This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
It seems like every week we hear about another serious breach affecting this merchant or that healthcare provider or some other major business. Successful cyber attacks of the private sector have become all too common.
In comparison, we rarely hear about a U.S. military branch or a national intelligence agency like the National Security Agency (NSA) getting hacked. Why is that? It's not because they aren't getting attacked; these entities are probably bigger targets than any commercial business.
Large scale attacks on the military and the NSA are mostly repelled because these groups take a different approach to cyber security than a typical business. Some argue that their methods are so effective that it's time for civilian businesses to adopt a military-style approach to defending their cyber assets.
Mike Walls is the managing director of Security, Operations and Analysis at EdgeWave. He recently retired from the U.S. Navy where he served as Commander Task Force 1030 reporting directly to the Navy's Fleet Cyber Command. Walls was responsible for the cyber readiness of more than 400,000 people, 300 ships and 4,000 aircraft. He had a key role in Operation Rolling Tide, a vigorous effort to secure government databases and improve the overall security protocols for Navy computer networks.
In his new job at EdgeWave, Walls is tasked with bringing military-style cyber security to enterprise organizations through a service called EdgeWave EPIC. Using military-grade operations, EdgeWave EPIC is designed to precisely identify cyber attacks and provide integrated real-time defense.
"In my most recent role with the Navy where I was responsible for making sure that ship and shore personnel were ready, I had two or three ways of doing that," says Wall. "I had a red team -- a cyber adversary team -- that did non-cooperative assessments on Navy organizations and ships. What that means is from their lab in Virginia, they would try to penetrate a battle group's networks or a shore installation's networks, and most of the time they were successful. They did this to help train the network operators to understand how to recognize adversary assaults, and for the warfighters, how to continue operating the network in an adversarial environment."
Walls also had a blue team that did more cooperative assessments. According to Walls, "They would go out to organizations and plug into the network alongside the IT folks to bring data back to our labs for extensive analysis. We'd get reports back and identify if there is actually any issue on the network – and unfortunately we found quite a bit of this – and where they had vulnerabilities. This is the vulnerability assessment piece of our methodology. This team would also educate the IT folks on how to protect the network a little better."
And finally, Walls had a penetration testing team who worked with the Navy acquisition units—"the people who buy all of the equipment for the Navy." This team did penetration tests on submarines, on black boxes and on other equipment.
It is this 360 degree view of threats, attack vectors, vulnerabilities, defensive tactics and human education and training that constitutes the military-style approach to cyber security. "We need to monitor, we need to assess, we need to get data and analyze the data and feed the results of that analysis back into our systems and our processes as soon as possible," according to Walls. "It is more of a military warfighting process."
He also stresses the human aspect of the process. "Human interaction is absolutely critical in my opinion," says Walls. "Automation is important – you can't do this stuff without automation, there is no question about that – but my personal experience with a cyber warfighting context is that if you don't have analysts with the right skillsets really looking at those 2% of events that are anomalous behavior, you are going to miss something. And when I say a warfighting context, I'm talking about fighting very worthy adversaries, not just a bunch of criminal hackers."
Walls cites the Target Corporation breach of 2013. He says the company had some of the best technology watching the network, and it actually found signs of suspicious behavior. However, the people charged with monitoring the systems didn't pay sufficient attention to the alerts. "They weren't watching things properly," laments Walls. "You can have the best technology in the world and you can have the best automated analytics, but if you don't have the people watching your networks, you are going to miss something. The key is to see it as soon as you can to reduce the time between compromise and detection so you can take action on it. Until security monitoring and looking for anomalous behavior are commonplace, we will continue to see breaches."
Filly Intelligence is a security firm that utilizes an NSA-inspired methodology its people honed serving in the military or civilian intelligence agencies. Managing director Summer Worden came out of the National Security Operations Center. Her company's approach to security is "different from the get-go."
"We use a fully comprehensive approach to the client and apply our intelligence based methodology. From the start we are different, and continue to deliver differently through completion of the security solution," says Worden.
For Filly Intelligence, using an intelligence methodology means applying the same methods and systematic approaches their professionals have used at the NSA and other intelligence collections programs, including military branches. According to Worden, "It is a scientific method and approach, and our people worked very hard to develop those skills in their agency or military careers. We look at the problem through a different lens—a trained and skilled intelligence operational lens that has changed the way we understand the threats and address security."
Worden and her colleagues are used to studying and scrutinizing with a critical eye the threats that organizations face. They customize a security layer for a client by understanding, first and foremost, what the threats and those true capabilities are. "If you don't understand that, you are already at a disadvantage," says Worden. "I can't emphasize enough that threats are becoming more sophisticated and capable today through the development of technology and the tools and also with the impassioned motivations that attackers have. The fact that my team truly understands and invasively studies these threats, what motivates a threat, how to curtail and dynamically address the threat, what indicators to look for, and what to anticipate, this sets us up to create a sound security posture for our clients."
Whether contracting for federal agencies or working with private sector enterprises and SMBs, Filly Intelligence uses the same approach. The consultants start by understanding what is important to the client, what the three to five most important assets are, what has the highest impact on the business, and what their critical information is. Filly then begins to reverse engineer a solution.
Worden says, "We don't just look at a client's vulnerabilities. We put ourselves in the mindset of a terrorist, the bad actor or hacktivist, and consider what is the likelihood that I am going to be able to penetrate this company? What is the tactic I am going to use? How hardened are their systems and how invasive do I need to be to get in?"
The next step is to look at the likelihood of an attack versus the impact. Then Filly Intelligence gives the client solution options. Worden says, "We don't just have a one-size-fits-all off-the-shelf package because our solutions are all built on a needs basis. We look at the client and how they do business and what their critical information is that we are looking to protect. Then we strive to provide a niche and suitable solution that is affordable and cost-effective and creates a resilient security program for them. My personal motivation is to make it very affordable because that benefits all of us."
I asked Worden for some things that business could be doing differently today to improve their cyber security posture. "Change your culture!" she replied emphatically.
Companies need to have a security mindset, says Worden. "I'm not talking about technical stuff or software or configurations. I'm talking about protocols and behaviors within your business and among your employees. There are a lot of things in today's environment that people need to be mindful of. I am impassioned about education and training and awareness. In the military we call that OpSec or operational security. It is about creating a vigilant and aware employee on what the threats are and what is going on, bringing to light what the actual threats are, who is looking to gain data and what tactics they are using. If we can do this and create a more knowledgeable and aware workforce, then we have just mitigated the vulnerability and potential for an incident in a huge way because 80% of the breaches happen when the bad actor exploits the person at the keyboard."
Worden says that building a defensive security posture starts with people. The reason that federal agencies and the military are more robust and secure is due in part to the culture that exists and the people that help to set and adhere to that standard of a highly resilient security posture.
"Solutions don't have to be built on high dollar bells and whistles of fancy technology," says Worden. "Money doesn't necessarily buy you a true state of security. It is the method by which you approach it and the culture you create. From that you can build a strong security program."