Okay, so being a retired Army Officer, I try to relate issues around technology to other former military members in Cyber Security in terms we understand.   Interestingly, I find that even those who were not in the military easily relate to the analogies, so let's give this a whirl.

Quick Reaction Force

You are moving a large segment of supplies to a forward base.  En route you are attacked.  You immediately react and protect your supplies.  Since the attack seems to be coming from all directions, you seek information that portrays the level of attacker strength, its true direction, and intent of the attack to discover feints and diversions.

You seem to be on the verge of being overrun.  You ask for the quick reaction force to come to your assistance, defeat the attackers, and assist in recovery of the scattered supplies while also reinforcing your defensive measures.

We all have seen this played out in various scenarios, whether from a first person ‘been there’ perspective, or from numerous depictions in books, TV shows, and/or movies.  But have you noticed that this is a scenario that fits within the cyberspace domain? Only, the quick reaction force is named an ‘incident response team’.

Both the initial defender and the incident responders fight through the attack and re-establish the ‘defensive lines’.  Normally, it is the incident responder who goes through the plethora of data sets (or, in the physical world, collected intelligence information from multitudes of sources) to ascertain the who, how and what-were-they-after questions.  Was it a feint, or was it a direct or indirect attack to achieve a strategic goal, be it intellectual property, money or data?

So the elements are essentially the same in coming to some conclusion about the attack.  The main difference is how the attack was perpetrated and the responders’ accumulation of information regarding the intrusion.

Big Data Security Analytics

In today’s networked environment, this historical analysis is brought about through big data security analytics.  The time frame of the attack starts with the attacker’s reconnaissance of your positions through your adjustment of the new and improved defenses, sometimes extending from multiple months to years.  But for security data analytics to be effective, they need to be part of our security architecture.

We need that quick reaction force to be immediate, not relegated to doing historical reviews long after the events have happened.  I mean, I like history and all, but the key to overcoming a large-scale attack is in making security analytics part of your quick reaction force.  This is your tactical and operationally focused response.

So when we are talking about large sets of data over an extended period, we are then focusing on the strategic set of data. This is the long-term, intelligence-focused research, concentrating on the intent and the type of group attacking.

Hence, I would suggest that there are two sets of defenders for the cyber domain, just as you would see in the physical example above: one focused on current and on-going defensive operations and one investigating incident events over time for long-term campaigns.  But while these two defender sets are looking at essentially the same data, the time frame of reference and the correlation of data are by definition different due to their focus.

All organizations are concerned about the tactical/operational attacks, as they are compromising and stealing from our organizations. We must do this level of analysis and tie it into our response.

From Reactive to Proactive Defense

Some would ask, why then do I care about the past data?  Well, you are probably going to repeat the problem in a similar situation; after all, if the attacker was successful the first time, why change something that is not broken from his perspective?

You are now presented with a question of how to prevent and deter the next attack using this same ‘avenue of approach’. This historical data review allows the incident response team to correlate network events as part of a particular incident, or to string the events together to fully understand the attack profile. It is the variety and volume of data that makes the analysis challenging, yet fruitful for future defenses, not to mention forensic analysis for the all-important damage assessment.
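To make the two-defender idea concrete (the same event data, read once on a tactical time frame and once on a strategic one, as described in the sections above), here is an added example that is not from the original post. The log format, the five-failures-in-five-minutes threshold, the 30-minute follow-on window, the "credential-guessing" label and the sample events are all constructed assumptions chosen for illustration; they are not the author's data or any product's logic.

```python
"""Two passes over one event stream: a tactical (quick reaction) pass over a
short window, and a strategic (campaign) pass over months.  Added example;
the log format, thresholds and sample events below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (documentation-range addresses, not real data):
# timestamp  source  target  action
SAMPLE_LOG = """\
2023-01-03T02:14:07Z 198.51.100.23 vpn-gw auth_fail
2023-01-03T02:14:09Z 198.51.100.23 vpn-gw auth_fail
2023-01-03T02:14:12Z 198.51.100.23 vpn-gw auth_fail
2023-01-03T02:14:20Z 198.51.100.23 vpn-gw auth_fail
2023-01-03T02:14:25Z 198.51.100.23 vpn-gw auth_fail
2023-01-03T02:14:40Z 198.51.100.23 vpn-gw auth_success
2023-01-03T02:21:03Z 198.51.100.23 fileserver-1 smb_read
2023-02-11T23:58:30Z 198.51.100.23 vpn-gw auth_fail
2023-02-11T23:58:33Z 198.51.100.23 vpn-gw auth_fail
2023-02-11T23:58:37Z 198.51.100.23 vpn-gw auth_fail
2023-02-11T23:58:41Z 198.51.100.23 vpn-gw auth_fail
2023-02-11T23:58:50Z 198.51.100.23 vpn-gw auth_fail
2023-02-12T00:03:15Z 198.51.100.23 vpn-gw auth_success
2023-04-19T03:40:10Z 203.0.113.77 vpn-gw auth_fail
2023-04-19T03:40:12Z 203.0.113.77 vpn-gw auth_fail
2023-04-19T03:40:15Z 203.0.113.77 vpn-gw auth_fail
2023-04-19T03:40:19Z 203.0.113.77 vpn-gw auth_fail
2023-04-19T03:40:22Z 203.0.113.77 vpn-gw auth_fail
2023-04-19T03:41:00Z 203.0.113.77 vpn-gw auth_success
2023-04-19T03:55:44Z 203.0.113.77 fileserver-1 smb_read
2023-05-02T10:15:00Z 192.0.2.8 vpn-gw auth_fail
2023-05-02T10:15:30Z 192.0.2.8 vpn-gw auth_success
"""


def parse(log_text):
    """Turn the constructed log lines into time-ordered event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, action = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "dst": dst, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def tactical_alerts(events, window=timedelta(minutes=5), threshold=5):
    """Quick-reaction view: a login success preceded by `threshold` or more
    failures from the same source inside `window` is acted on now."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fail_times = [e["ts"] for e in evs if e["action"] == "auth_fail"]
        for e in evs:
            if e["action"] != "auth_success":
                continue
            recent = [t for t in fail_times if e["ts"] - window <= t <= e["ts"]]
            if len(recent) >= threshold:
                alerts.append({"src": src, "dst": e["dst"], "at": e["ts"],
                               "failures": len(recent)})
    return alerts


def strategic_campaigns(events, alerts, min_recurrences=2,
                        follow_on=timedelta(minutes=30)):
    """Campaign view over months: the same avenue of approach (target plus
    technique) recurring across sources, and whether each intrusion led to
    follow-on activity on another host.  The technique label is assumed."""
    campaigns = defaultdict(lambda: {"sources": set(), "intrusions": 0,
                                     "follow_on": 0, "times": []})
    for a in alerts:
        c = campaigns[(a["dst"], "credential-guessing")]
        c["sources"].add(a["src"])
        c["intrusions"] += 1
        c["times"].append(a["at"])
        # Follow-on: the same source touching a different host shortly after
        if any(e["src"] == a["src"] and e["dst"] != a["dst"]
               and a["at"] < e["ts"] <= a["at"] + follow_on for e in events):
            c["follow_on"] += 1
    result = {}
    for key, c in campaigns.items():
        if c["intrusions"] >= min_recurrences:
            c["first"], c["last"] = min(c["times"]), max(c["times"])
            result[key] = c
    return result


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    tactical = tactical_alerts(evs)
    for a in tactical:
        print(f"ALERT {a['at']} {a['src']} -> {a['dst']} after {a['failures']} failures")
    for (dst, technique), c in strategic_campaigns(evs, tactical).items():
        span = (c["last"] - c["first"]).days
        print(f"CAMPAIGN {technique} against {dst}: {c['intrusions']} intrusions, "
              f"{len(c['sources'])} sources, {c['follow_on']} with follow-on, "
              f"over {span} days")
```

The tactical pass answers "what do I fight through right now" and fires on each individual intrusion; the strategic pass re-reads the very same alerts and events over a span of months and answers "which avenue of approach keeps being used, and what did the attacker do once inside", which is the input to the next round of defensive adjustments. Same data, different time frame of reference and different correlation key.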

The massive volume of data available in today’s networks presents both a challenge and opportunity. If you can tame the big data at your disposal, it can be instrumental in your quick reaction force.  Many times attackers will refrain (and in some form are deterred) from attacking due to the initial and follow-on responses of your Quick Reaction Force and its ability to counter an attack while discovering the attacker’s true intentions.

This is where we move from a reactive defense — waiting for something to happen — to a proactive defense that deters strikes from happening in the first place.
