As I reflect on my career over the past 12+ years, starting as a traditional forensic analyst, then moving to incident response, intelligence fusion, strategic consulting, and so on, I can’t help but see similarities between my own journey and that of many cybersecurity organizations we support at Leidos Cyber. Prior to 2005, when cyberattacks against the government and defense contractor world were being waged, we didn’t have time to stop and ask ourselves what we were seeing or doing. Once we got our bearings and operations became more stable, we began to ask and answer questions as a CND community: What just happened? How can we fix it and secure ourselves? Why does this keep occurring?
Today, 12 years later, I think we’re in a better position. Cybersecurity has grown, matured, and evolved; however, I still hear questions like these from organizations I’m working with: How do I know what’s happening? Why aren’t we secure yet? Why is this still so hard?
The reason we’re unable to answer many of these recurring questions is that, as a community, we’re still approaching cybersecurity as if it’s a destination and there’s a finish line to reach – as if there is a single solution to our challenges.
Cybersecurity is a Journey, Not a Destination
When we ask a question like “Why are we not secure yet?” it presupposes there is an end state, a final place at which we can arrive and then move on to the next objective. That may be possible in a world where threats are static, tactics remain unchanged, and our enterprises do not evolve and transform over time. Unfortunately, we know that is not the world in which we operate. The factors that make up our equation are constantly changing, which makes cyber a forever challenge.
This is why we need to think of cyber security as a journey, rather than a destination. While this expedition may not have a finite endpoint, there are still things you can do to make it a more successful, effective trip.
- You Have to Start Somewhere. There is a quote widely attributed to Lao Tzu: “Do the difficult things while they are easy and do the great things while they are small. A journey of a thousand miles must begin with a single step.” Even if you don’t know where your journey may take you, you still need to know in which direction to begin. You must start from your base and build from the foundation up. You cannot create a world-class network defense overnight, no matter how much money you’re willing to invest. Rather, you begin by creating roadmaps to identify what people, process, and technology you need to progress; what the points of dependency are; what areas are complementary; what will work within your organization’s culture; and what the possible paths are to get there. Without a plan to evolve your organization, your team will always be reacting, chasing, and cycling – never truly advancing.
- You Need the Right Equipment. Would you use the same gear for hiking the Himalayas and navigating the Amazon? Never. Similarly, for network defense you have to tackle each challenge separately and with a complete toolset – there is no single “silver bullet.” Pinning your success to a particular technology or capability leads to tunnel vision and creates a single point of failure. When (not if) the adversary shifts tactics, or succeeds in circumventing that technology, there’s nothing else to keep them at bay – no other way to detect and respond to the activity. The answer is not logs, or SIEMs, or perimeter, or endpoint, or A/V, or dynamic analysis, or threat intelligence, or automation, or uber-analysts… it’s all of the above, operating in parallel. Giving your network defense analysts the right toolset to meet whatever challenges and obstacles they face (now and in the future) is the key to victory.
- You Need the Best “Travel Companions.” To quote the famous author Robert Louis Stevenson, “We are all travelers in the wilderness of this world, and the best we can find in our travels is an honest friend.” You can’t and shouldn’t attempt to make any challenging and difficult journey alone. Whether it’s having someone as a sounding board for major decisions, to help with obstacles, or to watch your network while you sleep, you need an “honest friend” on your cyber security journey. Engage the right partners and trusted advisors, hire skilled analysts and technologists, utilize the right services, and leverage expertise within your organization to make your journey a success.
- You Need Accurate “Guide Books.” When traveling to places unknown, it helps to have references for languages, culture, local resources, and the like from someone who has already been there. Similarly, to make your cyber security journey as effective and efficient as possible, you need to understand how to leverage all of the resources at your disposal. In the realm of network defense, adopting and operationalizing an analytical framework, employing tailored training programs, performing and ingesting third-party assessments, and integrating specialized technologies are all areas where expert guidance and industry best practices and standards are readily available to you.
- You Need “Operational Intelligence.” Knowing that a winter storm is approaching the mountain you’re climbing, or that traffic on your highway comes to a screeching halt during rush hour, is valuable information you can use to make adjustments to your trip. Similarly, there is no better operational intelligence on what an enterprise will face tomorrow than what it faced yesterday, what it faces today, and what your peers are simultaneously facing.
I like to explain “operational intelligence” as:
1. The collection of information of value
2. The ability to acquire and apply knowledge
Collecting information that has no value is a waste of resources and time. Successful intelligence operations enable your analysts to understand how a particular threat evolves over the course of weeks, months, or years. They allow you to understand what your posture is against those threats, and what controls, detections, and mitigations you have to counter them. And finally, successful operations enable you to look forward, to understand gaps, see the next challenge and obstacle, and start taking steps to meet it head on. They enable you to become an active defender rather than a passive observer.
When I started my career, I knew only a small part of the puzzle. I had to continue advancing my skillsets, capabilities, and methods to meet new challenges—something I continue to do today. I maintain my journey with confidence knowing I have the maps, gear, companions, and resources to succeed. Your organization may have some, all, or none of these elements for your own voyage—rest assured, you’re not alone. Take comfort knowing there are cyber security professionals, like Leidos, that can help you along your journey, no matter where you are on that path.