From Mental Models to Computational Models
It used to be that a diligent team of analysts with some programming skills could do a respectable job of protecting an enterprise on their own. They knew enough about the specific threats, the specifics of the enterprise, and the specifics of the enterprise network that they could monitor for problems and mitigate them. Unfortunately, the volume and velocity of the threats have grown. The variety of business models has expanded. The complexity of enterprise network topologies has increased. These factors demand that cybersecurity solutions evolve. Cybersecurity teams must upgrade to a better strategy.
No longer are one-off scripts and the programming of lookup tables adequate to face the criminal elements. The risks and liabilities are just too high.
Threat Intelligence
Cybersecurity teams must have a handle on what threats are being used. It is no longer realistic to think that you can be solely reactive to the threats that hit you. You have to anticipate them and prepare for them. It is no longer prudent to rely only on your own experience; you must use the broader experience of the community of enterprises trying to protect themselves from the same threats you are. I'm saying you have to have a strategy that incorporates external as well as internal Threat Intelligence.
Enterprise Network Complexity
In today's world of mergers and acquisitions, it is not unusual to see corporate networks that are integrations of multiple legacy systems. This hampers the ability of mere mortal humans to have clear situational awareness of the whole system. It is absolutely imperative that the cybersecurity systems have a handle on both the physical and the logical configuration of the enterprise's complete network. The bigger the network, the harder it is to maintain a mental model, or even a proprietary programmed model. Enterprises should embrace systems and frameworks that provide standardized methods of modeling their enterprise. Protecting it with scripts and simple programs tends to be brittle: they work only until your network changes, and today networks are constantly changing. I'm saying you have to have a strategy that incorporates and scales to our dynamic networks.
Business Model and Process Complexity
Different businesses have different business models. Duh, right? It is intimate knowledge of the business model, the business processes, and the people in the business that allows a security analyst to distinguish normal from abnormal behavior. The systems you use to protect your enterprise must incorporate the context of your business, in a model that includes all the things that tip off a human analyst that something is amiss. I'm saying you have to have a strategy that computationally captures, retains, and uses the contextual knowledge of your enterprise and the logic of your analysts.
The Solution is to Step Up Our Technical Skills
Addressing cybercrime with proprietary scripts and programs is like bringing a knife to a gunfight. We have to take ourselves to the next level. We have to stop working only at the individual enterprise level (where the battles are) and start working at the broader level (where the war is being fought). To be smart about this, you need to take advantage of modeling languages and technologies that were created to work at this level, preferably modeling languages that have the support of the community of enterprises just like yours, so you can share your knowledge and resources.
This is why modeling languages like OWL are so important. This is why cybersecurity models like STIX and CybOX are so important. This is why protocols like TAXII are so important. Consider these as the next generation of the weapons of cyberwar.
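To make the contrast with a one-off lookup table concrete, here is an added example (my own code, not from the original post or from the OASIS projects). It expresses a piece of threat intelligence as a STIX bundle, evaluates it against constructed local observations, and emits the STIX Sighting objects you would share back over TAXII. It uses STIX 2.1 JSON, which postdates this post; in STIX 2 the CybOX observable objects became STIX's own Cyber-observable Objects, so the indicator pattern below refers to them directly. The indicator, the malware name and the observations are all constructed, and the pattern matcher handles only a small subset of STIX Patterning (single comparisons joined by OR), not the full language.

```python
# Added example: a STIX 2.1 indicator bundle and a sighting pass over local data.
# Standard library only; every identifier and observation below is constructed.
import json
import re
import uuid
from datetime import datetime, timezone


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _sid(stix_type: str) -> str:
    """STIX identifier: '<type>--<uuid4>'."""
    return f"{stix_type}--{uuid.uuid4()}"


def make_indicator_bundle(pattern: str, malware_name: str) -> dict:
    """Indicator + Malware + 'indicates' Relationship, wrapped in a Bundle.
    This is the unit a team publishes to a TAXII collection instead of a CSV."""
    ts = _now()
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": _sid("indicator"),
        "created": ts, "modified": ts,
        "name": f"{malware_name} C2 infrastructure",
        "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix", "valid_from": ts,
    }
    malware = {
        "type": "malware", "spec_version": "2.1", "id": _sid("malware"),
        "created": ts, "modified": ts,
        "name": malware_name, "is_family": False,
        "malware_types": ["remote-access-trojan"],
    }
    rel = {
        "type": "relationship", "spec_version": "2.1", "id": _sid("relationship"),
        "created": ts, "modified": ts,
        "relationship_type": "indicates",
        "source_ref": indicator["id"], "target_ref": malware["id"],
    }
    return {"type": "bundle", "id": _sid("bundle"), "objects": [indicator, malware, rel]}


# Subset of STIX Patterning handled here: "[obj:prop = 'v' OR obj:prop = 'v']".
_COMPARISON = re.compile(r"([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'")


def pattern_matches(pattern: str, observation: dict) -> bool:
    """True if any comparison in an OR-joined pattern matches the observation,
    a dict like {"domain-name": {"value": "c2.bad.example"}}."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")) or " AND " in body:
        raise ValueError("only OR-joined single comparisons are supported")
    for obj_type, prop, value in _COMPARISON.findall(body[1:-1]):
        if observation.get(obj_type, {}).get(prop) == value:
            return True
    return False


def sightings_for(bundle: dict, observations: list) -> list:
    """Run every Indicator in the bundle over local observations and emit one
    STIX Sighting per indicator that hit, with the number of matching observations."""
    sightings = []
    for obj in bundle["objects"]:
        if obj["type"] != "indicator":
            continue
        hits = sum(1 for o in observations if pattern_matches(obj["pattern"], o))
        if hits:
            ts = _now()
            sightings.append({
                "type": "sighting", "spec_version": "2.1", "id": _sid("sighting"),
                "created": ts, "modified": ts,
                "sighting_of_ref": obj["id"], "count": hits,
            })
    return sightings


# Constructed observations, as if parsed from DNS and proxy logs.
OBSERVATIONS = [
    {"domain-name": {"value": "update.example.net"}},
    {"domain-name": {"value": "c2.bad.example"}},
    {"ipv4-addr": {"value": "203.0.113.7"}},
    {"ipv4-addr": {"value": "198.51.100.9"}},
]
PATTERN = "[domain-name:value = 'c2.bad.example' OR ipv4-addr:value = '203.0.113.7']"

if __name__ == "__main__":
    bundle = make_indicator_bundle(PATTERN, "ExampleRAT")
    print(json.dumps(bundle, indent=2))
    for s in sightings_for(bundle, OBSERVATIONS):
        print("sighting of", s["sighting_of_ref"], "count", s["count"])
```

The point of the shape, rather than the code volume: the indicator carries its own pattern, validity window and link to the malware it evidences, so a second enterprise can consume it without knowing anything about the first one's scripts, and the sighting it sends back is equally self-describing.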
Is YOUR enterprise fighting the battle or the war?