Building a World-Class Network Defense Organization
“You will never reach your destination if you stop and throw stones at every dog that barks.” – Sir Winston Churchill
This summer our team has been traveling the globe with our message of cyber enlightenment. Through real-world accounts of how we’ve helped some of the world’s most prominent companies mature their cybersecurity posture, our analysts have inspired hope and doled out practical steps both practitioners and leadership can take to shore up their networks.
The Churchill quote cited above sums up the balancing act nicely – it’s about distractions and focus. The key to building a comprehensive network defense strategy is filtering out the distractions and focusing on what really matters.
Our own experience has taught us that aligning processes, technologies and people is the exercise that identifies distractions and restores focus. Here are three areas where we’ve helped organizations dispel myths that were holding them back from program progress and cybersecurity success.
Myth #1: “We have smart people. We can wing it. No framework or processes necessary.”
Case Study: After an incident occurred at a Fortune 500 financial organization, we were called in to help assess their network defense posture and develop a roadmap to transform and mature their cybersecurity program. One of our first observations was that, although they had assembled a team of very smart people, they didn’t have a consistent method to guide their network defense organization in performing its duties across all functions. They were all reading off different sheets of music – there was no consistent framework or set of processes to enable coordinated analysis of attacks, and of the intelligence derived from those attacks, to inform mitigations consistently across all of their processes, procedures and workflows.
What’s key in this case? Because of this they couldn’t agree on anything, and because they couldn’t agree, they couldn’t get a consolidated view of their threat landscape or agree on which mitigations to prioritize. They could tell you what they should be focused on – from what they read in the latest whitepapers and generic threat intel feeds – but when it came to what they must focus on – based on intelligence derived from within their own environment – they couldn’t agree.
The truth about processes:
You can outpace your adversaries if you all focus on the right things.
Once they were convinced that a consistent framework was needed to align their super smart team we were able to help walk them through next steps:
- Evaluate and select an analytical framework (the Cyber Kill Chain®)
- Organize and train the team around the framework to drive consistency and completeness in your investigations (EXCITE® Training)
- Commit to framing all of your investments and activities in the context of the framework (Download the Practical Guide to Measuring Cyber Resiliency and Effectiveness)
By following a framework, the organization could consistently analyze attacks, derive intelligence and attribute that intelligence to the actual adversaries. This enabled them to illustrate what their threat landscape looked like and they began to adopt a predictive mindset. We used a campaign heat map to track who, when and how attacks were being waged against our client.
The result? Patterns emerged, and a threat actor first identified by members of our Leidos team in 2007 showed up on the client’s campaign heat map in 2012. The cyber-threat stalking this organization had shifted its focus from defense contractors to financial organizations. Based on our historic knowledge of the actor’s tactics, techniques and procedures (TTPs), we were able to predict that the financial organization would see attack activity in the spring. They were able to put defensive measures in place before this eventual attack was executed. And right on cue, repeat activity was detected and successfully blocked in the spring of 2013.
Myth #2: “Customizing our tools for increased visibility will create more noise for our already over-allocated team.”
Case Study: We engaged with a large U.S. Utility during a time when the government was giving organizations a lot of incentives to secure the grid. The utility was diligent about investing in technologies meant to secure their critical assets but they weren’t seeing progress. Despite the investments in cybersecurity tools, they knew they were being attacked.
From the start of our partnership it was evident that they were hyper-focused on, and reliant on, tools. Because of that they fell into a “set it and forget it” mentality – reasoning that the vendors knew what they were doing and that would be good enough. Upon further investigation we identified two factors contributing to distraction. First, they had multiple tools alerting on the same activities, and this was causing more noise than their team could handle. Second, because they deployed their investments out-of-the-box, they were relying on template vendor settings to defend their unique environment. So in reality – even if they could wade through the duplicated alerts – they weren’t set up to focus on the things that mattered most to their organization.
The truth about technology:
More visibility means more opportunities for focus.
Once they were convinced that tuning their tools and technologies would empower their team to defend their unique network we were able to help walk them through next steps:
- Command a clear understanding of the technology portfolio
- Evaluate gear for effectiveness in defending against real attacks
- Plan for increased visibility by removing duplication and taking the time to customize technology
How did we get this done? Starting with a technology and capability assessment, we lined up their technologies against their analytic framework to determine areas of duplication, misalignment and gaps. Once completed, we considered how we could standardize so the utility was not chasing three or four alerts on the same threat.
The results of the exercise against the example chart above effectively illustrated that the organization’s most expensive technologies were in fact not blocking threats, whereas less expensive tools were getting 75% of the job done effectively. Additionally, the company was able to measure resiliency – true defense-in-depth against the actual threat landscape – by illustrating where each technology has the ability to defeat the adversary at multiple steps in the attack lifecycle. This information proved to be an invaluable asset to spark the necessary conversations with leadership that ultimately led to the required changes.
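The portfolio-versus-framework exercise described above, written out as an added example that is not the article’s own chart or tooling: a Cyber Kill Chain coverage matrix over a constructed tool portfolio (the tool names, phases and coverage entries are assumptions, not a real client’s), used to surface gaps, duplicated detection, detect-only tools and a resiliency count of phases where the adversary can be stopped.

```python
# Added example: kill chain coverage matrix for a tool portfolio.
# Tools, phases and coverage entries below are constructed for illustration.
from collections import defaultdict

KILL_CHAIN = ["recon", "weaponization", "delivery", "exploitation",
              "installation", "c2", "actions"]

# tool -> {phase: set of actions the tool can take at that phase}
# Actions use the course-of-action vocabulary: detect, deny, disrupt.
PORTFOLIO = {
    "mail_gateway":  {"delivery": {"detect", "deny"}},
    "web_proxy":     {"delivery": {"detect"}, "c2": {"detect", "deny"}},
    "ids":           {"delivery": {"detect"}, "c2": {"detect"}},
    "edr":           {"exploitation": {"detect", "disrupt"},
                      "installation": {"detect", "deny"}},
    "expensive_box": {"delivery": {"detect"}},  # alerts only, blocks nothing
}

BLOCKING = {"deny", "disrupt"}


def coverage(portfolio):
    """Return phase -> {action -> set of tools providing it}."""
    cov = {p: defaultdict(set) for p in KILL_CHAIN}
    for tool, phases in portfolio.items():
        for phase, actions in phases.items():
            for action in actions:
                cov[phase][action].add(tool)
    return cov


def gaps(portfolio):
    """Phases where no tool takes any action: the adversary walks through."""
    cov = coverage(portfolio)
    return [p for p in KILL_CHAIN if not cov[p]]


def duplication(portfolio, threshold=3):
    """(phase, action) pairs covered by `threshold` or more tools: the
    'three or four alerts on the same threat' problem."""
    cov = coverage(portfolio)
    return {(p, a): sorted(tools) for p in KILL_CHAIN
            for a, tools in cov[p].items() if len(tools) >= threshold}


def detect_only(portfolio):
    """Tools that alert somewhere but never deny or disrupt at any phase."""
    return sorted(t for t, phases in portfolio.items()
                  if not any(BLOCKING & acts for acts in phases.values()))


def resiliency(portfolio):
    """Count of distinct phases at which at least one tool can stop the adversary."""
    cov = coverage(portfolio)
    return sum(1 for p in KILL_CHAIN
               if any(cov[p].get(a) for a in BLOCKING))
```

Plotting the matrix with tools as rows and phases as columns gives the defense-in-depth view the article describes; the functions above are the numbers behind that chart.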
Follow-on projects included putting the newly tuned and integrated technologies through their paces. We conducted an APT simulation using known advanced persistent threat indicators to evaluate if and how the implemented tools detected and blocked simulated attacks.
Myth #3: “Network defenders are all cut from the same cloth.”
Case Study: A major Oil & Gas company running three security operations centers (SOCs) around the globe brought us in to consult on their staffing project. Although they had an ambitious initiative planned – to fill 30 analyst positions across three SOCs in 18 months – we were well positioned to assist, having just come off a similar activity internally.
The first thing we had to do was dispel the myth that network defenders are all cut from the same cloth. A common pitfall when hiring cyber talent is that recruiters tend to look for standard resume bullet points that indicate a computer science or forensics background.
The truth about people:
Process and technology can be taught but a hunger to keep learning is a gift.
Focus on hiring talent that displays an analytical mindset.
Some of our best analysts are not computer science or forensics majors. Our bench is stacked with individuals from diverse backgrounds such as law, psychology, music – but there’s one common thread – an analytical mindset. Once this organization bought into this new way of thinking about new hires we were able to help walk them through next steps:
- Cast a wider net when recruiting and interviewing
- Look to cultivate talent from within the organization
- Incentivize with training and new challenges
A resume heavy on technology-specific certifications and experience may indicate that a candidate is too dependent on tools. So we coached this organization’s hiring team to ask more thought-provoking, critical-thinking-centric questions to draw candidates out and see how they solve problems.
The client met their goal – 30 analysts in 18 months.
The next challenge? How do we keep them around? Good analysts are retained by good training programs that keep them up-to-date on the ever-evolving threat landscape and the tools being used both to attack and to defend.
In the end we helped them change their hiring mindset, prepare proper job descriptions and detailed professional development tracks to better align their team to meet business objectives.
You will never reach your destination (mature cybersecurity posture) if you stop and throw stones at every …
… workflow preference
… out-of-the-box vendor technology
… stereotypical network defender.