Cyberwar Incident Response at the Speed of Thought

In a combat situation, our soldiers wear and carry different types and amounts of equipment, compared to when they are on normal duties.

In some high-risk situations they’re expected to carry around 60 kilograms worth of kit, including their gun, ammunition, armour, helmet and boots.

That’s a lot to carry, especially as it could make them slower and less effective as a combat fighter and could even make them more of a target.

Now there are some clear differences between military and cyber defence, including the physical danger, the courage required and the severity of the consequences for combat soldiers. However, the same scenario applies to the teams of experts responsible for national and corporate cyber security.

How do we get the best equipment and tools into the hands of incident response teams and security personnel, so they can identify, respond and protect their digital assets at lightning speed?

The usual approach is to look for the best-of-breed security products (or services) to fill every slot in a specific organisation’s technology architecture.

The “best” product in its class will be adopted and deployed if it can prove its superiority in a particular situation.

With today’s relentless threat environment, reducing the likelihood of security incidents and stopping attacks has become such a constant battle that security departments have implemented a huge variety of complex and unproven tools and techniques.

However, these security personnel are far less effective than they could be if they built their detection and incident response systems from the ground up, with speed as the goal and with leverage drawn from each and every tool and practice.

Attackers are becoming ever more sophisticated and, as a result, it is becoming increasingly difficult for Australian organisations to identify and stop them before they reach their goal.

Although detection technologies, threat intelligence sharing and incident response processes are improving, few are able to prevent an attack, and some cannot even identify that an attack has occurred until the damage has been done.

This can have huge legal and financial consequences – as well as a significant loss of customer trust, especially if disclosure is not handled well.

In the case of our combat fighter, every addition of a new piece of sophisticated technology, no matter how amazing it might be in a given mission scenario (like heavy support or demolition), needs to be balanced so that it makes the person wearing it more effective. And the same holds true for all things cyber.


CSOs get tired of hearing “breaches are inevitable”; however, infrastructure breaches are inevitable, because the enemies have asymmetry to their advantage.

They can pick the time, place and combat tool that suits them best to get into that particular environment. While that is true, being able to steal valuable information undetected once they are there is not inevitable.

At this point, the defender enjoys the advantage of the asymmetry provided; they can effectively detect and respond to incidents before the clock runs out, provided they have the right tools.

We therefore need to enable security departments to win these fights by responding super-fast to protect their information assets.

Hollywood and the James Bond movies in particular have done the security industry a tremendous disservice.

Ben Whishaw, who plays Q, is the one we see most often looking at a wall of giant computer screens, tracking people on closed-circuit television cameras or trying to trace insidious hackers who are counter-hacking MI6's hacking.

He also lectures Bond about how he can do more damage with his laptop in his PJs than Bond can do with his gun. James Bond also made it look terribly easy to breach his boss M’s top secret spy database in the latest Bond movie, Spectre.


Breaching a highly secure national security system or corporate network is not an easy feat. It takes time to infiltrate, expand and own that environment; it can’t be done within a few seconds, as in the movies.

In the real world, CSOs are playing a cat-and-mouse game that they can win with the right tools applied in the right places. By equipping the right people to take advantage of the asymmetry that they should have at their disposal, the battle against the attackers can be won.

Today everything is all about context: facts are cheap and are actually overwhelming. You see it in the news all the time: facts wash over us.

What we are starved of is context. We don’t want to know the fact that a particular nation has cut diplomatic relations with another or that a new security technology is available. We crave what these things mean and to whom.

The network is the place to instrument for enterprise-wide context. It is query-able, flexible and available for security personnel to ask questions without having to wonder how to ask them. In other words, done right, it lets investigators work at speed without hindrance.

At the end of the day, we have to put people in a position to enjoy asymmetry if we’re going to start beating attackers on our networks.


In the summer and autumn of 1940, a fierce battle raged over England for control of the skies: the Battle of Britain. The Brits brought three things to bear for effect.

First, they fully leveraged radar for unmatched visibility. Operational and tactical linking of radar with air command was essential for picking and choosing fights.

Second, the new Spitfire aeroplane was an amazing platform, able to put a stunning amount of metal on target in a short period of time thanks to eight forward-firing machine guns (which required a whole different wing design).

Finally, the pilots themselves were often young and relatively green.

This combination of radar, platform and pilot and a clear strategy of what to shoot at (the bombers, not the fighters protecting them) made the Battle of Britain a decisive victory against overwhelming odds and represented a turning point for Hitler.

This was not a quick battle, but was a fight for survival and, as Churchill would later put it: “Never in the field of human conflict was so much owed by so many to so few.”

We won’t win these battles by burdening ourselves with a massive set of tools that are over-engineered and over-architected for all sorts of functions and features.

Victory will come when we place the security incident responders at the centre and equip them with what they need to be most effective.

Only then can they take advantage of the natural asymmetry that can exist when you can finally home in on the real threats, validate and prove them and enable faster enterprise-wide response…and then keep getting faster, better and more accurate.


Stories by Nick Race
