Azeem Aleem and Dave Gray
Nothing will work if you are not serious about it - Sam Abell
This blog is intended to take a different perspective (pun intended) of how we view our security platforms and how to go about rationalizing our Business-Driven Security decisions about cyber threats and mitigation strategies. It all comes down to perspective, which is a cognitive capacity and is essential in understanding the threat mitigation concerns with the cyber industry.
Jeff Bezos (founder of Amazon) initiated the use of an empty chair (representing a customer) during meetings to encourage attendees to consider perspective from the other side), for example, how will the customer be impacted by what we are putting forward in that particular meeting; what will the customer's main concerns be; and so on. This change of perspective has helped Amazon drive excellent customer satisfaction (CSAT) results.
In our hunt for perspective analysis we were lucky enough to meet Hal Gregersen, MIT Executive Director, and Sam Abell, Ex-National Geographic staff photographer, who run an executive course at MIT on developing leadership skills through the medium of photography. Photography is a subject very close to our hearts, which got us thinking about how the subject relates to our world of cybersecurity. Now, this is not going to be a cliché about focusing in on a problem, or looking at the big picture (you should be doing that already!!!). We want to take photography from its decision-making aspects and apply it to defending our networks.
Photography, like the world of cybersecurity, has evolved through a lean maturity phase. Although the evidence of various light sensitive substances, and the formation of a camera predate the 1800s, the invention of photography (Greek words photos and graphos meaning "drawing with light") came across in the 19th century.
The latest Digital Single Lens Reflex (DSLR) technology/camera uses a mirror mechanism to reflect light from the camera to an optical view finder, or onto the image sensor.
Before you snap the photo (even on your smartphone) you have an idea in your mind of what you want to record. Or, in other words, a plan! So, translating this into our cybersecurity world, we need to understand what it is we want to achieve (for example, business-driven security strategy) and how we are going to go about it. There is no point in throwing an intrusion detection system (IDS) out there with a standard AV product and expect to have good results (yes, you will have a baseline - but is it what you wanted?). Planning an intelligence-driven advanced security operations center (ASOC) deployment and setting up for a good photo are not that different in approach.
- Identify your target (your picture objective)
- Set about identifying the threats that you face (your landscape)
- Wait (monitor)
One of the things Sam spoke about resonates so well with our world: "Don't chase the Rabbit". In the world of Photography this is all about chasing the perfect picture, which is ultimately going to fail as you are relying on luck rather than skill and perception. In our world, "Chasing the Rabbit" is where we are constantly responding to threats instead of taking a step back and identifying just what it is we want to achieve with our security program. Again, taking us back to planning, we want to be able to sit back and identify what we want to do with our security program (proactive approach) and not react on a case-by-case basis (reactive). In the world of photography it is "compose the picture and wait". This is where planning out a Use Case Library from specific attack scenarios comes into play.
We know what our crown jewels are (we should know, at the very least, what it is we are attempting to defend) and, as such, can plan out just how an attacker will go about gaining access to that asset/information. Identifying each of the attacker's steps gives us an additional detection capability (especially if we are mapping our capability against the Cyber Kill Chain). This allows us to monitor and adapt to the given attack scenarios as they appear. Of course, we have to keep adapting to the threats just as we would adapt to a given opportunity to take a photo we would be proud of.
The next item to look at is our tech. Staring longingly at expensive camera lenses at airports is a common occurrence, just as we see SOC & CIRT Managers and CISO's attending Conferences looking at the latest detection capabilities. Making an impromptu purchase would be regretted in the long run. Scoping out your requirement from a threat and engineering point of view is critical to getting the right detection and response capability in the RIGHT PLACE! Having a clear understanding of what you wish to achieve here and mapping it against equipment/services is the right approach. Monitoring equipment itself is not a cheap undertaking either; yes there are Open Source projects out there, but these are not necessarily Enterprise-level tools, nor is there a full level of support outside of the Forums and User community.
Therefore, plan out what you want to achieve and make sure to use your metrics to identify gaps in capabilities (tool efficacy), which will allow you to focus your efforts on the key areas requiring improvement. It is essential for organizations to identify their current capabilities/gaps, comparing them with their industry peers to help develop a prioritised road map for technical, operational controls. In this way, you can make the most of your budget.
Photography is fun, and whilst we are not going to suggest the same for cybersecurity it is most rewarding, especially when faced with new or unseen attacks. Serious photographers are passionate about their activity, which is most definitely something security professionals can match. We have seen different approaches to working in SOCs. In one case, what began as a release at the end of the week with a few NERF darts flying round became a free for all. In another where there was ZERO communication between either the SOC analysts or their management. In both cases there was a lack of focus on the task at hand and both the staff and organisation were degraded as a result.
Security staff understand this is serious work requiring professionalism (so no NERF!); however, if we make the job too dull and process driven we risk burning out our staff. To keep our staff engaged (and stop them going to other vendors) we can look at cross-training to give them additional skill sets. Most analysts, at some point, want to dabble in penetration testing, and it makes sense for the penetration testers to sit on the other side of the fence as well. This has the added bonus of letting each team understand the other's motivation and approach. Another approach to put the fun side into analysis is to run a live exercise (depending upon monitoring constraints). While not necessarily a penetration test or Red Team exercise, it gives the SOC team the chance to respond to simulated attack traffic on their own networks.
This not only keeps your team engaged, but it allows you to have your team and security program assessed. It is a controlled environment allowing you to showcase to senior staff just how well your team is developing. However, just looking at your own work and that of your team is not enough. Just as we learn by looking at fantastic work by leading artists and photographers we can do the same for our own security teams. Whilst it is common practice to attend Conferences and listen to presentations by experts in our field it is worth taking a different approach as well.
Talk to your peers to establish what is working in their organisations and what issues they are facing. You may not be surprised to find they are similar to yours; however, the approach to the problems may be different and worth investigating further. It goes without saying that you should be sharing this information as well (it's not just IOC's we should be sharing).
Make sure that when you are responding to threats that you are not "Chasing the Rabbit".