Have you ever met anyone working in cyber security who said they were bored? Me neither. Cyber security is often a thankless and underappreciated grind. The problem is that we have only ourselves to blame, me included. There is a difference between taking action and being productive.
As humans, our lives cannot scale to meet the demands threat actors throw at us on a daily basis. Throw in a few meetings with vendors and the folks in the C-suite, sprinkled with one or two HR matters, and the week dries up pretty fast. More importantly, it leaves little time for doing what we are supposed to be doing: fighting the good fight!
Italian economist Vilfredo Pareto observed that roughly 80% of the effects come from 20% of the causes. This principle is known as the "80-20 rule" or the "law of the vital few", and it can be observed in many places. In business, for example, typically 80% of profits come from 20% of your customers. In our realm, take the SANS "Top 20 Critical Controls": the top four controls (20% of the list) mitigate much of the threat. O.K., not a perfect fit, but you get the point. So think for a minute: if only 20% of your work produces 80% of your results, are you focusing on the correct 20%? Would the last four controls of the Top 20 give you 80% protection? Probably not!
Each of us works with a unique set of circumstances and constraints. Despite the near-daily reporting of high-profile attacks, budget shortfalls, inadequate staffing levels and mission creep are still ubiquitous in cyber security. It is incumbent upon us, as cyber security experts, to make sure that 20% of our investments deliver 80% of our results. The Pareto principle needs to be welded into our decision-making process. If you are an SMB, this is an absolute requirement!
At the end of each week, take time to review the actions you or your staff took and what the results of those actions were. What could you have done differently to make the result more productive? Furthermore, did you take actions that produced low returns, actions that were not "Pareto efficient"? For example, did you spend 20% of your budget hiring a penetration tester when you could have used the money to replace your packet-filtering firewall with an application-layer firewall? Which decision would give you the 80% return?
For those of us working APT cases in an incident response capacity, not applying Pareto's principle can be dangerous! Incident response teams need precise, timely and detailed information now, not tomorrow. If an incident response team has to sift through mountains of indicators to get at the few that are actionable, it quickly becomes Pareto inefficient!
We often hear that indicator feeds yield only about 10%-15% genuinely actionable indicators, yet it costs an analyst, or several analysts, a lot of cycles to examine 100% of the data, because you cannot tell the actionable 15% from the rest without looking at all of it. So in the best-case scenario you are investing about 85% of your time for a 15% result, and that is important to note! I am not suggesting that feeds are not worth it, only that they are not enough in and of themselves. If you are paying $10,000 for a feed, a bargain by any measure, and only getting 15% results, it would tend to make one rethink the value proposition of the feed. Add in the human time required to scrutinize the indicators, and the value drops off precipitously.
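The sifting described above is exactly the work that can be pushed onto a machine before an analyst ever sees the feed. The following is an added example, not Red Sky Alliance's tooling or any real feed: it assumes a simple record layout (value, type, first-seen time, feed-reported confidence, free-text context), assumed thresholds (30-day freshness, confidence of at least 60), an assumed recency-weighted score, and a constructed 20-entry feed using RFC 5737 documentation addresses. Every entry is examined once, which is the 100% cost the post talks about, but only the entries that are well-formed, fresh, credible, contextual and not duplicates reach a person, ranked so the best ones come first.

```python
"""Triage an indicator feed so analyst time goes to the small slice that is
timely, contextual and credible.

Added example, not Red Sky Alliance's tooling: the record layout, thresholds,
scoring formula and the sample feed below are assumptions for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str            # "ip", "domain" or "sha256"
    first_seen: datetime
    confidence: int      # 0-100, as the feed reports it
    context: str         # campaign / malware / TTP note; "" when the feed gives none


@dataclass
class TriageResult:
    total: int                                   # entries an analyst would otherwise read
    actionable: list                             # (score, Indicator) pairs, best first
    dropped: dict = field(default_factory=dict)  # reason -> count

    @property
    def actionable_fraction(self):
        return len(self.actionable) / self.total if self.total else 0.0


# Ranges you can neither block at the perimeter nor hunt for as attacker
# infrastructure; a feed entry in one of them is a parsing or tagging error.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def validate(kind, value):
    """Return None when the (lower-cased) indicator is usable, else the reason."""
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return "malformed"
        return "non_routable" if any(addr in net for net in NON_ROUTABLE) else None
    if kind == "domain":
        return None if DOMAIN_RE.match(value) else "malformed"
    if kind == "sha256":
        return None if SHA256_RE.match(value) else "malformed"
    return "malformed"


def triage(feed, now, max_age_days=30, min_confidence=60):
    """Look at every entry once (the 100% cost), keep only those that pass all
    checks, and rank them so the freshest, most credible ones come first."""
    seen, kept, dropped = set(), [], {}
    for ind in feed:
        value = ind.value.strip().lower()
        age_days = (now - ind.first_seen).days
        reason = validate(ind.kind, value)
        if reason is None and age_days > max_age_days:
            reason = "stale"
        elif reason is None and ind.confidence < min_confidence:
            reason = "low_confidence"
        elif reason is None and not ind.context.strip():
            reason = "no_context"            # nothing for a responder to pivot on
        elif reason is None and (ind.kind, value) in seen:
            reason = "duplicate"
        if reason:
            dropped[reason] = dropped.get(reason, 0) + 1
            continue
        seen.add((ind.kind, value))
        # Recency-weighted confidence: an entry about to age out ranks last.
        score = round(ind.confidence * (max_age_days - age_days) / max_age_days, 1)
        kept.append((score, ind))
    kept.sort(key=lambda pair: pair[0], reverse=True)
    return TriageResult(total=len(feed), actionable=kept, dropped=dropped)


NOW = datetime(2013, 7, 15, tzinfo=timezone.utc)   # fixed clock, reproducible results


def _d(n):
    return NOW - timedelta(days=n)


# Constructed feed (not real IOCs; IPs are RFC 5737 documentation addresses).
SAMPLE_FEED = [
    Indicator("203.0.113.10", "ip", _d(2), 90, "watering-hole C2"),
    Indicator("203.0.113.10", "ip", _d(3), 85, "watering-hole C2"),         # duplicate
    Indicator("198.51.100.7", "ip", _d(1), 80, "dropper download host"),
    Indicator("10.0.0.5", "ip", _d(1), 95, "internal scanner"),             # non-routable
    Indicator("192.0.2.44", "ip", _d(120), 90, "last year's C2"),           # stale
    Indicator("192.0.2.45", "ip", _d(5), 30, ""),                           # low confidence
    Indicator("999.1.1.1", "ip", _d(1), 90, "typo in feed"),                # malformed
    Indicator("evil-update.example", "domain", _d(4), 75, "stage-2 beacon"),
    Indicator("localhost", "domain", _d(1), 70, "misparsed log line"),      # malformed
    Indicator("cdn.example", "domain", _d(2), 55, "seen in traffic"),       # low confidence
    Indicator("update.example", "domain", _d(40), 80, "old beacon"),        # stale
    Indicator("mail.example", "domain", _d(3), 85, ""),                     # no context
    Indicator("a" * 64, "sha256", _d(6), 70, ""),                           # no context
    Indicator("deadbeef", "sha256", _d(1), 90, "truncated hash"),           # malformed
    Indicator("c" * 64, "sha256", _d(45), 95, "old dropper"),               # stale
    Indicator("d" * 64, "sha256", _d(2), 40, "unconfirmed sample"),         # low confidence
    Indicator("EVIL-UPDATE.EXAMPLE", "domain", _d(5), 70, "stage-2 beacon"),  # duplicate
    Indicator("192.168.1.20", "ip", _d(1), 99, "lab host"),                 # non-routable
    Indicator("192.0.2.46", "ip", _d(3), 60, ""),                           # no context
    Indicator("bad_domain.example", "domain", _d(1), 80, "underscore"),     # malformed
]

if __name__ == "__main__":
    result = triage(SAMPLE_FEED, NOW)
    print(f"examined {result.total}, actionable {len(result.actionable)} "
          f"({result.actionable_fraction:.0%}), dropped {result.dropped}")
    for score, ind in result.actionable:
        print(f"  {score:5.1f}  {ind.kind:7} {ind.value:22} {ind.context}")
```

On the constructed feed, 3 of the 20 entries survive, the 15% figure from the text, and the drop counts tell you where the other 85% went (malformed records, lab and RFC 1918 addresses, aged-out entries, low confidence, entries with no context to pivot on, and duplicates). The point is not the exact thresholds, which every shop should tune, but that the filtering and ranking are mechanical and should not be done by the person whose time is the scarce 20%.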
This is why, when we at Red Sky talk to potential members or simply educate people about the APT problem, we stress that threat intelligence has to be timely, contextual and, most importantly, accurate. Every analyst in the Red Sky membership has to show their work: each puts their findings into context, and those findings are then peer reviewed for accuracy. We do this to ensure that when a new member joins Red Sky, they have an abundance of rich, contextual indicators, Snort signatures and Yara rules they can apply to their defense strategy on day one. Add in the ability to work alongside and ask questions of some of the most experienced and intelligent incident responders from some of the world's leading organizations fighting APT, and it is clear a membership in Red Sky would be a Pareto efficient decision!
BT BT
This week Red Sky released Fusion report 13-013, which went out on the 13th! No, that wasn't intentional. The report describes a new targeted malware variant that leveraged a previously unobserved TTP, and it includes several new rules and indicators for proactive mitigation. Fusion report 13-014 should be published by this weekend and will provide analysis of yet another new variant observed in recent watering hole activity.
My last blog, "Time for some good news in Cyber Security", was met with a lot of positive emails. I was very pleased by those who took the time to email me and thank me for being uplifting. And why shouldn't we be? We are all doing really good things tackling a very hard and very real problem. Keep up the good work!
I encourage you to share your thoughts with me. If you haven't requested our whitepaper "How Great Companies Fight Targeted Attacks and APT", please shoot me an email or visit our website at www.redskyalliance.org.
Keep fighting the good fight!