The state of information security is in disarray. Governments and organizations in every industry are failing not only to prevent or detect initial attacks but also to prevent the data exfiltration or damage that follows. Attackers are typically resident on the victim's assets for months before they are detected, and sadly it is often an outsider who first discovers the attack. It is time for InfoSec professionals to acknowledge that technology will not stop all attacks, even technology targeting a specific type of attack such as APTs. Our current processes for securing data and assets are simply not effective for managing cyber threats.
Although security has always involved both detective and preventative controls, many InfoSec leaders scoff at the value of detective controls: "What's the point if you don't stop the attack?" This has led to poor investment and strategy around detective controls. Think about it for a minute. In the medical field this would be the equivalent of focusing almost entirely on preventing disease rather than treating it; once the patient has the disease, all is lost under this mindset. That simply is not good enough; cyber threats require attention to both prevention and treatment, and much more can be done to manage them. Generically, I'll define this as Cyber Threat Management: a vigilant program for continuous identification of threats, situational awareness, and accurate decision-making for timely response. I'm purposely leaving out the word "security" because security has unfortunately become synonymous with prevention.
Cyber Threat Management (CTM) is an advanced management program enabling early identification of threats, data driven situational awareness, accurate decision-making, and timely threat mitigating actions.
If this sounds familiar, it is because it is borrowed from USAF Colonel John Boyd's decision cycle of Observe, Orient, Decide, Act, the "OODA loop", a renowned framework for defeating a human adversary that was first developed for fighter pilots. The four elements of the CTM definition map onto it directly: threat identification is Observe, situational awareness is Orient, decision-making is Decide, and mitigating action is Act.
InfoSec and risk management are important practices, and organizations should continue to invest in them. The issue is that they are much too broad to include effective CTM: InfoSec is already overwhelmed, and traditional risk management is not built to manage real-time threats. In the business world, marketing and sales professionals may work closely together and share the same goals; however, they are distinct disciplines requiring different skillsets and resources for success. The time has come for CTM to emerge from InfoSec and risk management and develop as a distinct discipline and focus, both within organizations and across the industry at large. Separating CTM practices from InfoSec could significantly advance the development of both CTM professionals and CTM knowledge.
While initial compromise is inevitable, we don't have to accept that a massive data breach has to follow. A focused CTM program complementing traditional InfoSec and risk management severely limits the size and scope of the damage or data breach resulting from the inevitable successful attack. Just as importantly, CTM professionals can dedicate more time to developing the specialized skillsets required to effectively manage threats. CTM incorporates tightly integrated process and technology, all executed by highly trained people, including:
- Manual and automated intelligence gathering, including data-derived intelligence such as behavioral profiling and network baselining
- A comprehensive methodology for real-time monitoring
- Use of advanced analytics to improve intelligence, discover threats and provide situational awareness
- Technology and skilled people enabling rapid decisions and automated responses
The persistent, well-funded attacker will eventually break in, but a high-functioning CTM program can limit the ensuing data breach or asset damage. Organizations should examine the resources available for a CTM program and realign or acquire those resources to ensure effectiveness.
Wondering how well you manage cyber threats? Here are a few questions to ask:
- Are you identifying phishing and malware campaigns targeting your organization?
- Are you using analytics to improve intelligence, identify suspicious internal activity, and build behavioral profiles on applications, third parties and insiders?
- Is all intelligence data managed under one system that consolidates heterogeneous sources?
- Are you tracking how quickly intelligence data gets integrated into action systems such as IPS and endpoint protection?
- Are you baselining permitted activity such as data transfers, authentications and data accesses, and then examining deviations from that baseline?
- When a potential incident arises do your response teams have the information at their fingertips needed to make quick decisions or do they waste precious time pulling information together before they can make a decision?
- Are you tracking KPIs on intelligence data use, incident response times, decision accuracy, or incidents broken down by VERIS categories and Kill Chain stages?
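One concrete way to answer the baselining question above (and to implement the "behavioral profiling and network baselining" component listed earlier), as an added example that is not from the original article: learn each user's normal daily transfer volume and login sources from a training window of logs, then flag activity that deviates from that history. The log line format, field names, the sample entries and the threshold constants are all assumptions constructed for this illustration; the example also goes slightly beyond the text by reporting principals that have no baseline at all, which is itself something a responder wants to know.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real data). The line format is an assumption
# made for this example: "<iso-ts> user=<u> action=<login|transfer> [bytes=<n>] [src=<ip>]".
BASELINE_LOG = [
    f"2024-03-{d:02d}T09:00:00Z user=alice action=transfer bytes={1_000_000 + (d % 3) * 50_000}"
    for d in range(1, 15)
] + [f"2024-03-{d:02d}T08:30:00Z user=bob action=login src=10.0.1.20" for d in range(1, 15)]

NEW_LOG = [
    "2024-03-15T09:00:00Z user=alice action=transfer bytes=1000000",   # within baseline
    "2024-03-16T02:15:00Z user=alice action=transfer bytes=40000000",  # bulk staging at 02:15
    "2024-03-16T02:20:00Z user=alice action=transfer bytes=5000000",
    "2024-03-15T08:30:00Z user=bob action=login src=10.0.1.20",        # known source
    "2024-03-16T03:05:00Z user=bob action=login src=203.0.113.7",      # never seen before
    "2024-03-16T03:06:00Z user=mallory action=login src=203.0.113.7",  # no history at all
    "this line is not in the expected format",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: bytes=(?P<bytes>\d+))?(?: src=(?P<src>\S+))?$"
)


def parse(lines):
    """Turn raw lines into event dicts; malformed lines are dropped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["bytes"] = int(e["bytes"]) if e["bytes"] else 0
        events.append(e)
    return events


def build_baseline(events):
    """Per user: median and MAD of daily transfer volume, plus login sources seen.

    Median/MAD are used instead of mean/stddev so that a single past spike
    (or an attacker's own earlier activity) does not inflate the baseline.
    """
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes
    sources = defaultdict(set)                     # user -> {src}
    for e in events:
        if e["action"] == "transfer":
            daily[e["user"]][e["ts"].date()] += e["bytes"]
        elif e["action"] == "login" and e["src"]:
            sources[e["user"]].add(e["src"])
    baseline = {}
    for user in set(daily) | set(sources):
        vols = list(daily[user].values()) or [0]  # a user who never transferred has a zero baseline
        med = statistics.median(vols)
        mad = statistics.median([abs(v - med) for v in vols])
        baseline[user] = {"median": med, "mad": mad, "sources": sources[user]}
    return baseline


def detect(events, baseline, k=5.0):
    """Return (user, kind, detail) alerts for activity that deviates from the baseline."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    unknown = set()
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            if e["user"] not in unknown:  # report an unprofiled principal once
                unknown.add(e["user"])
                alerts.append((e["user"], "no_baseline", e["action"]))
            continue
        if e["action"] == "login" and e["src"] and e["src"] not in b["sources"]:
            alerts.append((e["user"], "new_login_source", e["src"]))
        elif e["action"] == "transfer":
            daily[e["user"]][e["ts"].date()] += e["bytes"]
    for user, per_day in daily.items():
        b = baseline[user]
        # Floor the spread so a very steady history (MAD near 0) still leaves some slack.
        spread = max(b["mad"], 0.1 * b["median"], 1.0)
        for day, vol in sorted(per_day.items()):
            if vol > b["median"] + k * spread:
                alerts.append((user, "transfer_volume", f"{day}:{vol}"))
    return alerts


def run_example():
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(NEW_LOG), baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Run as-is and the detector reports alice's 45 MB day, bob's login from an address absent from his history, and mallory as a principal with no profile; the normal-volume day and the login from the known address produce nothing. The design choice worth noting is the robust statistics: because the threshold is built from the median and median absolute deviation rather than mean and standard deviation, an attacker who has already been resident for weeks cannot easily "train" their own exfiltration into the baseline, which is exactly the months-long dwell-time problem the article describes.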