InfoSec Insider

Winning the Cyber-Defense Race: Understand the Finish Line

Kerry Matre, Mandiant senior director, clears up misconceptions about the value to business for enterprise cyber-defense. Hint: It’s not achieving visibility.

If you ask organizations about their top objectives, you will likely hear they need to increase visibility, reduce toolsets and adopt automation to counteract the cybersecurity skills gap. And what most don’t realize is that these initiatives are driven by hurdles the industry has created for itself.

Countless hours are spent trying to overcome hurdles in a process that doesn’t get us any closer to thwarting threat actors. Consolidating tools, for example, is just a preservation tactic — therein lies the problem. So, how can security professionals stop using Band-Aids and reevaluate what’s really going on and how to defend against threats?

Understand the Race, Focus on the Finish Line

The race we’re running is to develop cyber-defenses that prevent harmful impacts from attacks. The severity of those impacts differs wildly — from disrupted customer service to reputational damage from stolen data, and multifaceted extortion to regulatory fines. Yet security teams often focus on the race itself and forget about the actual goal, the finish line.

This often shows in a security function’s mission statement, which typically lacks a “so what?” and a connection to the business. For example: “Our mission is to continuously improve the organization’s security posture by preventing, detecting, analyzing and responding to cybersecurity incidents.” It is missing the finish line.

The finish line is the business’s ability to continue to operate in the face of threats.

Increasing Visibility Is Not the Starting Line

When I speak with security leaders, most say that visibility is the starting line for the success of their program. It is not. Increased visibility is needed because poorly configured systems and poor network hygiene require collection of massive amounts of data for threat monitoring. Yes, visibility is vitally important to enable threat monitoring; however, collecting a trove of data is not going to solve problems and will add to them if not part of a larger plan.

Visibility does not drive action. It can enable execution, but it is not the trigger.

Intelligence Is the Starting Line, and the Power Behind the Racer

Threat intelligence provides critical information on the cyber-landscape and active adversaries that shape threat profiles and unveil vulnerabilities in an organization, along with the likelihood of compromise and its potential impact to the business.

Unfortunately, organizations don’t know what to do with threat intelligence once they have it. It’s seen as another feed into a SIEM that provides CVE information. Intelligence must be operationalized throughout cyber-defense operations to drive action and inform decision-making.

The orchestration of how this is done is driven by a command-and-control (C2) function to ensure communication is flowing properly to increase effectiveness of cyber defenses and reduce duplicate efforts.

C2 functions can activate intelligence by:

  • Triggering hunt activities. A hunt team should use information about active APT groups and the latest relevant breaches to identify active or past compromise.
  • Prioritizing vulnerabilities based on the likelihood and impact of compromise. IT and Security groups use this to inform patch and upgrade priorities.
  • Informing security engineering teams what types of monitoring need to be in place to alert on activities tied to active APT groups (not just CVEs).
  • Prompting security operations groups to refresh playbooks to handle updated alerts.
  • Providing context around breaches so that incident responders can rapidly contain a breach and prevent repeat compromise.

Intelligence is used to drive all actions of cyber-defense. With proper intelligence, organizations can: (1) understand what actions need to be taken, (2) identify the level of visibility needed, and (3) then determine what tools are needed to fully operationalize this intelligence.

Fight the Desire to Start with Tooling

There is a deep-rooted force within the cybersecurity industry to buy shiny new tools that promise to solve all problems. Tool-buying fads have come and gone (remember when HIDS and WIDS were a thing?). Believing that shiny new tools are going to be the silver bullet against attackers is like thinking new shoes will win the race for you. Tools don’t provide value unless properly activated and coordinated with other cyber-defense functions.

Don’t Forget About the Racer

Now that we understand the race, have new shoes, are standing at the starting line and know where to find the finish line, we can activate the racer. Okay, maybe this metaphor has been taken a little too far — but in the spirit of breaking things down to build them back up, let’s not forget about the fitness of the racer: the architectures, the tools and the users that make up organizations. This means exercising good hygiene, implementing resilient architectures and following secure coding practices.

So What?

Organizational planning for security often focuses on hurdles created by the industry, not the harmful threat actors in play. Organizations run many disparate technologies and put immense effort towards consolidating tools — effort that should be spent fighting threats. The root of the security skills gap hurdle is not untrained experts on the frontlines, but that the industry has aged in a way that requires people to solve problems, which is unscalable.

Whatever hurdles the industry faces (and creates for itself), knowing where the starting line is, focusing on the finish line and using threat intelligence as the power behind the runner provide the best chance of winning the race.

Kerry Matre is senior director at Mandiant.