If you work at a rank-and-file corporation in the U.S. or Europe, stories like those about the breach at the defense contractor Qinetiq are terrifying. Here’s a company that’s on the bleeding edge of technology, making autonomous vehicles and other high-tech gadgetry for the U.S. military. Despite that, it finds itself the hapless victim of a devastating cyber breach that lasts – by all accounts – for months, or years. In the end, the attackers (likely linked to China’s People’s Liberation Army) make off with the company’s intellectual property (likely all of it) and, soon, defense contractors in Mainland China start turning out devices that look eerily similar to the ones Qinetiq makes. Ouch!
If a company like Qinetiq can’t stop an attack by advanced persistent threats (APTs) – or whatever name you want to use – what hope do overworked IT admins at rank-and-file enterprises have? After all, Qinetiq won multi-million dollar contracts from the U.S. Government to provide services to detect APTs. But Rocky Destefano (@rockyd), an executive at the firm Visible Risk, says that if you assume the big guys know how to manage cyber risk, you’d be wrong. Even sophisticated firms often get it wrong, by turning security incidents into siloed IT projects that are managed by discrete groups within the organization.
Destefano’s company helps organizations identify cyber incidents and then understand their impact. In a recorded interview with The Security Ledger on Thursday, he talked about how many breach investigations are too limited in scope and focus on the wrong things: the technical details of the intrusion rather than what the attackers were after and why.
“We try to ask ‘What is going out and why are we being targeted?’ ‘Why that information?'” Destefano said. “We try to iterate the question ‘Why?’ as many times as we can to understand more about the impact rather than just the technical details of how it happened.”