Head on a Swivel from "SWAT Team Skills for Cybersecurity"
Chris Gebhardt
CISO. Practical. Reasonable. Creative. Concise. Experience with FedRAMP, CMMC, ISO, SOC, NIST, and many more. Former LE SWAT Team Leader.
An abbreviated excerpt from my upcoming short book titled: "SWAT Team Skills for Cybersecurity." Please share your thoughts in the comments.
Head on a Swivel
The Officers were walking toward the residence in a "stick", a single-file line, one behind the other. Each had a specific task, yet they were all looking out for each other. The first Officer was looking forward, since his view was unobstructed in that direction. The second Officer in the stick turned her gaze to the left of the stick. The third Officer, watching the second, looked to the right, ensuring that both directions were covered by eyes. If the second Officer looked right, the third would look left, and so on down the stick. This Head on a Swivel routine is what helped catch the burn [covered in an earlier chapter].
The Premise
The premise is simple: keep your head and eyes moving at all times. Hence, Head on a Swivel. Take the name literally: be a controlled bobblehead. Head on a Swivel is not just right/left movement; it is up and down as well. Malicious actors can hide or be anywhere. They are crafty!
The benefit of looking around is that you take in more information to process. If you target-lock on one location, you miss what is on your left and your right. That is tunnel vision, and it can lead to very bad mistakes by missing dangerous threats on your flank.
As humans, we can only see in fine detail within a small central area, roughly 5% of what is in front of us; there are plenty of studies that showcase this. Given that you can only focus on about 5% of what is in front of you, while your entire field of vision spans about 200 degrees, you must keep your head and eyes moving across that 200-degree field of view.
Cyber World
In the Cyber World, what is your field of view? How much can one person look at at a given time? How many servers can one analyst review during an incident? You can see where this is going. Our ability to absorb information is limited by our sight, whether it is physical or virtual. With the growing number of systems within an organization, how many personnel will it take to examine them during a cyber event? Only you can answer that, based on your environment's complexity, but it is an answer you must have before the event.
Security Operations Centers are a good example of this concept: large screens on a wall and multiple monitors on the desk showing various status screens and alerts. The analyst can only focus on one display at a time, so which one gets all their attention? All of them! They use the Head on a Swivel concept to glance at each monitor, getting a quick impression before moving to the next. In the time it takes to adjust their focus, their brain is processing what they just saw and looking for anomalies relative to the previous state. [Pilots do the same thing by scanning the air in front of and to the sides of them and then scanning their six-pack, aka the instrument panel.]
We can extend this concept to numerous areas within cybersecurity. Our eyes can be virtual, with an IDS/IPS scanning our network and traffic; that is a workforce multiplier. We can also have our teams working together, scanning each other's monitors.
Another avenue to consider is which systems you are reviewing and protecting. If the attack appears to focus on the mail server, how sure are you that it is limited to just that vector? Head on a Swivel dictates that you check other systems in parallel. In practice that means taking the indicators from the first alert, such as the source address, the account used and the time window, and searching the other systems' logs for them rather than waiting for each system to raise its own alarm.
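The parallel check described above, as an added example in Python that is not from the book or its author: the first alert on the mail server yields one indicator, a source address, and the script sweeps the logs of every other system for it instead of staying locked on the mail server. All host names, addresses, log lines and log formats below are constructed for the example.

```python
"""Head on a Swivel, in code: pivot the indicator from the first alert across
every other system instead of target-locking on the one that raised it.

Added example; all host names, addresses and log lines are constructed and
the log formats are simplified. In practice the sweep would be a SIEM query
or a search over the collected log files of each system.
"""
import re
from concurrent.futures import ThreadPoolExecutor

# Constructed logs from four systems. The mail server raised the first alert
# (a password-guessing run that ends in a successful login); the question the
# text asks is whether the same actor has touched anything else.
LOGS = {
    "mail": [
        "2024-05-01T09:02:11Z mail sshd: Failed password for admin from 203.0.113.45",
        "2024-05-01T09:02:14Z mail sshd: Failed password for admin from 203.0.113.45",
        "2024-05-01T09:02:17Z mail sshd: Accepted password for admin from 203.0.113.45",
    ],
    "vpn": [
        "2024-05-01T08:40:03Z vpn openvpn: user jdoe connected from 198.51.100.7",
        "2024-05-01T09:10:40Z vpn openvpn: user admin connected from 203.0.113.45",
    ],
    "web": [
        "2024-05-01T09:05:00Z web nginx: 198.51.100.20 GET /index.html 200",
        "2024-05-01T09:05:02Z web nginx: 198.51.100.21 GET /about 200",
    ],
    "dc": [
        "2024-05-01T09:12:05Z dc kerberos: TGT issued to admin from 10.0.0.5",
        "2024-05-01T09:12:30Z dc kerberos: TGT issued to admin from 203.0.113.45",
    ],
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def indicators_from_alert(lines):
    """Collect the source addresses from the lines that made up the alert."""
    found = set()
    for line in lines:
        found.update(IPV4.findall(line))
    return found


def sweep_system(name, lines, indicators):
    """Return (system, matching lines) for one system; runs in its own thread."""
    hits = [ln for ln in lines if set(IPV4.findall(ln)) & indicators]
    return name, hits


def swivel(first_system, logs, indicators):
    """Sweep every system other than the one that alerted, in parallel, and
    return {system: [matching lines]} for the systems where the indicators
    also appear."""
    others = [(name, lines) for name, lines in logs.items() if name != first_system]
    results = {}
    with ThreadPoolExecutor(max_workers=max(1, len(others))) as pool:
        futures = [pool.submit(sweep_system, name, lines, indicators) for name, lines in others]
        for fut in futures:
            name, hits = fut.result()
            if hits:
                results[name] = hits
    return results


def affected_systems(first_system, logs, indicators):
    """Sorted list of every system the actor touched, including the first."""
    return sorted([first_system] + list(swivel(first_system, logs, indicators)))


if __name__ == "__main__":
    # Tunnel vision: the alert lines alone only tell you about the mail server.
    alert_indicators = indicators_from_alert(LOGS["mail"])
    print("indicators from alert:", alert_indicators)
    # Head on a Swivel: the same address shows up on the VPN and the domain
    # controller, so the incident is wider than the mail server.
    for system, hits in swivel("mail", LOGS, alert_indicators).items():
        print(system)
        for ln in hits:
            print("   ", ln)
    print("affected:", affected_systems("mail", LOGS, alert_indicators))
```

The sweep deliberately runs the other systems concurrently rather than one after another, which is the point of the stick: nobody waits for the Officer ahead to finish looking before covering their own sector. Only the source address is pivoted here; the account name and time window from the alert would be the next indicators to add.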
This snippet of text sums up the greater chapter Head on a Swivel. The book "SWAT Team Skills for Cybersecurity" comes from my personal experience as a SWAT Team Leader for several multiagency SWAT Teams. The lessons I learned changed my law enforcement career and I continue to bring them into use today as a cybersecurity professional.
The short book will be released later this year. I hope you'll pick up a copy and add its lessons to your own playbook.
Chris
Sr. Customer Experience Manager
1 year ago: I don’t see your bobble head there
Senior Security Engineer | Cloud Security Specialist | Future CISO | Speaker at ChiBrrCon, SAINTCON
1 year ago: Yessss, I can't wait!