By Charles Herring, CTO, WitFoo
Crafts Built on Crafts
Modern crafts are built on the foundations of more established crafts. IT is built on the craft of manufacturing, for example. Data is a widget created, shipped, warehoused, and used to create new data. To assist in IT engineering, the craft of maintenance is utilized to develop philosophies and tactics for troubleshooting, scaling, and repairing systems. Utilizing the craft wisdom from manufacturing and maintenance, IT has become a sustainable and transformative component of human history.
Success in IT
Over the last few decades, IT innovations have reduced business costs, improved throughput, and enhanced nearly every facet of life. Innovation has also opened several new areas of vulnerability to criminals and international adversaries. As these threats have developed over the last twenty years, it has become clear that the craft knowledge of IT does not carry over to sustainable security operations (SECOPS).
Availability vs. Prosecution
The goals of IT are centered on availability. Because SECOPS grew up inside IT, it inherited that ill-fitting goal. Successful SECOPS is the detection, investigation, and prosecution of criminals, not the availability of data and services. Imposing consequences on criminals and other adversaries is the only sustainable approach to reducing the impact of cybercrime.
Impact of Cybercrime
U.S. foreign policy has been shaken by cybersecurity breaches carried out by nation-state adversaries. Accenture estimates that the total risk of loss from cybercrime over the next 5 years is $5.2 trillion, and the FBI reports cybercrime cost U.S. citizens more than $3.5 billion in 2019. Decades of using cybersecurity to deliver service availability instead of enforcing law and national sovereignty have left two generations of criminals to hone their skills with impunity.
SECOPS analysts and executives must become as versed in criminal justice as they are in computer science. While understanding information technology is critical to sustainable SECOPS, coordination with law enforcement must be a higher priority.
The digital evidence that detectives and prosecutors require to successfully incarcerate criminals is most often not reported to them. Between concerns of corporate risk, lack of evidentiary training, and security architectures not configured to assist, many organizations never report critical evidence to law enforcement. These dark shadows create unchecked opportunity for nefarious actors to execute crimes against individuals, organizations, and nations.
As practitioners of cybersecurity operations learn the importance of collecting, analyzing, and storing digital evidence using tactics and philosophies shared by their peers in physical law enforcement, the opportunity for sustainable exchange between corporate citizens and law enforcement expands. The vanguard of crushing cybercrime will not be artificial intelligence or machine learning – it will be SOC analysts having open dialogue with law enforcement officers in a manner that minimizes risk to organizations while maximizing risk to criminals.
Law Enforcement Knowledge Accelerates SECOPS
In addition to the macro impact of shifting the goals and operations of SECOPS toward law enforcement, the efficiency of SECOPS improves when each cybersecurity investigation is treated as a law enforcement investigation.
Efficient Evidence Processing
Law enforcement craft knowledge breaks investigative work into a few phases. The first is collection and inventory of evidence. In physical law enforcement, this can include fingerprints, ballistics, accounting, video surveillance, witness testimony, and cell phone pings, among many other types of evidence. One major benefit SECOPS has over its physical counterpart is that digital evidence is much easier to collect and inventory once the architecture is in place. Evidence for every network communication and user session can be derived from existing telemetry. Hashing each item as it is collected, without human labor, produces an inventory that makes later tampering detectable: a hash does not prevent alteration, but any change to the evidence will no longer match the hash recorded at collection time, provided that the hash manifest itself is kept in a separate, write-once or signed store so it cannot be silently rewritten along with the evidence.
Linkboard of Relationships
The second stage of investigation is contextualizing the evidence. Establishing relationships between computers, users, files, and emails is straightforward in modern computer science by modeling them as a graph, with each piece of evidence as an edge between the entities it names. The corkboard and yarn link boards of cop movie lore can be built and analyzed in near real-time in digital investigations.
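The two stages above, evidence inventory and the linkboard, as a single added example in Python. This is illustrative code written for this article, not WitFoo's software, and the telemetry records it processes are constructed, not captured from a real network. It hashes each record with SHA-256 and chains the hashes so that a modified, deleted, or reordered record is detected, then builds the relationship graph that answers "what is linked to this user?" with the record indices that serve as evidence for each link. Signing the manifest or writing it to an append-only store, which a real chain of custody would require, is left out.

```python
"""Hash-chained evidence inventory and a relationship graph over telemetry (added example)."""
import hashlib
import json
from collections import defaultdict, deque

# Constructed telemetry records for illustration only; field names are assumptions.
TELEMETRY = [
    {"type": "logon", "user": "alice", "host": "ws-17", "ts": "2020-03-01T08:02:11Z"},
    {"type": "flow", "host": "ws-17", "dst": "203.0.113.9", "port": 443, "bytes": 48213},
    {"type": "file", "host": "ws-17", "user": "alice", "path": "C:\\Users\\alice\\q1-sales.xlsx"},
    {"type": "flow", "host": "ws-17", "dst": "198.51.100.4", "port": 22, "bytes": 9800000},
    {"type": "logon", "user": "alice", "host": "srv-db", "ts": "2020-03-01T08:40:05Z"},
    {"type": "email", "user": "alice", "to": "ext@example.net", "attachment": "q1-sales.xlsx"},
]

GENESIS = "0" * 64


def canonical(record):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(records):
    """Inventory: each entry commits to its record and to the previous entry's hash."""
    manifest, prev = [], GENESIS
    for seq, rec in enumerate(records):
        rec_hash = sha256_hex(canonical(rec))
        entry_hash = sha256_hex((prev + rec_hash).encode())
        manifest.append({"seq": seq, "record_sha256": rec_hash, "prev": prev, "entry_sha256": entry_hash})
        prev = entry_hash
    return manifest


def verify(records, manifest):
    """Return the index of the first entry that fails to verify, or None if the chain is intact."""
    if len(records) != len(manifest):
        return min(len(records), len(manifest))  # truncation or insertion at the tail
    prev = GENESIS
    for i, (rec, entry) in enumerate(zip(records, manifest)):
        rec_hash = sha256_hex(canonical(rec))
        expected = sha256_hex((prev + rec_hash).encode())
        if entry["record_sha256"] != rec_hash or entry["prev"] != prev or entry["entry_sha256"] != expected:
            return i
        prev = entry["entry_sha256"]
    return None


def entities(rec):
    """Map one record to the (kind, name) nodes it connects."""
    nodes = []
    if "user" in rec:
        nodes.append(("user", rec["user"]))
    if "host" in rec:
        nodes.append(("host", rec["host"]))
    if "dst" in rec:
        nodes.append(("ip", rec["dst"]))
    if "path" in rec:
        nodes.append(("file", rec["path"].rsplit("\\", 1)[-1]))
    if "attachment" in rec:
        nodes.append(("file", rec["attachment"]))
    if "to" in rec:
        nodes.append(("email", rec["to"]))
    return nodes


def build_graph(records):
    """Undirected adjacency list; every edge carries the index of the record that proves it."""
    graph = defaultdict(set)
    for i, rec in enumerate(records):
        nodes = entities(rec)
        for a in nodes:
            for b in nodes:
                if a != b:
                    graph[a].add((b, i))
    return graph


def linked(graph, start, max_hops=2):
    """Breadth-first walk: every entity within max_hops of start, mapped to its hop count."""
    seen, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:
            continue
        for neighbour, _ in graph[node]:
            if neighbour not in seen:
                seen[neighbour] = seen[node] + 1
                queue.append(neighbour)
    return seen


def evidence_for(graph, a, b):
    """Record indices that directly link entity a to entity b."""
    return sorted(i for neighbour, i in graph[a] if neighbour == b)


if __name__ == "__main__":
    manifest = build_manifest(TELEMETRY)
    print("chain intact:", verify(TELEMETRY, manifest) is None)
    graph = build_graph(TELEMETRY)
    for node, hops in sorted(linked(graph, ("user", "alice")).items(), key=lambda kv: kv[1]):
        print(hops, node)
```

Run as a script it verifies the chain and prints everything within two hops of the user, so the SSH flow to 198.51.100.4 shows up at hop two via the workstation even though no record names both the user and that address. Because each manifest entry includes the previous entry's hash, deleting or reordering records is caught as well as editing one; a flat list of per-file hashes would miss a deleted record entirely.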
Detective Processing Analysis
Before handing evidence off to prosecutors, physical investigators record their own observations about the evidence and how it relates to the crime. Corroboration from multiple data sources, several detected behaviors that together form a modus operandi, and indicators of compromise shared with other investigations are all observations that help prosecutors explain the crime to a judge and jury. The same kind of analysis serves cyber investigators well when explaining a security incident as a business problem to the broader business.
Sustainable SECOPS Conversations
Because SECOPS has been forced to speak in IT terms, the ability to communicate well with businesses is degraded. Every CEO understands when someone says criminals have attempted to steal their company’s data, extort their money, degrade their services, etc. The natural language of SECOPS is criminal justice. Every effective business executive and business manager understands the impact of crime on their business. Devolving SECOPS to the realm of packets, computers, and policy hinders business decision makers in understanding how to prepare for a malevolent event.
To execute a ground-up transformation inside of an organization, the first critical step is rethinking the unit of work in SECOPS. The unit must be comprehensible to the investigators, law enforcement, and the broader business. An investigation of “failed login attempts” or “firewall blocks” does not rise to that bar. Aligning units of work to potential crimes such as data theft, extortion (via ransomware), human resources violation, and property damage enables conversations across the business. The U.S. Department of Justice outlines terms that every SOC should be using in defining the unit of work.
With a valid unit of work established, the focus is no longer on a computer (as in IT), but rather on the criminal and their crime. With detailed tracking, these units of work can be analyzed to determine which technologies reduce risk and SECOPS labor costs. This allows cybersecurity executives to have the same type of conversations that their peers are having at business meetings when explaining why investments in products and personnel are required. Every CEO and CFO can comprehend a CISO requesting funding because the team only has the resources to fully investigate 50 percent of the data theft crimes per month. Total Cost of Ownership (TCO) and Return on Investment (ROI) metrics become the staple of SECOPS investment decisions and retire the need for fear, uncertainty, and doubt.
Profiting from Law Enforcement Knowledge
As businesses build SECOPS plans around concrete business metrics and cybersecurity investigators coordinate with law enforcement, the cost of doing good in the world drops as the cost of doing evil increases. Aligning the craft of SECOPS to physical law enforcement is not only the right thing to do; it is the profitable decision.
Charles Herring is Chairman of the Board, CTO, Project Lead, and Co-Founder of WitFoo. Charles' dedication to maturing the craft of InfoSec is built on a diverse career path across the industry. He started his career in InfoSec in the US Navy in 2002, serving as the Network Security Officer at the US Naval Postgraduate School. After leaving active duty, he was a contributing product reviewer for InfoWorld magazine focusing on network security products. Charles spent 7 years running Herring Consulting, a company dedicated to process orchestration, data sharing, and marketing. In 2012, Charles joined the Lancope team as a pre-sales engineer, was promoted to Consulting Security Architect, and later served as Strategic Account Manager.