
Advice for Cyber Protectors: Focus on Outcomes

Mastery of fundamentals is also an important trait of successful cyber defenders.

In the cyber protection industry, the common mantra that defenders must successfully defend networks and information technology environments all of the time misses the point, according to one cyber leader. Instead, cyber warriors should identify clear, desired outcomes for their cyber operations.

“I suspect most of you have seen this. It's called the ‘defender’s dilemma,’” explained Tim Crothers, senior vice president and chief security officer at Mandiant Corp., speaking yesterday at the AFCEA Rocky Mountain Chapter’s annual Cyberspace Symposium, held February 21-24 in Colorado Springs, Colorado. “It is this idea that as defenders we are doomed to fail because we have to be right 100 percent of the time, whereas the attackers only have to be right once. I don't actually prescribe to this. I don't agree. I think this is taking too simple of a view.”

And while the job of cyber defenders—especially those who have to confront attacks from nation-state entities or other nefarious cyber actors that can employ significant resources—presents “some really interesting challenges,” Crothers advised them to focus on a desired result.

“I would say that is the underlying pattern I see across security teams that are successfully defending [in cyberspace],” he emphasized. “They are thinking about it not in context of controls but in the context of outcomes, and ‘what are the outcomes that we need to achieve,’ and then they back into how best to achieve those outcomes.”

He offered an outcome example: how long it takes to identify and stop a breach. “My outcome type for this would be containment time,” Crothers stated. “My team’s objective is to contain within three hours or less from the point at which a prevention failure happens.”
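As an added example, not from the talk or this article, the containment-time outcome above expressed as a measurable check over a constructed incident timeline. The event names, timestamps and the three-hour objective are assumptions taken from the quote, not an actual Mandiant process:

```python
from datetime import datetime, timedelta

# Objective stated in the talk: contain within three hours of the prevention failure.
CONTAINMENT_OBJECTIVE = timedelta(hours=3)

# Constructed sample timeline (not real incident data): (incident id, event, UTC timestamp).
# "prevention_failure" is the moment the attacker gained a foothold; "contained" stops the clock.
SAMPLE_EVENTS = [
    ("INC-1", "prevention_failure", "2023-02-20T08:05:00"),
    ("INC-1", "detected",           "2023-02-20T09:10:00"),
    ("INC-1", "contained",          "2023-02-20T10:30:00"),  # 2h25m: meets objective
    ("INC-2", "prevention_failure", "2023-02-20T13:00:00"),
    ("INC-2", "contained",          "2023-02-20T17:45:00"),  # 4h45m: misses objective
    ("INC-3", "prevention_failure", "2023-02-21T06:00:00"),  # not yet contained
]


def incident_clocks(events):
    """Map incident id -> (earliest prevention failure, latest containment or None).
    Incidents with no prevention_failure event are skipped: without a start point
    the outcome cannot be measured, which is itself worth surfacing elsewhere."""
    starts, ends = {}, {}
    for inc, kind, ts in events:
        t = datetime.fromisoformat(ts)
        if kind == "prevention_failure":
            starts[inc] = min(starts.get(inc, t), t)
        elif kind == "contained":
            ends[inc] = max(ends.get(inc, t), t)
    return {inc: (start, ends.get(inc)) for inc, start in starts.items()}


def outcome_report(events, now_iso, objective=CONTAINMENT_OBJECTIVE):
    """Score incidents against the objective as of now_iso. An open incident whose clock
    has already run past the objective counts as a miss instead of being ignored, so the
    ratio cannot look better than actual containment performance."""
    now = datetime.fromisoformat(now_iso)
    report = {"met": [], "missed": [], "pending": [], "containment_seconds": {}}
    for inc, (start, end) in sorted(incident_clocks(events).items()):
        if end is not None:
            elapsed = end - start
            report["containment_seconds"][inc] = elapsed.total_seconds()
            report["met" if elapsed <= objective else "missed"].append(inc)
        elif now - start > objective:
            report["missed"].append(inc)   # still open and already overdue
        else:
            report["pending"].append(inc)  # open, but still inside the objective window
    scored = len(report["met"]) + len(report["missed"])
    report["met_ratio"] = len(report["met"]) / scored if scored else None
    return report
```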

Another key trait of successful cyber teams is adroit employment of cyber and network fundamentals. “[There are many] different approaches, but I would be remiss not to start with the importance of the fundamentals,” the chief security officer said. “Now when I say fundamentals, I'm not talking about NIST Standard 800-171—a great standard to be clear, but that's a control-based standard, not an outcome. It's a huge repository of approaches that we can use to successfully defend, but that is not the same as focusing on an outcome. What the really successful security teams have in common is that they are doing the fundamentals well: identity access management, two-factor processes, etc.”

Talented cyber warriors are also able to see common patterns, optimize for prevention failures, leverage home-field advantage, operationalize intelligence effectively and validate that both security controls and skills actually work.

Whenever a breach happens, the cyber marauders have first gained a foothold, or entry point, in the network, something Crothers calls a prevention failure.

“The point of this is that it has nothing to do with the attack,” he suggests. “Let’s say it's Monday morning, and I clicked on that phish [phishing email or link] and now I've got a RAT [remote access trojan] running in my laptop. But it is very unlikely the threat actors that deployed that phish deployed it just for my laptop. More likely, they wanted a foothold so they could complete some other objectives, whether it's to deploy ransomware or steal confidential data.”

In addition, Crothers suggested that cyber defenders may find it useful to think of a cyber battle as a person-versus-person contest rather than a technology-versus-technology activity.

“When we reframe our view, all of a sudden, all sorts of interesting opportunities [occur] in terms of what sort of things we can do and how we can leverage behavioral-based activities in the environment rather than just on a signature basis,” he said.

Moreover, cyber defenders need to be able to optimize their actions. “The key here is optimization,” Crothers said. “We’ve got to make sure that in this case we were mainly focused on detection and the response aspect of our mission, and that we're putting the right data in front of our cyber folks, so they can make that determination and contain appropriately.”