This year’s FOSE conference featured two separate panel tracks on Cybersecurity: “Program and Policy Management” and “Tactics, Tools, and Technologies”. Each track examined Security Innovations, Continuous Monitoring, Threat Intelligence, Security and ROI, Insider Threat, and New Attacks.
I participated on a panel titled ‘Threat Intelligence – New Products and Their Payoff,’ moderated by Mischel Kwon, former US-CERT Director, and featuring John Watters, CEO of iSIGHT Partners, and Rick Howard, GM of Verisign's iDefense group. We had a great conversation within the panel and among attendees about cybersecurity in government.
We touched on some really interesting points on the shifting perspectives in cybersecurity, looking into the tactics, techniques, and procedures (TTP) that have largely failed to protect enterprise infrastructure. We also discussed the ever-expanding connectivity of vendor and partner networks, which is continually creating a large and very dynamic ecosystem. No question - we were out to slay some dragons.
John Watters kicked off the discussion with a commentary on the “3 Pillars” approach, which includes:
- Attack surface – What network assets are at greatest risk for targeted attacks that could expose and compromise sensitive data? This includes the extended enterprise and information chain assets. This is the screen 3 inches in front of the defender's face. This is where security practitioners have historically operated, with little focus on the other pillars.
- TTP (tactics, techniques, and procedures) – How sophisticated is the attacker? What leverage do they have? What is their end goal? How will they use what is gained from this event to fuel another event?
- Attacking infrastructure – Where is the attack coming from? Is it from malicious IPs communicating with internal network assets? How do we attribute? This approach aligns with understanding the screen 3 inches in front of the attacker's face.
Rick, John, and I described how advocates of such a framework might set up and manage a cybersecurity risk organization that aligns tightly with business operations and embraces these pillars.
To many, that sounds hard, but it is possible. For security practitioners who grew up within a solely technical, ‘stop any and all security events, and don’t worry about business continuity, resiliency and other priorities’ approach, it is a significant, but clearly necessary, course correction.
We also talked about the opportunity for technicians who don't currently think in terms of business needs and business risks, and who can't yet contextualize threat actors, motives, attack surface, TTP, and attacking source. By implementing these pillars, they can align business needs with the shifts in security demands and integrate security components seamlessly with core business objectives.
Spending time with people like Mischel, John, and Rick is incredibly interesting and thought provoking for me. The more than half a decade of R&D work we've done at Lookingglass will clearly pave the way for operationalizing the kind of methodology and mindset we discussed. In addition, it will challenge the industry to focus and prepare better for whatever comes next. As I said in the session – “Getting threat intelligence and situational awareness is like looking at a weather radar - it won't keep it from raining, but it will tell you when you need an umbrella and boots.”
Oh - and it might get you promoted too… Thanks