First and foremost: We don't lose because of vulnerabilities. We lose because we believe we are in one infosec state, and the threat realizes we are in a different, more vulnerable, state. That means that it's not whether or not the vulnerable condition exists that matters, it's whether the threat actor knows it does and we think it doesn't.
Second, if losing is about believing you are in one security state when you are in another, winning is about the threat actor believing they are in an infosec state when they are actually in another. We make this happen in the one place we control: our network.
Currently, threat actors can operate with impunity because our network is operating the way the threat actor believes it's operating. To tip the balance of power in infosec conflict, we need the network to be operating differently than the threat actor believes it's operating. To do that, we need to do a few things:
- We need to treat the SIEM like a big data warehouse. Our SIEM should be a network telemetry data warehouse. It needs to receive as much alert data as possible through integration layers capable of dealing with the specific data types being inputted. It needs to be able to pull in additional associated data. In the data marts, it needs to detect not just malice, but any activity outside of the normal network profile. (This leads to a separate question of how to profile a network which I'll leave for another post.)
- The network telemetry data warehouse needs to be able to correlate detected anomalies with other data to piece together the picture of what is happening. Understanding the relationships between observations is critical to understanding the ground truth of the conflict.
- Most important, it needs to have a feedback loop; changing how the network is operating based on what the SIEM believes is anomalous or malicious. When potential malice is detected, it needs to take a different route though the network. Malice needs to have different rules applied to it's traffic. It needs to have different tools applied to delaying the threat, gathering intelligence, and responding to the threat to prevent negative impacts. This can all be accomplished in an automated feedback loop so that the network is pitching itself against any anomalous behavior.
On the network of the future, the network is not a static battlefield, but a living, pulsating thing. The network uses the massive amount of telemetry data at it's disposal and broad flexibility provided by Software Defined Networking and virtualization to respond to perceived threats. It put threat actors at the same type of disadvantage that defenders currently face. And, ultimately, the advantage in infosec conflict will pitch in defense's favor because threat actors will be unable to trust that the network environment they believe they are operating in is the true network state.