Today government organisations have an array of formidable cyber defenses. It’s not uncommon for organisations to have a defense-in-depth stack that is comprised of anywhere from thirty to fifty individual security controls. It’s critical that organisations measure individual security controls effectiveness against a wide variety of evolving tactics, techniques and procedures that make up the rapidly changing threat landscape.

This isn’t common practice in cyber defense, but it should be, says Eric Hoh, President of Asia Pacific at cyber security firm FireEye. Organisations that invest a lot of money in cyber security often don’t know if their tools actually work against the latest threats.

We spoke to Hoh to learn how governments can truly understand the effectiveness of their cyber defenses.

Threats that governments face

Governments are popular targets for cyber threat actors. “Recently, there have been a lot of governments in the region that have been attacked, and their information has been compromised,” says Hoh. On top of the usual ransomware and phishing scams that all organisations deal with, governments are subjected to higher risks of state-backed espionage, he notes.

More governments are moving their workloads into the cloud. Organisations that don’t properly address security considerations during this migration will be exposed to additional risks. 25 per cent of the breaches that FireEye’s consultants helped to respond to in the past year involved the public cloud, Hoh shares. “Attackers are following the data.”

There are two reasons why the cloud can introduce risk, he explains. First, it’s difficult to have complete visibility when data is stored across multi-cloud and hybrid-cloud environments. Second, organisations need to configure their cloud policies properly to reduce the chances of exposure. FireEye’s latest Cloudvisory solution can help with these.

As governments drive digital transformation, they need to be aware of the growing attack surface as well, Hoh says. More devices mean more possible entry points for hackers.

Do you know how effective your security controls are?

It can be difficult to know how much of a government’s cyber security investments are yielding returns in protecting citizen data, Hoh notes. Governments need a good way of understanding whether their security controls are really helping to guard their networks. This is the concept behind security effectiveness.

Unfortunately, many organisations have overlooked this, says Hoh. “They assume that their security controls will always work as well as when they were initially deployed, regardless of the changing attacker tactics and irrespective of their own changing environment,” he adds.

These tools should also match an organisation’s threat profile. For instance, banks and telcos would have advanced cyber criminals targeting them because of how much valuable data they hold, and would need better tools.

Knowing an organisation’s security effectiveness can help it to identify misconfigurations, Hoh adds. A misconfigured software is a common cause behind failing to detect attacks.

How to understand security effectiveness

How then can organisations begin to understand how effective their cyber security tools are?

Typically, organisations hire professional teams to try and break through their defenses every three to six months, Hoh explains. These teams would test the defenses to their limits, to see if they would hold up in the worst case scenario. If the organisation is a hospital, for example, teams could try to steal patient data or shut down its operations to extort a ransom.

Mandiant Security Validation can conduct these live fire drills in a safe way automatically. It learns the latest threats’ tools, techniques and procedures, and continuously subjects an organisation’s defenses to realistic attack scenarios. This helps IT teams know right away where their security gaps may lie, so they can plug them before an actual attack happens.

After conducting these tests, some organisations found that some security controls were less than ten percent effective, Hoh shares. But they shouldn’t be discouraged. “Once you have that awareness, you now have the opportunity to tune that control to be much more effective, thereby maximising the value of your existing security investments,” he says.

No war should be fought on assumptions. It’s dangerous, and wholly unnecessary, for organisations to fight cyber attacks blindly. Having a good understanding of security effectiveness is key to strengthening cyber defenses