    • 14 min read
    • Dec 30, 2020 9:22:05 AM

    Thinking Strategically: Cyber Process


    Albert Einstein once said, “If I were given one hour to save the planet, I would spend 59 minutes defining the problem and one minute resolving it.”

    Similarly, Abraham Lincoln famously quipped, “give me six hours to chop down a tree and I will spend the first four sharpening the axe.”

    Those were wise words from wise leaders and visionaries, but from what I have observed, most organizations don’t really apply that thinking when they consider how to better defend their business and their cyber security infrastructure.

    Part I: Focus First

    Data tells us that most companies aren’t sufficiently rigorous in defining the reality of the problems they think they must solve, and those that they MUST solve. Often, because of a variety of factors, including business issues, budgeting, threat proliferation, user issues, and a hundred other things, the focus that is required to solve the key problems becomes intertwined with the problems themselves, and not much effective problem solving occurs.

    Without rigor, organizations miss opportunities, waste resources, and end up pursuing security initiatives that aren’t aligned with their strategies, or any strategy to be perfectly frank.

    How many times have you seen a security project go down one path only to realize mid-flight that it should have gone down another? How often have you seen a cybersecurity program initiative deliver a “breakthrough” only to find that it actually addressed the wrong problem, and failure ensues?

    Many organizations need to become better at asking the right questions so that they tackle the right problems, and they need to leverage technology correctly to enable this constant axe sharpening to happen at the speed and scale of today’s digital business.

    In this blog and in some of our future writings we will offer a process for technically addressing and remediating the “MUST” problems that are necessary for cyber security optimization in any organization, and we think we can help you prioritize how to focus the efforts within your cyber security program and strategy to hone that axe to a razor’s edge.

    Our company, GYTPOL, has hundreds of customers already using our solution and approach to help improve the quality and efficiency of their cyber security efforts and, as a result, their overall business security posture and performance.

    What we want ultimately in cyber security is to not have a compromise happen in the first place; to keep the enemy at bay, in other words. Typically, though, what happens is that someone in the organization’s security group is assigned to fix a very specific, near-term problem.

    But because the organization doesn’t employ a rigorous process for understanding the dimensions and realities of the problem, it misses an opportunity to address the underlying strategic issues: the things that will really help with the realities that the organization MUST face, not the ones that it “might” have to face.

    What is technically required for a successful exploit?

    The purpose of this step is to articulate the problem in the simplest terms possible. At this point organizations should be thinking about where they are vulnerable, technically to be specific, and then, of those vulnerabilities, which ones equal a successful compromise for a threat actor. This point in the process should activate a mapping of the technical assets and an analysis of which of those assets is technically vulnerable to exploitation. Using technology that can help here should act as a call to arms that clarifies the importance and the first “MUST” point of focus of the issue, and helps secure and vector the resources that are needed to address it. This first effort will help in answering two questions:

    What is the basic need?

    What is the essential problem, clearly defined and concisely focused? It is important at this stage to focus on the need that’s at the heart of the problem rather than trying to jump to a solution. Defining the scope and scale of the potential compromise space in its totality is of absolute importance.

    What are the connections?

    Answering this question requires understanding the intricacies of the digital infrastructure, to be sure you have a real, fact-based, technical analysis of what talks to what within your organization’s infrastructure. At this step you should avoid the temptation to favor a technical solution to “fix” these intricate connections. Instead, here you should work to make sure you know the totality of what is connected, and where an attack could go from a singular exploit to a network-level compromise.
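    One way to make “what talks to what” concrete is to turn observed connection records into a directed graph and ask, for each host, how many other hosts an intrusion starting there could transitively reach. The block below is an added illustration written for this post, not GYTPOL’s product code; the flow records and host names are constructed.

```python
# Added example (not from the original post): derive "what talks to what" from
# constructed connection records and rank hosts by how far a single compromise
# of that host could spread if each observed connection path were abusable.
from collections import defaultdict, deque

# Constructed sample records: (source_host, destination_host, destination_port).
# In practice these would come from firewall, NetFlow, or EDR network telemetry.
CONSTRUCTED_FLOWS = [
    ("laptop-17", "fileshare-01", 445),
    ("laptop-17", "proxy-01", 8080),
    ("fileshare-01", "backup-02", 22),
    ("backup-02", "dc-01", 389),
    ("web-03", "db-01", 5432),
    ("db-01", "backup-02", 22),
    ("kiosk-09", "proxy-01", 8080),
]


def build_graph(flows):
    """Directed adjacency map: which hosts initiate connections to which."""
    graph = defaultdict(set)
    for src, dst, _port in flows:
        graph[src].add(dst)
    return graph


def reachable_from(graph, start):
    """Breadth-first transitive closure: every host reachable from `start`
    by following observed connection directions (start itself excluded)."""
    seen, queue = set(), deque([start])
    while queue:
        host = queue.popleft()
        for nxt in graph.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(flows):
    """Map each host to the number of hosts it can transitively reach, with
    the most far-reaching starting points first (ties broken by name)."""
    graph = build_graph(flows)
    hosts = {h for f in flows for h in f[:2]}
    counts = ((h, len(reachable_from(graph, h))) for h in hosts)
    return sorted(counts, key=lambda item: (-item[1], item[0]))
```

    The ranking shows that an unremarkable endpoint can have a larger reach than a server, which is exactly the kind of fact a connection map should surface before resources are committed.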

    Part II: Concretize, Contextualize, and Quantify the Problem

    Why is there a need to act? The answer to this question should not be abstract; it should be specific. And it should not be discussed as an idea, but as something that can be both demonstrated and measured.

    Is the technical effort aligned with the outcomes that sync with your strategy?

    In other words, will acting on the technical requirement serve the organization’s strategic goals and better the business outcomes? It is not unusual in cyberspace for an organization to focus on solving a variety of technical problems that are not necessarily in sync with its overall strategy and are not truly in line with the expected business outcomes.

    If that is occurring, then the question becomes: is the effort justified (the expense, effort, and technical capabilities), or should the entire effort be reconsidered? If there is no true picture of the current complete technical state of the infrastructure, how much quantifiable good will come from the investments that are being made?

    A point of consideration here is to “know where you are, so you know where you are headed.” For technology this means that your organization has a very clear and concise visual inventory of the configurations that are present across the totality of your infrastructure. Most often, and there are hundreds of examples of this, an organization’s “inventory” does not look across the total infrastructure picture.

    This must include cloud, on-premises, off-premises, endpoints, and other potential points of compromise. But building that overall picture becomes problematic if it is attempted manually, and the capabilities required to solve that problem can negatively impact the operational efficacy of the business as resources are pulled from one problem to try to deal with the total inventory and configuration issue.

    In addition, you should consider whether the problem fits with the true technical priorities: the items that actually increase the risk for the enterprise infrastructure. Not “everything” that is a potential point of compromise increases the risk with enough impact to merit the investment to remediate that issue.

    Having a focused and vectored technical configuration analysis and inventory of all applicable assets is what must guide that risk-based decision-making process.

    What are the desired benefits for the company, and how will they be measured?

    In most companies, the desired benefit from remediation in cyber space is expected to be an ability to better respond to potential threats and reduce the overall risk to the business. The reduction of time to effectively respond is honestly more important than the immediacy of a reduction of risk, as risk is inherent in the nature of conducting business in a digitally enabled world.

    Effective response comes from an accurate picture of what is and is not under attack or an avenue of attack. Knowing that your organization can more effectively respond to an issue based on an accurate picture of the threat space means less investment in chasing technical indications that aren’t necessarily useful, and an optimization of resources.

    How can we ensure technology addresses the issues and align our resources for a future problem?

    Assume that an indication of a compromise is found just by dumb luck. Someone in the organization must be responsible for carrying out the following remediation—whether that means installing new patches, updating technology, fixing accounts, adding firewall rules, or rebuilding an entire infected section of the infrastructure. Someone on the team is going to have to fix those issues and must respond to that need.

    There is no other option. The real question now is how one remedies this issue at the speed and scale of business while also making sure that there are no additional issues. The more connectivity an enterprise has, the more potential compromise there is as a result of any singular exploit.

    It is important at this stage to be certain of the technical and human resources that are now required. This can seem premature—after all, you are still likely discovering the scope of the total problem, and the field of possible issues could be very large—but it is actually not too early in the process to begin exploring what technical resources you need to be better prepared in the future.

    In other words, now that you are acting and addressing the issue, it is the time to plan for what is to come and to use the lessons learned during this response to employ technology that will empower the organization to be proactive in the future rather than reactive.

    Now that you have laid out the need for a technical fix, and you have a line on the actual resources that are required, you can plot out what fixes what. Having the most correct and accurate understanding of the complete technical picture, and concrete knowledge of what technologically allowed the issue to occur, places the power in your hands to better maneuver in the next stage.

    Part III: Be Precise While Taking a Broad Perspective

    In a complex operation and interdependent data ecosystem, it is often helpful to ask yourself how many fundamental problems are present. Things are naturally entangled, and the directionality of causation is not always obvious. Take some time to consider and attempt to isolate all the covariates.

    Interdependencies

    Is the problem you're looking at really just the symptom of another problem?

    How many other domains and functionalities does the problem touch?

    It would be a mistake to try and tackle one problem when you have several. Of course, it would also be a mistake to try and tackle several problems separately when they share one root cause. There are many potential pitfalls in trying to make sense of complex interactions, but the most insidious is the magician's deception — looking here when you should be looking there. This is why it's important to get as granular as possible while still maintaining a big picture perspective.

    Having a full, clear mapping and visual understanding of the totality of the problem, and understanding what technologies are in play that are actually enabling the spread of the problem, is a key point of success. This understanding also helps non-technical people, both inside and outside the organization, quickly grasp the issue.

    In cybersecurity this means knowing what fundamental threat vectors are in place and what might help further move the threat lifecycle forward. Often, once the problem is truly understood and seen, the realization is that there is a more complex compilation of problems than we thought. The interconnected nature of these systems is where we suddenly realize one problem is actually many.

    In the realm of cybersecurity, a problem is rarely isolated. Between users, accesses, networks, files, and a variety of other aspects nothing stands alone. When an issue is identified, therefore, it means that one problem may masquerade as another — or more likely betray the presence of several issues. It doesn’t mean that problems aren't solvable of course, but it does mean that we need to be careful and conscientious in our approach — summoning as much precision and intelligence as we can.

    If we don't focus on the actual “physics” of the problem and know what the interconnected nature of those systems imposes on our solution, then we basically guarantee failure before we ever put a solution in place. We must know that what we are doing is removing the proliferation of the threat action piece by piece, and we must continually apply our tools to further reduce the spread of malicious actions and connections.

    Identify your key success criteria and how they can be measured

    It's important to be explicit about how you evaluate not only the problem, but potential solutions as well. Clarity, transparency, and technical efficacy that shows visually how a solution is enabling success are crucial to arriving at a more optimal end state, while also ensuring that the evaluation process is accurate and the metrics used produce rigorous results. In some cases a “we’ll know it when we see it” approach is reasonable; when we are solving cyber-related issues and risk, however, it is a sign that earlier steps in the process have not been approached with sufficient rigor.

    Don't allow wishful thinking to enter your strategic calculus

    The point here is to ensure that the right people are motivated to address the problem and that the right technologies are in place to deal with the needed technical fixes, not the desires we usually conflate with a want for a future capability. In other words, we should be able to “see” that our technology is handling the technical need the adversary has in order to succeed, not enabling a “want” for us to do more interesting technical things.

    That comes later, after we have fixed the weak points and eliminated the adversary’s continued access.

    Wasted time, effort, budget, and hours are spent trying to empower “wants” when what is actually necessary is to focus first on the “needs” that must be addressed. You know what a “need” is when you approach it from the adversary’s perspective, not the defender’s view.

    Know what the adversary “needs” to continue or launch an attack and deal with that first and foremost.

    About Author


    Ilan Mintz

    A full-stack marketer with over 10 years of experience helping startups build brands for global success, Ilan's a firm believer in the transformative power of a well-crafted story. Ilan excels at generating human connection to and through technology and relishes opportunities for creative thinking and problem-solving. Ilan’s favorite things include his family, obscure facts, philosophy, gardening, and believing that this year will finally be different for the Minnesota Vikings.
