What The Tempest Can Teach Us About Security Operations
“What’s past is prologue.” This famous line from The Tempest by William Shakespeare is engraved at the entrance of the National Archives Building in Washington, D.C. It sets the stage for the collection of historical documents held within, reinforcing the importance of being able to go back and refer to history for context to understand what is happening today. The same holds true for cybersecurity. Context helps you understand the who, what, where, when, why and how of an attack. But are we prioritizing the value of learning from the past and experience to combat the latest cyberattack?
When an attack happens, a defense-in-depth architecture compels us to throw another security tool into the mix to address that specific problem. In fact, the 2018 Hiscox Cyber Readiness Report shows that new technology continues to top the list for security investments for a majority of the 4,100 respondents, leading researchers to conclude that many see cyber threats as primarily a technology problem. Yet research from Cisco finds that using technology alone to remediate security vulnerabilities only solves 26 percent of issues, leaving the majority of issues unresolved. While some of these technology investments can help us gain context, the biggest untapped resource to a greater understanding of the past is people and their past experience.
Clearly, we’re all very aware of the ever-widening shortage of cybersecurity talent and many organizations are feeling the pain. Loading up on more people isn’t a viable option. What I’m referring to is making the most of the talent we already have. For example, our threat intel analysts are closely following the challenges and details surrounding emerging threats that may target us. They’re looking forward, to be proactive. Meanwhile, incident responders possess a deep understanding of attacks against an organization. They’re looking at the past and what happened to react. But what if they could share their respective vantage points to better mitigate risk? What if threat intel analysts could use learnings from the past to help them be more proactive? And what if incident responders could get data from those looking forward that may help to surface something in their efforts? They’re each a great source for additional context; imagine the impact if they could work together and learn from each other. But they don’t because it isn’t part of their normal workflow and, therefore, isn’t easy.
In most security operations, teams and even individual analysts work in their own respective silos. They use specific tools and different data points to analyze and bring their part of the picture into focus. Under pressure to assess a situation, make a recommendation and act, security experts often operate without context of the entire issue at hand. Without knowledge of how an attack played out in the past – who patient zero was, how the adversary moved laterally and how the data breach occurred – threat intel analysts can’t accurately assess and prioritize a threat and thus accelerate mean time to detection (MTTD). Likewise, when an attack happens, incident responders don’t know that this is a threat that analysts have been tracking for some time and have documented information about the adversary and mode of operation – their tactics, techniques and procedures (TTPs). Access to this information can facilitate investigations and help to accelerate mean time to remediation (MTTR).
So, what can we do to tap into that knowledge about the past to understand more fully what is happening today and even anticipate what may happen in the future? The tools and data points security teams use often aren’t integrated, so sharing and collaboration is incredibly difficult and time consuming. And simply having a conference call during a crisis won’t suffice. What’s needed is a way for team members to document, store and share the same pool of threat data and evidence on an ongoing basis. Using visualization, they can see the work of others and identify key commonalities they would have otherwise missed. Commonalities that provide valuable context to a current investigation.
In a virtual cybersecurity situation room, team members can collaborate on investigations to detect threats faster, accelerate response and even anticipate what the future may hold. With a way to document, share and learn from history they can move from a reactive approach to proactively detecting and responding faster than ever before. The information already exists within your current systems and your teams’ brains. Like the National Archives, you need a place to store it centrally, share it broadly, update it continuously and facilitate ongoing dialogue and collaborative discovery.
