Vicious to virtuous: using analysis to create an effective cyber defense
An evolving threat landscape, persistent adversaries, and a shortage of talent and skills are some of the reasons security teams struggle to successfully defend their organizations. However, the biggest roadblock to a successful defense is often self-inflicted.
The Vicious Cycle of Computer Network Defense
More often than not, security organizations operate their computer network defense in a “vicious cycle.” This revolving pattern starts when something bad happens—an attack, network breach, system intrusion, etc. While it’s difficult to prevent bad things from happening, what triggers the vicious cycle is the presence of gaps that allow an attack to succeed. These gaps can be any number of things, from people to technology to process, that prevent an intrusion from being detected, analyzed, or stopped in time.
What follows is a firefight—all-hands-on-deck to fix the problem. While firefighting isn’t a bad thing, when you’re in an emergency response mode you don’t have a chance to find and fix the gaps that created the situation.
The result is that the gaps are never addressed to prevent a similar intrusion from happening again. You then become stuck in a vicious cycle in which one negative outcome leads to more negative outcomes.
Making the Move to a Virtuous Cycle of Cyber Security
While the vicious cycle shows how easily security teams can be trapped by good intentions, there is an alternative—the “virtuous” cycle of security. This cycle serves as the underlying enabler for an organization to reach a level where defense is both effective and efficient.
By using three critical building blocks, security officers can build a “virtuous cycle” that produces a defendable enterprise.
- Visibility
Visibility is the first building block of a virtuous cycle. You need to be able to see what’s happening across your entire enterprise, as well as what adversaries are doing across the entire attack lifecycle. In most environments, visibility is primarily a technology challenge – getting the right platforms in the right places to gain visibility. There can also be organizational challenges, political hurdles, or ownership red tape. Look for platforms that meet multiple needs (e.g., compliance and visibility), or look for “read-only” opportunities to gain visibility from existing platforms without creating turf battles with their current owners.
Assessing your visibility early and often is good practice. Understand where gaps still exist and where purpose-built technologies (network sensors, host-based agents, or log collection) might close the most critical ones. Analysis frameworks can help here by mapping your existing coverage against each stage of the attack lifecycle, so that end-to-end visibility is either confirmed or created.
- Human Analysis
Once you have that visibility, you can more easily detect incidents and then analyze them to learn how, where, when, and why they happened. To do that you need focused, skilled analysts who execute structured, disciplined, thorough analysis: analysts who seek to understand and drive results, not just respond to alerts and check off boxes.
Unfortunately, this is where we see the virtuous cycle break down. Analysis is helpful, but its benefits aren’t realized until the resulting intelligence is applied to close gaps and strengthen the defensive posture.
- Organizational Buy-In
And finally, to successfully create a virtuous cycle you need organizational support from top to bottom. This can be tricky because results aren’t always immediately visible, and executing thorough, structured analysis may affect existing metrics in negative ways (e.g., “mean time to closure” for tickets is likely to increase if analysts begin measuring completeness objectively and move to a more exhaustive analysis approach). It is important to communicate the objectives and future impact of these changes realistically to build support. Highlight the progress as the cycle begins to build, even if the wins are small to start.
Get analysts on board by showing the potential for greater impact and more measurable success. Make sure they’re empowered to execute on this approach and drive the cycle; otherwise, buy-in will disappear as analysts run into artificial roadblocks.
Security teams that have fallen victim to the vicious cycle of chasing alerts and measuring success by volume rather than victories can break the cycle and become a defendable enterprise. It doesn’t happen overnight, but by doing these activities over and over again, you nurture the cycle and reap the benefits.
Looking for a partner to jump-start your virtuous cycle?
Learn more about Leidos Managed Detection and Response and how it balances robust visibility, human analysts, and leading tradecraft to enable predictive prevention. Contact a cybersecurity expert today to get started.