Quantifying Cyber Risk

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone. Thanks for joining us for episode 67 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

This week we’re joined by Alexander Schlager, executive director of security services at Verizon. He has experience in both the technical and sales sides of the communications and security worlds, having gained experience in a variety of positions around the globe.

Our conversation focuses on his belief that organizations need to concentrate on quantifying their cyber risk, and using what they’ve learned to evaluate and plan their security programs. He explains why Verizon invests in reports like the DBIR and the Verizon Risk Report, and of course, we’ll get his take on the importance of threat intelligence. Stay with us.

Alexander Schlager:

I started, at the age of eight, to code BASIC. I did a couple of projects in school for marathon running and timekeeping, which was my first exposure to using the computer. It was the Commodore 64 that I used, predominantly for playing games, when I started discovering that we can make use of it for other purposes as well.

As I grew up and got deeper into coding and development, I started my career as a developer — called “programmer” at the time. I did a lot of mainframe automation by our 3217 infibulation. And then, somehow, I ended up networking in technology. So, while working as a developer, the internet kind of came about. At the time, I was still living in Austria. Once the internet-hype boom started, that seemed much more interesting than coding and developing. So, I pivoted and worked at one of the first service providers in Austria, and then pursued the networking technology path which ultimately ended me up at Cisco, where I worked as a technical instructor and consultant.

I spent probably seven years in that area before I moved onto Deutsche Telekom, where my focus was shifted a little bit to IT operations and outsourcing. I spent almost six years managing large global outsourcing deals. I moved around the globe with my family — Japan, Malachias, England, Germany. I ultimately ended up with Verizon, managing their Central Europe organization — predominantly sales. I got the offer from Verizon to look after our security portfolio.

We’ve been quite successful, in Central Europe, with positioning security. The ideal was to bring in somebody who has a technical background, but also sales experience to move the roadmap and strategy forward for the next five years.

Dave Bittner:

Can you describe to us where those two things intersect, both the technical side and the sales side? I think that’s not a common thing for everyone to have — that intersection of those skills.

Alexander Schlager:

I have to expand a little bit. One thing that frustrated me as a programmer was, I didn’t have a mathematical background, in the sense of, I didn’t start mathematics. So, I knew in a couple of years that I reached my limit as a developer, as a programmer, because of that lack of a deep mathematical background, which means there was always a third party being pulled in to optimize my code. This ultimately frustrated me because as an individual, I felt that I can’t become the top in my class because I was lacking that particular skill.

So, the choice was either to add that skill to my capability to utilize, or to refocus in an area where I believe that based on my background, I can actually become the top of my class. And with the rise of the internet, it was a great opportunity. I think I never wanted to be an engineer forever and full time. I really enjoyed my time with Cisco, teaching networking technologies to people, because I do like to work with people. I’m an extrovert, to a certain degree, and that made me think of how to complement my profile, if you like, to take broader roles in the tech space.

I did a lot of project management for Deutsche Telekom and that ultimately made me end up in the outsourcing space. I did my masters in business administration and then, in addition, this is how ultimately I ended up with a technical as well as salesman background, if you like.

Dave Bittner:

Right, right. I want to touch on this notion of quantifying security postures and quantifying cyber risk. Can you sort of lead us into that? When we’re talking about this, what do we mean?

Alexander Schlager:

When I came onboard last year to take over the security product, obviously, I asked my team to help me get a deep understanding of the technology space which I lacked. And one thing that struck me was, there was a flood of products, solutions, and vendors. There’s almost 3,000 vendors today in the cybersecurity space that ultimately all tried to make the same promise of, you know, “We’ll make your environment secure.” The more customer meetings I did, the more a pattern arose, which was customers being frustrated with the lack of a clear, quantifiable outcome in security.

If you look at Verizon as an example, as a service provider — everything we do for our customers, we can clearly quantify. We can articulate the outcome via the network, or telephony, or collaboration conferencing, IoT — you name it. We always can quantify, we can apply KPIs to it so that the outcome is very clear in the sense of satisfying the business need of our customers.

