Does something like this sound familiar? "We need to find, fix, finish, exploit, analyze, & disseminate this intrusion set along the kill chain via force multipliers so we can observe, orient, decide, and act according to tactical, operational, and strategic priority intelligence requirements." I bet that part of it does.
I think that it is important to keep in mind that we aren't the military and don't have the resources of the military. While military concepts can be useful, buzzwords won't secure your environment; you could become distracted and utilize your limited resources in the wrong manner. As I was sorting out my Black Hat calendar tonight, I fortuitously saw a talk that is very applicable to this topic: "The Library of Sparta," with David Raymond, Greg Conti, and Tom Cross. Here is part of their abstract:
During the past 18 months or so, we have seen the emergence of innovative endpoint security solutions. The list is long; it is hard to keep track of all the solutions in the space. In no particular order, here is a sampling: Bromium, Invincea, IBM Trusteer, Cylance, Palo Alto Networks Next-Gen Endpoint Protection (Cyvera), Microsoft Enhanced Mitigation Experience Toolkit (EMET), Bit9 + Carbon Black, Confer, CounterTack Sentinel, Cybereason, CrowdStrike Falcon Host, Guidance Software Cybersecurity, Hexis HawkEye G, FireEye HX, Triumfant, Tanium, and Verdasys Digital Guardian.
I take many briefings from these types of vendors (primarily the ones I cover in Forrester’s Endpoint Visibility and Control category) and within the first 5 minutes of the conversation, the vendor mentions that their solution has a “small footprint.” The use of this phrase is the equivalent of nails scratching their way across a chalkboard for me. When was the last time you heard anyone say that they have a “large footprint?” Please provide more information: Do you run in user or kernel land? What are the impacts to utilization? Even if a vendor truly has a “small footprint,” when that new agent is deployed to a host that already has four or five agents running, the collective footprint is far from small.
The sharing of threat intelligence is a hot topic these days. When I do conference speeches, I typically ask how many organizations see value in sharing, and most in the room will raise their hand. Next, I ask how many organizations are actually sharing threat intelligence, and roughly 25% to 30% in the room raises their hand. When our 2014 Security Survey data comes in, I will have some empirical data to quote, but anecdotally, there seems to be more interest than action when it comes to sharing. I wrote about some of the challenges around sharing in “Four Best Practices To Maximize The Value Of Using And Sharing Threat Intelligence.” Trust is at the epicenter of sharing and just like in "Meet the Parents," you have to be in the circle of trust. You can enable sharing, but automating trust does take time.
Critical infrastructure is frequently on my mind, especially the ICS/SCADA within the energy sector. I live in Texas; oil and natural gas are big here ya'll. I'm just a short distance away from multiple natural gas drilling sites. I cannot help but think about the risks during the extraction and transport of this natural gas. North Texas has seen an attempt to bomb the natural gas infrastructure. In 2012, Anson Chi attempted to destroy an Atmos Energy pipeline in Plano, Texas. As a security and risk professional, I wonder about the potential cyber impacts an adversary with Chi's motivations could have.