Suffering from cyber déjà vu? 3 ways to use history to your advantage

By Greg Boison, Lockheed Martin Director of Cyber and Homeland Security


As a leader of computer network defense efforts, I sometimes can’t shake that feeling of déjà vu. It may be the persistent nature of the threats we encounter, or the subtle similarities that take me back to a previous attack. But if history is destined to repeat itself, let’s use it to our advantage.


Here’s how: 



Look for patterns to strengthen your defense


External feeds are not inherently more valuable than your own data.  Attempted intrusions are laced with clues that can provide insight into an attacker’s motivation and approach, we just need to take the time following a successful defense to dissect and capture what took place. In the future, we may see a similar event unfold but maybe one or two phenomena have changed. After reviewing the history, we are armed with a more proactive defense because we have an idea of what the attacker is trying to achieve, and how we’ve been successful or challenged by them in the past. And we can automate our defenses to free up precious analyst time.



Improve your organizational structure and response


Loose organizational structures and handoff procedures can create roadblocks for sharing information.  Sometimes security operations centers are located in different time zones across the globe. If one center is working on a threat, but isn’t sharing the information with the other centers, there could be duplication of effort even within the same day.


Likewise, some security operations centers use a tiered staffing approach for problem solving. A major flaw with a tiered approach is when a problem escalates to a particular level, the analyst hands it off to the next tier, with little follow-on interaction to learn more about attack patterns or how proactive measures were put into place.  By eliminating a tiered structure, you can empower analysts and teams to share information and collectively solve problems. Historical data can also be useful for establishing employee schedules. If you notice a trend in the time of day, or even the times of year your attacks are occurring, you can arrange for surge support in advance.  Robust knowledge management enables this internal information sharing and makes the analyst on “day one” as seasoned as if he or she had been with you since the beginning.


Know your potential threat surfaces, even the old ones


Remember that test server that you stood up a year ago with just “test” data?  It’s still connected to your network even though it’s rarely used these days. We often forget about these assets, but we can’t. It’s important to know where our assets are, what’s connected to the network and what vulnerabilities they may have associated with them so you can proactively defend against them. 


The tables needn’t be tilted in the attacker’s favor. Enterprises need to focus on the rich data they always have, ensure processes and organizations serve the fundamental network defense goal, and know what they are defending.

February 18, 2015