{"id":12626,"date":"2016-03-09T05:00:59","date_gmt":"2016-03-09T13:00:59","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=12626"},"modified":"2016-03-08T11:53:49","modified_gmt":"2016-03-08T19:53:49","slug":"cso-four-imperatives-for-cybersecurity-success-in-the-digital-age-part-2","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2016\/03\/cso-four-imperatives-for-cybersecurity-success-in-the-digital-age-part-2\/","title":{"rendered":"Four Imperatives for Cybersecurity Success in the Digital Age: Part 2"},"content":{"rendered":"<p><em>Having joined Palo Alto Networks following a 35-year career in the U.S. military, the past decade of which I served in a variety of leadership positions in cyber operations, strategy and policy, I have found that many of the cybersecurity challenges we face from a national security perspective are the same in the broader international business world.<\/em><\/p>\n<p><em>This blog post series describes what I consider to be <strong>four major imperatives for cybersecurity success in the digital age<\/strong>, regardless of whether your organization is a part of the public or private sector.<\/em><\/p>\n<p><em>In my first blog I covered Imperative #1, and here are the major themes for each imperative:<\/em><\/p>\n<ul>\n<li>Imperative #1 \u2013 We must flip the scales (<a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2016\/02\/four-imperatives-for-cybersecurity-success-in-the-digital-age-part-1\/\" target=\"_blank\">blogged on February 16, 2016<\/a>)<\/li>\n<li>Imperative #2 \u2013 We must broaden our focus to sharpen our actions<\/li>\n<li>Imperative #3 \u2013 We must change our approach<\/li>\n<li>Imperative #4 \u2013 We must work together<\/li>\n<\/ul>\n<h3>Blog #2 of 4: Imperative #2<\/h3>\n<p><!--more--><\/p>\n<h4>WE MUST BROADEN OUR FOCUS TO SHARPEN OUR ACTIONS<\/h4>\n<p>Before I get to the details, allow me to review some background and context, and then provide an executive 
summary of Imperative #2.<\/p>\n<h4>Background and Context<\/h4>\n<p>As a reminder from my previous two blogs, I use the four factors in Figure 1 to explain the concept behind Imperative #2 in a comprehensive way.<\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/02\/Imperative1.png\"><div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:58.4%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-large wp-image-12179 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/02\/Imperative1-500x292.png\" alt=\"Imperative1\" width=\"500\" height=\"292\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/02\/Imperative1-500x292.png 500w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/02\/Imperative1-230x134.png 230w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/02\/Imperative1-510x298.png 510w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/02\/Imperative1-68x40.png 68w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/02\/Imperative1.png 900w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/span><\/div><\/a><\/p>\n<p style=\"text-align: center;\">Figure 1<\/p>\n<ul>\n<li><strong>Threat:<\/strong> This factor describes how the cyber threat is evolving and how we are responding to those changes<\/li>\n<li><strong>Policy and Strategy: <\/strong>Given our assessment of the overall environment, this factor describes what we <strong><em>should<\/em><\/strong> be doing and our strategy to align <strong>means<\/strong> (resources and capabilities \u2013 or the <em>what<\/em>) and <strong>ways<\/strong> (methods, priorities and concepts of operations \u2013 or the <em>how<\/em>) to achieve <strong>ends<\/strong> (goals and objectives \u2013 or the <em>why<\/em>)<\/li>\n<li><strong>Structure:<\/strong> This factor includes 
both organizational (human dimension) and architectural (technical dimension) aspects<\/li>\n<li><strong>Tactics, Techniques and Procedures (TTP)<\/strong>: This factor represents the tactical aspects of how we actually implement change where the rubber meets the road<\/li>\n<\/ul>\n<p>In this second blog of the series I\u2019d like to take you through Imperative #2 using the concept model outlined above, and step through the implications.<\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/imperatives2-2.png\"><div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:61.4%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-large wp-image-12627 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/imperatives2-2-500x307.png\" alt=\"imperatives2 2\" width=\"500\" height=\"307\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/imperatives2-2-500x307.png 500w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/imperatives2-2-230x141.png 230w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/imperatives2-2-489x300.png 489w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/imperatives2-2-65x40.png 65w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/03\/imperatives2-2.png 899w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/span><\/div><\/a><\/p>\n<p style=\"text-align: center;\">Figure 2<\/p>\n<h4>EXECUTIVE SUMMARY<\/h4>\n<p>We need to change the way we look at today\u2019s cyber Threat because there\u2019s a <strong>smarter approach<\/strong> \u2026one that allows the cybersecurity community to broaden our focus and \u201csee the whole forest instead of getting lost in the trees.\u201d Instead of looking at the problem as an ever-increasing volume of discrete events we must leverage the 
