The three C’s of cybersecurity | SEI (2024)

Cyberattacks are inevitable, but they do not have to be a disaster for a business. Avoiding that outcome calls for precision in how security data is collected and structured: precise data enables precise outcomes and gives security teams a real chance to beat the attackers.

Precision in security requires the data to be integrated so that it can produce context, correlation and causation. We call these the "Three C's of Security."

What do we mean by precision?

Consider the effectiveness of “intelligence” telling you that there’s a malicious green car in your area. All of a sudden your radar is up and on the lookout for a green car. Now when a green car drives by you think—there’s the criminal! However, it turns out it’s just a friend dropping off food at the neighbor’s house. You see another green car and your radar is back up. Green car! But actually it’s the babysitter at the house across the street.

Precision would provide us additional details, such as “green Ford sedan, bumper sticker on rear passenger side, horizontal dent in the driver’s side door, and Texas license plate.” With this information we aren’t thrown off by a bunch of benign data points coinciding with the intelligence—the equivalent of false positive alerts.

And realistically, by the time that "green car" alert gets out, the criminal has most likely switched vehicles, but the criminal is still out there. What we need to be looking for is something that simply shouldn't be there, for example any car that passes a few too many times without stopping. It may not even be a car; it could be a bike or a pedestrian. We keep searching until we are assured the threat no longer lingers in our space (i.e., until the defensive controls have proven effective). A model for thinking about this is the Pyramid of Pain, which ranks indicators by how much it costs the adversary to change them: hash values and IP addresses at the bottom are as cheap to swap as the getaway car, while the tools and the tactics, techniques and procedures at the top are not.

Let's talk about the three C's of security:

1. Context: In setting context to uncover an attack, an analyst would want visibility into attributes such as:

  • Location and time of the suspicious activity
  • What was accessed
  • Who is allowed access
  • How, if at all, the behavior in question differs from normal behavior

Detection tools and policy drive most of this. Ideally, all of this information is available in a centralized operations tool so that the analyst does not have to assemble it by hand during an incident, which is what makes a fast response possible.
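The "green car" problem from the precision discussion and the four context attributes listed above can be put into working code. The following is an added example, not code from the original article: the asset inventory, per-user baselines and access log lines are constructed for illustration, and the rule threshold (two or more deviations) is an assumed choice. It enriches each event with location, what was accessed, who is allowed access and how the event differs from the user's baseline, then compares a single-attribute rule (any read of the finance share) against a context-aware rule.

```python
"""Context enrichment over constructed file-access events.

Added example, not code from the original article: the inventory, baselines
and log lines below are constructed for illustration.
"""
from datetime import datetime

# Constructed asset inventory: where each share lives and who is allowed on it.
# allowed=None means the share is open to everyone.
INVENTORY = {
    "finance-share": {"location": "HQ-DC1", "allowed": {"alice", "bob"}},
    "public-share": {"location": "HQ-DC2", "allowed": None},
}

# Constructed per-user baseline: usual working hours (UTC) and usual workstations.
BASELINE = {
    "alice": {"hours": range(8, 19), "hosts": {"ws-alice"}},
    "bob": {"hours": range(8, 19), "hosts": {"ws-bob"}},
    "carol": {"hours": range(8, 19), "hosts": {"ws-carol"}},
}

# Constructed access log: timestamp, user, source host, share, action.
LOG_LINES = [
    "2024-03-04T09:12:00Z alice ws-alice finance-share READ",
    "2024-03-04T10:03:00Z bob ws-bob finance-share READ",
    "2024-03-04T02:41:00Z carol ws-alice finance-share READ",
    "2024-03-04T14:20:00Z carol ws-carol public-share READ",
    "2024-03-04T03:15:00Z alice ws-alice finance-share READ",
]


def parse(line):
    ts, user, host, share, action = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "host": host, "share": share, "action": action,
    }


def build_context(ev):
    """Attach the four context attributes and list how the event deviates from normal."""
    asset = INVENTORY.get(ev["share"], {"location": "unknown", "allowed": None})
    base = BASELINE.get(ev["user"])
    deviations = []
    if asset["allowed"] is not None and ev["user"] not in asset["allowed"]:
        deviations.append("user not on allowed list")
    if base is None:
        deviations.append("no baseline for user")
    else:
        if ev["ts"].hour not in base["hours"]:
            deviations.append("outside usual hours")
        if ev["host"] not in base["hosts"]:
            deviations.append("unusual source host")
    return {**ev, "location": asset["location"],
            "allowed": asset["allowed"], "deviations": deviations}


def loose_rule(ctx):
    """The 'green car' rule: any read of the finance share is an alert."""
    return ctx["share"] == "finance-share"


def precise_rule(ctx):
    """Context-aware rule: finance-share access that deviates in two or more ways (assumed threshold)."""
    return loose_rule(ctx) and len(ctx["deviations"]) >= 2


def run(lines=LOG_LINES):
    """Enrich every line and return both rules' alerts for comparison."""
    contexts = [build_context(parse(line)) for line in lines]
    return {
        "contexts": contexts,
        "loose": [c["user"] for c in contexts if loose_rule(c)],
        "precise": [c for c in contexts if precise_rule(c)],
    }


if __name__ == "__main__":
    result = run()
    print("loose-rule alerts:", result["loose"])
    for c in result["precise"]:
        print("precise alert:", c["user"], c["host"], c["location"], c["deviations"])
```

On this constructed input the loose rule fires four times, three of them on legitimate finance staff during working hours; the context-aware rule fires once, on a user who is not on the allowed list, is active at 02:41 and is using someone else's workstation. The single-deviation case (alice at 03:15) is deliberately left below the threshold: one attribute coinciding with the intelligence is the green car driving past.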

2. Correlation serves to narrow the focus of the investigation: it uses all available information to form a hypothesis that can be tested. "For a given input, a certain output is sometimes observed."

In testing many variables of car color and shape, it appears that when "green cars" are introduced to the neighborhood, there is a crime.

But this is not always true: there are innocent green cars on the road. That is fine, because correlation does not require the same output for each input. With sufficient data available we can narrow the hypothesis further until we find pay dirt.

Correlation is built from intelligence produced by well-integrated tools, vendors and controls, and by the experts managing them.
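The narrowing described in this section is, in practice, a join across log sources within a time window. The following is an added example, not code from the original article: the auth and audit log lines are constructed, and the burst size (five failures in five minutes) and follow-on windows (thirty minutes) are assumed thresholds. Each failed login on its own is a "green car"; the hypothesis "a failure burst, then a success from the same source, then a privilege change by that user" is what correlation tests, and the example reports how far each candidate chain gets.

```python
"""Correlating two constructed log sources into a testable hypothesis chain.

Added example, not code from the original article: the log lines, thresholds
and windows below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth and audit log lines: timestamp, source, event kind, key=value fields.
LOG_LINES = [
    "2024-03-04T08:00:10Z auth FAIL user=svc_backup src=10.0.0.5",
    "2024-03-04T08:30:00Z auth SUCCESS user=alice src=10.0.0.11",
    "2024-03-04T09:00:00Z audit GROUP_ADD actor=alice member=dave group=Developers",
    "2024-03-04T22:01:00Z auth FAIL user=bob src=203.0.113.7",
    "2024-03-04T22:01:30Z auth FAIL user=bob src=203.0.113.7",
    "2024-03-04T22:02:00Z auth FAIL user=bob src=203.0.113.7",
    "2024-03-04T22:02:30Z auth FAIL user=bob src=203.0.113.7",
    "2024-03-04T22:03:00Z auth FAIL user=bob src=203.0.113.7",
    "2024-03-04T22:04:00Z auth SUCCESS user=bob src=203.0.113.7",
    "2024-03-04T22:10:00Z audit GROUP_ADD actor=bob member=bob group=Administrators",
    "2024-03-04T23:00:00Z auth FAIL user=admin src=198.51.100.9",
    "2024-03-04T23:00:30Z auth FAIL user=admin src=198.51.100.9",
    "2024-03-04T23:01:00Z auth FAIL user=admin src=198.51.100.9",
    "2024-03-04T23:01:30Z auth FAIL user=admin src=198.51.100.9",
    "2024-03-04T23:02:00Z auth FAIL user=admin src=198.51.100.9",
]


def parse(line):
    ts, source, kind, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
             "source": source, "kind": kind}
    event.update(field.split("=", 1) for field in fields)
    return event


def correlate(events, min_fail=5, fail_window=timedelta(minutes=5),
              follow_window=timedelta(minutes=30)):
    """Hypothesis: failure burst -> success from the same src/user -> privilege change by that user."""
    events = sorted(events, key=lambda e: e["ts"])
    failures = defaultdict(list)
    for e in events:
        if e["kind"] == "FAIL":
            failures[(e["src"], e["user"])].append(e["ts"])

    def first(pred):
        return next((e for e in events if pred(e)), None)

    chains = []
    for (src, user), times in failures.items():
        for i in range(len(times)):
            # Sliding window over this source's failure timestamps.
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= fail_window:
                j += 1
            if j - i + 1 < min_fail:
                continue
            burst_end = times[j]
            chain = {"src": src, "user": user, "stage": "burst", "burst_end": burst_end}
            success = first(lambda e: e["kind"] == "SUCCESS" and e["src"] == src
                            and e["user"] == user
                            and burst_end <= e["ts"] <= burst_end + follow_window)
            if success is not None:
                chain["stage"] = "success_after_burst"
                change = first(lambda e: e["kind"] == "GROUP_ADD" and e.get("actor") == user
                               and success["ts"] <= e["ts"] <= success["ts"] + follow_window)
                if change is not None:
                    chain["stage"] = "privilege_change"
                    chain["group"] = change["group"]
            chains.append(chain)
            break  # one chain per (src, user) rather than every overlapping window
    return chains


def summarize(lines=LOG_LINES):
    """Compare single-indicator alert volume with the correlated result."""
    events = [parse(line) for line in lines]
    chains = correlate(events)
    return {
        "fail_alerts": sum(e["kind"] == "FAIL" for e in events),
        "group_change_alerts": sum(e["kind"] == "GROUP_ADD" for e in events),
        "bursts": len(chains),
        "confirmed": [c for c in chains if c["stage"] == "privilege_change"],
    }


if __name__ == "__main__":
    s = summarize()
    print("failed-login alerts:", s["fail_alerts"], "group-change alerts:", s["group_change_alerts"])
    for c in s["confirmed"]:
        print("correlated chain:", c["user"], "from", c["src"], "->", c["group"])
```

Alerting on each input separately would produce eleven failed-login alerts and two group-change alerts on this input; the correlation yields two failure bursts, of which one continues through a successful login to a group change, and that single chain is the hypothesis worth an analyst's time. The burst from 198.51.100.9 stays at the "burst" stage, which is the green car that turned out to be the babysitter.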

3. Causation is about having the details from every vector to reach a high degree of certainty: it identifies not only the green car, the criminals in it and what they stole, but also why they stole it, where their base of operations most likely is, and how they were able to bypass your security.

It's good to know whether you were a strategic or opportunistic target before responding. Causation is what allows us to know whether we have successfully mitigated the threat, and it gives us the information to put controls in place that remediate the threat going forward.

We can respect the capabilities and determination of attackers without lionizing them; after all, they have the same tendencies toward routine and observable "tells" as anyone else with a pulse. They want the most bounty for the least investment.

A system that is able to produce context, correlation and causation around activity on infrastructure serves as a strong benchmark for defense. It may require more tooling and investment, but it helps provide assurance that all risk is known and capable of being addressed.

As an expert in cybersecurity with a deep understanding of data collection, structuring, and the intricacies of security operations, I can attest to the critical nature of precision in dealing with cyber threats. The article emphasizes the inevitability of cyberattacks but underscores the importance of approaching them with a strategic and precise mindset. Let's delve into the concepts presented in the article and break down the "Three C’s of Security."

1. Context:

  • Definition: In the context of cybersecurity, "context" refers to the relevant details surrounding a suspicious activity or potential security breach.
  • Importance: Understanding the location, time, accessed resources, permitted access, and deviations from normal behavior provides a comprehensive view for analysts to assess the situation.
  • Tools and Sources: Detection tools and security policies are instrumental in providing context. Centralized operations tools enhance the speed of response by consolidating this information.

2. Correlation:

  • Definition: "Correlation" involves analyzing various data points to form hypotheses and identify patterns that may indicate a security threat.
  • Importance: It helps narrow down the focus of an investigation by connecting seemingly disparate pieces of information.
  • Data Integration: Correlation relies on well-integrated tools, vendors, and controls managed by experts. Sufficient data allows for refining hypotheses until actionable insights are gained.

3. Causation:

  • Definition: "Causation" involves having a comprehensive understanding of the details from every vector, providing a high degree of certainty about a security incident.
  • Importance: It goes beyond identifying the who, what, and when, delving into the why and how of a security event. This knowledge is crucial for effective threat mitigation and future risk management.
  • Strategic Insight: Causation helps distinguish between strategic and opportunistic threats, enabling organizations to tailor their response accordingly.

The Pyramid of Pain:

  • Reference: The article points to the "Pyramid of Pain" as a model for effective threat hunting. It is David Bianco's hierarchy of indicator types ranked by how much it costs the adversary to change them: hash values and IP addresses at the base, then domain names, network and host artifacts, tools, and finally tactics, techniques and procedures at the top. Detections built on the upper levels survive the attacker "changing cars"; detections built on the lower levels do not.

Conclusion:

  • Effective Defense Model: The article concludes by highlighting that a system capable of producing context, correlation, and causation serves as a robust benchmark for defense. Although it may require additional tooling and investment, such a system provides assurance that all risks are known and can be addressed.

In essence, the Three C’s of Security—Context, Correlation, and Causation—form a framework that enables security teams to navigate the complex landscape of cyber threats with precision and effectiveness. This approach is not just about responding to alerts but about understanding the full scope of an incident and implementing measures to mitigate future risks.

Article information

Author: Eusebia Nader