A cursory glance at any MSSP listing shows that the focus of most mainstream network and security operations centers (SOCs) is generally health monitoring, configuration, accounting, performance, security (FCAPS), mean time to repair (MTTR), and the security events as they arise.
It’s not a focus that is enjoying enormous success. According to Gartner, breach activity in 2017 was up by 43.8% year-over-year and the scale and severity of attacks as well as reporting requirements are increasing.
Speed of response is at the heart of the issue. Some of the recent largest-scale breaches, such as OPM, Equifax, Target, etc., may have had a slow decision cycle. And this is where the idea of ‘fusion’ provides an interesting answer. Fusion seeks to make better decisions based on the best available information possible and gain the advantage of having a faster decision cycle than your enemy or threat.
Clearly, the decision maker who has the fastest process to gather the best, most up-to-date information possible is going to have the advantage. This is not a new concept. As retired general Stan McChrystal said “The answer is for leaders to have a process in place that helps them gather relevant information, adequately consider dissenting views from a mix of trusted sources, make a decision, communicate the decision, and act on it. Such a system does not eliminate risk entirely, as real decisions always involve uncertainty and risks, but it does help to ensure that the decision made is well-informed, timely, and the best course of action in an evolving and complex environment.”
The military has evolved in some part due to Gen. McChrystal’s vision for fusion. Put simply, fusing who has the information with who needs the information is critical for timely decision making and action.
In cyber, this is even faster and more important than in any other domain. Before the Internet, the telephone, the telegraph, radio, and carrier pigeon, information traveled at the speed of humans. Think Paul Revere or Pheidippides. Now information travels at the speed of light, so decision cycles are faster. The need for fusion is even more important because of technology, not less important because we have technology. Traditional fusion is intelligence with operations. The critical piece to figure out in any “fusioning” is what needs to be fused. In some organizations fusing Cyber Intelligence and threat activity has led to an evolution on cyber defense, but this still falls short for two reasons.
First, using contextual information not only from IT operations but from business operations adds huge value to the speed of understanding cyber events. The old false positive problem is significantly reduced by knowing up front or in real time the cause of an event in context to operations. Think PowerShell – PowerShell may be legit if done by an Admin yet may be bad if being done by an external RDP connection.
Knowing if SCCM is being used at the same time PowerShell launches is a huge win for fusing IT operations information with security event information. With understanding IT and Business context, event fatigue then becomes minimal and the one event which is almost the same but is missing the business contextual information does not get missed because your only analyst is drowning in useless events.
Second, get rid of the notion that intelligence feeds will solve all problems in real time. “If I could only automate those feeds I’d catch the crook in the act!” If you don’t know and understand your threat through intelligence way before they break the window, you won’t see them or catch them until it’s too late. CrowdStrike estimates the average attacker takes 1 hour and 58 minutes to move laterally in your network. This means you need to have a decision cycle faster than two hours to stop that initial compromise from becoming much worse. Cyber intelligence is knowing the threat, building detection for those threats, and then spending your time hunting for those threats not relying on some automated detection with real-time cyber intelligence.
For cyber decision making, attackers fuse the latest vulnerabilities with techniques and capabilities to exploit those vulnerabilities. For the defender, the fusion comes from having the intelligence information, the network contextual information and the activities that are occurring in real time on the infrastructure. Only then can the defender reduce the decision cycle to an actionable timeframe, block the attacker decisively, contain the damage to critical assets – and hopefully – avoid becoming the next big cyber attack headline.
Mark is a retired U.S. Army Lieutenant Colonel, where he previously, held positions as the Deputy Director of the US Central Command (USCENTCOM) Joint Cyber Center, the Deputy Director for the National Security Agency/Central Security Service Threat Operations Center’s (NTOC) Counter Cyber Operations Office, and the Chief of Current Operations and Chief of Enterprise Services for what is now the Army’s Cyber Center. Mark has a MS from the University of Colorado in Telecommunications Engineering and a BS from Worcester Polytechnic Institute.