step-by-step process that almost all cyber actors use to accomplish their intentions. This process is referred to as the Threat <strong>\u201clifecycle,\u201d<\/strong> and by using the lifecycle as a lens to broaden our focus we can sharpen our actions in dealing more effectively with a limited number of cyber Threat playbooks instead of an endless number of individual cyber events.<\/p>\n<p>A critical aspect of doing so requires that we achieve <strong>full visibility<\/strong> over what\u2019s happening in our network enterprise environment on a continuous basis and in near real time. The increase in visibility can result in a lot more information for the Defenders to deal with, so they have to <strong>prioritize <\/strong>according to their most vital functions, where those functions map to their enterprise network architecture, <u>and<\/u> where the resulting key portions of the architecture are both vulnerable and there is an assessed threat (cyber or otherwise) to them. Defenders must also <strong>apply technology and automation to discover the threats using a lifecycle approach<\/strong> (looking at Threat playbooks instead of millions of discrete events), and <strong>save their people to take active business action in a sustainable way<\/strong>.<\/p>\n<p>By broadening our focus on the Threat lifecycle and gaining greater visibility over what\u2019s happening in our network environment, we can sharpen our actions by <strong>adjusting our security architecture to<\/strong> <strong>be where it matters<\/strong> instead of a legacy view that it has to be everywhere in the hopes of stopping a breach. 
<strong>Smart security architecture placement<\/strong> allows for not only <strong>greater effectiveness<\/strong> against a more holistic (and manageable) view of the Threat, but is also a significantly <strong>more efficient<\/strong> way to apply technology, save money, and employ human expertise where it is most required.<\/p>\n<p>We must also sharpen our actions by evolving from the legacy thinking based on <strong>signatures<\/strong> toward more effective TTP that focus on <strong>indicators of compromise<\/strong>. There is simply no way to keep up with the exponential explosion in both the number of vulnerabilities in our network environment as well as the number of Threat signatures over time. The Internet of Things phenomenon will only exacerbate the problem by increasing the overall attack surface. However, by tracking a relatively small number of defined techniques across the cyber threat life cycle categories (or broadening our focus) we can sharpen our actions to prioritize important events, put understandable context around them, and then rapidly make these indicators consumable so that we can automate the adjustment of our cybersecurity posture.<\/p>\n<h4>DETAILED DESCRIPTION OF IMPERATIVE #2<\/h4>\n<p><strong>THREAT<\/strong>: We have traditionally viewed cyber threats, attacks, breaches and other events as<strong> discrete events.<\/strong>\u00a0 When I was working at United States Cyber Command as the Director of Current Operations, I used to tell my leadership that we were experiencing literally millions of events (mostly probes, but many times other, more serious, events) per day.\u00a0 Millions!<\/p>\n<p>We set up a system to triage the most serious events, assigned teams to chase them down, logged the status of each event, followed through with isolation and remediation, and then processed all this through an incident management tracking system that, over time, just ended up looking like a mountain of exponentially growing, endless work needing 
more and more people to keep up with.<\/p>\n<p>This type of approach was only putting us further and further behind, and it began to distract our workforce from what was really important.\u00a0 This gets back to the \u201cmath problem\u201d that I covered in my first blog on Imperative #1. It\u2019s impossible to get ahead of the problem if you address the Threat using that kind of model.<\/p>\n<p>What\u2019s changed over the past few years is that we\u2019ve collectively figured out a way to work smarter rather than harder.\u00a0Adversaries, like we in the national security cyber community, use a common process and it involves a set series of steps \u2013 or a<strong> lifecycle <\/strong>- that just about any cyber adversary must step through to be successful.