Last month I wrote about "the problem with a legacy mindset"within the cybersecurity community. I mentioned that IronNet has been sounding the alarm for Collective Defense since General (Ret.) Keith Alexander founded the company in 2014. So you can imagine how pleased I was to hear that the mind shift toward a Collective Defense approach is taking deeper root at the White House.
Specifically, at the recent National Security C.L.A.S.S. (Cyber, Land, Air, Sea and Space) Symposium, the National Cyber Director Chris Inglis said, "I think Collective Defense is the transformative moment for us." (video embedded below)
Although it's certainly music to my ears to hear others talk about Collective Defense, there is a crucial detail in Inglis's explanationthat I'd like to highlight above all else: simply sharing information isn't the answer to building a collaborative cybersecurity posture. He notes, "We share information assuming that information collaborates; it does not." Instead, we must huddle together in real time around correlated detections and crowdsourced insights to tackle the same threat hitting dozens (if not thousands as in the case of SolarWinds) by pooling human resources and expertise to defend as a unified front.
While traditional threat sharing remains an essential aspect of securing sectors such as energy and finance, there are two reasons we fundamentally need to push threat sharing to a new level in order to go head to head with today's adversaries. Clearly they have upped their game to platform-based attacks and supply chain intrusions, so we must innovate as defenders to overcome these limitations:
Traditional threat sharing groups focus efforts primarily on signature-based threats, which can easily slip past firewalls and endpoint security tools. As IronNet's threat analysis team explains in a recent blog, "It is broadly accepted in the analyst community that a cyber attacker can easily change hash values, IPs, and domains."
If threat sharing does not happen in real time - and with immediate situational context across the broader threat landscape- it simply happens way too late and the information exchanged is often rendered irrelevant to the organization under attack. Traditional threat intelligence often is not specific enough or delivered fast enough for the recipient to take meaningful action. As Inglis puts it, "What we need to do … is to stand on common floor plates (virtually or physically) … to discover things together we could not have discovered alone."
How to make cyber threat information actionable
It's one thing for SOC analysts to have threat intelligence at their own fingertips. It's another thing entirely to see the same threat multiplied across enterprises - without having to rely on dozens of open tabs to sort through the noise. This clear, extended visibility, brought on by behavioral analytics and our ability to break down defense silos, is what we call a cyber radar view of attack campaigns as they are happening - instead of long after the threat has withered on the ones-and-zeros vine.
IronNet's Collective Defense platformallows collaborators from across the private and public sectors to see the same threats, with the same context, at the same time.
We focus our detections on adversarial tactics, techniques, and procedures (TTPs), which are much harder than hash values, IPs, and domains for adversaries to overhaul in order to remain undetected on enterprise networks. Only behavioral analytics can spot these unknown threats by looking for network indicators such as credential phishing and lateral movement, and we build a real-time picture of the threat landscape based on these detections.
In this way, IronNet is transforming cybersecurity. We are the only cybersecurity company that has the technology to create a cyber radar picture - one enterprises and organizations that participate in a Collective Defense community can see concurrently. The outcome? Actionable attack intelligence emerges, providing an early warning system for all who adopt the Collective Defense model.
This transformative security model involves banding together around actionable attack intelligence in real time. It's the virtual "common floor plates" Inglis mentions. As my colleague Major General USAF (Ret) Brett Williams, Co-Founder IronNet, Inc., explains in his "Cybersecurity Market Insights Report: What is attack intelligence and why do you need it?", attack intelligence delivers threat information that is three things at once:
Timely: you need speed when it comes to both detection and triage
Relevant: you need meaningful threats to emerge from information overload
Actionable: you need situational context around detected anomalies
Actionable attack intelligence spotlights what is happening in your network vs. what could happen. It combines correlated threat detections uncovered by behavioral analytics and a Collective Defense posture brought on by real-time visibility and crowdsourced collaboration among organizations. As Major General Williams points out, "actionable attack intelligence closes the air gap of traditional threat intelligence platforms, tools, and feeds."
When private and public sectors come together to create a cyber radar view of the threat landscape, share attack intelligence in real time, and cluster response efforts around the same threat, we achieve powerful Collective Defense that strengthens the security of all. Only in this way can we weaken the adversaries and, in turn, take back our power in cyberspace. As Inglis calls out to the bad actors, with a truly collaborative defense at play, "You have to beat all of us to beat one of us."
To read more about actionable attack intelligence, see our Cybersecurity Market Insights report.