
The Great Enterprise IT Security Advantage: Situational Awareness

Armed With the Right Information, You Can Make Intelligence-driven Decisions to Help Better Defend the Enterprise

Ever wonder why Frederick the Great was called Frederick the Great? Probably not, but I’ll tell you anyway. Frederick II, King of Prussia, somehow managed to offend France, Austria, Russia, Saxony and Sweden at the same time. So, during the Seven Years' War (1756–1763), those countries’ armies laid siege to Frederick’s kingdom. But Frederick was smart enough to identify immediate threats, concentrate his forces, and move effectively against one enemy at a time. What’s more, he built up strong points and used terrain to his advantage. Although he didn’t win the war, he did manage to hold off his enemies long enough for a favorable diplomatic solution to be reached. That’s why he’s “the Great.”

Now, do you wonder what relevance all of this has to enterprise security? Well, Frederick the Great had great vision when it came to individual battles and the entire theater of war. In other words, he had superb situational awareness. And it’s something that every IT security manager needs in spades.

Given today’s ultra-dangerous cyber landscape, IT security managers can’t afford to be blindsided. There has to be a way to identify the threats that are out there, what they are capable of, and what you can do in real time to defend your organization.

Situational awareness requires collecting, identifying, processing, and comprehending data from internal as well as external sources. Armed with that information, you can then produce actionable information for making decisions on the operation and defense of your organization.

Why Unawareness Is the Status Quo

There are well-entrenched challenges to gaining situational awareness and becoming fully proactive. Overcoming them reduces the “time to root cause” and improves timely decision-making based on well-rounded, complete data sets. The specific reasons why an organization is “situationally unaware” are unique to that enterprise. However, there are patterns to watch for:

Siloed IT departments. When this is the case, everyone knows what’s going on in front of their noses, but no one knows what the big picture looks like. Incidents are investigated in isolation, without collaboration.

Untapped historical data. If enterprises are collecting logs, it is usually for compliance reasons. IT managers seldom recognize the value historical data can hold for identifying ongoing attacks and predicting future ones.

Unavailable critical data. Data that can turn back an attack is needed during the event, not resurrected from logs after the fact. And yet, because of inadequate, disparate tools and siloed organizations, the necessary data for real-time decision-making is difficult to find, hard to interpret, lost, or drowned out by all the other data.

Inability to make accurate predictions. Without historical data, easily accessible current data, and an efficient way to analyze them, an organization can’t predict where the next attack or security breach will occur and adjust security systems accordingly. You can’t put effective countermeasures in place if you don’t know enough about the threats you’re supposed to be countering.

Collective myopia. Those in charge of enterprise security need to be able to see beyond the network perimeter. Sure, most organizations are diligent about probing for Microsoft vulnerabilities, but what about threats to Adobe, Apple, and Oracle applications? Far too often, nobody is tracking those threats and patching accordingly. Also, few organizations track vulnerabilities related to their specific business or vertical industry. A larger perspective or “wide-angle lens” that takes in what is happening beyond the network perimeter is a necessity today.

Seeing the Trees and the Forest

Here are some key action items that can help you maintain a broader focus.

Centralize logs for easy, timely analysis. Gather all logs in one place, and make them accessible from a central web user interface. That way, multiple teams within IT can see the whole picture. What’s more, your staff will be able to analyze events and logs as they materialize, over longer periods, or with focus on a particular point in time. Compliance becomes easier, too, as it can become second nature to preserve event data and details according to forensic best practices.

Track predators in the wild. Provide your IT administrators with technologies and intelligence that enable viewing new threats outside the perimeter, filtering out irrelevant noise such as vulnerabilities affecting applications you don’t use, and homing in on the threats that matter. Policies and thresholds linked to risk should trigger automated activation of countermeasures, and alert you to the highest-priority events that could damage your organization’s risk posture, reputation, and assets.

Know what’s coming down the pike. Deploy solutions that enable quick access to pertinent information for analysis and forecasting—information that can be correlated about your infrastructure, as well as threat feeds about the latest vulnerabilities that may affect your applications, servers, endpoints, and network. This lets you know when and where threats are likely to emerge, so you can minimize their impact and limit your risks.
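As an added illustration (not code from this column or from McAfee), here is the noise filtering and risk-threshold alerting described in the two items above: a threat feed is correlated against an asset inventory, advisories for software you don’t run are dropped, and a risk policy decides what gets alerted. The inventory, feed, identifiers and scoring formula are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    vuln_id: str      # constructed placeholder id, not a real CVE number
    product: str
    cvss: float       # CVSS base score, 0.0 to 10.0
    exploited: bool   # feed reports exploitation in the wild

# Constructed asset inventory: product -> (instance count, business criticality 1-5)
INVENTORY = {
    "adobe-reader": (900, 2),
    "oracle-db": (3, 5),
    "ms-office": (1200, 3),
}

# Constructed threat feed; "erp-suite" is not deployed and should be filtered out as noise.
FEED = [
    Advisory("VULN-0001", "adobe-reader", 7.8, True),
    Advisory("VULN-0002", "erp-suite", 9.8, True),
    Advisory("VULN-0003", "oracle-db", 6.5, False),
    Advisory("VULN-0004", "ms-office", 8.8, False),
    Advisory("VULN-0005", "adobe-reader", 4.3, False),
]

def risk_score(adv, count, criticality):
    """Illustrative formula: severity x (0.5 + exposure) x criticality, doubled if exploited."""
    exposure = min(count, 1000) / 1000   # cap so sheer count cannot swamp criticality
    base = adv.cvss * (0.5 + exposure) * criticality
    return round(base * (2.0 if adv.exploited else 1.0), 1)

def prioritize(feed, inventory):
    """Keep only advisories for software you actually run, ranked by risk (highest first)."""
    ranked = []
    for adv in feed:
        if adv.product not in inventory:
            continue                     # noise: vulnerability in something we don't use
        count, crit = inventory[adv.product]
        ranked.append((risk_score(adv, count, crit), adv))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked

def alerts(ranked, threshold):
    """Policy: anything at or above the risk threshold raises an alert for the SOC."""
    return [adv.vuln_id for score, adv in ranked if score >= threshold]

if __name__ == "__main__":
    ranked = prioritize(FEED, INVENTORY)
    for score, adv in ranked:
        print(f"{adv.vuln_id} {adv.product:<13} risk={score}")
    print("alert on:", alerts(ranked, 30.0))
```

With the constructed data, the exploited Adobe Reader advisory and the widely deployed Office advisory cross the threshold, the ERP advisory never appears because nothing in the inventory runs it, and the same inventory would let you re-run the ranking as new feed entries arrive.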

Going on the Offensive

In an ideal world, every security manager would be able to assess his or her organization’s security ecosystem at any given time and be able to say, “We’re covered.” But for that to happen:

1. Risks must be known and acted upon with speed and intelligence.

2. Incoming events must be logged and scrutinized in real time.

3. Threats must be identified and anticipated before they become full-blown attacks.

Think of it as a Triple Option offense that lets you:

1. Know Your Risks - “What am I at risk from?” “Where am I at risk?” “Which risk should I pay attention to first?” Innovative technologies exist today that can answer these questions in a way that is easily accessible to everyone on your security staff, when and where they need the information. In terms of situational awareness, these technologies can give your personnel what they need to know now so they can take effective countermeasures in a timely manner. Every security staffer can be transformed into a quarterback with extraordinary vision.

2. Respond in Real Time - Until recently, a lot of security experts shied away from Security Information and Event Management (SIEM) technologies—justifiably. That’s because they were difficult to implement and took what seemed like years to deliver information of any value. But those were yesterday’s technologies. Today’s most advanced SIEM solutions can respond to queries with astounding speed—giving you situational awareness while you still have time to act. So you can forget the days of looking in the proverbial rear-view mirror and saying, “Bummer, we really should have done something about that.” With today’s SIEM solutions, your people can be like a dominant offensive line, out-muscling attackers in real time.

3. Grasp the Big Picture - For this one, you need a vendor partner capable of providing threat intelligence 24/7 on a global scale. In this day and age, nothing less than a comprehensive, real-time, reputation-based service is required to help your team protect your organization against cyber threats across all vectors—file, web, message, and network. Stretching the football metaphor one step further, this cloud-based threat intelligence service is like the coach who’s high up in the press box getting a bird’s-eye view of the entire field of battle.

There are great quarterbacks known for their acute vision, and there are offensive lines notorious for keeping their opponents on their heels. But quarterbacks can be blindsided and even the best offensive lines can’t stop every threat. The coach up in the stands, on the other hand, is above the fray, with the best vantage point in the world.

My advice? For total situational awareness, make sure your organization’s IT security apparatus has a field of vision comparable to the best quarterback, the toughest offensive line, and the perfectly positioned coach. And, next thing you know, they’ll be calling you __(your name here)__ the Great.

Eric Schou is a Group Product Marketing Manager at McAfee. He is currently a part of the Security Management Group. Before joining McAfee, Schou spent more than 15 years in the security and storage industry.