Jake Margolis, CISSP, Metropolitan Water District of Southern California
Prior to becoming a CISO, I was a soldier. Many of the lessons I learned during my time in the service I continue to apply today in the realm of cybersecurity. I developed this mindset over time because I found that it works, due to the analogous relationship between cyber and a modern-day battlefield. My first deployment to Afghanistan, in support of Operation Enduring Freedom, was in 2007, over a decade ago. The experiences garnered from this deployment later proved to be foundational to the development of my cyber-world view. The battlefield in a place like Afghanistan is not straightforward. There are no front lines. The enemy is unpredictable and is able to conduct offensive operations from nearly any place at any time. One might ask, how does this apply to cybersecurity? In cyberspace, there are no front lines. The adversary is unpredictable and is able to conduct offensive operations against nearly any target from anywhere at any time. The key to proactively defending the enterprise is to prepare for cyber incidents by understanding relevant threats and developing plans to counter these threats.
During that 2007 tour of Afghanistan, my role had me leading convoy missions almost daily. In preparing for these missions, I quickly came to realize the bad guy had a huge vote in how my day was going to go. This realization led me to accept that I could not control the bad guys’ part of the equation. This allowed me to focus on what I could control, which was being prepared for the fight, should it occur. We had a number of defensive and offensive technologies and support services available to balance the terms of an engagement. To determine the best defensive posture for each mission, historical data was used with current intelligence to plan for worst- and best-case scenarios. The team would then rehearse actions that would likely be taken to counter the adversary’s known tactics, techniques, and procedures (TTPs). This was the mindset: accept what we could not control and control how ready we were to respond. It may not seem to be a proactive approach, but it was, and it led to mission “success” time and again. How we responded was confined to rules of engagement, our own TTPs, and command policy.
Understanding what the enemy was capable of, coupled with managing what we had control over, provided the thought vehicle to choose which defensive, offensive, and support services we would need on a given mission, based on what we knew about the threats on our route and on what we could actually use to counter those threats.
CIOs and/or CISOs also have a number of technologies, likely already on hand, to balance the terms of a cyber incident. Like my time as a soldier, as a CISO I know the bad guy still gets a huge vote in how my day is going to go. Accepting the unpredictable nature of cyber-threats is a given, but it is important to take the time to learn bad actors’ TTPs and understand which ones are relevant to analyzing risks to the organization. Most cybersecurity teams are dialed into the various Information Sharing and Analysis Centers (ISACs) that are applicable to their sector of the economy. It is the burden of the CISO to ensure the information gathered from these sources is clearly communicated in terms of risk: ask “Does a threat align to a vulnerability or business activity within my organization?” Over time, correlating relevant threats with risk will lead to pervasive awareness of cybersecurity throughout the organization. This shared understanding of threat in turn eases the process of developing and refining cyber incident response plans.
As I stated before, we rehearsed plans to react to various enemy TTPs as part of our standard convoy preparation. But we could only rehearse a counter to a given TTP if the counter action was derived from a plan. Planning is the key and is actually a proactive step in protecting the organization from cyber-threats. Cyber incident response and threat intelligence are bookends to the development of a cybersecurity program and a defense-in-depth architecture. Well-developed incident response plans establish roles and responsibilities, clear lines of communication, and standardized sets of actions to address the most likely or common attack vectors. They may also dictate how technology is leveraged for standardized responses to known TTPs. For an incident response plan to be effective, however, it needs to be rehearsed. Rehearsals are conducted by doing tabletop exercises and discussing lessons learned from these exercises, as well as lessons learned when incidents actually occur. The incident response plan is a general response built on a general understanding of cyber-threats, organizational policy, support services available, and the technical capabilities of the organization’s cybersecurity team.
Planning to react seems counterintuitive to proactively addressing emerging cyber-threats, but it is actually a very proactive stance, and a more fiscally responsible and methodical approach to protecting the organization. Planning and preparing are, by their very nature, proactive activities. Taking the soldier’s approach, CIOs/CISOs can look at emerging threats through a lens that measures new threats against existing threat TTPs and the organization’s cyber incident response plan. Doing so will provide a framework to determine if a new technology is needed or if the organization just needs to adopt a new process or policy that leverages existing people and technology in a manner that mitigates the risks posed by said emerging threat. I will leave you with this quote with regard to the proactive nature of planning to prepare for cyber incidents: “If you fail to plan, then you are planning to fail” – Benjamin Franklin.