Cyberwar Incident Response at the Speed of Thought
- 12 April, 2016 09:51
In a combat situation, our soldiers wear and carry different types and amounts of equipment, compared to when they are on normal duties.
In some high risk situations they’re expected to carry around 60 kilograms worth of kit, including their gun, ammunition, armour, helmet and boots.
That’s a lot to carry, especially as it could make them slower and less effective as a combat fighter and could even make them more of a target.
There are clear differences between military and cyber defence, including the physical danger, the courage required and the severity of the consequences for combat soldiers; however, the same scenario applies to the teams of experts responsible for national and corporate cyber security.
How do we get the best equipment and tools into the hands of incident response teams and security personnel, so they can identify, respond and protect their digital assets at lightning speed?
The usual approach is to look for the best-of-breed security products (or services) to fill every slot in a specific organisation’s technology architecture.
The “best” product in its class will be adopted and deployed if it can prove its superiority in a particular situation.
With today’s relentless threat environment, reducing the likelihood of security incidents and stopping attacks has become such a constant battle that security departments have implemented a huge variety of complex and unproven tools and techniques.
As a result, these security personnel are far less effective than they could be if they built their detection and incident response systems from the ground up, designed them for speed, and got the most out of each and every tool and practice.
Attackers are becoming ever more sophisticated and, as a result, it is becoming increasingly difficult for Australian organisations to identify and stop them before they reach their goal.
Although detection technologies, threat intelligence sharing and incident response processes are improving, few are able to prevent an attack, and some cannot even identify that an attack has occurred until the damage has been done.
This can have huge legal and financial consequences – as well as a significant loss of customer trust, especially if disclosure is not handled well.
In the case of our combat fighter, every addition of a new piece of sophisticated technology, no matter how amazing it might be in a given mission scenario (like heavy support or demolition), needs to be balanced so that it makes the person wearing it more effective. The same holds true for all things cyber.
CSOs get tired of hearing “breaches are inevitable”; however, infrastructure breaches are inevitable, because the enemies have asymmetry on their side.
They can pick the time, place and combat tool that suits them best to get into that particular environment. While that is true, being able to steal valuable information undetected once they are there is not inevitable.
At this point the asymmetry shifts to the defender’s advantage: they can effectively detect and respond to incidents before the clock runs out, provided they have the right tools.
We therefore need to enable security departments to win these fights by responding super-fast to protect their information assets.
Hollywood and the James Bond movies in particular have done the security industry a tremendous disservice.
Ben Whishaw, who plays Q, is the one who we see most often looking at a wall of giant computer screens, tracking people on closed-circuit television cameras or trying to trace insidious hackers who are counter-hacking MI6's hacking.
He also lectures Bond about how he can do more damage with his laptop in his PJs than Bond can do with his gun. James Bond also made it look terribly easy to breach his boss M’s top secret spy database in the latest Bond movie, Spectre.
Breaching a highly secure national security system or corporate network is not an easy feat. It takes time to infiltrate, expand and own that environment; it can’t be done within a few seconds, as in the movies.
In the real world, CSOs are playing a cat-and-mouse game that they can win with the right tools applied in the right places. By equipping the right people to take advantage of the asymmetry that should be at their disposal, the battle against the attackers can be won.
Today everything is all about context: facts are cheap and are actually overwhelming. You see it in the news all the time: facts wash over us.
What we are starved of is context. We don’t want to know the fact that a particular nation has cut diplomatic relations with another or that a new security technology is available. We crave what these things mean and to whom.
The network is the place to instrument for enterprise-wide context. It is queryable and flexible, and available for security personnel to ask questions without having to wonder how to ask them. In other words, done right, it lets investigators work at speed without hindrance.
At the end of the day, we have to put people in a position to enjoy asymmetry if we’re going to start beating attackers on our networks.
In the summer and autumn of 1940, a fierce battle raged over England for control of the skies: the Battle of Britain. The Brits brought three things to bear for effect.
First, they fully leveraged radar for unmatched visibility. Operational and tactical linking of radar with air command was essential for picking and choosing fights.
Second, the new Spitfire airplane was an amazing platform, able to put a stunning amount of metal on target in a short period of time thanks to eight forward-firing machine guns (which required a whole different wing design).
Finally, the pilots themselves were often young and relatively green.
This combination of radar, platform and pilot and a clear strategy of what to shoot at (the bombers, not the fighters protecting them) made the Battle of Britain a decisive victory against overwhelming odds and represented a turning point for Hitler.
This was not a quick battle, but was a fight for survival and, as Churchill would later put it: “Never in the field of human conflict was so much owed by so many to so few.”
We won’t win these battles by burdening ourselves with a massive set of tools that are over-engineered and over-architected for all sorts of functions and features.
Victory will come when we place the security incident responders at the centre and equip them with what they need to be most effective.
Only then can they take advantage of the natural asymmetry that can exist when you can finally home in on the real threats, validate and prove them and enable faster enterprise-wide response, and then keep getting faster, better and more accurate.