<\/p>\n<p>The lifecycle involves <u>information gathering and reconnaissance or probing<\/u>, then the <u>initial foothold<\/u> into a network, then the <u>initial compromise<\/u> and <u>deployment of an exploit or other tool<\/u>, then the <u>establishment of control<\/u> of the access established, then <u>privileged movement through the network<\/u> to get to the place where they can accomplish what they came to do, and finally, the <u>exfiltration of information or other more disruptive, deceptive or destructive results<\/u>.<\/p>\n<p>In most cases this takes time (at least hours, if not days\/weeks\/months), and when you view the adversary activity in this manner, you can see that if you put in place mechanisms to monitor your network enterprise for these various stages of the lifecycle it can be possible to watch an adversary walk through it \u2026 and on top of that, the end result is that you realize that <strong>instead of dealing with an avalanche of millions of discrete events, you are now talking about a reasonably manageable number of Threat playbooks<\/strong> \u2026 some estimates are that there are only thousands of these playbooks.\u00a0 As our company CSO Rick Howard likes to say, \u201cYou 
can put that on a spreadsheet!\u201d<\/p>\n<p><strong>STRATEGY<\/strong>: From a strategy perspective, this requires that we <strong>look at the entire lifecycle, and not just simply at bits and pieces<\/strong>.\u00a0 I list the term <strong>limited visibility<\/strong> in Figure 2, but in many cases it\u2019s more accurately defined as <strong>no visibility<\/strong> into what\u2019s happening within an organization\u2019s network.<\/p>\n<p>When an organization\u2019s IT staff <strong>does<\/strong> have visibility, it\u2019s usually the result of being informed by an external entity (like the FBI or some other law enforcement or domestic security agency) that something\u2019s amiss. That forces the staff to go find out what happened (past tense) and dig into the forensics after the fact.\u00a0 Nobody in the cybersecurity community wants to spend their life cleaning up the mess in aisle 9!<\/p>\n<p>We need to <strong>shift the dynamic from limited or no visibility over what\u2019s happening within our networks to seeing everything that\u2019s happening on our networks in near real time<\/strong>.\u00a0 Some in the US government, such as the Department of Homeland Security, call this \u201cCONTINUOUS DIAGNOSTICS AND MITIGATION\u201d or CDM.<\/p>\n<p>But, this raises an interesting point about making sense of all this new, near real time data.\u00a0 It can be overwhelming unless you have a way to <strong>prioritize what\u2019s most important<\/strong>.\u00a0 How do you do that?\u00a0 How do you manage it without having to hire more and more people as your alerts go through the roof?<\/p>\n<p>One way that I\u2019ve seen work is to first look at the most critical functions of the organization.\u00a0 In the military, we called these <strong>mission critical functions<\/strong> \u2013 functions without which the organization would fail to achieve its mission.\u00a0 It would be the same for any business.\u00a0 Then, you have to translate those mission critical functions 
into where they reside on the network, and which segments of the network, systems and endpoint devices are then \u201cmission critical\u201d (or \u201ccyber key terrain\u201d as it is known in the military).<\/p>\n<p>These key points within the organization\u2019s architecture would then be assessed against two other factors (mission criticality being the first factor) \u2026 are there vulnerabilities (both cyber and non-cyber), and what is the threat (both cyber and non-cyber)?<\/p>\n<p>It is at the <strong>intersection of all three factors \u2026 1) critical to the mission, 2) vulnerable and 3) there\u2019s an assessed threat (either general or specific) to them \u2026 that the organization should then focus its ability to continuously monitor for full visibility<\/strong>.\u00a0 Is your network security provider providing you with the capabilities to prioritize the mountains of data to make it relevant to your needs?\u00a0 You should be asking.<\/p>\n<p>Another way to use greater visibility over what\u2019s happening on your networks without adding to the complexity of your environment or adding tons of people (actually, what I\u2019m about to suggest here will <u>REDUCE<\/u> the need for people, not add to it) is to <strong>apply technology and automation to discover the threats using a lifecycle approach<\/strong> (looking at the whole threat picture instead of millions of discrete events), and <strong>save the people you hire to use their skills to take active business action in a sustainable way<\/strong>.<\/p>\n<p>Instead of detecting suspicious parts of a possible attack, you consider <u>ALL<\/u> of the characteristics and automatically detect one of those playbooks that I mentioned in the initial discussion about the Threat. Even if your attacker changed one characteristic, you can recognize, for example, the command and control protocols. 
