Given current headlines, one might think that every organization must be in a continual state of cyberwarfare. Everywhere we look, we are under siege. On one side are ransomware attacks, and on the other are state-sponsored supply-chain compromises.
A crucial factor on any battlefield is what’s called the ‘fog of war.’ Sir Lonsdale Augustus Hale described this as, “The state of ignorance in which commanders frequently find themselves as regards the real strength and position, not only of their foes, *but also of their friends*” (emphasis mine). That’s right — knowing what your allies are doing can be just as important as knowing what your enemies are up to. Applying this to the Information Security battlefield, a lack of visibility into what’s normal in your own network can hamper your efforts in the same way that a lack of threat intelligence can.
Indeed, visibility is a crucial element of great security. I think of visibility as data that can tell me:
- What happened in the past
- What is happening now
- What could happen in the future
In May of this year, organizations across the globe were checking their network, server, and Exchange logs to see if they had fallen victim to the HAFNIUM crew or to the dozens of secondary actors. Based on what those logs contained, each organization could ideally determine the level of incursion, if any, and the appropriate next steps. Having visibility into what the attackers did in the past provided victims with the knowledge to make informed business decisions about the present. Knowledge is power, as they say.
Visibility can come from network logs, packet captures, application telemetry, or anything else that can send data about what’s in the environment or what’s going on within it. Great visibility comes from tying all those data sources together in a way that puts what and when in the context of who and why.
Moving from historical visibility to real-time visibility is a logical step, which can help security teams create triggers, rules, and alerts to automatically take action based on what’s happening right now. But there’s a third type of visibility that can help in a totally different way.
Ever hear someone say, “I’m concerned about making that security change because I don’t know if it might break something”? Uncertainty about changes can kill a security initiative faster than you can say ‘Patch Tuesday.’ But what if you knew it would be safe and could prove it?
Here’s one example: I’m a proponent of blocking server traffic to the Internet, allowing only specific, required destinations. This is a great way to make life difficult for attackers, but I’ve received my share of pushback from stakeholders when suggesting this, based on — to put it bluntly — fear of the unknown. But by leveraging network visibility, both historical and real-time, I can show that it’s really no big deal: the logs already record every external destination each server actually talks to, so a proposed allow-list can be checked against real traffic before it is enforced.
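One way to turn that historical visibility into evidence, as an added example that is not from the original post: replay recorded server egress flows against a proposed allow-list and report exactly which connections the rule would have blocked. The flow-log format, hostnames, addresses and allow-list are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: timestamp, source server, destination IP, dst port.
# In practice these would come from firewall, NetFlow or VPC flow logs.
FLOW_LOG = """\
2021-06-01T02:00:11Z web01 10.0.0.5 5432
2021-06-01T02:00:15Z web01 198.51.100.10 443
2021-06-01T02:05:40Z web01 203.0.113.34 443
2021-06-01T03:10:02Z db01 10.0.0.9 3306
2021-06-01T03:12:55Z db01 203.0.113.77 80
2021-06-01T04:00:00Z app02 198.51.100.10 443
2021-06-01T04:00:03Z app02 198.51.100.11 443
"""

# Proposed egress allow-list: (destination network, port) pairs servers may reach.
# Constructed values; a real list would name the patch mirror, CDN, etc.
ALLOW = [(ip_network("198.51.100.0/24"), 443)]
# Internal range: east-west traffic is unaffected by an Internet egress rule.
INTERNAL = ip_network("10.0.0.0/8")


def parse_flows(text):
    """Yield (server, destination address, port) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, server, dst, port = line.split()
        yield server, ip_address(dst), int(port)


def is_allowed(dst, port):
    """True if the destination/port pair matches an allow-list entry."""
    return any(dst in net and port == allowed_port for net, allowed_port in ALLOW)


def egress_report(text):
    """Return {server: sorted 'ip:port' destinations the proposed rule would block}.

    An empty dict means the historical traffic shows nothing would break.
    """
    blocked = defaultdict(set)
    for server, dst, port in parse_flows(text):
        if dst in INTERNAL:
            continue
        if not is_allowed(dst, port):
            blocked[server].add(f"{dst}:{port}")
    return {server: sorted(dests) for server, dests in blocked.items()}


if __name__ == "__main__":
    for server, dests in egress_report(FLOW_LOG).items():
        print(f"{server}: would lose {', '.join(dests)}")
```

Each reported destination is either a legitimate dependency to add to the allow-list or traffic that should not be leaving the server at all; both outcomes are useful before the rule goes live.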
We spend a lot of time and effort so we can spot attackers — and for a good reason! But without visibility into our own organizations, we’re left with too much uncertainty. So how can you use more visibility to counter the fog of war?