Seeing is Believing

Companies often need to see that a risk exists in their infrastructure to believe it's worth investing in mitigating. They need to see that the bad actors can reach them in their cozy corporate homes. More importantly, they need to see that problems get fixed and risks are mitigated and reduced.

At the RSA Conference this year, 'seeing' was touted as one of the latest ways of ensuring the value of your security investment is being realized.

The cybersecurity/information technology term for this used to be 'line of sight', or simply being networked.

Nothing unconventional about it: if we want to know whether some user, device or app is safe (or not), and keep an eye on the places they are being used, we need to be able to scan it, monitor it, audit it and collect logs from it.

In 2024, this is assumed to be fully taken care of...being able to 'see' even the most isolated, unique, barely connected device is usually just as simple as deploying some sort of local agent to handle the visibility 'stuff'. Sometimes we put that on a piece of infrastructure next to the one we want to monitor...but it results in all the same data. And those agents come in 10,000 flavors from 50,000 companies...you've got options.

No, this year the 'Seeing' is represented by 'Intelligence'.

And no - I'm not going to make a pile of jokes about how smarter people do better work...I'm not sure that's entirely true anyway.

What we are talking about is how to identify what we are looking for in the first place.

In practice, what we require is the knowledge of how malicious applications and people behave...their patterns, their methods, their goals. We can search for these patterns and behaviors. That's easy...the hard part is how often that data needs to update. In functional terms, what we're getting is script-language or context-specific data feeds that must be validated and sometimes even transformed before they can be applied to a given infrastructure.

20+ years ago, security intel feeds were 'soft' news that had to be converted into a technical statement. We'd hear something like: so and so from such and such country was actively using a SPECIFIC exploit in something like Adobe Acrobat (WHY WAS IT ALWAYS ACROBAT?!) to steal or install something. We would then be required to create a 'hard' response, like a policy change, a rule modified somewhere, or a mitigation or fix applied (Patch, patch, NON CUMULATIVE BLOODY PATCH!!!). By 2010, there were a few options for orchestration, which would be the middle man between the soft feeds and actually implementing something...but you needed a whole specialist just to care for and feed that appliance.

Intel feeds now are WAY more sophisticated. If you're plugged into the right feeds with the right scripting in place, you're more or less signing up for 'hard' responses to be dropped into your security solutions, externally, and from crowd-sourced data.

If that sounds both awesome and also like an incredibly bad idea, good...you're in the right place.

There is a lot more work required (unless you're completely mad and are letting internet jesus take the wheel). At NCC, our own team of analysts spends a pile of time taking the output of these feeds; reviewing, confirming, testing and correlating that data before releasing it into the wild to help secure our clients' infrastructure as well as our own. At NCC, a whopping 40% of confirmed security events within our client environments have been detected using that custom set of data feeds. Our proprietary special blend of intel...the NCC Breakfast Blend (which could be coffee or tea based on longitude, but either way it's ROBUST!).

There was still a need for more: the data doesn't update fast enough when a limited number of sources provide the majority of it. Those few sources can't possibly maintain an up-to-the-minute status on all GLOBAL cybersecurity concerns.

This next evolution, which Microsoft has been investing in for several years with the Microsoft Security Intelligence Association (MISA) and which Google just announced this week in its new Threat Intelligence offering, is to create a method of cross-sharing and correlating intelligence. Faster results, owing to patterns with more recent confirmation, and more correlation for accuracy. The result is greater intelligence integrity and a quicker, more accurate response to active threats.
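The review, confirm, test and correlate step described above, and the cross-source correlation this paragraph argues for, can be shown as a small pipeline. The following is an added example written for this post; it is not NCC Group's tooling, Microsoft's or Google's, and the JSON-lines feed format, the two feed names, the indicator values, the freshness and confidence thresholds and the output rule syntax are all constructed assumptions. It takes raw feed entries, rejects ones that would do harm or are unusable (an internal address that would block your own network, a stale entry, a malformed hash), merges what survives per indicator across sources, and only then turns the result into 'hard' rules.

```python
"""Validate, correlate and transform threat-intel feed entries.

Added example, not code from the article or from any vendor it names.
Feed format, thresholds and rule syntax are assumptions for illustration.
"""
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: two hypothetical sources publishing overlapping indicators
# as JSON lines. The hash is a made-up hex string, not a real file hash.
SAMPLE_FEED = """
{"source": "feed-a", "type": "ipv4", "value": "203.0.113.7", "confidence": 85, "last_seen": "2024-05-07T10:00:00Z"}
{"source": "feed-b", "type": "ipv4", "value": "203.0.113.7", "confidence": 70, "last_seen": "2024-05-08T02:30:00Z"}
{"source": "feed-a", "type": "ipv4", "value": "10.0.0.5", "confidence": 95, "last_seen": "2024-05-08T00:00:00Z"}
{"source": "feed-b", "type": "domain", "value": "bad.example.net", "confidence": 60, "last_seen": "2024-05-08T01:00:00Z"}
{"source": "feed-a", "type": "domain", "value": "old.example.org", "confidence": 90, "last_seen": "2024-01-01T00:00:00Z"}
{"source": "feed-b", "type": "sha256", "value": "not-a-hash", "confidence": 99, "last_seen": "2024-05-08T00:00:00Z"}
{"source": "feed-a", "type": "domain", "value": "bad.example.net", "confidence": 75, "last_seen": "2024-05-08T03:00:00Z"}
{"source": "feed-b", "type": "sha256", "value": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "confidence": 95, "last_seen": "2024-05-08T04:00:00Z"}
"""

NOW = datetime(2024, 5, 8, 12, 0, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
MAX_AGE = timedelta(days=14)  # assumed freshness window
# Assumed list of ranges a feed must never make us block: private, loopback,
# link-local, "this network" and multicast.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_feed(text):
    """Parse JSON-lines feed text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def validate(entry, now=NOW):
    """Return None if the entry is usable, otherwise a short rejection reason."""
    value = str(entry.get("value", "")).strip().lower()
    kind = entry.get("type")
    if kind == "ipv4":
        try:
            addr = ipaddress.IPv4Address(value)
        except ValueError:
            return "malformed ipv4"
        if any(addr in net for net in INTERNAL_NETS):
            return "internal address"
    elif kind == "domain":
        if not DOMAIN_RE.match(value):
            return "malformed domain"
    elif kind == "sha256":
        if not SHA256_RE.match(value):
            return "malformed sha256"
    else:
        return "unknown type"
    try:
        last_seen = datetime.fromisoformat(entry["last_seen"].replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return "missing/invalid last_seen"
    if now - last_seen > MAX_AGE:
        return "stale"
    conf = entry.get("confidence")
    if not isinstance(conf, (int, float)) or not 0 <= conf <= 100:
        return "invalid confidence"
    return None


def correlate(entries, min_sources=2, min_confidence=90):
    """Merge valid entries per indicator; promote those confirmed by enough
    independent sources, or by one source at very high confidence."""
    by_key = defaultdict(lambda: {"sources": set(), "confidence": 0, "last_seen": ""})
    rejected = []
    for e in entries:
        reason = validate(e)
        if reason:
            rejected.append((e.get("source"), e.get("value"), reason))
            continue
        rec = by_key[(e["type"], e["value"].lower())]
        rec["sources"].add(e["source"])
        rec["confidence"] = max(rec["confidence"], e["confidence"])
        rec["last_seen"] = max(rec["last_seen"], e["last_seen"])  # ISO strings sort correctly
    promoted = {k: v for k, v in by_key.items()
                if len(v["sources"]) >= min_sources or v["confidence"] >= min_confidence}
    return promoted, rejected


def to_rules(promoted):
    """Transform promoted indicators into 'hard' rules in an assumed, generic syntax."""
    rules = []
    for (kind, value), rec in sorted(promoted.items()):
        tag = f"# intel:{'+'.join(sorted(rec['sources']))} conf:{rec['confidence']}"
        if kind == "ipv4":
            rules.append(f"deny ip any {value} {tag}")
        elif kind == "domain":
            rules.append(f"dns-sinkhole {value} {tag}")
        else:
            rules.append(f"block-hash {value} {tag}")
    return rules


if __name__ == "__main__":
    promoted, rejected = correlate(parse_feed(SAMPLE_FEED))
    for r in rejected:
        print("rejected:", r)
    for rule in to_rules(promoted):
        print(rule)
```

On the sample, the internal address, the stale domain and the malformed hash are rejected before anything is correlated; the IP and the domain are promoted because two sources agree on them, and the hash on a single source only because its confidence clears the high bar. Lowering `min_sources` to 1 is the "let the feed drive straight into production" setting the post warns about.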

[Image: Dan's RSA badge with some Redwoods Forest security intel]

Knowing who the monsters are makes them less scary, and in some cases - makes them zero threat at all.

Message me or reach out to NCC Group if you're interested in learning more about how you can position your company/organization to take advantage of this evolution in security.

You bring the landscape, we'll bring the tools and intel.


Scott Marrone

Director Of Information Technology at City of Parkland

9 months

The hardest part about our security is monitoring the incoming wave of logs and events. In the past, security meant throwing the logs into one location so some magical elf would eventually comb through them, which never happens. Then we created systems with limited capabilities called intrusion prevention systems to match algorithms and provide a response, but then we were forced to weed out thousands of false positives. Next we created the SOC, which is a group of people staring at screens to try and respond to the tidal wave of information. In the near future Microsoft will use its Copilot AI system to comb through the data for us, and then we will finally be able to get ahead in the security game. As everyone knows, hackers are often in your backyard for months unnoticed. This isn't always because of bad practices but because of limited resources to comb through endless data. I for one am extremely excited for what AI will bring to cyber security.
