Security Experts:

Plans Are Worthless, But Planning is Everything

Planning for Cyber Protection and Resiliency is a Large Topic That Requires the Right Framework and a Balance of Strategic and Tactical Thinking

Cyber-attacks are no stranger to headlines, especially during the past few months.  In May, the WannaCry ransomware made big news, raising a lot of antennas.  Everybody waited for more shoes to drop from the leaked NSA hacking tools, and indeed, more attacks surfaced. Some required more sophisticated defense than making sure the latest patches were deployed.  Others were more than just ransomware, stealing or wiping data. 

We don’t expect these kinds of attacks to stop, so how can we reduce our risk of becoming the next victim? Planning is a critical activity in the process. 

President Dwight Eisenhower once said:

Plans are worthless, but planning is everything. There is a very great distinction because when you are planning for an emergency you must start with this one thing: the very definition of "emergency" is that it is unexpected, therefore it is not going to happen the way you are planning.  In other words, the very act of planning serves to prepare you and your team to respond, but don’t expect attackers to act in line with the patterns for which you have planned.  In cyber, we often refer to that as “unknown unknowns.”

Whether cyber threats attack known vulnerabilities, such as in the WannaCry attacks or use other methods, a key aspect of the required iterative planning process is identifying what you know, what you don’t know and connecting the dots for better situational awareness.  Without this knowledge, an organization’s planning process is severely handicapped and is operating somewhat blindly. 

Upon hearing about WannaCry, how many enterprises could quickly validate their exposure?  I would estimate that many could take stock of their most recent host vulnerability scans and identify which systems were not appropriately patched.  I would guess that far fewer could quickly validate the combination of endpoint protection present on those hosts, the business value of the applications being served and the level of indicators of attack that were present. 

What if the threat in question was not attacking a known vulnerability and required identification of anomalous behavior by people or machines?  We are headed into unknown unknown territory, and until we develop the magic bullet, it is especially critical to be able to arm human analysts with the right information and intelligence to quickly fill in the gaps that would otherwise be out of their reach.

Planning for cyber protection and resiliency is a large topic that requires the right framework and a balance of strategic and tactical thinking. 

One important activity in the process that will serve both operational and strategic purposes is to take stock of data available across your spectrum of assets, organization, threat detection, vulnerability management, and overall activity by your people and machines. 

In addition to arming your analysts with the right information to identify and mitigate threats, your data says a lot about what you know and what you don’t know. 

Understanding specific contents and data quality is a key aspect of the effort, including documenting any changes made to raw data as it flows upstream.  Ask yourself, “How is the data being filtered and manipulated as it flows from raw logs to SIEMs to other destinations?”  For example, when capturing authentication events in your SIEM, are you leaving certain event types behind? Did you homogenize the time zone when moving data from your West Coast domain servers to your SIEM on the East Coast? 

With a solid understanding of the data available to your security and risk organization, you can align it to your risk and threat models as well as compensating controls to identify operational and analysis gaps that need to be filled. 

Identifying these gaps will not only drive your plan for change, but it will highlight those areas that require additional tactical attention until those strategic measures are put in place. 

Beyond helping drive the planning and continuous improvement process, the data inventory will enable you to connect the dots between your business, assets, threats, threat intelligence and vulnerabilities, laying the groundwork for risk based prioritization and advanced analytics like machine learning and User and Entity Behavior Analytics (UEBA).  This leads to that force multiplying effect for your valuable analyst resources, allowing them to use their efforts to validate and act on the processed information provided by the analytics, increasing your chances of stopping attacks before they get very far.

Planning is not a one and done effort.  It is an iterative process that ideally starts with a big picture view, and then improves in cycles and adjusts to get closer to the goal.  A data driven approach will allow you to understand how you are progressing, all monitored by your key metrics that track where you are at and where you are going. 

There are many approaches to the planning and execution process.  The only wrong approach is to never get started because your organization is “too busy fighting fires” or “lacks the maturity.”  Not starting only guarantees that you will always be stuck in that state.  Put a process in place, keep each iteration tight on deliverables and time frames, and track the progress or lack thereof of your key metrics. 

view counter
Steven Grossman is VP of Strategy and Enablement at Bay Dynamics, where he is responsible for ensuring our clients are successful in achieving their security and risk management goals. Prior to Bay Dynamics, he held senior positions at consultancies such as PriceWaterhouseCoopers and EMC, where he architected and managed programs focused on security, risk, business intelligence, big data analytics, enterprise program management offices, corporate legal operations, data privacy, cloud architecture and business continuity planning for global clients in the financial services and health care industries. Steven holds a BA in Economics and Computer Science from Queens College and has achieved his CISSP certification.