Then, even though another part might have been changed you can block the whole attack \u2013 this particular Threat playbook. The overall playbook would be detected and blocked. Now, what if your automation was so extensive that it self learned in real time from hundreds of thousands of attacks that happen all the time in the world every day?<\/p>\n<p>I\u2019ll describe more about how this can be done using automation and an integrated platform approach in my next blog about Imperative #3.<\/p>\n<p><strong>ARCHITECTURE<\/strong>: <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2016\/02\/four-imperatives-for-cybersecurity-success-in-the-digital-age-part-1\/\" target=\"_blank\">In my last blog<\/a> I focused on the human, organizational structure implications of the imperative for change, describing the need for organizations to move the decision making forum from the \u201cserver room into the boardroom and C-Suite.\u201d\u00a0This time I\u2019m going to focus on the <strong>architectural structure implications of the imperative to move from being everywhere in the network, to being in the right architectural places to be effective<\/strong>.<\/p>\n<p>Traditionally, many organizations (including several in the military of which I was a part) thought that to provide an effective defense you had to be literally everywhere, and we liked to call this concept a <strong>\u201clayered defense.\u201d<\/strong><\/p>\n<p>We learned the \u201c<strong>m&amp;m<\/strong> <strong>lesson\u201d<\/strong> long ago about the insufficiency of having a strong outer shell, but being soft and gooey in the middle \u2026 which meant that once inside a cyber adversary pretty much had the run of the place.<\/p>\n<p>But in our best attempts to be strong everywhere by putting point solutions all over the layers of our networks and hoping that one would catch something, we found that we were <strong>strong nowhere<\/strong> \u2026 and worse yet, we created so much 
<strong>complexity<\/strong> by bolting on and jury rigging multiple point solutions that weren\u2019t natively designed to communicate with each other that we actually made the situation worse.<\/p>\n<p><strong>Smart architecture <\/strong>is about precision placement of the right network and endpoint device security in the<strong> architecturally relevant places <\/strong>based on the<strong> cyber threat life cycle.<\/strong>\u00a0Instead of being everywhere and strong nowhere, it\u2019s smarter to be in the<strong> right <\/strong>places and <strong>strong where it matters<\/strong>.<\/p>\n<p>If we apply the \u201cbroadening our focus\u201d aspects I just described for the threat lifecycle and greater visibility above, then we can \u201csharpen our actions\u201d by adjusting your security architecture to be where it matters.<\/p>\n<p>Finally, this kind of approach is not only more effective; it\u2019s significantly more <strong>efficient<\/strong> because you can save resources in terms of both technology and the humans to run it.\u00a0 In fact, I should have put a dollar sign on the left and a cents sign on the right of that bottom left quadrant in Figure 3!<\/p>\n<p><strong>TTP<\/strong>: Finally, as we look at the TTP side of Imperative #2 we see something very, very powerful happening.<\/p>\n<p>If you look at the number of <strong>vulnerabilities<\/strong> in our networks, systems, apps, etc., over time you can see it\u2019s an <strong>exponential growth<\/strong>.\u00a0 It\u2019s the same with malicious software <strong>signatures<\/strong> for anti-virus and anti-spyware, etc.\u00a0 Over time it is clearly exponential as well.\u00a0 How do you possibly keep up with that?<\/p>\n<p>According to Cisco, by 2019 there will be 25 billion devices connected to the Internet. There are 16 billion today. That\u2019s a 55% increase in your attack surface to protect.<\/p>\n<p>However, there is some good news. 
