Knowing the enemy is one thing...
April 17, 2020
From watchtowers and scouts on horseback to modern-day satellites, the ability to know the enemy has always been an advantage. The same holds true in today’s cyber realm. The only difference now? Our methods for obtaining and leveraging this knowledge.
Now we focus on threat intelligence, indicators of compromise (IoCs), and deploying tools/technologies that help us ‘see’ attackers as quickly as possible. These well-established methods comprise a large percentage of the security vendor booths seen on conference floors, and for good reason. What you know about can be prevented, detected, or, at minimum, contained. But with so much emphasis on looking outward, it’s easy to neglect an equally important area of knowledge: yourself.
“If you know yourself and know your enemy, you will not be imperiled in a hundred battles.” – Sun Tzu, The Art of War.
It may seem cliché to quote the renowned Chinese general, but did you know that he was repeating an old proverb? For thousands of years, people have been sharing this insight for one simple reason: It’s valuable.
And what of businesses? How does an organization ‘know itself’ in the cybersecurity sense? It would be nice if it were easy, but it’s not. This self-knowledge requires a mature security program with unified and reasonably transparent coordination and communication, plus the commitment to consistently challenge the status quo by asking questions like, “What are we missing? How do we prioritize improvement? What are the best investments we can make?”
These reflections are a good start, but they are usually ad hoc and tactical rather than built into strategic planning. And that assumes an organization’s security leadership team sees the program clearly, objectively and in relation to its peers and sector, all of which is difficult.
Every organization can benefit from an objective, customized examination of its security posture. To that end, Accenture has designed several services that turn attention inward – thus helping organizations raise the questions that will lead to reasonable and realistic recommendations. They include:
A tabletop exercise (TTX) is different from red teaming and other more technically focused testing because it enables top-to-bottom testing, from initial alert and investigation through executive business decisions and public relations. It can also give each exercise a specific focus (for example, crisis communications). By simultaneously involving stakeholders from different functions and levels, a TTX makes it easier to engage in valuable, real-time discussions.
It’s not always fun to have honest discussions about security capabilities and priorities. Often, cybersecurity leadership inherits a mélange of initiatives from previous decisions or has been in ‘firefighting mode’ so long that self-examination/systemic changes have been indefinitely deferred. That’s exactly why asking the right questions — as soon as possible — is critical.
It never fails: Whether during a TTX or some other assessment, someone from one part of an organization will describe a security control or process and someone else will contradict them, saying, “I was under the impression that . . . .” This kind of misunderstanding seems to happen when people assume how security operates in their environment, which is often large and difficult to manage. Just having people who don’t normally see each other in the same room can start important discussions and help an organization know itself.
For example, I facilitated a TTX at a company that had host-based security on some business-critical servers. During the meeting, when the security team said the system was in ‘alert’ mode for certain threats (due to a policy), the CIO expressed surprise. He’d thought it was in ‘block’ mode. They hadn’t even realized they needed to have this conversation until someone was standing in front of them asking the right questions, and they all agreed to change it to block that day.
It may sound too simple, but it’s true: Knowing yourself is as important as knowing the enemy.
For additional information on our CRD and tabletop services or to reach a member of our incident response consulting practice, please call 888-RISK-411 or email CIFR.firstname.lastname@example.org.
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative. The opinions, statements, and assessments in this article are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates.