I really do not want to do this. I really do not want to use this quote, as it has been referenced hundreds of times too many already. But alas, I feel compelled to use it, as it is the best way to make my point…sigh.
“If you know the enemy and know yourself, you need not fear the results of a hundred battles.” – Sun Tzu, The Art of War
In the field of cybersecurity, this quote is now a cliché. When someone mentions it, everyone smiles and nods, and some murmur “of course.” But here is the dirty little secret … NO ONE IS DOING IT. We neither have the tools in place nor make the effort to understand our adversaries, and we neither have the tools nor make the time to know ourselves. No wonder we are losing the battle! We need to get back to fundamentals and understand what we are protecting and who we are defending against.
The 2018 Cost of a Data Breach study by Ponemon Institute finds that the average cost of a data breach globally is $3.86 million, a 6.4 percent increase from the 2017 report, with “mega breaches” (breaches of more than 1 million records) costing $40 million and more. It certainly doesn’t appear as if we’re winning many battles. That is in large part because we spend our time and effort buying more point products and building processes to address the latest threats, rather than on the fundamentals.
So, let’s get back to basics, starting with the need to know your adversaries. This requires threat intelligence. But this doesn’t necessarily mean you need more threat feeds. Most organizations already have more threat feeds than they know what to do with, from commercial sources, open source, government, industry and existing security vendors. In fact, much of this data is ignored because it’s difficult to discern what’s noise and what’s important. Some intelligence feed vendors provide “global” scores, but these can actually add to the noise, since a global score is not computed within the context of your company’s specific environment. To start to gain a deeper understanding of your adversaries, you need a way to aggregate these millions of global threat data points, deduplicate them and translate them into a uniform format, so that you have a single source of truth for every indicator regardless of which feed it came from.
You also need to know yourself. This requires situational understanding, which you begin to build by gathering and analyzing the internal intelligence, context and event data spread across your organization and housed within various systems and tools. Sources like security information and event management (SIEM) systems, log management repositories and case management systems contain events and associated indicators from inside your environment. Unfortunately, these systems aren’t being fully utilized for situational understanding. They can be difficult to access because they are usually “owned” by different security teams that exist in silos – the Security Operations Center, incident response, risk management, vulnerability management, malware, network and more. But the information these systems contain is essential to knowing yourself.
Now bring these two elements together. Through a platform that allows you to correlate all your internal threat and event data with external data on indicators, adversaries and their methods, you gain context to understand the who, what, where, when, why and how of an attack.
Knowing your adversaries and knowing yourself are the fundamentals – the first steps of many in the “art of war” with respect to cybersecurity. With an understanding of what you are protecting and what you are protecting it from, you can prepare a winning battle plan. You can adjust risk scores and prioritize threat intelligence based on parameters you set, filtering out what is noise for you: an indicator that has never been seen in your environment deserves far less attention than one observed on a critical asset, whatever its vendor-assigned score. And when you can focus your resources on what really matters, you can make better decisions that, ultimately, lead to more victories. Sun Tzu’s quote is overused, but its fundamental lessons definitely are not. We’re in a state of war and must get back to basics.
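To make the two steps concrete, here is an added example that is not part of the original post and does not come from any vendor’s platform. It normalizes three differently formatted feeds (a CSV with a 0–100 confidence, a JSON list with a 0–10 risk scale, and a plain text list with no scores) into one indicator store, then correlates those indicators with internal proxy log lines and replaces the global score with a local one driven by where the indicator was actually seen. The feeds, log lines, the “fin-” naming convention for critical hosts, the scoring weights and the `min_global` filter are all constructed assumptions for illustration.

```python
"""Normalize several threat feeds into one indicator set, then re-score each
indicator against internal event data. All inputs below are constructed samples."""
import csv
import io
import json
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Feed A (constructed): CSV with a vendor "global" confidence on a 0-100 scale.
FEED_A_CSV = """indicator,type,confidence
203.0.113.7,ip,90
bad-updates.example,domain,75
198.51.100.22,ip,60
"""
# Feed B (constructed): JSON with different field names and a 0-10 risk scale.
FEED_B_JSON = json.dumps([
    {"value": "bad-updates.example", "kind": "fqdn", "risk": 9},
    {"value": "c2.example", "kind": "fqdn", "risk": 8},
    {"value": "203.0.113.7", "kind": "ipv4", "risk": 4},
])
# Feed C (constructed): plain text, one indicator per line, no scores at all.
FEED_C_TXT = """# comment line
mirror.example
198.51.100.22
"""

# Constructed internal proxy log lines: the "know yourself" side.
INTERNAL_EVENTS = [
    "2018-08-01T10:00:01Z host=fin-ws-12 dst=bad-updates.example action=allow",
    "2018-08-01T10:00:02Z host=fin-ws-12 dst=mirror.example action=allow",
    "2018-08-01T10:05:09Z host=dev-ws-03 dst=bad-updates.example action=allow",
    "2018-08-01T11:12:44Z host=hr-ws-07 dst=cdn.example action=allow",
]
# Assumption: hosts whose names start with "fin-" are crown-jewel assets.
CRITICAL_HOST_PREFIXES = ("fin-",)

# Map each feed's type vocabulary onto one uniform vocabulary.
TYPE_ALIASES = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain", "fqdn": "domain"}


@dataclass
class Indicator:
    value: str
    itype: str
    sources: set = field(default_factory=set)
    global_scores: list = field(default_factory=list)  # all normalized to 0-100


def guess_type(value):
    """Feed C carries no type, so infer ipv4 vs. domain from the syntax."""
    return "ipv4" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value) else "domain"


def parse_feeds():
    """Aggregate all feeds into one dict keyed by indicator value (deduplicated)."""
    store = {}

    def add(value, itype, source, score):
        value = value.strip().lower()
        ind = store.setdefault(value, Indicator(value, TYPE_ALIASES[itype]))
        ind.sources.add(source)
        if score is not None:
            ind.global_scores.append(score)

    for row in csv.DictReader(io.StringIO(FEED_A_CSV)):
        add(row["indicator"], row["type"], "feed_a", float(row["confidence"]))
    for obj in json.loads(FEED_B_JSON):
        add(obj["value"], obj["kind"], "feed_b", obj["risk"] * 10.0)  # 0-10 -> 0-100
    for line in FEED_C_TXT.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        add(line, guess_type(line), "feed_c", None)
    return store


EVENT_RE = re.compile(r"host=(?P<host>\S+) dst=(?P<dst>\S+)")


def sightings(events):
    """Index internal events by destination so indicators can be correlated."""
    seen = defaultdict(list)
    for line in events:
        m = EVENT_RE.search(line)
        if m:
            seen[m.group("dst").lower()].append(m.group("host"))
    return seen


def local_score(ind, hosts, min_global=0.0):
    """Context-aware score: the global score only contributes a little; what
    matters is whether the indicator was seen inside, and on which assets."""
    avg = sum(ind.global_scores) / len(ind.global_scores) if ind.global_scores else 0.0
    if not hosts:
        # Never observed internally: mostly noise, and dropped entirely if its
        # global score is below the threshold the analyst configured.
        return 0.0 if avg < min_global else avg * 0.2
    score = 40.0 + 10.0 * min(len(hosts), 3)              # breadth of sightings
    if any(h.startswith(CRITICAL_HOST_PREFIXES) for h in hosts):
        score += 20.0                                     # touched a crown jewel
    return score + avg * 0.2


def prioritize(store, events, min_global=0.0):
    """Return (indicator, local score, number of feeds) tuples, highest first."""
    seen = sightings(events)
    ranked = [(ind.value, local_score(ind, seen.get(ind.value, []), min_global),
               len(ind.sources)) for ind in store.values()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for value, score, nsrc in prioritize(parse_feeds(), INTERNAL_EVENTS):
        print(f"{value:24s} local={score:5.1f} feeds={nsrc}")
```

Note how the ranking differs from the feeds’ own view: `mirror.example` arrives from a single unscored feed yet outranks `c2.example` (a high global score, never seen internally) because a finance workstation actually talked to it, and raising `min_global` silently drops unseen low-confidence indicators without touching anything that was observed.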