The Insight From Red Teams That Revolutionized Cyber Defense

Bob Gourley October 10, 2014

The testing of enterprise security conducted by red teams, groups of talented professionals skilled in evaluating security, has long been an important verification of security compliance and a way to prioritize what area security teams should focus on. But insights from this community have given rise to a concept that is now transforming the security industry: Red teams have taught us that to thwart threats we must at times think like our adversaries. Offense must inform defense.

This insight is now informing technical approaches to defense, concepts of operation and strategies for collaboration across industries. Consider, for example, these lessons learned from the attack side of the security community:

When a motivated adversary wants to get in they will keep trying till they find a way. Assume you will be breached. Plan to detect, respond, restore while containing damage.
When an adversary gets it they will seek to remain undetected, but in a well instrumented enterprise no adversary can remain invisible. All leave traces and well-instrumented systems will find them.
Adversaries leave tools, including malware and rootkits to make their continued exploitation easier.
Integration of all defense related information gives insights that leads better actions.
Adversaries are automating and operating in-line. Defenses must automate and operate in-line.
Smart defenders can target defense the way smart attackers target attack. With automation there is no need for a sledgehammer approach. Progressive mitigation approaches allow users to still do their work while only the needed countermeasure is deployed and it does not need to interrupt IT functionality or the workforce use of their tools.

If you agree with these insights here are some considerations that can help you put them into practice in your enterprise:

Establish a goal of continuous monitoring of all available, instrumentable components of enterprise IT.
Architect for the closely related but different goal of automation of in-line response and containment. When the system detects a problem, it should automatically provides a response to contain and limit the impact without requiring human intervention.
Remember to extend your monitoring and automated response into RAM. Adversaries are moving to any reachable part of the IT system, including storing code in volatile memory. So RAM must also be searched and monitored, continuously.
Architect in ways that enhance integration of data. Architecting smartly and choosing systems designed with integration in mind are key.
Build your solution to scale. Old RDBMS approaches do not work on this class of computer science problems.

Are these thoughts consistent with your modernization plans? We would love to know what you are thinking.

About Bob Gourley

Bob Gourley is the CTO and Co-Founder of the due diligence and cybersecurity consultancy OODA LLC , which publishes CTOvision.com and OODAloop.com. Bob's background is as an all source intelligence analyst and an enterprise CTO.

Gain Powerful Insights Into The Future With OODA Loop’s Technology Tracking

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we have merged our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). CTOvision will focus only on one small niche, a vision for a technology enabled future. […]

CTOvision and OODA: Big Changes Coming Soon

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we are merging our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). This will give our community access to the same technology summaries we currently produce as […]

Give Your Career A Boost By Learning From Experienced Decision Makers

Our video and audio podcast, the OODAcast, provides content that can help accelerate your career and improve your decision making. The series is based on interviews of some of the greatest most accomplished enterprise technologists we can find. We ask questions designed to pull out lessons applicable to accelerating the career of any professional. We […]

Think Twice Before Deciding To Use A Personal VPN: You could be getting some really bad advice

From the 1930s to 1950s (far too long) the medical community just would not wake up to the fact that cigarettes could cause harm (see More Doctors Smoke Camels). Why did they stick with this misperception for so long? When so many good people come to the wrong conclusion it probably means some deeply human […]

Please help spread the word: USNI and NIP Essay Contest: This year’s challenge area a key one for the nation

Please help share the content at this link to any thinker/writer you know: 2020 Information Warfare Essay Contest This contest is open to all contributors, active-duty, military, reservists, veterans, and civilians. Generally the winners have had a solid understanding of the nature of modern conflict, but really any thinkers/writers should look over the contest and […]

Centripetal wins historic $2.6-$3.2 Bil vs. Cisco Systems; largest US patent infringement award to date

Editor’s note: I am proud to say I have a history with Centripetal Networks serving on their board and then later as an advisor. It was horrible to learn that a Tech Titan like Cisco was infringing on their patents. It is good now to see when the facts were reviewed justice was done. -bg […]

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]

All Enterprise Techies Should Watch HBO’s SciFi Epic Westworld: It will help us dialog over shared experiences on what we will not be creating

Westworld season one was a great mix of science fiction and drama and action and it was done in a way that should help people think through many tech ethics questions, like how do we want to treat our robots? Does treating robots with violence change our nature? Can robots become sentient? HBO has a […]

Related