In recent years, the realization that the dynamics of the cybersecurity scene resemble those of a military command scene far more than those of a private security scene has become increasingly widespread. While advanced armed forces around the world invest considerable resources in adopting innovative technologies that help them apply their strategic concepts and combat doctrines more effectively and more correctly, the challenge facing cybersecurity layouts is, of all things, the adoption of a strategic perspective and the development of combat doctrines that complement the cutting-edge technologies they already possess.
In the following paragraphs we will trace a path that begins with the recognition and adoption of strategic concepts and moves drawn from the military command scene, continues through the evolution of the cybersecurity world and the four milestones that form its basis, and ends with the ultimate cybersecurity model, Integrative Cyber Defense. This model reproduces a modern operations center for the cybersecurity scene, as currently implemented by giant corporations that are exposed to attack, and it is expected to permeate into and become standard practice for all business organizations.
Getting to Know the Enemy
The reality we face is simple: from the moment the switch connecting the organizational network to the Internet is flipped on, the organization steps onto the battlefield, where at any given moment it might become the secondary target of a widespread attack or the primary target of a focused attack. As anyone with a military background knows, the first stage in preparing for battle is getting to know the enemy. On the cybersecurity scene, the enemy appears in five primary forms: cyber warriors driven by ideological, political or economic motivations; business intelligence organizations; business entities that specialize in collecting information and packaging it as a product readily available to everyone; outlaws who exploit the cyber scene to generate profits; and finally, vandals whose sole purpose is to damage other parties.
The enemy has all the time in the world to plan the attack, whereas for us, every second that passes from the moment the attack is launched adds damage that in some cases is irreversible. The enemy plans and executes the attack using technological resources and sophisticated methods prepared in advance, which no human operator can withstand, owing to the pace, scope and data-processing volumes involved.
The second stage of preparing for battle is specifying our missions, and in the cybersecurity world there are five primary ones: spotting, identifying and preventing preplanned malicious attacks; identifying the source of the threat and providing a prompt, comprehensive and effective response; consolidating the required defense faster than the threat is spreading; implementing the required defense faster than the threat is progressing; and achieving full control over all tiers of the organizational network and decontaminating the scene after the attack.
The organization's ability to perform the defensive missions assigned to it depends largely on the defensive layout available to it. This layout comprises all the systems and tools with which the organization can repel the attack with minimum damage. We will review the defenses currently available in the cybersecurity world through the four milestones of this world, which are implemented as defensive tiers stacked one on top of the other.
Firewall & antivirus: this is the most basic defensive layout, intended to block enemy intrusions. It cannot cope with a failure of the blocking function that results in a successful intrusion into the organization's systems. It is common mainly among small businesses, and an intrusion through this layout might inflict substantial damage on the organization's computer system and on its ongoing business activity.
Incident response: this is a more advanced defensive layout, intended to deal with breaches in the organization's defensive wall and with enemy intrusions into the computer layout. It is common mainly among intermediate-size and large organizations, and the damage to be expected when it is implemented as the exclusive defensive layout can be fairly extensive. This layout is based on a set of response methodologies prepared in advance (preparation, identification, containment, elimination, recovery and drawing of lessons), implemented in a computerized manner by IR software systems, partly automatically and partly at the initiative of the human security personnel.
Security Operations Center (SOC): this defensive layout imports the format of a military command & control/operations center into the business organization for the first time. The SOC is a command center of sorts, manned by security personnel. It monitors the organization's computer systems 24/7 and runs the incident response procedure at the moment of truth, when required. The SOC operates on a SIEM (Security Information & Event Management) system that correlates events and data, runs monitoring and damage analyses, generates emergency alerts (SMS/e-mail) and warns of intrusions into the system. In effect, the SOC functions mainly as a monitoring platform with limited response capabilities against the constantly growing number of incidents, in a manner that highlights, more than anything else, the vulnerability of the human security personnel when facing the pace and scope of modern-day cyberattacks.
Intelligence: an intelligence layout is another important step in importing the military defense model into the cybersecurity world. It embodies an ancient military axiom: the ability to identify threats long before they materialize is the most important key to dealing with them at the moment of truth. Cyber intelligence systems collect intelligence from the external environment in order to spot "cyber rustles" around the planning of lateral attacks or dedicated attacks against a specific organization. The intelligence systems are implemented in the context of the SOC and provide the security personnel with a valuable information tier that helps them take preventive steps, identify threats and their characteristics in real time, and cope with them more effectively.
Integrative Cyber Defense (ICD)
The integrative model is, in effect, the fifth and (at present) last stage in the evolution of the cybersecurity world. It represents a quantum leap in the way organizations conceive of their security in cyberspace. The Integrative Cyber Defense model, which is expected to permeate into small, intermediate and large organizations in the coming years, is a broad model that implements a systemic thinking process: from getting to know the enemy and his capabilities, through specifying the defensive missions, to developing and implementing intelligence and defensive layouts in accordance with extensive, comprehensive combat doctrines.
This model is based on integration between internal information and external intelligence, and on integrative, automatic management of all organizational cybersecurity systems, in the manner of an operations center that manages each sector separately and all sectors simultaneously.
Monitoring & identifying potential threats on the Internet (intelligence): unlike previous models in the cybersecurity world, the ICD model builds a complete threat map that includes ongoing information about potential threats emerging outside the organizational network, on the Internet. Using advanced intelligence systems that monitor the Internet and listen for cyber rustles on the open Internet, the Darknet and social media, the organization can become aware of lateral or dedicated cyberattacks as early as their planning stages and consolidate effective preventive measures and responses well in advance.
Endpoint Detection & Response (EDR): the ICD model implements a comprehensive defensive layout deployed to all end units in the organizational network. It gives each end unit the ability to spot, identify and respond to cyber threats in real time. The EDR system, which complements existing systems designed to identify and expose behavioral anomalies at the end units, includes a complete set of advanced tools and solutions that focus on spotting and neutralizing suspicious activities and advanced threats, minimizing the loss of sensitive data and reducing the risk of destructive data breaches at the end units.
Advanced Cyber Scene Management (Modern SOC)
The ongoing management of the cyber scene and of evolving incidents is carried out by a modern operations center that implements computerized, automatic systems capable of coping with threats effectively while minimizing dependence on the human element. The modern SOC includes a series of interconnected systems that enable the security personnel to cope promptly and effectively with modern cyber threats: Data Loss Prevention (DLP) solutions, modern SIEM (Security Information & Event Management) systems with cutting-edge data analysis and monitoring capabilities, Network Forensic Tools (NFT), Advanced Threat Defense (ATD) systems and Endpoint Detection & Response (EDR) systems.
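The integration the ICD model rests on, internal telemetry from the SOC's systems correlated with external intelligence, is shown below as an added illustration that is not code from the original article or from Qmasters. It assumes a constructed intelligence feed of indicators with a confidence score and a last-seen date, constructed EDR and SIEM events, and a hypothetical scoring rule (stale indicators are discounted, and a host flagged by two sources inside a short window is escalated).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Indicator:
    value: str        # domain or IP reported by the external feed
    confidence: int   # 0-100, as assigned by the feed
    seen: datetime    # when the feed last observed the indicator

# Constructed external intelligence feed (placeholder values, not real indicators).
INTEL = [
    Indicator("bad-example.invalid", 90, datetime(2024, 5, 1)),
    Indicator("203.0.113.7", 60, datetime(2024, 4, 1)),
]

# Constructed internal telemetry: EDR process-network events and SIEM firewall logs.
EVENTS = [
    {"src": "edr", "host": "ws-17", "dst": "bad-example.invalid", "ts": datetime(2024, 5, 2, 9, 0)},
    {"src": "siem", "host": "ws-17", "dst": "203.0.113.7", "ts": datetime(2024, 5, 2, 9, 1)},
    {"src": "siem", "host": "srv-03", "dst": "203.0.113.7", "ts": datetime(2024, 5, 2, 9, 5)},
    {"src": "siem", "host": "ws-22", "dst": "example.org", "ts": datetime(2024, 5, 2, 9, 6)},
]

def score(ind: Indicator, now: datetime) -> int:
    """Hypothetical decay rule: halve the confidence of indicators older than 14 days."""
    return ind.confidence // 2 if now - ind.seen > timedelta(days=14) else ind.confidence

def correlate(events, intel, now, window=timedelta(minutes=10)):
    """Join internal events to the intel feed and emit one prioritized alert per host."""
    by_value = {i.value: i for i in intel}
    hits = {}
    for e in events:
        ind = by_value.get(e["dst"])
        if ind is None:
            continue  # destination not on the external threat map
        h = hits.setdefault(e["host"], {"sources": set(), "score": 0, "first": e["ts"], "last": e["ts"]})
        h["sources"].add(e["src"])
        h["score"] = max(h["score"], score(ind, now))
        h["first"], h["last"] = min(h["first"], e["ts"]), max(h["last"], e["ts"])
    alerts = []
    for host, h in hits.items():
        # Two independent sources agreeing inside the window is treated as corroboration.
        corroborated = len(h["sources"]) > 1 and h["last"] - h["first"] <= window
        if h["score"] >= 80 or corroborated:
            sev = "high"
        elif h["score"] >= 50:
            sev = "medium"
        else:
            sev = "low"
        alerts.append((host, sev, sorted(h["sources"])))
    return sorted(alerts)
```

Run against the constructed data with `now = datetime(2024, 5, 2, 10, 0)`, ws-17 is escalated to high (fresh high-confidence indicator plus EDR and SIEM agreement) while srv-03 is only low, because its single match is a month-old indicator whose confidence has decayed.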
Menachem Tauman is the co-founder and CEO of the Qmasters Company, which promotes the Integrative Cyber Defense (ICD) model in business organizations.