Contextual intelligence in the cyber battlefield

Cybersecurity executives have an enormous responsibility. We have moved from the conventional data center model to a cloud environment with data spread across the world.

It used to be enough to protect an organization with some basic tools like local antivirus and a perimeter firewall. Today, that has exploded into an array of solutions, such as intrusion detection systems, intrusion prevention systems, network and host firewalls, security incident and event management tools, spam filtering and encryption, many of which need to be installed, integrated and managed.

The adoption of cloud technologies has also added a new level of complexity to the challenges faced by cybersecurity executives. Cloud and mobile technologies have them developing new ways to tackle these issues. Organizations need cybersecurity that provides complete visibility, intelligence, and the ability to scale to create a comprehensive view of the threat landscape. In this episode of Cyberchat, we discussed how an organization matures, uses threat intelligence, creates a comprehensive view of its cybersecurity posture and employs contextual intelligence in the cyber battlefield.

Our guests were Shane Barney, chief information security officer for U.S. Citizenship and Immigration Services; Matt Smith, senior adviser to the CISO at the Department of Homeland Security; Greg Willshusen, director of Information Technology and Cybersecurity at the Government Accountability Office; and Alan Thomson, chief technology officer at Looking Glass.

When asked if it is harder to secure data today, all agreed. All admitted that the threat landscape is changing, so a defense can’t really be aimed at one threat or vulnerability, but needs to create a comprehensive view. Smith added that though the threat landscape is changing and becoming more advanced, “the [defense] capabilities are also advanc[ing] in defending the data.” Barney added that “[USCIS was] a heavily paper-based agency for a long, long, long time. Now we’ve made this huge leap into the electronic world and we’re still sort of adjusting to that.”

Willshusen stated that “the cloud is certainly an opportunity to help secure data that’s out there, but it also does not allow agencies to say, well, it’s a cloud service provider’s responsibility for securing information. It’s still up to the agency to make sure that the cloud service provider is adequately protecting that information.”

He also said that, “With respect to security we have found that the security over data at most of the agencies we go to needs to be dramatically improved … and it’s not just [the Government Accountability Office], it’s also the inspectors general at the various agencies, at least 18 out of the 24 CFO Act agencies, which are the major federal departments and agencies, um, cite that their agencies’ information security program is not effective.”

The panel agreed that any modern program must take a holistic approach, but also felt that staff are a huge part of any cybersecurity posture. Barney stated that it “involves getting the right people in the right places with the right knowledge and the right skills because that’s what’s gonna drive that [holistic approach].”

Thomson stated, “I would say finding experienced people in security is actually probably always going to be a challenge. So, making those individuals that you do have more effective, more efficient, to enable the achievement of the objectives of a security organization.” He discussed how we get to threat intelligence. “There’s a lot of things that can go into threat intelligence. Ultimately, it’s about data that can be used to help protect the organization. So, there’s no shortage of data. I think the key challenge is what data is relevant to securing your organization. So, for example, how can intelligence make that data more effective and more useful in your organization? So, it could be as simple as what type of actors are performing certain types of campaigns, certain behaviors that ultimately can help inform or instruct your response to those aspects.”

Thomson also stated that “intelligence can be considered a much broader aspect in that [it] informs you about your organization as a whole … There’s many different aspects of intelligence, but fundamentally it’s about focusing your defensive efforts based on what that intelligence tells you.”

Smith raised a further point: he valued threat intelligence, but wanted to discuss risk scores and the need for a better understanding of what data was used to create a given risk score. When discussing a risk score of eight, for example, he said, “What does the eight mean? Depends wildly on who your provider is, but the challenge that we have with that in operationalizing it is that what we really need?”

He also said there was plenty of data.

“But in order for me to contextualize that eight in my environment, I really need the bit of data that went into calculating that eight. And there’s some trade secret challenges in exposing that that we haven’t figured out how to overcome,” he said. “But if I had those data elements and could put that in context of my own data and my own analysis, then I can start identifying whether there’s a threat to systems at the southern border, or whether there’s a threat to a particular executive that I have, or whether there’s a threat to a location at a time that I might know that we’ve got either a particularly sensitive event going to be happening, or you know, particularly impactful travel that’s going to be happening.”