Five Principles of Successful Enterprise Threat Management

Blog by William Van Vleet, III

In my last post about protecting the enterprise, I talked about why it’s important for organizations to take a holistic, comprehensive view of enterprise threat management (ETM). This comprehensive perspective should account for threats in the cyber realm, the physical realm, the environmental realm and the human realm. At Haystax we’ve found the following five principles essential to truly comprehensive threat management.

1. Data alone isn’t enough

One of the most common oversights in ETM is relying too much on data. Here’s a thought pattern that’s probably familiar: “If I extract all my data and look for trends, I’ll find out where my threats are.” This works as a historical analysis, but that’s where it ends. Data is good at explaining what has already happened in the past; data alone won’t tell you what’s likely to happen in the present or future, because the past isn’t necessarily a good representation of the future.

What’s more, it’s easy to be overwhelmed by data. Consider the IT manager who gets hundreds of alerts an hour from a tool designed to spot potential vulnerabilities or attacks. That’s great information, but who has time to analyze or prioritize it all and distinguish the signal from the noise? You can have lots of data but still be unable to detect a real, imminent threat.

2. People are the strongest and weakest links in the chain

You can’t disconnect the human element from threat management; it’s essential. Yet people are both the strongest and weakest links in the chain. They’re the strongest because the human being is the decision maker with the best reasoning capacity. It’s they who must decide what action to take about a potential threat. They might be awash in data, but they have to make the call using their intellect and knowledge of the organization. Yet people are also the weakest link because they can be careless or intentionally malicious custodians of ETM. A person can be responsible for initiating a threat, but at the end of the day it’s a human being who has to remediate the consequences of that threat.

3. Context is key

In order to empower people to interact with data, you need to give them two things: context and priority. First, information presented must be contextual. People need to know more than just the fact that there’s a threat against the enterprise; they have to understand the context to know why it’s important. What else is happening at that particular time that makes this threat especially significant? What other previous or subsequent events make this particular threat relevant?

Analyzing threats in a broad context is a hallmark of Haystax’s ETM platform. For example, when the Baltimore riots broke out this spring, our platform flagged a tweet that read, “Baltimore Police say ‘credible threat’ shows gangs including Crips & Blood partnered-up to take out law enforcement officers.” Our platform also found another social media post advertising a violent “purge” starting at 3 p.m. that day at an area mall. Without proper context, these tweets were not useful information. But had the Baltimore school systems had both these tweets brought to their attention early on, they could have had a context for acting. Schools in the area of the threat could have let out early instead of, as actually happened, dismissing students just as police were assembling in the streets right where those students were supposed to be picked up and transported home.

4. Prioritizing is a must

People also need a way to prioritize threats. They might be receiving hundreds of alerts in a day, but which few should they investigate further and which should they ignore? Understanding risk means knowing the consequences and the enterprise’s vulnerabilities. Enterprise threat management is based on a risk-based prioritization of threats: which consequences are likely to be more damaging than others? In a truly unified ETM system, the risks might be from the cyber, physical, environmental or human (insider threat) realm. Which realm is posing the greatest threat that day? Asking – and answering – that question helps determine where to put resources.

5. Threats are continuously mutating

Your ETM system must be able to detect threats as they happen. That means it has to be real-time and continuous. The threat environment is dynamic, so in order to manage it you have to respond in kind. Your system needs to adapt to continually changing conditions and account for everything that’s potentially important. If your system is not real-time and continuous, it’s no match for a dynamic threat landscape.

The five principles I’ve described are the pillars of successful enterprise threat management. Now you need an analytic framework that allows you to integrate and accomplish all of this. You need a systematic way to apply these principles to any situation – to build them into a model. At Haystax we’ve developed patented analytics that continuously monitor threats by integrating organizational data with open-source, commercial and publicly available information. We enable organizations to achieve contextual, real-time situational awareness and identify threats that are usually buried in too much noise or not placed in the proper context.

I look forward to discussing our approach more in future posts – and to hearing any responses to the five pillars of ETM.