In June, I had the opportunity to attend the 27th annual FIRST Conference in Berlin. For those not familiar with it, FIRST is the Forum of Incident Response and Security Teams. It brings together a variety of computer security incident response teams from government, commercial, and educational organisations. As such, the conference was a gathering of approximately 800 security people who’d come straight from ‘working in the trenches’.
From the presentations (and from conversations during breaks) three related topics emerged that, for me, are well worth sharing:
- We need to improve our situational awareness of our environments. As security threats continue to evolve at an increasing pace, it’s more important than ever to achieve situational awareness. That means knowing and understanding what happens in the environment you’re responsible for. Only then can you make the right decisions to protect your organisation before an incident and, more importantly, contain and stop a breach in a timely fashion.
Enhancing visibility means capturing as much information from as many systems as possible. You need to go beyond the traditional approach of only collecting logs from networking devices such as routers, firewalls and IPS systems. DNS logs, for example, reveal a lot of interesting things you might not notice otherwise. Logs of endpoints and servers can help to define a baseline of normal behaviour.
- We need to automate threat response and improve our handling of large amounts of data. Merely collecting data won’t suffice. You need to make sense of all of it, and the more you collect, the less of it a human can digest. So we need to improve our ability to automate both the collection and the processing of the huge amounts of data that we’re interested in.
On top of all this big data, forward-looking security organisations investigate data science techniques and tools. These will improve the value you get out of data and let you better use that precious and scarce resource: analysts.
- Intelligence within a single organisation is not enough. We need to use reliable external threat intelligence and share threat intelligence between different organisations. Within a single organisation, even the best analysts with the best tools won’t be able to understand every threat there is. Yet there’s still a great need for organisations to stay ahead of the threats. So what’s the solution?
It’s simple: organisations need to find reliable external sources of threat intelligence and open up ways to share that information. But many organisations are still reluctant to share sensitive information about incidents or perceived threats with their peers. To handle the threat we need to build trust.
How do you address these issues? Here are my three ways to get on top of cyber threats:
- Investigate which logs would provide insight into the areas where you currently have limited visibility.
- Increase the level of automation for collecting, processing and visualising that data.
- Incorporate reliable, external threat intelligence feeds into the picture and look at the different options for information sharing with your peers or cross-sector.
These actions complement one another, so for the best results and the strongest security, you need to implement all three.
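As an added illustration (not code from the post), here is a small Python sketch of the first two actions: build a picture of normal DNS behaviour from a baseline window of resolver logs, then automatically flag domains never seen before and hosts whose daily query volume exceeds their baseline peak. The log format, hostnames and the volume threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed resolver log lines (not from the post); the line format is an assumption.
BASELINE_LOG = """\
2015-06-01T08:00:01 client=10.0.0.12 query=mail.example.com
2015-06-01T08:00:05 client=10.0.0.12 query=intranet.example.com
2015-06-01T08:01:10 client=10.0.0.15 query=mail.example.com
2015-06-01T09:00:00 client=10.0.0.15 query=cdn.example.net
2015-06-02T08:00:02 client=10.0.0.12 query=mail.example.com
"""
NEW_LOG = """\
2015-06-03T02:13:00 client=10.0.0.15 query=mail.example.com
2015-06-03T02:13:01 client=10.0.0.15 query=a1b2c3.updates-cdn.example.org
2015-06-03T02:13:02 client=10.0.0.15 query=d4e5f6.updates-cdn.example.org
2015-06-03T02:13:03 client=10.0.0.15 query=g7h8i9.updates-cdn.example.org
2015-06-03T02:13:04 client=10.0.0.15 query=j0k1l2.updates-cdn.example.org
"""
LINE_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+)$")

def parse(log):
    """Yield (day, client, registered_domain) per well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, name = m.groups()
            # Crude last-two-labels reduction; production code would use a public-suffix list.
            yield ts[:10], client, ".".join(name.lower().rstrip(".").split(".")[-2:])

def build_baseline(log):
    """Domains seen in the baseline window and each client's busiest baseline day."""
    known, per_day, peak = set(), Counter(), Counter()
    for day, client, domain in parse(log):
        known.add(domain)
        per_day[(client, day)] += 1
    for (client, _), n in per_day.items():
        peak[client] = max(peak[client], n)
    return known, peak

def find_anomalies(baseline_log, new_log, volume_factor=2):
    """Return (domains absent from the baseline, clients above volume_factor x their baseline peak); a client with no baseline at all has peak 0 and is always flagged."""
    known, peak = build_baseline(baseline_log)
    new_domains, per_day = set(), Counter()
    for day, client, domain in parse(new_log):
        if domain not in known:
            new_domains.add(domain)
        per_day[(client, day)] += 1
    noisy = {c for (c, _), n in per_day.items() if n > volume_factor * peak.get(c, 0)}
    return sorted(new_domains), sorted(noisy)
```

Running `find_anomalies(BASELINE_LOG, NEW_LOG)` on the constructed data surfaces the never-seen `example.org` domain and the host whose query volume jumped overnight, which is the kind of thing the raw log volume would otherwise hide.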