Climbing Out of the Fishbowl

Sometimes perspective is hard to get. If you're a fish that was born in a fishbowl, then as far as you know, that's the world: a small circular area with rocks at the bottom, a small castle, a long, scraggly piece of seaweed waving towards the surface, and the bright-colored flashes of light we occasionally see moving around the bowl. Sometimes, as cyber defenders, we live inside a single environment for so long that we see the same thing as that fish born in a fishbowl and lose outside perspective. Inside our network, here are our assets that we need to defend. Here are the security tools we have to identify attacks. When your Intrusion Prevention System alarms, identify which machine was potentially compromised, alert the incident response team to check that machine, and block the IP at the firewall. Each time an alert comes in from a host or the IPS, swim this way, swim that way; it's the way we always do things inside the fishbowl, and we're swimming so fast and furiously with alerts coming in that we don't have time to think about other ways to look at the problems we're trying to solve.

Obviously this is a very simplified version of what happens inside most government organizations when an alarm sounds on our cyber security tools; however, the point is that most of us do live inside a fishbowl when it comes to cyber security. Our perspective is always from inside the enterprise we're trying to defend. This is even more problematic for government organizations that are attempting to cobble together multiple networks into an enterprise. Those disparate tools are quite often not part of a long-term strategic plan, further entrenching the fishbowl perspective, and the problem is worse still for government cyber defenders whose organizations, networks and enterprises are always evolving. One of the first things you can do to get outside the fishbowl is look at the tools you have and their value, and look for a strategy to integrate those tools for incident response through security orchestration. This lets you get more value out of your tools by building courses of action from all the daily mundane security tasks that must be accomplished and that get in the way of the real work: focusing on the attacks that matter. This type of tool also lets you stay flexible as the enterprise continues to evolve, by stitching in new capabilities on a frequent basis. FireEye's acquisition of Invotas and its security orchestration tool provides that capability. Defenders then have time to step outside the busy alert cycle, get some perspective, and look at the more critical and potentially impactful alerts.
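The "IPS alarms, identify the machine, alert the IR team, block the IP" routine above is exactly the kind of mundane course of action that orchestration turns into a repeatable playbook. The following is an added illustration of that flow, not FireEye, Invotas, or Mandiant code: it parses constructed IPS alert lines, enriches them with a hypothetical asset inventory, routes the alerts that matter to incident response, and automates the firewall block only when the source address is safe to block. The alert format, asset records, IP addresses (documentation ranges) and the `NEVER_BLOCK` list are all constructed for the example.

```python
"""Minimal orchestration course of action for the IPS-alert workflow described
in the post. Added example; every name, log field and address below is
constructed and does not model any vendor's API."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed asset inventory (hypothetical), keyed by internal IP.
ASSETS = {
    "10.1.5.20": {"hostname": "fin-db-01", "owner": "finance", "crown_jewel": True},
    "10.1.9.44": {"hostname": "kiosk-07", "owner": "facilities", "crown_jewel": False},
}

# Ranges a playbook must never block automatically: internal address space
# plus a (hypothetical) business-partner network. Blocking these on an IPS
# alarm is how orchestration causes an outage instead of preventing one.
NEVER_BLOCK = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),  # stands in for a partner network
]

# Constructed IPS log lines (key=value), the input to the playbook.
SAMPLE_IPS_LOG = [
    "src=203.0.113.5 dst=10.1.5.20 sig=SQLi-UNION-SELECT sev=8",
    "src=203.0.113.9 dst=10.1.9.44 sig=SCAN-PORTSWEEP sev=3",
    "src=192.0.2.77 dst=10.1.9.44 sig=SMB-BRUTE-FORCE sev=7",
    "src=203.0.113.5 dst=10.1.7.1 sig=SQLi-UNION-SELECT sev=8",
]


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    signature: str
    severity: int  # 1 (informational) .. 10 (critical), as the constructed IPS reports it


@dataclass
class Action:
    kind: str  # "notify_ir", "block_ip" or "manual_review"
    target: str
    reason: str


def parse_alert(line: str) -> Alert:
    """Normalise one constructed key=value IPS line into an Alert."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Alert(fields["src"], fields["dst"], fields["sig"], int(fields["sev"]))


def blockable(ip: str) -> bool:
    """True only when the address is outside every never-block range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NEVER_BLOCK)


def course_of_action(alert: Alert) -> list[Action]:
    """Decide the response for one alert: enrich, prioritise, then act."""
    asset = ASSETS.get(alert.dst_ip)
    if asset is None:
        # The enterprise evolved faster than the inventory: do not automate
        # against an unknown host, surface it for a human instead.
        return [Action("manual_review", alert.dst_ip, "destination not in asset inventory")]

    actions: list[Action] = []
    # Attacks that matter (crown-jewel asset or high severity) go to IR.
    if asset["crown_jewel"] or alert.severity >= 7:
        actions.append(Action("notify_ir", asset["hostname"],
                              f"{alert.signature} sev={alert.severity} owner={asset['owner']}"))
    # The mundane part, the firewall block, is automated only when safe.
    if blockable(alert.src_ip):
        actions.append(Action("block_ip", alert.src_ip, f"IPS signature {alert.signature}"))
    else:
        actions.append(Action("manual_review", alert.src_ip,
                              "source is internal or on the never-block list"))
    return actions


def run_playbook(lines: list[str]) -> list[list[Action]]:
    """Run the course of action over a batch of raw IPS lines."""
    return [course_of_action(parse_alert(line)) for line in lines]


if __name__ == "__main__":
    for line, actions in zip(SAMPLE_IPS_LOG, run_playbook(SAMPLE_IPS_LOG)):
        print(line)
        for a in actions:
            print(f"  -> {a.kind:14} {a.target:14} ({a.reason})")
```

The point of the `NEVER_BLOCK` check and the unknown-asset branch is that automating a course of action also automates its mistakes; an orchestration playbook needs the same exclusions and escalation paths an analyst would apply by hand.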

We all know cyber attacks are going to happen; we live them every day. Yet we don't prepare for that fight by looking at and watching the attacker to understand their capabilities and motivations. Why not? No military around the globe goes into a fight without knowing everything about the opposing forces. This is something we understand, but that we don't do nearly as well in the cyber realm. How do we live inside the enemy's camp and understand their capabilities, their tools, their targets, and their motivations? iSight Partners built their company with hundreds of analysts around the globe living inside the attackers' camp, which is why they're now part of FireEye. They give our customers a new perspective outside the fishbowl, from the attacker's viewpoint. Suddenly we know before an attack what tools have been created to possibly use against us, why we're a target, and how they think they're going to successfully break into our systems. Now we have valuable information we can use to stop an attack that hasn't even been launched yet. A new perspective.

Now combine that attacker's perspective with our machine-led intelligence from real-time breach detection alerts on our FireEye MVX-driven platform, and we have extremely useful and actionable data, all before a system is compromised. It's important to note, though, that breaches will still happen, since behind the attacks is a determined and well-resourced adversary. That's where our Mandiant IR Services team comes into play and can help quickly mitigate the damage from an attack. This gives us yet another source of threat intelligence, post-breach, that we can tie in to our threat-actor intelligence and our machine-led threat intelligence, giving us a perspective from three different angles. Suddenly we have a completely new game. Now we can also combine all of this information via the security orchestration tool from our Invotas acquisition, tie it together with information from existing legacy security tools, and automate the courses of action for response.

Cyber defenders can have a whole new game to play: understanding attacks before they happen through pre-breach threat intelligence, tying that in with machine-led threat intelligence and post-breach threat intelligence, and integrating all of it with courses of action that automate response. We can stop many attacks dead in their tracks by understanding them before they happen, and instead focus on the stealthy ones that might get through.

We can win this game; we just need to evolve to do it. If you're in the fishbowl, step out and take a look.