Cyber threat assessment: in conversation with Fortinet’s Tyson Macaulay

An increasing cyber threat requires organisations are more vigilant than ever across all their IT assets. Fortinet’s Cyber Threat Assessment Program (CTAP) has been designed to look deep into an organisation’s network traffic for indicators of compromise (IoC). By analysing this CTAP data from hundreds of users, Fortinet can gain insight into the actual threats that are emerging across the attack ecosystem.


So, with the top threat types including malware, botnets and application exploits, how can the security-savvy enterprise mitigate against the risk they represent?

Tyson Macaulay Chief security strategist and vice president of security services Fortinet

Tyson Macaulay Chief security strategist and vice president of security services Fortinet

“These threats attack both large enterprises and smaller businesses alike from a variety of different vectors, from e-mail and malware individually tailored for each business to ‘drive by malware’ pushed to innocent users via malicious adverts while they are merely browsing the internet,” says Tyson Macaulay, chief security strategist and vice president of security services at Fortinet.

While it is common to think of attackers in terms of external hackers and cyber criminals, the insider risk is just as great, as Tyson explains. “Insiders continue to be a form of threat that the Fortinet CTAP pulls back the curtain on,” he says.

“With productivity issues, compromised devices and data exfiltration all of concern, CTAP can expose the deliberately reckless, the merely careless and the deceitful insiders.”

According to Tyson, one of the most interesting elements of Fortinet’s CTAP is the ability to make meaningful comparisons across industry verticals. In other words, what does a participant or data set look like relative to other organisations in the industry? “This gives a whole new meaning to industry standard,” he says.


But what about the fact that many threat actors are increasingly using what might be best described as fully automated attack systems? The bad guys have access to these mechanisms which are able to probe networks for exploitable vulnerabilities, and which can be built extremely rapidly and at relatively low cost. How can the good guys fight back?

“This form of highly targeted attack, sometimes called an advanced persistent threat, can be difficult to defend against using conventional, signature-based detection methods because the malware has been custom-made for the victim,” Tyson concedes.

This is why much of the burden of detection and prevention has to in the end fall on to IoCs. “Network IoCs include source-destination reputation and heuristics, or patterns if you prefer, of malicious behaviours visible to the network, while end-point IoCs are detected through payload content inspection and safe detonation in simulated end-point environments called sandboxes,” Tyson explains.


It would be remiss not to mention the cloud and in particular whether this brings new challenges to the security table? Tyson prefers to think of the cloud more as a security enabler than a threat. “Cloud-enabled security can allow sophisticated and powerful detection tools to be enabled at remote sites or for smaller businesses that might not be able to justify large, premise-based investments,” he says.

Indeed, it is no accident that cloud systems for cleaning e-mail, web-filtering and sandboxing are now mainstream defence staples. “In the future, as technologies like software-defined networking (SDN) and network function virtualisation (NFV) take hold, other cloud-based security solutions will become not only accessible, but automated and available on demand,” says Tyson.

“This is because the network will itself become a form of cloud, hosting firewalls, intrusion prevention systems (IPS), application control and other types of security control.”


Let’s look at another buzzphrase that dominates the emerging threat-scape debate: the internet of things (IoT). What new threats does this really introduce to the enterprise and how can the switched on chief information officer mitigate the risk?

“There are ways to manage the risks, but above all they require awareness and a systemic, well-informed approach starting early in the IoT life cycle,” says Tyson.

So, while in the conventional world of enterprise IT, adding security as an afterthought is merely expensive, when it comes to the IoT, implementing security as an afterthought has the potential to cripple or destroy the service and even ruin the business case entirely.

“From a security perspective, IoT differs from enterprise IT in a variety of ways,” says Tyson. “For instance, physical safety can often be a major factor and design requirement for IoT in ways very uncommon in enterprise IT.” Similarly, while much emphasis is placed on confidentiality in enterprise IT, availability is often the key security requirement for many IoT systems, and that includes industrial control systems.

“We are about to publish a book called RIoT Control: Managing Risk and the Internet of Things on this very topic,” Tyson reveals.


Briefly then, how can you best contain the threat of this ever-expanding threat-scape?

“The only way that defending against advanced persistent threats, cloud integration and IoT can actually work as intended is if the network and its security infrastructure are fully integrated with each other,” he says.

The Fortinet Security Fabric, Fortinet’s technology vision, lays out the blueprint for integrating the necessary technologies needed to meet the security challenges of today and in the future

Importantly, specific solutions for these and other requirements need to be seamless extensions of the network, not just bolted on. Tyson concludes: “The Fortinet Security Fabric, Fortinet’s technology vision, lays out the blueprint for integrating the necessary technologies needed to meet the security challenges of today and in the future.”