ECS Cyber Pros Discuss Intelligence-driven Security and Share Insights and Best Practices
Recently, members of our massive corps of ECS cybersecurity pros gathered to discuss intelligence-driven security. As these cyber leaders are working to protect some of the biggest and most critical government and commercial networks in the world, the conversation was lively and jam-packed with information and insights.
Here are some conversation highlights:
MARK MAGLIN
Vice President, DoD Cyber Security
As a former naval aviator and intelligence officer, I know how critical actionable and trusted intelligence is in driving decisions and action across any battlefield — virtual or physical. Over 2,500 years ago, Sun Tzu wrote ‘If you know the enemy and know yourself, you need not fear the result of a hundred battles.’ In cybersecurity, self-knowledge is as important as knowledge of the adversary, which is how intelligence drives security.
READ MORE
Having led the development and fielding of the SharkSeer cyber defense tool and the Enhanced Shared Situational Awareness (ESSA) initiative, I know it’s critically important to have visibility of all your assets and users and to know your risk posture.
Too often, we spend precious resources on low probability events. You need to know your critical cyber terrain, mission or business impact, and your vulnerabilities. Even though the NIST Common Vulnerability Scoring System (CVSS) may be high, it may not apply to your mission.
You must know your enemy. What do they want? There are numerous threat intelligence feeds that should be tailored to your environment and mission. We can dramatically improve the ways we share the threat intelligence we gather on our own networks, to protect the collective society. The technology is there, but policy is often not aligned. We are stronger together, using our crowd sourced intelligence to drive security.”
To navigate on land, you guide yourself with a compass. To traverse the complex terrain of cybersecurity, your teams need a precision instrument akin to a compass. Intelligence-driven security is that instrument.
By driving security with intelligence, your teams can chart the most efficient and secure course through their daily tasks and remain focused on the most critical threats. This strategic tool is essential for maintaining a resilient and proactive security posture.
READ MORE
I have seen firsthand at a national level and across federal, state, and commercial organizations the challenges of focusing on the right things at the right time. There’s no easy way for defenders to detect every tactic or technique that actors use in the wild.
However, by leveraging a proven threat intelligence framework, like the MITRE ATT@CK Framework, we can focus on the threat actors and their associated tactics, techniques, and procedures (TTPs) that present the greatest risk to ECS and our customers.
MITRE ATT&CK enables defenders to understand and counteract adversaries. Security teams can also leverage the framework to develop more robust defensive measures, driving an adaptive and proactive security posture.”
DAVE HOWARD
Executive Director, Cyber Operations and Delivery, Enterprise Managed Services
GREG SCHEIDEL
Chief Cybersecurity Officer, Cyber Division
A good working definition of intelligence-driven security is: Proactive security that’s informed by up-to-date information on our environment and relevant threats, so that we can prioritize the highest-risk issues.
This prioritization is important because we always have more to do than we can accomplish. Even if we have an unlimited budget (which none of us do), we’re always constrained by time.
READ MORE
Examples of intelligence data that we can use include:
- Critical asset inventory
- Current operating state of the environment
- Abnormalities or unusual activity
- Attacker attributes most relevant to our business and data
- Status of commonly exploited vulnerabilities (e.g., Cybersecurity and Infrastructure Agency Known Exploited Vulnerabilities (CISA KEV) and ECS Pathfinder)
We should constantly adjust our security based on the latest information. And I deliberately frame this topic as ‘intelligence-driven security,’ not ‘threat intelligence-driven security,’ because I think it is bigger than just threat intelligence. Threats are a big part of it, but so is knowledge of our environments.”
As threat analysts, we focus on analyzing relevant data and the current state of the environment by pinpointing abnormalities and unusual activity. I always ask ‘what can this information do for us?’ This question is fundamental because it’s about recognizing the value of the intelligence we gather and determining the most effective ways to apply it.
READ MORE
Valuable intelligence sources don’t have to be external. A wealth of valuable information can often be found internally, so we’re always looking within our own environments for actionable intelligence. This can be especially beneficial from a dependency standpoint where resources can be limited.”
RYAN FURR
Director, Cyber Threat Analysis Center, Enterprise Managed Services
HECTOR CRUZ-REYES
Deputy Operations Chief and CSOC & MSOC Lead, Centers for Medicare and Medicaid Services Information Security Support Services, Cybersecurity Integration Center, Cyber Division
I see intelligence-driven security as a way to set priorities and identify the next step you should take. One of the items you need to focus on up front is the threat landscape — who’s knocking at your door? Who’s targeting your specific industry or sector?
Once you understand the threat landscape, you can build out threat profiles using the MITRE ATT@CK Framework. As you gain an understanding of threat actor behaviors, you can start layering the different assessments on top of one another to produce a heat map that shows the areas you really need to focus on ― your gaps.”
I’ll circle back to the idea of intelligence being more than just threat intelligence, which brings up a challenge we often face: gaining a good understanding of the customer’s environment.
READ MORE
We can build threat actor profiles and analyze the actor till the cows come home. But trying to translate that intelligence into the risk level for the customer can be difficult if network diagrams or information about critical assets aren’t available.
To get value from threat intelligence, you often need to study the customer’s attack surface, map out high-value assets, and so forth — to build that intelligence yourself.”
JASON HARPER
Cyber Threat Intelligence Lead, MSP
HERMAN COWART
Penetration Testing Team Lead, Centers for Medicare and Medicaid Services Information Security Support Services, Cybersecurity Integration Center, Cyber Division
Intelligence-driven security makes me think of Darwin and evolution. It’s not the strongest that survive, but those who adapt the best. Intelligence-driven security helps us adapt. If I’m launching exploits from the 1990s and not staying up to date with the most current languages, frameworks, technologies, and methodologies, I’ll quickly become extinct.
Everyone in the cyber community should always be up to date on all the latest news and intelligence, so they can adapt to what’s currently happening and better protect the customer. The threat landscape is always changing. The industry is always changing. We have to stay up to date to adapt and survive, and intelligence is how we do it.”