When the theme, Human Element, was announced for RSA Conference 2020 (RSAC), I was gratified. It’s a topic I never tire of because not only do I believe that there is no “silver bullet” technology, I believe it’s the humans who really lead the way to greater security efficiency and effectiveness. So, while at the conference I took the opportunity to view everything through the lens of the human element. More specifically, what companies are doing to better support and enable the practitioners and leaders focused on cybersecurity. One example that stood out to me was the LEAD framework created by Adobe to help their internal security teams make better use of the vast amounts of threat intelligence they collect every day.
LEAD stands for ReLevant, Efficient, Analyst-driven and Deliverable. It’s a perfect example of the symbiosis between technology and people to strengthen security posture. The framework leverages the fact that security professionals are the ones who understand their environment and security profile and are able to define risk. They’re also the ones with the experience to determine the right action to take in their environment. With the right technology, they can apply their understanding, experience and intuition for greater security efficiency and effectiveness. Let’s take a closer look at each aspect of the framework.
Relevant – As security professionals, we need to change how we look at the threat landscape. Instead of an “us against the world” perspective, we need to focus on a very specific world, your threat landscape – which is where the threat landscape at large and your own infrastructure characteristics and configuration intersect. You need a platform that allows you to aggregate external threat data from the multiple sources you subscribe to – commercial, open source, government, industry and existing security vendors. You then need to augment and enrich it with internal threat and event data, for example from sources including your SIEM system, log management repository and case management systems. This is how you can define the intersection and ensure relevance to your specific organization.
Efficient – The next important task is to determine the right intelligence to focus on first and which can be kept as peripheral, so you can work efficiently. The ability to assign risk scores allows you to prioritize threat intelligence based on your risk profile. With parameters you set around source, type, attributes and context, as well as adversary attributes, you can filter out what’s noise for you and home in on what really matters to your organization.
Analyst-driven – The processes of identifying what’s relevant and using scoring for prioritization are ongoing and require that humans remain in the loop. With a platform that also incorporates learnings from your security team and automatically recalculates and reevaluates priorities on an ongoing basis, you can keep up with a changing threat landscape. This continuous feedback loop ensures you stay focused on what is relevant to mitigate your organization’s risk and work efficiently. What’s more, as you gain a deeper understanding of adversaries, you gain confidence in your decisions on what actions to take and the comfort-level you need to automate tasks to move faster.
Deliverable – With threat intelligence that is relevant, drives efficiencies and is analyst-driven, you can change how you communicate with your security infrastructure and to management. Applying relevant and prioritized threat data to your existing case management or SIEM solution allows these technologies to perform more efficiently and effectively – delivering fewer false positives. You can also use your curated threat intelligence to be anticipatory and prevent attacks in the future – automatically sending intelligence to your sensor grid (firewalls, IPS, EDR solutions, NetFlow, etc.) to generate and apply updated policies and rules to mitigate risk. And because you have greater insights into the threats you face, you can communicate more effectively about cybersecurity with your Board. You have the transparency you need to answer questions and provide greater detail in a clear and simple way that resonates with management and is relevant to the organization.
To derive the full value from external and internal threat intelligence, humans need to be involved at the right steps and time to effectively strengthen security posture. The LEAD framework demonstrates the necessary interplay between humans and technology. To learn more about the framework, watch the presentation Filip Stojkovski, Threat Intel Manager at Adobe, delivered at RSAC 2020.
