Welcome to 2020! It’s the “Year of the Rat” according to the Chinese zodiac. It’s an Olympics year, with the Summer Games to be held in Tokyo. It’s a presidential election year in the United States. And for security professionals, it’s another year of playing catch-up to the bad guys. Given that 20/20 is the recognized bar for clarity of vision, I’d like to suggest we make it the year for visibility and understanding of threats.
Security professionals know that you can’t protect against what you cannot see. But it isn’t just a matter of seeing, it’s about clarity which comes from understanding. Organizations can see the threats they face through logs and alerts, but that doesn’t mean they have clarity. They need context to understand the who, what, where, when, why and how. Threat intelligence can help; however, the challenge for companies is they have multiple data feeds, some from commercial sources, some open source, some industry and some from their existing security vendors – each in a different format. On top of that, each point product within their layers of defense has its own intelligence. All that data is great, but without some way to bring clarity it can look more like blurry lines on an eye chart.
Most of us don’t have 20/20 vision naturally. So, we put on our glasses or contact lenses and those blurry lines come into focus. Thankfully, as a security professional you also have several corrective measures available so you can efficiently and effectively make sense of massive volumes of data, understand what to work on next and know the right actions to take.
It starts with a way to collect and manage all that data. Having a platform that serves as a central repository – aggregating all the sources of threat intelligence, translating it into a usable format, and augmenting and enriching it with context – allows you to begin to analyze data and prioritize it for action.
But there’s another challenge. Most organizations have multiple teams responsible for various aspects of security – the Security Operations Center (SOC), Incident Response (IR), Risk Management, Vulnerability Management, Endpoint and Network teams, and more. These teams act independently and inefficiently with limited visibility into the tasks other teams or team members are performing. With different people and teams working on independent tasks, it’s incredibly difficult to look for patterns to accelerate investigations, hunts and response.
This is where visualization comes in. With a platform that also embeds visualization in a collaborative environment, analysts and teams can share intelligence, work together and see patterns more clearly. Investigations, threat hunting and incident response improve because rather than being overwhelmed by all the possible avenues to pursue, it becomes easier to see key commonalities you may have otherwise missed. Linkages between threat data and evidence, and visibility into incident, adversary and campaign timelines provide valuable insights that accelerate your work. With shared visibility, teams can discover attack patterns more quickly and coordinate next steps to remediate malicious activity.
Finally, let’s not overlook the importance of hindsight, which is 20/20. Understanding the past helps us to anticipate and be proactive about future threats. So, the platform must store investigations, observations and learnings about adversaries and their tactics, techniques and procedures (TTPs). Analysts can search for and compare indicators across the infrastructure and find matches between high-risk indicators and internal log data that suggest possible connections. As new data and learnings are added to the platform, new patterns and linkages are revealed that enrich ongoing investigations and response and trigger new security operations activity.
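As an added example, not code from this post or from any vendor platform it alludes to, here is the aggregate-normalize-match loop described above in miniature: three constructed feed snippets in three different formats are folded into one indicator store, confidence is carried over from the highest-scoring source, and the store is then checked against constructed internal log lines so the highest-confidence matches surface first. Feed formats, field names and the scoring rule are all assumptions.

```python
import json
import re

# Constructed sample feeds: the same IP arrives from three sources in three formats.
CSV_FEED = "203.0.113.7,ipv4-addr,90\n198.51.100.22,ipv4-addr,70\n"   # value,type,confidence
JSON_FEED = '[{"pattern": "[ipv4-addr:value = \'203.0.113.7\']", "confidence": 60}]'  # STIX-like
VENDOR_FEED = "ioc=203.0.113.7 type=ipv4-addr score=80\nioc=evil.example type=domain score=65\n"

# Constructed internal log lines (firewall and DNS) to match the indicators against.
LOGS = [
    "2020-01-06T10:01:02Z fw allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2020-01-06T10:01:09Z fw allow src=10.0.0.9 dst=192.0.2.44 dport=80",
    "2020-01-06T10:02:30Z dns query=evil.example client=10.0.0.5",
]

def add(store, value, ind_type, confidence, source):
    """Merge one observation into the store; keep every source and the max confidence."""
    rec = store.setdefault(value, {"types": set(), "sources": set(), "confidence": 0})
    rec["types"].add(ind_type)
    rec["sources"].add(source)
    rec["confidence"] = max(rec["confidence"], confidence)

def normalize(csv_feed, json_feed, vendor_feed):
    """Aggregate three feed formats into one dict keyed by indicator value."""
    store = {}
    for line in csv_feed.splitlines():                     # plain CSV rows
        value, ind_type, conf = line.split(",")
        add(store, value, ind_type, int(conf), "csv")
    for obj in json.loads(json_feed):                      # STIX-style pattern strings
        m = re.search(r"\[(\S+):value = '([^']+)'\]", obj["pattern"])
        if m:
            add(store, m.group(2), m.group(1), int(obj.get("confidence", 0)), "json")
    for line in vendor_feed.splitlines():                  # vendor key=value lines
        m = re.match(r"ioc=(\S+) type=(\S+) score=(\d+)", line)
        if m:
            add(store, m.group(1), m.group(2), int(m.group(3)), "vendor")
    return store

def match_logs(store, logs, min_confidence=50):
    """Return (log_line, indicator, record) hits, highest confidence first.
    Indicators must appear as whole tokens so 203.0.113.7 does not match 203.0.113.70."""
    hits = []
    for line in logs:
        tokens = set(re.split(r"[\s=,]+", line))
        for value, rec in store.items():
            if value in tokens and rec["confidence"] >= min_confidence:
                hits.append((line, value, rec))
    hits.sort(key=lambda h: -h[2]["confidence"])
    return hits

if __name__ == "__main__":
    for line, value, rec in match_logs(normalize(CSV_FEED, JSON_FEED, VENDOR_FEED), LOGS):
        print(rec["confidence"], value, sorted(rec["sources"]), "<-", line)
```

An indicator corroborated by several feeds keeps all of its sources in the record, which is the context an analyst needs when deciding what to work on next.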
When security efficiency and effectiveness hinge on 20/20 clarity, the significance of this year isn’t lost on me. I welcome 2020 for many reasons, not the least of which is the visibility and deeper understanding of threats that security professionals can now use to accelerate security operations and better protect their organizations.