Security Experts:

You Can't Defend What You Can't See: Why Visibility is Critical for Improving Cyber Defense

Real-time Visibility Into the Security Posture of an Enterprise is Critical for Organizations to Operate With Confidence

The proliferation of connected devices coupled with today’s vanishing perimeter and ever-changing threat landscape complicate an already complex environment for organizations to secure against today’s sophisticated adversaries.

Attacks originate both from outside and within an enterprise, and the attack surface continues to grow significantly with migration of applications to the cloud and the rapid adoption of IoT products. Furthermore, the integration of business systems, information technology, and operational technology underway is radically rethinking how we can use technology to fundamentally transform effectiveness and efficiencies of business operations.

As this digital transformation takes hold and your organization is defined increasingly by its digital capabilities, cybersecurity strategy must be given equal footing as a business priority. Why you ask? Because digital transformation is potentially creating additional opportunities for adversaries as there are more entry points to exploit and more blind spots in which to hide, making it that much more challenging for cyber security professionals to patch all vulnerabilities and keep track of all threats. 

It should not be surprising that as the cyber terrain continues to expand, the likelihood of unidentified blind spots will as well. As a result, organizations are under immense pressure to close these visibility gaps in their systems, especially in the direct aftermath of recent security incidents. This has led many organizations to execute their cyber security strategy in a much more reactive manner than they would like. They continue to add point solutions to their security stack to immediately address specific security concerns. Yet they do so without a detailed analysis and understanding of if these point solutions are capable of interacting with the rest of the security stack, or if those solutions are redundant to capabilities already in the stack.

By taking this reactive approach, organizations unintentionally introduce even more security gaps into their enterprise, making it even harder to achieve visibility across the swath of cyber tools, much less the enterprise at large. Short term fixes become part of the larger problem. This is hardest felt by organizations who are struggling to contend with a widespread cyber skills gap and do not have automated capabilities to mitigate. These problems are further compounded in organizations that do not currently have tailored threat intelligence, or the ability to execute advanced threat hunting methodologies.

Attackers are leveraging these cumulative vulnerabilities to penetrate traditional cyber defenses and lurk undetected in terrain blind spots, sometimes for weeks or months. So, how can organizations who recognize these vulnerabilities act to remedy them in a proactive and holistic manner?

First, security teams must have full visibility. The term “visibility” gets thrown around a lot, but I think we have to set the proper context. What I mean by full visibility is accounting for all devices within the enterprise and all communications flowing across the enterprise to take the prerequisite defensive actions to minimize the cyber dwell time. Enterprises must provide real-time, continuous monitoring of the their high-value assets (what the attackers most frequently want to exploit for financial or intellectual gain) critical to their success.

Because attackers will exploit the paths of least resistance and move laterally through the enterprise, visibility must include all managed and unmanaged assets (enterprise IoT, shadow IoT, legacy systems, etc.) and the associated communications paths. Blind spots must be eliminated; otherwise, attackers will continue to exploit these seams within the cyber security defenses.

Second, visibility into computer processes and network activity is critical for detecting rule and policy violations, anomalies, and suspicious behaviors. Important defensive countermeasures include automated detections, threat hunting capabilities, and the ability to provide response to investigate or automatically quarantine and remediate threats early in their life cycle – before data is stolen. Additionally, defensive countermeasures must also include techniques to prevent attacks from succeeding in real time, including signature detection to quarantine known-bad files at the endpoint; behavior analysis to kill a process at the endpoint; network session disruption upon detection of files and network behaviors; and email quarantine. Security teams should align post-breach detection and response actions to a cyber threat framework to provide full coverage of the known attack surface.

Third, the ability to understand every aspect of every communications on every port is critical. Security solutions must be placed throughout the enterprise to collect the relevant data, stream analytics to process the data in real-time, and deploy response mechanisms at critical junctions to limit losses from an attack. Machine-learning algorithms should also be deployed to anticipate the movement of an attacker. The ability to predict future movement is critical to containing lateral movement and reducing dwell time. It is only then that security teams will be in a position to anticipate the next steps of an attack and isolate it. 

Finally, as threat actors and malicious insiders continue to evolve their tactics in an attempt to defeat cyber security defenses, the best detection is not just focused on their current actions but also on the cumulative effect of their past actions. Security solutions must continuously collect and assess metadata (all communication paths) against new threat intelligence. This allows for the discovery of advanced threats that previously evaded cyber security countermeasures. Automated, retrospective analysis provides increased visibility for analysts to look back at their systems and thoroughly analyze what happened during a breach, including how the cyber security defense was penetrated, what the threat did and what needs to be done to prevent future breaches. 

Real-time visibility into the security posture of an enterprise is critical for an organization to operate with confidence. Often this information is conveyed through dashboards that are created for decision makers at all levels of the organization. C-suite dashboards need to succinctly depict the overall security compliance of the enterprise as well as the potential impact of imminent threats. Security teams need a high-level, real-time view of events and threats, plus the ability to see all those details for faster incidence response to prevent threats. 

Another important aspect of continuous, real-time visibility is it allows the enterprise to collect and profile what is considered “normal behavior” of the organization. This is critical especially when trying to identify anomalous activities such as insider threats. The ultimate goal of this effort is to help transform traditional, reactive security capabilities to be more predictive and proactive to address Advanced Persistent Threats (APTs). Ideally, the response capabilities should be automated in order to respond in cyber relevant time. In this case, the dashboard should capture the summary information about what actions have occurred based on the rules and policies applied to the security solutions distributed across the enterprise.

In summary, to gain the decisive advantage in the unending cyber battle, I believe organizations need continuous, real-time visibility of their cyber terrain as a major component of their overall defensive cyber operation strategy… because you can’t defend what you can’t see.

view counter
Craig Harber joined Fidelis Cybersecurity as Chief Technology Officer following a distinguished career at the National Security Agency (NSA), and most recently USCYBERCOM, where he held senior technical roles driving major initiatives in cybersecurity and information assurance, having far reaching strategic impact across the Department of Defense (DOD) and Intelligence Community (IC). During his career at the NSA, Harber earned a reputation as a respected authority on technical strategies to fully integrate and synchronize investments in cybersecurity capabilities. He invented the threat-based cybersecurity strategy known as NIPRNet SIPRNet Cyber Security Architecture Review (NSCSAR) that provided DOD policymakers a framework to objectively measure the expected value of cybersecurity investments. He transformed Active Cyber Defense concepts into capability pilots, commercial product improvements, industry standards, and operational solutions. He also directed the Integrated Global Information Grid (GIG) IA Architecture; raising the importance of IA to all warfighting platforms resulting in multi-billion dollar increase in DOD IA investments.