Firewall News


An Avengers approach to cybersecurity is not fantasy, it’s compulsory

By admin
03/02/2021
Should your organisation adopt an Avengers-style security strategy to stand the best chance of countering emerging cyber threats? Davey Winder has been speaking to industry experts who think that psychologists, spooks, and scientists hold the key to locking down your cybersecurity defences.
Fans of Marvel’s The Avengers comic books and films know the team comprises numerous superheroes, with the line-up changing with the times to best counter the villainous threats of the day. Fans of keeping organisations secure should know where we are going with this… interdisciplinary expertise within your security operations team is not optional.

“If Bletchley Park had used people all from similar backgrounds then I’m convinced that the war would have taken a very different course,” Nigel Thorpe, technical director at SecureAge Technology, says. “We need people who think about problems from as many different angles as possible.”

How important is an interdisciplinary approach when building a successful team?

Charlee Ryman, director of recruitment at Trident Search, which specialises exclusively in the cybersecurity sector, says that rather than being important, it’s vital. “It crafts a diverse team that draws on knowledge and ideas from multiple backgrounds.” He admits that some teams and organisations “do not currently see the value in bringing in others from different backgrounds and see it as a risk”.

But that’s a big mistake. People are different. “Having a cultured and symbiotic team will allow you to predict and prevent a threat actor’s efforts at multiple layers.”

So, what should the ideal Avengers security operations team look like?

Raffael Marty, VP of research and intelligence at Forcepoint, singles out three professions in particular that should be core members of the Cyber Avengers: psychologists, counter-intelligence operatives, and data scientists.

It’s not exactly news to anyone that a behavioural-centric component is essential in combating social engineering in all its many nefarious forms. The game of ‘spotting the anomaly’ has become even more important as pandemic working patterns have changed behaviours in ways that are likely to produce more, and certainly different, cyber risk impacts to the old normal.

“Many companies, for example, are going through financial difficulties or having to make difficult decisions, such as layoffs,” Marty says, which, when combined with a macro situation of high stress, “may result in some employees acting in a way that negatively impacts risk to the company.”

Understanding such behaviours and helping to contain the risk they present requires a psychology background. “Principles of psychology allow us to understand which people are susceptible to threats and how human error impacts systems.”

Next are the counter-intelligence experts. The Forcepoint X-Labs team, Marty told SC Media UK, includes people with such skill sets “who, through their experience, help develop approaches that identify and prevent malicious actors, competitors, nation states or criminal organisations from collecting sensitive information.”

It’s easy to downplay the importance of such people, to suggest that ‘spooks and spies’ are more window dressing for the marketing team than core competence for sec-ops, but easy wouldn’t be correct.

“Understanding the counter intelligence world, the world of espionage informs approaches and methods that allow us to detect quicker and with higher accuracy malicious users and their actions,” Marty explains.

Martin Rudd, CTO at Telesoft Technologies, says: “Who better than psychologists and spooks to address the issues of nation state attacks, espionage and corporate sabotage? With active defence, the skills of the psychologist and spook are invaluable for enhanced situational awareness, strategic decision-making on the front line and testing of adversary capability, all while keeping cybercriminals engaged and unaware.”

Which just leaves the final slot in this triumvirate of cyber-talent to fill. The Hawkeye of our Avengers security team: the data scientist.

But Hawkeye isn’t just a bloke with a bow and arrow – he’s an exceptional marksman. Data scientists are equally accurate in their ability to home in on a target among all the noise, often before that target has committed the crime.

“Used properly, data science can help people and decisions to adapt in real-time to a changing threat,” Marty says. “Data scientists can help IT teams to predict bad events before they occur.” They do this by helping to build systems that collect all that behavioural data and analyse changes over time, for example. Those changing actions are scored and, Marty says, “once a score hits a certain, pre-defined point, the system takes different actions to prevent the user increasing risk.”

This sounds like an expensive movie

Kevin Tongs, director of customer success (EMEA) at Flashpoint, who started out in threat intelligence for the UK Ministry of Defence, says a former boss of his once said specialists become too expensive, get sacked, and are only hired when needed. “Turning that piece of cynicism around, you can run the risk of hiring people who you can’t keep fully busy with interesting work, so they get bored and leave,” Tongs warns, “or you can skill them up to the point where they thank you for the enhanced CV by taking it to a higher-paying gig.”

Recruitment expert Ryman counters with an argument that “the broader your team, the more effective it will be in deciphering an attack and innovating your defences – building a strong culture will in turn reduce staff turnover.”

So, is outsourcing the bottom line answer here? “I would hesitate to completely farm out any of the disciplines,” Steve Giguere, director of solutions and community (EMEA) at Stackrox, told SC Media UK, “but instead bolster them with additional intelligence from both the external threat landscape as well as internal using spot assessments/audits of company security maturity to guide budget and strategy.”

Critically, he insists, the doers must be in-house; the process drivers and “pedantic right brains” to make sure the detail from the technologists who are keeping you ahead of the game “provide a backplane of communication to enable the people of your organisation to make it happen.”

But Morgan Wright, chief security advisor at SentinelOne and a former US State Department special advisor with a background in criminal psychology, isn’t totally sold on the Avengers argument.

“When it comes to cybersecurity I prefer the lesson of Albert Einstein,” he says. “Namely, everything should be made as simple as possible, but no simpler.”

For the vast majority of companies, Wright argues, this means that employing highly specialised personnel such as psychologists and CI specialists is beyond the budget.

Wright concludes: “The bottom line is that SolarWinds has forever changed the prism by which we view cybersecurity. We have to develop solutions that scale and protect the significant majority of governments, corporations, institutions, schools: the Avengers approach sounds sexy, but doesn’t scale and doesn’t solve the bigger problem. It is a solution that very few companies can implement.” 