Incident Response

What The Tempest Can Teach Us About Security Operations

“What’s past is prologue.” This famous line from The Tempest by William Shakespeare is engraved at the entrance of the National Archives Building in Washington, D.C. It sets the stage for the collection of historical documents held within, reinforcing the importance of being able to go back and refer to history for context to understand what is happening today. The same holds true for cybersecurity. Context helps you understand the who, what, where, when, why and how of an attack. But are we prioritizing the value of learning from the past and experience to combat the latest cyberattack?

When an attack happens, a defense-in-depth architecture compels us to throw another security tool into the mix to address that specific problem. In fact, the 2018 Hiscox Cyber Readiness Report (PDF) shows that new technology continues to top the list of security investments for a majority of the 4,100 respondents, leading the researchers to conclude that many see cyber threats as primarily a technology problem. Yet research from Cisco finds that using technology alone to remediate security vulnerabilities solves only 26 percent of issues, leaving the majority unresolved. While some of these technology investments can help us gain context, the biggest untapped resource for understanding the past is people and their experience.

Clearly, we’re all very aware of the ever-widening shortage of cybersecurity talent, and many organizations are feeling the pain. Loading up on more people isn’t a viable option. What I’m referring to is making the most of the talent we already have. For example, our threat intel analysts closely follow the challenges and details surrounding emerging threats that may target us. They look forward in order to be proactive. Meanwhile, incident responders possess a deep understanding of attacks against the organization. They look at the past, at what actually happened, in order to react. But what if they could share their respective vantage points to better mitigate risk? What if threat intel analysts could use learnings from the past to be more proactive? And what if incident responders could get data from those looking forward that may help surface something in their investigations? Each is a great source of additional context; imagine the impact if they could work together and learn from each other. But they don’t, because it isn’t part of their normal workflow and, therefore, isn’t easy.

In most security operations, teams and even individual analysts work in their own respective silos. They use specific tools and different data points to analyze and bring their part of the picture into focus. Under pressure to assess a situation, make a recommendation and act, security experts often operate without context of the entire issue at hand. Without knowledge of how an attack played out in the past – who patient zero was, how the adversary moved laterally and how the data breach occurred – threat intel analysts can’t accurately assess and prioritize a threat and thus accelerate mean time to detection (MTTD). Likewise, when an attack happens, incident responders don’t know that this is a threat that analysts have been tracking for some time and have documented information about the adversary and mode of operation – their tactics, techniques and procedures (TTPs). Access to this information can facilitate investigations and help to accelerate mean time to remediation (MTTR). 

So, what can we do to tap into that knowledge of the past to understand more fully what is happening today, and even anticipate what may happen in the future? The tools and data points security teams use often aren’t integrated, so sharing and collaboration are incredibly difficult and time consuming. And simply holding a conference call during a crisis won’t suffice. What’s needed is a way for team members to document, store and share the same pool of threat data and evidence on an ongoing basis. Using visualization, they can see the work of others and identify key commonalities they would otherwise have missed, commonalities that provide valuable context to a current investigation.

In a virtual cybersecurity situation room, team members can collaborate on investigations to detect threats faster, accelerate response and even anticipate what the future may hold. With a way to document, share and learn from history they can move from a reactive approach to proactively detecting and responding faster than ever before. The information already exists within your current systems and your teams’ brains. Like the National Archives, you need a place to store it centrally, share it broadly, update it continuously and facilitate ongoing dialogue and collaborative discovery.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
