In my role as Account Manager at F-Secure I have the advantage of working daily with intelligent colleagues who know a lot about topics such as AI, Machine Learning and Cybersecurity in general. It seemed interesting to me to conduct a number of interviews with my colleagues on these topics.
Below is an (English) rendering of the conversation I recently had with Jonas Lundberg, managing director at F-Secure Consulting in Finland.
F-Secure uses the Gartner 360 approach for cyber security, so: Predict, Prevent, Detect and Respond. Can you tell us a bit about what F-Secure means by that from your point of view?
“It’s important to understand that our main driver at F-Secure Consulting is solving the challenges of our clients with the competences and capabilities we possess. The Gartner 360 degrees model is a simple way of displaying and understanding the main areas of a holistic cyber security approach. I feel it matches our thinking at F-Secure well, hence it’s a good way of presenting our services and thinking at F-Secure. The important part for our clients is that it maps how services relate to the different challenges within cyber security. At the same time we have a reference point to Gartner which makes it easier for our clients to relate to the approach.”
How does red, blue, purple and gold teaming fit in that picture? And how does your business unit help customers with that?
“You are referring to what we call ‘Rainbow teaming’ as an umbrella term for all of these. Personally I’m very excited about these services, and even if I’m biased to say so, I think all organizations (mid-enterprise size) should run at least some of these exercises on a regular basis. These services have been derived from industry advancement in recent years and describe our thinking in consultancy very well. They enhance the development of an organization’s cyber security across all of the four pillars of Gartner 360 – Predict, Prevent, Detect and Respond. The following presents each approach briefly.
Blue team exercises: improving the defence and resilience of an organization
Our blue team assignments often focus on assessing the readiness and capability to respond to an attack by simulation. This gives a good, realistic view of the current resilience of the client organization. The outcome of a blue team exercise is clear recommendations and improvements to the mentioned readiness and capability, and the clients will have a better understanding of what to do to improve their key detection and response measures. This exercise speaks pretty directly to the detect and respond sectors of the Gartner 360 model.
Red teaming exercise: simulating a realistic, real life cyber attack with specific objectives that would undermine the organization’s ability to operate
In order to perform a successful red team exercise, the objectives need to be aligned with business risks, collaborative learning needs to be ensured, and tactics and techniques need to be realistic. Although this is a very intriguing and interesting approach in all its realism, it’s not suitable for all organizations. If you know your security maturity is low-ish, start with something else like purple teaming. Otherwise I would say that red teaming touches upon the full Gartner circle.
Purple teaming: collaborative and done in close cooperation with the client
The purpose is to collaborate on mapping the most potential attack routes, or paths, that an attacker would take when targeting your organization. This is called attack path mapping and it provides a very visual map of the most potential, high risk entry paths. Based on this we build attacks to test those paths, measure the success of the attacks and monitor the detection capabilities of your organization. With all this collaborative learning and improvement, this is my personal favorite as the value delivered is extremely high. I would place this partly in the predict and partly in the detect and respond areas of the Gartner circle.
Gold teaming: AKA a crisis management exercise
It’s about evaluating your organization’s capability to manage a company wide cyber crisis. Aimed at the company executive level and essential functions, this is quite different in nature compared with the three other ones. In short, we build a realistic cyber breach case with considerable business impact and practise the management and response thereof from multiple angles. Organization, decision making, communication, internal stakeholder management and response actions are all tested in a stressful scenario to provide valuable input on how to improve crisis management and recovery when a real or potential business disturbance is present.
Common to all of these services is that areas of both strengths and weaknesses are reported and highlighted. Our recommendation is that these are performed sequentially and continuously, because this enables organizations to utilize the outputs from each development area and measure incremental improvement. It’s important to understand that your business aspects and your security maturity, posture and desired state define what approach to take, in which order and when.
You can download our interesting whitepapers on each of these four services on our web page. Each paper in this four-part series explores one such testing approach through the eyes of the teams. It’s good reading and much recommended!”
Where do you think most companies are when it comes to cyber security maturity?
“I don’t think it’s relevant or even possible to give general estimations of maturity. Cyber security should always be assessed from the relevant points related to the company itself. There is no one size fits all or silver bullets to solve issues – industry, business, size, level of digitalization are examples of factors to be counted in when estimating maturity.”
What is low hanging fruit companies can look into if they want to take steps?
“For the low hanging fruit I would say: ensure adequate prevention and prediction (like EPP and vulnerability management), but equally ensure detection and response capabilities are in place. From our consulting services point of view, start with understanding your own business and risks and take appropriate action. We’re happy to give insights on this part as well. Related to the services discussed above, I would strongly recommend a purple team to start with, but that’s only one example.
All of that said, we have a 100% success rate in our Red Team assignments – so there clearly are improvements to be made.”
Which developments get you excited as a cyber security professional?
“There’s a lot to be honest, and that’s what keeps me going! Cloud, security by design (hardware and software development), industrial control systems, and autonomous anything are good examples of where I see growing demand and very interesting work for security professionals. These areas are already developing quickly, so it’s already on and will develop in the very short term. We’d be happy to talk more about our approaches on these as well, but that’s for another interview, I suppose.”
What final tips can you give to customers?
“Listen and learn from others, filter and plan to suit your own business realities. Educate yourself but accept that you cannot know everything. Start from measuring and understanding your current cyber security maturity.”