Plans Are Worthless, But Planning is Everything

Planning for Cyber Protection and Resiliency is a Large Topic That Requires the Right Framework and a Balance of Strategic and Tactical Thinking

Cyber-attacks are no stranger to headlines, especially during the past few months.  In May, the WannaCry ransomware made big news, raising a lot of antennas.  Everybody waited for more shoes to drop from the leaked NSA hacking tools, and indeed, more attacks surfaced. Some required more sophisticated defense than making sure the latest patches were deployed.  Others were more than just ransomware, stealing or wiping data. 

We don’t expect these kinds of attacks to stop, so how can we reduce our risk of becoming the next victim? Planning is a critical activity in the process. 

President Dwight Eisenhower once said:

Plans are worthless, but planning is everything. There is a very great distinction because when you are planning for an emergency you must start with this one thing: the very definition of “emergency” is that it is unexpected, therefore it is not going to happen the way you are planning.  In other words, the very act of planning serves to prepare you and your team to respond, but don’t expect attackers to act in line with the patterns for which you have planned.  In cyber, we often refer to that as “unknown unknowns.”

Whether cyber threats attack known vulnerabilities, as in the WannaCry attacks, or use other methods, a key aspect of the required iterative planning process is identifying what you know and what you don't know, and connecting the dots for better situational awareness. Without this knowledge, an organization's planning process is severely handicapped and operates somewhat blindly.

Upon hearing about WannaCry, how many enterprises could quickly validate their exposure?  I would estimate that many could take stock of their most recent host vulnerability scans and identify which systems were not appropriately patched.  I would guess that far fewer could quickly validate the combination of endpoint protection present on those hosts, the business value of the applications being served and the level of indicators of attack that were present. 

What if the threat in question was not attacking a known vulnerability and required identification of anomalous behavior by people or machines?  We are headed into unknown unknown territory, and until we develop the magic bullet, it is especially critical to be able to arm human analysts with the right information and intelligence to quickly fill in the gaps that would otherwise be out of their reach.


Planning for cyber protection and resiliency is a large topic that requires the right framework and a balance of strategic and tactical thinking. 

One important activity in the process that will serve both operational and strategic purposes is to take stock of data available across your spectrum of assets, organization, threat detection, vulnerability management, and overall activity by your people and machines. 

In addition to arming your analysts with the right information to identify and mitigate threats, your data says a lot about what you know and what you don’t know. 

Understanding specific contents and data quality is a key aspect of the effort, including documenting any changes made to raw data as it flows upstream.  Ask yourself, “How is the data being filtered and manipulated as it flows from raw logs to SIEMs to other destinations?”  For example, when capturing authentication events in your SIEM, are you leaving certain event types behind? Did you homogenize the time zone when moving data from your West Coast domain servers to your SIEM on the East Coast? 
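The two questions above (dropped event types and silently shifted time zones) can be checked mechanically by comparing a sample of raw source events against what actually landed in the SIEM. This is an added example, not code from the article; the host names, event IDs, timestamps and fixed UTC offsets are constructed, and the "SIEM" copy is deliberately built with the two defects the paragraph describes.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: raw Windows authentication events as emitted by two
# domain controllers. Timestamps are naive local time; offsets are fixed
# here for simplicity (West Coast UTC-8, East Coast UTC-5, mid-January).
RAW_EVENTS = [
    {"id": 1, "host": "dc-west", "event_id": 4624, "ts": "2017-01-16 09:00:00"},
    {"id": 2, "host": "dc-west", "event_id": 4625, "ts": "2017-01-16 09:00:05"},
    {"id": 3, "host": "dc-west", "event_id": 4768, "ts": "2017-01-16 09:00:10"},
    {"id": 4, "host": "dc-east", "event_id": 4624, "ts": "2017-01-16 12:00:00"},
    {"id": 5, "host": "dc-east", "event_id": 4625, "ts": "2017-01-16 12:00:05"},
    {"id": 6, "host": "dc-east", "event_id": 4776, "ts": "2017-01-16 12:00:10"},
]
HOST_TZ = {"dc-west": timezone(timedelta(hours=-8)),
           "dc-east": timezone(timedelta(hours=-5))}

# Constructed sample of what reached the SIEM: the forwarder dropped the
# Kerberos/NTLM events (4768, 4776) and stamped the West Coast events as if
# they had been recorded in Eastern time (3 hours early).
SIEM_EVENTS = [
    {"id": 1, "host": "dc-west", "event_id": 4624, "ts": "2017-01-16T14:00:00+00:00"},
    {"id": 2, "host": "dc-west", "event_id": 4625, "ts": "2017-01-16T14:00:05+00:00"},
    {"id": 4, "host": "dc-east", "event_id": 4624, "ts": "2017-01-16T17:00:00+00:00"},
    {"id": 5, "host": "dc-east", "event_id": 4625, "ts": "2017-01-16T17:00:05+00:00"},
]

def raw_utc(ev):
    """Interpret a naive source timestamp in its host's zone and convert to UTC."""
    local = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=HOST_TZ[ev["host"]]).astimezone(timezone.utc)

def missing_event_types(raw, siem):
    """(host, event_id) pairs seen at the source but never in the SIEM."""
    raw_c = Counter((e["host"], e["event_id"]) for e in raw)
    siem_c = Counter((e["host"], e["event_id"]) for e in siem)
    return sorted(k for k in raw_c if k not in siem_c)

def timestamp_drift(raw, siem):
    """Per host, the distinct offsets (hours) between SIEM time and true UTC.
    Anything other than [0.0] means the pipeline altered the timestamps."""
    siem_by_id = {e["id"]: e for e in siem}
    drift = {}
    for e in raw:
        s = siem_by_id.get(e["id"])
        if s is None:
            continue  # dropped events are reported by missing_event_types()
        delta = (datetime.fromisoformat(s["ts"]) - raw_utc(e)).total_seconds() / 3600
        drift.setdefault(e["host"], set()).add(round(delta, 2))
    return {h: sorted(d) for h, d in drift.items()}
```

Run against a real sample, the first function lists the event types your filters are leaving behind, and the second exposes any host whose clock was shifted on the way in, which would otherwise corrupt any cross-site timeline an analyst builds.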

With a solid understanding of the data available to your security and risk organization, you can align it to your risk and threat models as well as compensating controls to identify operational and analysis gaps that need to be filled. 

Identifying these gaps will not only drive your plan for change, but it will highlight those areas that require additional tactical attention until those strategic measures are put in place. 

Beyond helping drive the planning and continuous improvement process, the data inventory will enable you to connect the dots between your business, assets, threats, threat intelligence and vulnerabilities, laying the groundwork for risk-based prioritization and advanced analytics such as machine learning and User and Entity Behavior Analytics (UEBA). This produces a force-multiplying effect for your valuable analyst resources, allowing them to spend their effort validating and acting on the processed information the analytics provide, and increasing your chances of stopping attacks before they get very far.

Planning is not a one-and-done effort. It is an iterative process that ideally starts with a big-picture view, then improves in cycles and adjusts to get closer to the goal. A data-driven approach will allow you to understand how you are progressing, monitored through key metrics that track where you are and where you are going.

There are many approaches to the planning and execution process. The only wrong approach is to never get started because your organization is "too busy fighting fires" or "lacks the maturity." Not starting only guarantees that you will always be stuck in that state. Put a process in place, keep each iteration tight on deliverables and time frames, and track the progress, or lack thereof, of your key metrics.
