The new year, and a new US president are just starting to take shape, as is RSA Conference 2021. The RSAC Program Committee is looking forward to seeing first drafts of the presentations in various tracks. In the Analytics, Intelligence & Response track, we had more than 100 proposals to evaluate and pare down for just 12 speaking slots. This task is always a challenge as there’s both so much to cover and a variety of approaches to the work covered by teams operating on these activities in organizations.
Several trends have emerged in reviewing proposals for the Analytics, Intelligence & Response track. Submitters have worked hard to find solutions to common problems and want to share lessons they have learned, activities that provide value, and ideas that need a broader audience. There are clearly challenges that are widely shared, so, in no particular order, here are the Top 5 trends for our track:
The Struggle Is Real: Organizations struggle with limited resources, even as the number of detected (and undetected) attacks grows exponentially. Managing and operating AIR activities in this environment is a common challenge that often means triaging alerts and prioritizing which items to investigate. Organizations also struggle with the right balance of internal and outsourced resources to gain efficiencies while retaining the needed understanding of how specific systems impact business operations. Practical ideas to manage in constrained resource environments will advance everyone’s security.
Need for a Comprehensive SOC: Working within a constrained environment still requires a Cybersecurity Operations Center to be comprehensive in covering the right activities with a common terminology and the right tools and processes. Building the right stack of tools and processes means we need a broader industry agreement on what terms mean. I could start with “risk” and “threat,” but proposals focused on how to build a “next-generation SOC” and mapping activities to frameworks like NIST, CSF and MITRE ATT&CK. Using frameworks to ensure your operations are comprehensive is the clear foundation for next-generation SOCs, especially planning for the necessary analytic and response capabilities.
The Benefits of Threat Hunting: Threat hunting and adversary simulation are two perspectives on understanding whether your organization has been or could be attacked, and whether those attacks could be detected to enable a response. While threat hunting could be a rigorous and artful exploration of how an adversary might attack your organization while evading common detection, it too often becomes a glorified penetration test or Red Team attack. Actually, simulating specific adversaries, or thinking through how an intelligent, knowledgeable adversary might explore your systems and network based on their specific goals requires more thought—more people over automation. At the same time, more adversary activity than ever before can be automated for repeatable results and continuous “Red Teaming” exercises.
Share and Share Alike: Intelligence-sharing proposals showed more intelligence sharing is needed, and that the ways we do it now frequently fail. Several organizations have learned lessons that work in specific sectors (like the Cyber Threat Alliance for the cybersecurity industry) and plan to share lessons on how to make sharing work better, and make it more valuable. Perhaps the most intriguing thesis is that aligning intelligence sharing to business needs can drive more valuable sharing of insights.
When First We Practice to Deceive: The role of deception capabilities is the last trend I’ll call out here. Finding new attacks, confirming expectations, being able to identify attacker methodologies and map them to frameworks requires practitioners to find adversary activities. As programs gain maturity in prevention, know what assets they are protecting, and automate detection and response to known threats, finding the unknown becomes harder. This is especially true as adversaries build in defenses. The malware in the SolarWinds hack apparently waits two weeks after installation before phoning home. Malware routinely tries to avoid executing in sandboxes, and away from common forensic and detection tools. Finding new attacks and attackers will mean it becomes more important to get them to show us their cards while keeping ours hidden away.
We also noted that proposals missed a key concern: The Role of Misinformation: Whether the topic is vaccinations, genetically modified organisms, or election results, we’re seeing the growing influence of misinformation across the globe. We are just beginning to understand the exponential effects of repeating and propagating misinformation. Intelligence and analysis can be easily confused, so expect to hear more on this topic.
While the December news and details of the SolarWind hack and related damages continue to emerge, it’s already clear that analytics played, and will continue to play, a significant role in 2021 cybersecurity news. Kevin Mandia noted in an Aspen Digital teleconference that finding the hack required people. Someone noticed a simple alert and called to ask if a new device had been registered, and the answer led to analysis that kept pointing to a specific server with key software. That led to decompiling the software and finding malware where it wasn’t expected. The challenges addressed by Analytics, Intelligence & Response won’t be solved with AI and automation. Human insight, supporting and supported by tools, will play a critical role in managing risks for the foreseeable future.