If you look at the process or basic techniques that cyber adversaries use to do what they do, there is only a finite number (fewer than three dozen, we believe) of these techniques.<\/p>\n<p>Everybody uses them \u2026 and I can tell you from my previous life in the military, even we used these same techniques for national security purposes.<\/p>\n<p>The exciting news for the cybersecurity community is that by tracking these small, defined techniques across the cyber threat life cycle categories (or broadening our focus) we can sharpen our actions to prioritize important events, put understandable context around the<strong> indicators of compromise <\/strong>(like specific adversary groups or people, related indicators and targets of their activities), and then rapidly make these indicators consumable to adjust our cybersecurity posture.<\/p>\n<p>This really excites me, because for the first time this offers the chance to see some daylight and it helps to rebalance the Attacker\/Defender scale that I covered in Imperative #1.\u00a0 Dealing with three-dozen things is something we can keep up with, rather than trying to sort out and deal with millions of things daily.<\/p>\n<p>The faster organizations consider a model that isn\u2019t dependent on hiring more and more people the sooner they will have a defense model that they can sustain in our changing world.<\/p>\n<p>This would mean organizations wouldn\u2019t have to keep on hiring more and more people. It would mean the people they do have could use their skills to take active business action. 
They would be able to keep their business secure and keep their best people engaged and employed in a model that is sustainable.<\/p>\n<h4>CONCLUSION<\/h4>\n<p>We\u2019ve learned a <strong>smarter approach<\/strong> to deal effectively with a limited number of Cyber Threat playbooks instead of an endless number of discrete cyber events.<\/p>\n<p>By achieving <strong>full visibility<\/strong> over what\u2019s happening in our network enterprise environment on a continuous basis we can <strong>apply technology and automation to discover the threats using a lifecycle approach<\/strong> and <strong>save our people to take active business action in a sustainable way<\/strong>. But, we should <strong>prioritize <\/strong>that approach using the intersection of these three factors: Business\/mission criticality; Vulnerabilities; and Threats.<\/p>\n<p>We can sharpen our actions by <strong>adjusting our security architecture to<\/strong> <strong>be where it matters most<\/strong> instead of a legacy view that it has to be everywhere in the hopes of stopping a breach. <strong>Smart security architecture placement<\/strong> is not only more effective. It\u2019s much more efficient.<\/p>\n<p>Finally, we should evolve from a <strong>signature approach<\/strong> toward more effective TTP that focus on <strong>indicators of compromise<\/strong> so that we can sharpen our actions to prioritize important events, put understandable context around them, and then automate the adjustment of our cybersecurity posture.<\/p>\n<p>In my next blog of this series I\u2019ll be discussing <strong>Imperative #3 \u2013 We Must Change our Approach.<\/strong><\/p>\n<p><em>Written by John A. Davis, Major General (Retired) United States Army,\u00a0and Vice President and Federal Chief Security Officer (CSO) for Palo Alto Networks<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Having joined Palo Alto Networks following a 35-year career in the U.S. 
military, the past decade of which I served in a variety of leadership positions in cyber operations, strategy and policy, &hellip;<\/p>\n","protected":false},"author":152,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[89,1766,155],"tags":[1771],"coauthors":[1503],"class_list":["post-12626","post","type-post","status-publish","format-standard","hentry","category-ciociso","category-cso-perspective","category-cybersecurity-2","tag-imperatives-for-cybersecurity-success"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/12626","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/152"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=12626"}],"version-history":[{"count":1,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/12626\/revisions"}],"predecessor-version":[{"id":12629,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/12626\/revisions\/12629"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=12626"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=12626"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=12626"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors
?post=12626"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}