But if you look to security, there is a complete lack of outcome. We can quantify operational parameters, such as the time needed for repair, response time, and all of these things. But in the sense of security, like, what your security outcome will be, if we or any service provider for that matter take care of your security posture — there’s no such thing.

So, your average enterprise today can have five to seven different technology vendors that they stack on top of each other — we jokingly call it “the frankenstack” — in the hopes that it would make them more secure. Imagine a conversation between the CISO and the CFO, where the CISO says, “Look, we want to invest in vendor ABC. This will make us more secure.” The response is, “How much more secure?” And there’s no answer to that question. So, there’s also a lack of clear understanding of the return on investment in the sense of security investment. If I invest into, let’s say, a different endpoint protection solution, how much more secure does this make me?

So, this started making us think about, is there an abstraction layer that we can create on top of the tech layer, so that we can move the conversation from a pure technology conversation to an outcome conversation? In the sense of, if we would be able to articulate an outcome, would this help our customers? And this is ultimately how we started the journey in exploring. Is there data and information out there that we could collect, select, and correlate everyday in order to quantify security posture?

Dave Bittner:

Are there other organizations, other types of businesses, that were already doing this that you could use as an example?

Alexander Schlager:

This is a very new space, and you see a lot of activity in that space. There are established players, such as BitSight or SecurityScorecard. FICA now has an offering in that space. So, you will see a lot of movement in that area. I know of at least 10 startup companies that deal with the matter of quantification in one or the other way.

Dave Bittner:

It strikes me that security, by its very nature, deals with a lot of uncertainty. So, take me through the process of quantifying that, of being able to tie down that uncertainty and transform it into something that people can actually use.

Alexander Schlager:

So, if we accept the fact that there is no 100-percent protection against a breach — and I believe we need to accept that fact — the question changes from, how do I 100 percent secure my environment to reduce risk to a maximum extent? Collecting any signals we can pick up about an enterprise from either an external and/or internal point of view allows us to quantify posture. So, what I mean with that is, let’s take the outside into view.

If we look at an enterprise from an outside perspective, there is a massive amount of signals that leave the enterprise, be it the beginning of the HTTP or the HTTP header, be it the open ports, be it compartment effects that we see, signal effects, and stolen support. So, aggregating all this data and quantifying it in the sense of how good a company is doing in a particular aspect, in the sense of open ports or the way they patch, allows it to basically assign a score. So, the core principle is not very different to a credit score.

A credit score ultimately expresses the risk of an entity or individual defaulting and not being able to beat its financial obligations. The same principle is true here, but we don’t measure the risk of defaulting, we measure the likelihood of the breach or the vulnerability to a breach, expressing it in the form of a score.

Dave Bittner:

How much of a challenge does it present to you that this all is relatively new? So, you don’t have a hundred years of historical data to look back on?

Alexander Schlager:

It’s a good question. Well, first of all, we rely on a lot of partners. So, Recorded Future, for example, is one of our core partners, and they help us a lot with insight into deep and dark web activity. So, part of the answer is, there is no such thing as too much data when you try to evaluate or estimate a posture.

The fact that we don’t have too much data or historical data is half true. What I mean is, we run the Data Breach Investigations Report, which we’ve done since 11 years ago. And we examine in there, on the industry basis, the trends and dominant development when it comes to intelligence and breaches. So, dominant attack vectors, attack varieties, and motives.

That information, which as I said, we’ve been doing for 11 years, helps a lot in order to do this assessment.

Dave Bittner:

So, what are the benefits for an organization that takes the approach, the approach of quantifying these types of risks? What do they gain from that?

Alexander Schlager:

Multiple things. The first thing is … Security itself has moved out of the IT department, right? So, in the past, it was sub-functional IT and it was limited to that. There was very little attention by executives, the board, as to how good security posture actually is. This has dramatically changed with more and more of commerce, as well as our private lives, moving into the digital space. It obviously opens up tremendous opportunities with people with criminal energies as well.

The increase of regulations, in parallel, be it GDPR or breach modification requirements, or look at the FCC guidelines that recently came up, moved security out of IT. So, all of the sudden, security, if you like, is almost a corporate function because it has taken a dominant position when it comes to enterprise risk.

