How to effectively organize cyber security with different investment choices
November 21, 2018
One of the greatest military strategists, Sun Tzu, once said: “Whoever is the first in the field and awaits the coming of the enemy, will be fresh for the fight; whoever is the second in the field and has to hasten to battle will arrive exhausted.” And yet defenders are constantly playing catch-up against adversaries despite having the first-mover advantage.
As cyber defenders, we need to recognize the simple fact that threat adversaries are highly organized and collaborative, whether organically or not. Threat actors who specialize in their own areas of expertise band together, whatever their motivation, and have proven potent and highly successful. The proliferation of underground marketplaces further proves the point. Yet most of the messaging from security vendors is about equipping organizations to defend in their own silos; it says very little about the collaborative nature of the threat landscape.
Let’s be candid: cyber security is never a core business for most organizations unless they are a security vendor or a services company. Thus, securing an IT budget and spending it specifically on security is always challenging. Business owners and executives will always measure with these two yardsticks:
- Return on investment
- Business impact of implementing vs not implementing
The simple answer to both is ‘relative’. Any security investment should be relative to the size and scale of the organization’s business, and cyber threat intelligence (CTI) is no different. Gone are the days when threat intelligence was offered as an add-on, like the toy in a happy meal. According to the SANS 2018 CTI survey, most respondents agreed that CTI is becoming more useful overall, especially to security operations teams, which has driven an increase in deployments of standalone CTI platforms.
Any organization starting a CTI program should realize that threat intelligence is a process. But that doesn’t necessarily mean it has to be manual or difficult, nor that it is cost-prohibitive, if one knows the right sources to draw from and how to consume them. There are plenty of quality open source and private threat feeds available; ShadowServer alone produces over 40 different types of feeds.
Recognizing, and more importantly owning, the collection of threat intelligence is critical. You should be empowered to dictate the collection effort regardless of format or method, and to use automation so that you can focus on the intelligence that matters most to your organization.
One of the biggest challenges is making sense of the indicators collected. Sure, there are tonnes of indicators of compromise out there, such as those provided by Brute Force Blocker by Daniel Gerzo or the vulnerable Netis router feed from ShadowServer. But a system that automatically enriches every indicator you collect and tells you the details behind every IP address can make a real difference: the country of origin, the network operator, which critical infrastructure it may belong to, the geolocation of the affected machine, or even the owning organization. Keep in mind that this context describes the network an address sits in, not necessarily the attacker behind it, and that geolocation is approximate; shared hosting, NAT and addresses that change hands mean the same IP can mean different things over time. With that context in hand, you can focus on the real intelligence, which requires a human touch.
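As an added example (not code from the original post, nor from any of the feed providers named above), here is a small Python pipeline of the kind just described: it pulls IP indicators out of two constructed feed excerpts, drops non-routable junk, enriches each address from a local prefix table with ASN, operator, country and sector, merges the results across feeds, and ranks them. The feed lines, the prefix table, the RFC 5737 documentation addresses standing in for public ones, and the ranking rule are all assumptions made for this example; a real deployment would consult a local copy of a routing and geolocation database instead of the hard-coded table.

```python
"""Collect IP indicators from several text feeds and enrich them with
network context from a local prefix table (added example, offline only)."""
import ipaddress
import re
from collections import defaultdict

# Constructed feed excerpts. FEED_A mimics a "one IP per line, '#' starts
# a comment" list; FEED_B mimics a CSV scan result. Real feeds differ in
# layout, so the parser is deliberately lenient.
FEED_A = """# brute-force reporter list (constructed for this example)
198.51.100.23   # last reported 2018-11-20, 5 hits
203.0.113.77    # last reported 2018-11-21, 12 hits
10.0.0.5        # internal scanner leaked into the feed: must be dropped
999.1.1.1       # malformed entry: must be dropped
"""
FEED_B = """# vulnerable-router scan results (constructed for this example)
timestamp,ip,port,tag
2018-11-21T03:00:00Z,203.0.113.77,53413,netis-backdoor
2018-11-21T03:00:05Z,192.0.2.9,53413,netis-backdoor
"""

# Constructed enrichment table: prefix -> (asn, operator, country, sector).
# Every value here is an assumption; a real table comes from a BGP/ASN
# and geolocation database held locally so lookups never leave the network.
PREFIX_TABLE = [
    ("198.51.100.0/24", 64500, "ExampleNet ISP", "DE", "isp"),
    ("203.0.113.0/24", 64501, "Example Hosting", "US", "hosting"),
    ("192.0.2.0/24", 64502, "Example Utility Co", "US", "critical-infra"),
]
NETWORKS = [(ipaddress.ip_network(p), asn, op, cc, sec)
            for p, asn, op, cc, sec in PREFIX_TABLE]

# Non-routable space that shows up in feeds as noise. The RFC 5737
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) stand in
# for public addresses in this example, so they are deliberately not listed.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def is_bogon(ip):
    return any(ip in net for net in BOGONS)


def extract_ips(text):
    """Yield each usable IPv4 address in a feed, skipping comments,
    malformed tokens and non-routable addresses."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        for token in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:                # e.g. 999.1.1.1
                continue
            if not is_bogon(ip):
                yield ip


def enrich(ip):
    """Longest-prefix match against the local table; None if uncovered."""
    best = None
    for net, asn, operator, country, sector in NETWORKS:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, operator, country, sector)
    if best is None:
        return None
    net, asn, operator, country, sector = best
    return {"prefix": str(net), "asn": asn, "operator": operator,
            "country": country, "sector": sector}


def build_report(feeds):
    """feeds: {source_name: feed_text}. Returns enriched records sorted so
    that indicators corroborated by several feeds come first, then those
    sitting in networks tagged critical-infra (ranking rule is an assumption)."""
    seen = defaultdict(set)
    for source, text in feeds.items():
        for ip in extract_ips(text):
            seen[ip].add(source)
    records = []
    for ip, sources in seen.items():
        ctx = enrich(ip) or {}
        records.append({
            "ip": str(ip),
            "sources": sorted(sources),
            "asn": ctx.get("asn"),
            "operator": ctx.get("operator"),
            "country": ctx.get("country"),
            "critical_infra": ctx.get("sector") == "critical-infra",
        })
    records.sort(key=lambda r: (-len(r["sources"]), not r["critical_infra"], r["ip"]))
    return records


if __name__ == "__main__":
    for record in build_report({"bruteforce": FEED_A, "router-scan": FEED_B}):
        print(record)
```

The ranking puts 203.0.113.77 first because two independent feeds report it, then 192.0.2.9 because its network is tagged as critical infrastructure, and the private and malformed entries never reach the report. Everything the analyst still has to decide (is the hosting provider's address a compromised customer or a bulletproof host?) is exactly the human-touch part the text refers to.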
That means far less alert fatigue and fewer mundane tasks of searching, querying and reading large amounts of text and reports, and more time spent on actionable events, whether you are an analyst, a sysadmin or a network admin. The same platform also lets your risk management team conduct threat assessments and helps your organization formulate its security strategy and policies. Justifying a security investment with hard evidence and metrics becomes much easier.