All one has to do is check their Twitter account to witness the constant stream of reported cyber security incidents happening globally. I explicitly say “reported” because individuals, supply chain partners, and businesses everywhere are at some point realizing they have been compromised and only a small percentage report this publicly. Often the only way through is the “hard way” so we can gain a better understanding of how to be more ready and more intelligent about this threat we all face.
Information security practitioners have always said that security is not a thing, but a process. The term Incident Response (IR) is deeply engrained in our cyber security vocabulary at this point. Unfortunately it implies that a defender is simply in a reactive and weak position to the attacker.
A new term has been adopted recently: Continuous Response. This is a different level of readiness that adapts to threats and never waits until the attacker has carried out their objective completely. Continuous Response is a pattern used in many other domains of conflict and I hope by the end of this article you will understand how Continuous Response can be applied to shape your security program to a higher level of agility and effectiveness.
There are two analogies that illustrate the value of Continuous Response. Auto racing and the healthcare industry each discovered the importance of real-time monitoring and feedback. Both leverage telemetry data throughout the entire lifecycle of the “conflict” to provide a competitive advantage over rival race teams or a given health issue as the case may be.
When Formula One racing began a race would start there was no opportunity for the driver to discuss tactics and strategy with his team until making a pit stop or the end of the race. These days, terabytes of information flow from the vehicle to be analyzed by the team in near real-time. The driver and crew chief are in constant communication throughout the race. The driver is in a continuous response loop with his/her environment and—because of this—has the intelligence required to make immediate decisions that impact his ability to win the race.
The treatment of a disease like cancer is a situation where being proactive and early with detection dictates your chances of survival. Not long ago cancer detection was so late that the odds of survival for most types of cancer were miserably low. Today with early detection and treatment, once untreatable cancers are treatable and the survival rates are on the rise. Taking a continuous response to fitness, diet, and any signals from your body makes us more resilient to what used to be a grim situation.
In Formula One racing, oncology healthcare practices, and in information security, the defender with a continuous response strategy can raise the cost of “attack” for their adversary just enough to win—or should we say not lose. Specifically in information security, the attacker must complete a series of operations without being detected while the defender only needs to detect the attack during any one of those phases so that the most appropriate action can be enacted.
Preventing all attacks is an impossible objective. Detecting the attack early and directing them away from the business is your goal. You can achieve this if you have designed a network and security architecture that can deliver continuous telemetry. If you’re always paying attention for signs of suspicious or malicious activity you leave your opponent no place to hide and advance their campaign. This is the essence of Continuous Response.
- What does 2016 hold for us in cyber security? - December 10, 2015
- Why insider threats are succeeding - May 26, 2015
- On the virtues of Continuous Response - February 16, 2015