So, the first benefit companies get is that they’re able to articulate their risk exposure to non-security individuals. So, if you don’t have a security background, you don’t want to look at the result of the vulnerability scan or penetration test, because if you sit on the board of a company and you don’t have a security background, this means little to you.

So, abstracting that information in the form of a score, in the form of a risk assessment, in the form of an industry comparison. One thing we also do is, we show customers how well they do in comparison to their peers within their industry. It helps customers understand their actual risk exposure. That’s one thing.

The other thing is, it will drive technology decisions more accurately. Meaning, if you look at what they call the risk factors, this is where we aggregate all this information. There is a relatively easy connection to be made to a specific piece of technology. Let me give you an example. If you look at botnet infections or malware or ransomware that we would detect sitting on an endpoint, the next question would be, is the customer using endpoint protection solutions? If they are, it gives you insight into how well the solution is actually doing. I have botnet infections that will be reflected by the reporting tool. Why do I have them if I have vendor XYZ installed on my endpoint?

So, it will start helping customers scrutinize the technologies they have in place today and help them make better decisions moving forward about where they should invest.

Dave Bittner:

Now, is this a communication process, this translation layer? Is it bi-directional? In other words, we’re quantifying things so that folks on the board level can understand the technical side. Does it flow back in the other direction as well?

Alexander Schlager:

It does. With the tool that we developed — and I’m sure it’s not dissimilar to other players in the market — we wanted a single report that equally speaks to a board member and security analytic operations. So, the way that we have instructed the data is in the way that you can look at these high-level parameters, such as the score, but you can also dig very deep into the underlying, what we call, the forensic details.

So, to your question, let’s say a board member says, “Look guys, we’ve dropped our score by 50 points. What’s going on?” The operations, or IT, or security analyst can go into the same report, dig into the details, and then articulate the technical reasons, if you like, as to why the score has dropped by 50 points.

So, that was the idea. We wanted to connect anything we sold, for example, that the board would like. It should be traceable and comprehensive also to the operational and technical level.

Dave Bittner:

I want to touch on threat intelligence and your take on that. Where do you see it fitting into companies’ security postures?

Alexander Schlager:

I think it’s a key requirement, and it’s a key piece of data that companies require, be it for risk assessment, as we had just discussed, or be it for the security analyst to develop proactive measures in case of an infection or a breach. I think it’s probably one of the most vital functions companies require in the complexity of cybersecurity.

Dave Bittner:

I want to switch gears and talk about the DBIR, the Verizon Data Breach Investigations Report. Why is this an important thing for Verizon to support and to put out there for the rest of the community?

Alexander Schlager:

That’s an interesting question, and I think it is also an interesting mind-change that happened in the last years. If I look back three, four years, many companies including Verizon would see threat intelligence … And I would count the DBIR into that category, to a wide extent. It is kind of a part of threat intelligence. They saw this as a core asset. They looked at it as, “It’s my core asset. I differentiate with threat intelligence. I have it, nobody else can have it, and this is how I will position myself in the market.”

Luckily, this has dramatically changed in the sense of basic understanding in the industry, that threat intelligence is something we have to share, we need to share. We need to unite against the dark forces, if you like a better term. And so, I’m very pleased to see that including Verizon, threat intelligence, or insight into threats, has become a community responsibility, if you like. So, we see a lot of players in the security space actively sharing threat intelligence with each other. The DBIR is our contribution to that, if you like.

Dave Bittner:

Now, you also recently put out the Verizon Risk Report. Can you take us through what that covers?

Alexander Schlager:

That is what I mentioned before, where we basically collect any kinds of signals. We can see and detect them about an enterprise. I mentioned outside-in … So, we structure the product into three levels. The first one is outside-in. We pick up everything we can see and find about an enterprise from an external perspective. You can think about it this way: anything a hacker could see, if he does extensive research about a potential target — we pick it up and we correlate it, aggregate it, and we score it. So, it is the maturity score from an external perspective.

Level two, then, is the mirror image. We go inside-out, we go behind the parameter, and we collect additional so-called risk factors to complement the score for them to make it more accurate to increase the confidence. And then, level three is a professional services assessment where we look at the human aspect, if you like. Policies, processes, procedures, human behavior.

