Combatting unknown unknowns – taking an intelligence-led approach to visibility

Josh Neame, CTO at BlueFort Security, outlines the challenges faced by CISOs and argues for a move to intelligence-led visibility that identifies the most dangerous threats facing a business.

When he was US Secretary of State for Defence, Donald Rumsfeld gave a speech containing one of the most well-remembered and often-quoted phrases of the recent past: “We know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones.”

A bit of a tongue-twister, but the essence of what Rumsfeld said applies to all walks of life. In cybersecurity, IT landscapes are complex, often untamed and unpredictable. There are many known unknowns, and there are even more unknown unknowns.

In an environment where attack surfaces grow as fast as the workforce disperses, and where cybercriminals grow ever more sophisticated in their methods of attack, CISOs are on the precipice of losing control of users, data and assets, and of losing the ability to protect their infrastructure.

BlueFort’s 2022 CISO Survey, which spoke to 600 UK CISOs, revealed the extent of the challenge: many admitted to a lack of visibility, intelligence and control over much of their organisation’s estate. Over half (57%) admitted that they do not know where all their data is or how it is protected.

A lack of visibility, or only limited visibility, over an organisation’s estate is the root cause of many of the challenges CISOs face. Without clear visibility of the IT estate, it is impossible to gain accurate intelligence about it or to exercise any control over it. When visibility is clear, intelligence can be applied to the known elements, enabling the implementation of positive controls.

Visibility roadblocks 

Many CISOs are familiar with the common visibility obstacles, which are typically caused either by information overload or by a lack of information.

  • Information overload: With the plethora of tools available, it would be hard to find a CISO short of information. The vast majority instead suffer from information overload (lots of visibility, but little context).
  • Cloud adoption: Enabling cloud transformation is now a key focus area for UK security leadership. BlueFort’s 2022 CISO Survey found that more than half (57%) of CISOs use multiple clouds and 37% use a single cloud environment. Securing the cloud and cloud-based applications must be a priority, yet it remains one of the biggest visibility roadblocks for organisations today.
  • Skills gaps: The compounding effects of information overload, an acute shortage of cybersecurity skills and regulatory compliance burdens drain the already limited resources allocated to threat detection and response.
  • Employee churn: Most CISOs are also losing track of movers, joiners and leavers across the business. This is a common security challenge for organisations, and one result is data left behind on leavers’ machines.
  • Employee working behaviour: Employees routinely practising insecure working behaviours, such as connecting to public Wi-Fi and not flagging suspicious or malicious emails, only make the situation worse.
  • Changing external threat landscape: Cyber-risks are on the rise. The volume and variety of attacks, especially ransomware, are growing exponentially. According to analysis of Common Vulnerabilities and Exposures (CVE) data by The Stack, the number of critical vulnerabilities in 2022 was up by 59% compared to the previous year.

Moving to intelligence-led visibility  

These challenges prevent CISOs from establishing full visibility and control over their IT estate. What is needed is an intelligence-led approach to visibility: one that focuses on gaining the insight and context needed to identify and prioritise the most important threats facing your business. This requires a transformational approach, a clear understanding of which part of the estate a given piece of visibility covers, and the ability to turn that information into contextual, actionable intelligence.

The goal is for visibility to become organic, removing manual processes and reducing noise so that all data, threats, remediation opportunities and the effectiveness of existing protection can be seen. It is important to remember that improving visibility is not about seeing more problems that you cannot solve, but about solving problems before you see them. While this might sound like an insurmountable task, breaking the journey down into priority-based steps provides a clear roadmap that can be built on over time.

  • Establish a view of your external attack surface: The first step to gaining true visibility over your organisation’s cybersecurity estate is turning the unknown into the known by identifying what your attack surface looks like to an external threat actor. By adopting an external viewpoint, you can assess your security landscape, identify gaps and determine the areas most susceptible to potential attacks.
  • Conduct robust internal testing: Once you have a continuous, automated process for discovering the organisation’s systems and assets, the next step in the visibility journey is to start actively testing and validating them. The aim of this process is to establish the key strengths and weaknesses in the attack surface.
  • Address and test critical cloud security issues: Cloud security posture management is crucial for any organisation operating in one or more cloud environments. It automates security and compliance validation across any cloud environment, from AWS, Azure and Google Cloud to Kubernetes. The process identifies, prioritises and remediates risks, providing coverage across vulnerabilities, malware, misconfigurations, lateral movement risks, weak and leaked passwords and overly permissive identities.
  • Assure identity across the organisation: The cornerstone of securing an organisation’s IT environment, preventing intrusions and maintaining compliance is the management of identities, including users, devices and other entities. Assuring identity involves a comprehensive assessment of the IT environment and a combination of tools, technologies and services designed to centralise controls, simplify management and increase the granularity of access permissions.

Taking control of the situation  

The final and arguably most important step is linking all of these aspects together. Only then can effective controls be put in place to mitigate the dynamic cybersecurity risks facing modern businesses. Visibility is an ongoing journey: no single tool, technology or process will deliver complete point-in-time visibility over this changing and often unpredictable IT security landscape.

Every set of processes and solutions must be tailored to the specific needs and structure of the organisation, and the tools and technologies available to protect organisations from cybersecurity threats are themselves constantly evolving.

This framework offers a clear pathway to IT estate visibility, but it is only the start of the journey. Visibility leads to intelligence, which leads to control. The key to introducing effective controls lies in covering the basics and obtaining actionable intelligence. By laying a strong foundation through a comprehensive understanding of the fundamental elements, we can implement controls that deliver the desired outcomes.
