structures tend to cooperate more and more. This is true at the scale of France, thanks to the network of CERTs (Emergency Response Teams) and its INTER-CERT umbrella organization. This network comprises some 60 teams with some 500 experts. This is also the case in other European countries, as well as at the European scale, with the network of CSIRT teams mobilizing some 300 experts. In the USA, the trend is the same, even though some cultural aspects trigger differences from Europe.
- To better detect threats, cooperation between public and private sectors has now matured, especially in Europe. This is partly thanks to the pandemic, which has changed our ways of working and has seen a dramatic increase in attacks.
- Vulnerability assessment is about detecting the weaknesses of a specific IT system. But it’s easy, alas, to find hundreds of flaws and weaknesses. So the real challenge is to make sure of the quality of the alerts, and to have a clear view of what the impacts could be: which risks could lead to a disruption in operations, a financial disaster, or a negative image. The real challenge is to understand which key assets are at risk and to decide what risks have to be treated as a priority.
- All this leads to a communication question. People in charge of Cybersecurity need to speak to their colleagues, as one critical vulnerability is staff behavior and level of awareness. They also need to speak to top management, as the decision to invest in reducing the risks will be taken at that level. Some tools provided by risk assessment will be useful, as they « translate » technical findings into management data. But on the other hand, CISOs have to learn to « speak business »: no EXCO will listen to too technical a presentation, but they will certainly listen to a short report giving evidence of potential business impacts.
- Going one step further, a question can be raised about the position of CISOs within their company. So far, the dominant case is that they report to CIOs. Some organizations are building a risk management department, with CISOs as part of it. For those who advocate such a system, the advantage is that the CISO is seen as protecting business and assets, rather than as a pure IT technician.
- In a nutshell, it’s all about going from threat and risk detection to the planning of risk reduction. It’s all about shifting from a defensive position to building real cyber resilience for the long term, which should be based on better anticipation and efficient, proven plans to recover in case of disaster. The NIST framework is precisely an attempt to encourage going that way. The EU is working on translating such a framework into European regulation.
- Finally, are these tools and approaches good for large organizations only? Are they dedicated to the Fortune 100? It’s true that when it comes to SMEs, a lack of means makes it harder to prioritize cybersecurity. The good news is that efforts are being undertaken in that direction. For instance, in France, CERTs are beginning to be set up at the regional level, a layer more within reach of SMEs. Germany is also active, given the weight of the Mittelstand (SMEs) there.