Most of us are afraid of the unknown. The biggest unknown? Falling victim to a cyberattack and not being prepared for it.
Plain and simple. We all (as humans) want to understand the things we do not know. Think of Ferdinand Magellan, Lewis and Clark, even Neil Armstrong reaching the moon.
In security—especially cyber or data security—we have that same desire.
In security, we see threats that originate in discussions on the Dark Web, and we see the aftermath (the loot from breaches and attacks) end up on sites within the Dark Web. But what we do not understand is which threats are coming next.
Threat hunting—the term we use for figuring out business security threats—is not really triggered by any event, but by not knowing if something will happen. Essentially we are diving into the dark and strategically coming up with proactive solutions to future security problems that could threaten your network.
Proactive threat evaluation has become so important that we are routinely combing security literature and prioritizing new issues to be addressed or discussed with clients as a means to keep business networks (and the people within them) secure.
How do we prioritize threats that come in?
It’s not as simple as deciding one day to sail around the world into uncharted territory or to fly to the moon. What we need is a well-defined plan to seek the right resources, discover what new problems are out there in cyberspace (including discussions on the Dark Web) and then determine which perceived threats actually align with weaknesses in process, technology or people within your network.
How do we evaluate and mitigate threats on your network?
Essentially we take a two-pronged approach to ensuring your network is secure. First, we learn of threats from external reports that produce indicators of problems within a network. We call this an outside-in perspective. One very real example of a threat that experts have been warning about for nearly a year at this point is the risk of keeping Windows 7 machines on your network.
Second, we look for suspicious behaviors within your network, identify any external sources that may be triggering or associated with the indicators we find while monitoring your network, and then hunt for areas within your network environment that may be at risk of a breach or attack.
Overall, our security team uses three main principles in addressing security on your network once something suspicious is found.
Putting it in context—the first thing ingrained in everyone on our security team is to put problems into context. Is the issue going to affect one machine or the entire network? Could the issue lead to sensitive data being leaked or not?
Once we know the context of a problem, we’re able to prioritize how and when to address the issue. Some high priority items may need a tactical solution, which ensures short-term mitigation of a risk before a long-term solution is conceived. Without context, you may be chasing ghosts and wasting time on issues that are really tied to other, bigger problems.
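As an added example (not code from the original post or its authors), here is a small Python triage script that illustrates the two-pronged approach and the context step just described: it checks a constructed asset inventory against an outside-in indicator (end-of-life Windows 7 hosts), matches constructed DNS log lines against a hypothetical bad domain taken from an external report, and then ranks the results by scope (one machine versus most of the network) and by whether the host holds sensitive data. All hostnames, domains, log lines and scoring weights are invented for illustration.

```python
"""Toy threat-hunting triage: combine outside-in indicators with observed
behaviour from logs, then put each finding in context before prioritizing."""
import re
from collections import defaultdict

# Constructed asset inventory (hostnames, OS versions and sensitivity flags are made up).
ASSETS = {
    "fin-ws-01": {"os": "Windows 7", "sensitive_data": True},
    "hr-ws-02": {"os": "Windows 7", "sensitive_data": True},
    "eng-ws-03": {"os": "Windows 10", "sensitive_data": False},
    "file-srv-01": {"os": "Windows Server 2016", "sensitive_data": True},
}

# Outside-in: indicators as they might arrive from an external report (constructed values).
EXTERNAL_INDICATORS = {
    "bad_domains": {"updates-cdn.example.invalid"},  # hypothetical domain from a report
    "eol_os": {"Windows 7"},                          # end-of-life operating systems
}

# Constructed DNS log lines in the form "<timestamp> <host> <event> <detail>".
LOG_LINES = [
    "2020-01-15T09:12:03 fin-ws-01 dns_query updates-cdn.example.invalid",
    "2020-01-15T09:12:05 eng-ws-03 dns_query www.example.org",
    "2020-01-15T09:13:10 hr-ws-02 dns_query updates-cdn.example.invalid",
    "2020-01-15T09:14:22 file-srv-01 dns_query updates-cdn.example.invalid",
    "2020-01-15T09:15:00 eng-ws-03 dns_query updates-cdn.example.invalid",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield {"ts": m.group(1), "host": m.group(2),
                   "event": m.group(3), "detail": m.group(4)}


def find_indicator_hits(assets, indicators, log_lines):
    """Return {host: set of indicator names} for every host that matched something."""
    hits = defaultdict(set)
    # Outside-in: compare the inventory against the end-of-life OS indicator.
    for host, info in assets.items():
        if info["os"] in indicators["eol_os"]:
            hits[host].add("eol_os")
    # Behaviour in the network: DNS queries that touch a reported bad domain.
    for rec in parse_log(log_lines):
        if rec["event"] == "dns_query" and rec["detail"] in indicators["bad_domains"]:
            hits[rec["host"]].add("bad_domain")
    return dict(hits)


def put_in_context(hits, assets):
    """Score each hit by scope (single machine vs. most of the network) and data sensitivity.

    Weights are arbitrary: network-wide indicator +3, single-machine indicator +1,
    host holding sensitive data +2. Findings with score >= 5 get a tactical action first.
    """
    indicator_hosts = defaultdict(set)
    for host, names in hits.items():
        for name in names:
            indicator_hosts[name].add(host)

    findings = []
    for host, names in hits.items():
        score, reasons = 0, []
        for name in sorted(names):
            affected = len(indicator_hosts[name])
            if affected > len(assets) / 2:
                scope, score = "network-wide", score + 3
            else:
                scope, score = "single machine", score + 1
            reasons.append(f"{name}: {affected} of {len(assets)} hosts ({scope})")
        if assets[host]["sensitive_data"]:
            score += 2
            reasons.append("holds sensitive data")
        action = ("tactical mitigation now, then long-term fix" if score >= 5
                  else "schedule long-term fix")
        findings.append({"host": host, "score": score, "reasons": reasons, "action": action})
    # Highest score first; hostname breaks ties so the order is stable.
    return sorted(findings, key=lambda f: (-f["score"], f["host"]))


if __name__ == "__main__":
    for f in put_in_context(find_indicator_hits(ASSETS, EXTERNAL_INDICATORS, LOG_LINES), ASSETS):
        print(f"{f['host']:12} score={f['score']} -> {f['action']}; " + "; ".join(f["reasons"]))
```

Run as a script, the output lists the two Windows 7 workstations that also queried the reported domain at the top, the sensitive file server next, and the single non-sensitive workstation last; the same indicator seen on most hosts is treated as a network-wide problem rather than four separate single-machine issues.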
Collaboration—we have a security team for a reason. When one security analyst or engineer discovers a problem, they might not see the entire problem. Teams with a variety of expertise in security are able to better explore every corner of the issue on the network and pinpoint tactics, techniques and procedures that more holistically lead to a comprehensive solution.
Keep learning—this is probably the biggest principle of all; in fact, it is part of one of our core values. If we stop learning—especially from our mistakes—we’re not going to keep up with the evolving threats hitting our businesses.
Our desire to understand the unknown, like our communal interest in exploring and discovering, helps our team figure out complex security problems and predict and prevent threats, creating a safer future for us all.