Shifting from Reactive to Proactive Security is on the Horizon
Security leaders often tell me that their primary goal is to get ahead of threats instead of responding after something terrible has been discovered. Yet, despite that consistent target to move from a reactive to a proactive security posture, the majority of cybersecurity budgets and efforts continue to focus in the opposite direction. Let’s dig into this disconnect, examine how we can become increasingly proactive, and identify why this matters.
One of the most widely accepted and implemented sets of cybersecurity standards is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It is organized around five Functions: Identify, Protect, Detect, Respond, and Recover. To apply those principles, an organization must start by understanding everything that needs to be protected – people, data, systems, and facilities. In terms of cybersecurity, most organizations focus on protection within their established perimeter, so much of the cybersecurity market is focused on providing solutions that address those needs. In fact, information security consulting company Optiv published a map of hundreds of companies providing solutions across dozens of categories and subcategories.
While all of those categories matter, and many of those companies provide remarkably important solutions, they are all focused internally. By definition, any action taken as a result of something discovered within a corporate perimeter is reactive. It may be in an early stage, such as responding to a suspected phishing email or dictionary attack. It may require launching an incident response operation to combat a serious compromise that was just discovered but has long existed. Either way, that is all reactive cybersecurity.
Where reactive falls short
Some event has occurred, and now the security team needs to respond and fix the problem, determine how long it existed (if possible), and report on the estimated damages or loss. Worse yet, the volume of these events can be overwhelming. Recent reporting estimates that a security operations center (SOC) team will have to process an average of 11,000 alerts per day and that only half of the security professionals polled were confident they could address all or most of that workload.
Additional reporting indicates that an estimated 30,000 websites are attacked every day and two million malware programs are created each week. No industry is immune and few (if any) security teams have enough resources or time to address all of these concerns confidently.
The SOC cannot effectively focus on hunting internal threats, reacting to and remediating known attacks retroactively or in real time, AND simultaneously turn its gaze outward in the hope of getting ahead of the flood of problems it is already managing. All of those internally focused efforts are non-negotiable. Where Intelligence differs from everything else in security is that, instead of looking at what is happening – or has happened – inside or at the perimeter of the network, Intelligence teams focus outside the endpoint to understand the situation beyond the horizon.
Capitalizing on the security organization’s internal knowledge of an entire enterprise – including network infrastructure, all software and hardware dependencies, policies, processes, people, facilities, and more – an Intelligence team crafts Intelligence Requirements (IRs) as a foundation for discovering and reporting on relevant threats before they become incidents. This is not something a traditional security team can accomplish for two main reasons.
First, as illustrated above, the SOC simply doesn’t have the resources. Second, and perhaps more importantly, the skills needed to analyze and report intelligence are not the same skills needed to be an excellent security analyst, threat hunter, or incident responder. While you may find some overlaps in these career fields, it’s important to know that people in these roles are not interchangeable. Those who attempt to run organizations with that mindset often learn this lesson the hard way.
Intelligence beyond the perimeter
The Intelligence team, free from fighting internal fires, must research and analyze security events across all industries and geographies, document the associated Tactics, Techniques, and Procedures (TTPs) of the corresponding threat actors and groups, and identify patterns or trends that may provide insight into the likelihood of those events being replicated elsewhere. Where traditional security teams focus on the means of an attack (e.g., the exploit tool), Intelligence teams extend their analysis to the attacker's motives in the hope of better understanding their target selection.
Intelligence teams may also be able to determine (or hypothesize) what actions could prevent an attack so others can avoid the same fate. This type of research, analysis, and reporting depends on a mastery of Intelligence standards and tradecraft, including but not limited to estimative language, source validation, structured analytic techniques, and the ability to identify and remove many different types of bias to ensure objectivity. Additionally, a deep understanding of geopolitics and economics can be advantageous – sometimes vital – when it comes to assessing motives and likelihood. Having personnel who possess these skills and are capable of focusing outside the perimeter results in advance knowledge of what has happened to organizations around the world – before that problem arrives. This empowers security teams to make proactive changes that prevent those attacks from happening. None of this can be accomplished by only looking inward from the endpoint.
Even further to the proactive side of security, insight into what a threat actor or group may be planning – particularly through direct access to obtain that plan from the source – enables enterprises to outpace those who may cause physical or economic harm. Though such cases are rare, the goal is to be so knowledgeable about the plans of would-be attackers that the security team can entirely thwart their efforts. This can be accomplished in a couple of ways, including the purchase of compromised materials and accesses, or the manipulation of adversary opinions so that they are redirected away from an intended target. These scenarios aren't imaginary. The very best Intelligence teams, with human access to cybercriminals and the places they populate, are capable of these proactive wins. I know because I work with people who do these remarkable things regularly.
Lastly, social media, covert communications, and the Deep/Dark Web present additional external battlefields to be analyzed and reported on for any security team that hopes to stay ahead of threats to its organization's brand and reputation, or that needs to combat the harm caused by unauthorized data leaks and financial fraud.
While proactivity is the exclusive domain of Intelligence, Intelligence also empowers security teams in their reactive efforts by reducing the mean time to detect (MTTD) and mean time to remediate (MTTR) when attacks occur, saving organizations time and money. This is because a large database of knowledge serves as a significant accelerator for making sense of the artifacts collected during incident response, often attributing malicious activity to a specific actor, group, or tool while informing incident responders where to look next or what steps to take to end the threat.
Look to the horizon
Security will always depend on a deep understanding of the internal workings of an enterprise because that is fundamental to success. But today that is also table stakes, and no amount of investment or professionalization can move an enterprise from a reactive to a proactive state of security through internal knowledge alone. Professionalized intelligence teams provide massive amounts of data and information along with the context to make detection and response increasingly effective. The best Intelligence teams go further, providing advance knowledge of malicious activity as it's being planned or just beginning to happen elsewhere, so security teams can prevent attacks they would otherwise never know to expect. The endpoint (and everything inside of it) will always matter, but the horizon is where proactive security starts.