Knowing your unknowns
On a daily basis, the news is filled with stories about things that "should never have happened". Last weekend’s headline, "Improvised Explosive Device Explodes in New York City’s Chelsea Neighborhood", is one tragic example. No one could have anticipated the attack, but through the use of cameras placed throughout the area, law enforcement was able to identify a suspect and track his movements within hours.
In the real world, no one can know every single threat that could exist in the future, or when it might happen. You can make educated guesses with the right intelligence and data, but you can’t predict with certainty. This is why New York, London, and other metropolitan areas have installed surveillance cameras. They’ve done this so that if a situation does unfold, they can quickly triage and provide authorities with immediate and accurate information to inform response and investigation.
I’m reminded of the movie Minority Report. The premise is that a trio of psychics have premonitions of a "pre-crime". They anticipate murders before they happen and law enforcement arrests suspects before they commit the crime. Unfortunately, none of us in the real world, even experts in cybersecurity, have the ability to predict attacks with absolute certainty. There’s no magical box that you can install onto your network that will accurately alert you to threats before they happen … but that’s where knowing your unknowns comes into play.
Knowing your unknowns isn't about predicting the future, it’s about understanding your weaknesses, identifying your blind spots, and putting mitigation strategies in place so you can react to possible unknowns. Remember Donald Rumsfeld’s famous quote during a press conference in February 2002?
Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know. We also know there are known unknowns; that is to say we know there are some things we do not know.
The same holds true for today’s cyberattacks that come in so many different forms. While many attacks come from outsiders, don’t discount the fact that your employees, customers and vendors could also be suspects. Some attacks target your network infrastructure; others are in the cloud, or on your endpoints and mobile devices. There have even been instances where exploits targeting routers (and developed by a nation-state) were stolen and used against companies.
The fact is that nation-states conduct espionage operations, rival companies steal intellectual property from each other, criminals nab millions of dollars, and political operatives leak embarrassing information on an opponent. Having worked in cybersecurity for over two decades, nothing surprises me. All of these types of potential threats should fall into your "known unknown" category: You know that people, devices, and infrastructure can be sources of weakness, exploited inadvertently or intentionally.
Possibly the most critical principle we’re taught in cybersecurity is to know where our critical assets are located. The first step in building out a successful cyberdefense strategy entails gaining insight into every aspect of your critical data, including critical data in motion across your networks, endpoints and cloud infrastructures.
The reality is that servers move, people make mistakes, and attacks can happen from many different vectors. The constant in your defense strategy should be ensuring that you have the ability to trace every transaction as data travels through your enterprise. Seeing what happens as data traverses your extended network infrastructure is a prerequisite if you’re going to protect against the unknown.
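One concrete way to act on "know where your critical assets are" and "trace every transaction as data travels" is to reconcile network flow records against an asset inventory and flag traffic that touches critical data but involves hosts the inventory does not know about. The script below is an added illustration, not code from the article or from Gigamon; the inventory, the internal address range, and the flow records are all constructed for the example, and real deployments would pull them from a CMDB and from NetFlow/IPFIX or tap data instead.

```python
"""
Added example (not from the original article): reconcile a constructed
asset inventory against constructed network flow records to surface
"known unknowns" - traffic that touches critical data but involves hosts
the inventory does not know about. Every host, address and flow below is
made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    critical: bool  # holds or processes critical data


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


# Constructed inventory: the hosts we *know* we own.
INVENTORY = {
    "10.0.1.10": Asset("10.0.1.10", "db-customers", critical=True),
    "10.0.1.20": Asset("10.0.1.20", "app-web-01", critical=False),
    "10.0.2.5": Asset("10.0.2.5", "backup-01", critical=True),
}

# Constructed internal range; anything outside it is treated as external.
INTERNAL = [ip_network("10.0.0.0/8")]

# Constructed flow records, as a collector or tap might export them.
FLOWS = [
    Flow("10.0.1.20", "10.0.1.10", 5432, 12_000),    # known app -> known db
    Flow("10.0.1.10", "10.0.2.5", 22, 800_000),      # db -> known backup host
    Flow("10.0.1.10", "10.0.9.77", 445, 5_000_000),  # db -> host not in inventory
    Flow("10.0.3.4", "198.51.100.7", 443, 20_000),   # unknown host -> external
]


def is_internal(ip):
    """True if the address falls inside one of our declared internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def classify(flow, inventory=INVENTORY):
    """Return the findings (possibly none) for a single flow record."""
    findings = []
    src, dst = inventory.get(flow.src), inventory.get(flow.dst)
    # An internal address we do not own is a blind spot in the inventory.
    if src is None and is_internal(flow.src):
        findings.append("unknown-internal-source")
    if dst is None and is_internal(flow.dst):
        findings.append("unknown-internal-destination")
    # Critical data leaving a known asset for somewhere we cannot account for.
    if src and src.critical and dst is None:
        findings.append("critical-asset-to-unknown")
    if src and src.critical and not is_internal(flow.dst):
        findings.append("critical-asset-to-external")
    return findings


def review(flows, inventory=INVENTORY):
    """Map each flow that produced findings to its list of findings."""
    result = {}
    for flow in flows:
        findings = classify(flow, inventory)
        if findings:
            result[flow] = findings
    return result


if __name__ == "__main__":
    for flow, findings in review(FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {flow.bytes_out}B  {findings}")
```

Run as a script, it reports the two flows worth triaging: the customer database sending a large volume to an internal host nobody registered, and an unregistered internal host talking to the outside. Neither is proof of an attack; they are exactly the "known unknowns" the article describes, gaps between what the inventory says exists and what the wire shows, and closing them (register the host, or investigate it) is what turns raw visibility into faster detection.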
While you may not know where the next attack is coming from -- or when it’s going to happen -- you CAN prepare so that you detect it as fast as possible. It’s all about knowing your unknowns and having a complete picture of what happened before, during, and after an attack. The faster you can see and respond, the more you reduce risk and damage.
Justin Harvey is Head of Security Strategy at Gigamon. He has more than 20 years of information security experience and technical knowledge, establishing him as a trusted cyberdefense security advisor to executives and government leaders at some of the world’s largest commercial and government organizations. His work with major global entities has taken him across Asia to lead large-scale incident response efforts in the wake of targeted attacks, as well as to Europe and the Middle East to advise enterprises and ministries of defense on threat intelligence and nation-state espionage actors.