Cybersecurity operators scramble daily with uncertainty, seeking to determine if their feet are on the ground or standing on a false floor that gives way to the unknown. Operators fall into rabbit holes and can’t pop a “red pill” to better understand their reality or quickly recall past events. The SolarWinds hack highlights (again) the challenge of grappling to understand the actual state of an organization’s cybersecurity. The attacks surfacing within the technology supply chain create a hall of mirrors, distorting the truth. Perhaps security operators in government and the private sector feel a little like a mix of Alice, Neo, and Quaid, all in one.
The scale of cyber attacks and the complexity of networks exacerbate the situation. Operators face three significant challenges: an IT security ecosystem that is fragmented and in flux, users that are both human and machine, and multiple threats with varying levels of severity and sophistication.
So, Where Do We Go From Here?
The Cloud Security Alliance released a research paper in early December focused on building Cloud-based, Intelligent Ecosystems. In essence, it calls for creating “cyber memory” within and between organizations to help address cybersecurity challenges. Drawing on Michael Kanaan’s insightful book T-Minus AI, in the absence of creating and absorbing a record of past events, “intelligence is not possible”. Ongoing analysis and disclosures associated with SolarWinds drive home this point as we learn that the adversary leveraged previously used code in addition to more novel, sophisticated tactics. In the wake of initial disclosures associated with SolarWinds, companies and government agencies are popping the red pill to see if they unknowingly descended into the rabbit hole. Yet, total recall is challenged, given fractured or incomplete memory.
For over twenty years, the government and private sector alike have promoted information sharing within and between organizations to create “collective” intelligence. Sharing remains critical, but it turns out we missed a step — the creation of memory to recall past events with perspective and context. In other words, we share current events on an ad hoc basis as we battle current threats without recording history. In contrast, humans can quickly relate events against time and place. For example, if you walk down a street with a friend and smell a funnel cake, our memory can immediately take you back decades to a particular time and place, such as a boardwalk on the Jersey shore. With one indicator, you recall when and where we were. You can easily relate the memory — with context — to others. The same is required for cybersecurity. Operators need to quickly recall details associated with events and place them in context, which is critical to reduce mean time to detection and response.
The good news is that today companies and sharing organizations are becoming intelligent and building cloud-based ecosystems. For example, TruSTAR allows LogMeIn to combine intel sources into one centralized, cloud-native platform, addressing the gap in point to point intel. Historical events and external intel sources are automatically ingested, normalized, and correlated, prioritizing investigations for faster triage. Operators can see all of their data sources in one place, which helps to capitalize hours spent on past investigations and save dozens of hours each week by cutting down redundant workflows as tools and teams can easily “recall” what they already know from their cloud-based Enclaves.
LogMeIn Internal Enclave
Managed security solution providers can leverage the same system to provide support to their clients. For example, the MSSP can seamlessly build cyber memory for a client in an Enclave by fusing data from the customer’s internal security tools and threat feeds. In time, memory and learnings from one MSSP customer can be applied to the broader MSSP customer base.
Similarly, sharing organizations like the Retail and Hospitality’s Information Sharing and Analysis Center (RH-ISAC) are becoming “intelligent” by integrating and automating the fusion of data from their members’ security application tools, ranging from suspicious emails, SIEM alerts, EDR alerts, and incidents managed in case management systems. TruSTAR’s cloud-based Enclaves seamlessly integrate and store this valuable event data, creating long-term memory across the sharing communities’ membership. Enriched data can flow from Enclaves directly into designated security applications. The RH-ISAC’s member companies regularly tap Enclaves by API with over three years of event data. The data grows in value over time, much like a member-based credit union returning value to all of the members.
In each of these scenarios, companies and vendors alike “win.” Security vendors and threat intel providers are confident security applications or threat feeds are fully leveraged. Senior leadership within organizations can begin to measure the effectiveness of their defense and investment by measuring meantime to detection and response.
TruSTAR is committed to helping the community pop the “red pill,” and avoid tumbling down a rabbit hole to better understand current cyber reality through building a global, persistent memory of suspect or nefarious events. Learn more about how TruSTAR can automate and augment your security stack through data-centric security automation.