Taking all of these three levels together gives us a 360-degree view of the security maturity, the security posture, and ultimately, the risk that an enterprise is facing. The big difference is, if you look at how risk assessment has been done in the past, they are mostly human-driven. Meaning, you know, a person comes onsite and does the full assessment, including the technical parameters. The problem is, it’s a questionnaire base, it’s subject to human bias, and it’s a snapshot in time. Meaning, the next day, your report is basically obsolete.

This is another reason why we wanted to stand up and feature something like the Verizon Risk Report, which is refreshed every 24 hours to allow customers to get a more interlinear view on their risk and security posture. The Data Breach Investigations Report, which we want to lead them near, is solely embedded in the product, which means it’s all the raw data we collect. For example, from BitSight or Recorded Future, we correlate against that dataset because we do have that insight about, as I mentioned before, which industry is facing which specific threats. There’s a big difference in the sense of how you wait and how you prioritize certain data points based on that information. So, if you like, we have instrumentalized the DBIR. It’s another way of looking at it.

Dave Bittner:

Now, Verizon’s certainly one of the largest telecommunications companies in the world. How does having that sort of global scale enable you to have a vision of the security world that perhaps others don’t have?

Alexander Schlager:

The biggest benefit is global visibility, as in, we are lucky to have the insight as to how individual governments — but also enterprises in countries all around the world — look at cybersecurity. Envision a country-level maturity, if we could quantify that difference between countries. So, whether you look at Germany, or Japan, or Australia, or Israel, just to pick a few, you’ll see significant differences in how serious it is taken on government level. How much money is being put in R&D, how much money is being put into proactive measurements and initiatives of helping the local industries become more secure and more mature and aware, if you like.

Dave Bittner:

Now, in terms of recommendations for companies who are looking to do a better job securing themselves, what are your suggestions?

Alexander Schlager:

I think companies need to look at the option of quantifying their posture. Whether they do it themselves, whether they use a third-party service, I think it’s very important that companies move to that, what we call, the abstraction layer above technology. Even if it might not be perfect, as it is an ever-evolving area, I think companies need to create better awareness and transparency at the CEO management and board level.

I think companies need better help to understand their risk. There’s also a financial benefit, obviously, as return on investment becomes more feasible in security. But think about it in conversation with your insurance company. Having insurance premiums, if you’re a large enterprise, is a significant cost expenditure. Now, if you could demonstrate to your insurer that you have a very mature posture, that you have low risk, that you are very diligent in caring for your security environment — they’d benefit from a financial and commercial point of view.

So, I think companies that have to move to the level of evaluating hundreds of tech vendors, they should evaluate solutions that are out there to help them quantify their posture, and once they have established that practice, then look at technology and connect the dots between what they see from a risk perspective and what this means in technology terms.

Dave Bittner:

So, when an organization gets this information about quantifying their risk, how does that integrate with their technology? How does it work with things they may have or things they’re thinking about getting?

Alexander Schlager:

Two ways. Number one, Verizon, as well as other players in that space, are actively working on connecting the dots between a risk factor, as we call it, and piece of technology automatically. So, in the future, you will see that we are able to map vendors and their products in cybersecurity directly to the risk score methodology. That will further improve and accelerate using that information for the right technology decisions.

The other aspect is, think about security analytics in the sense of, most companies today have some sort of analytics in place. Whether they are actively looking for indicators of compromise, whether a breach has occurred, and so on and so forth. The hanging fruit is by taking all of this information and intelligence that you have on the risk side, and for example, feeding it into your analytic stack.

The quantity of your security analytics is, to a large degree, determined by the contextual information you have. Meaning, you have a primary collection of information. Only by pulling that information into context does it become truly valuable, as it reduces what we call false positives. So, in all, the hanging fruit for companies who acquire any kind of risk quantification capability is that they can immediately take that information and feed it, for example, internally into their stack as an additional point of correlation, for example.

Dave Bittner:

Our thanks to Alexander Schlager for joining us.

If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinator Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner. Thanks for listening.