As a long-time Dallas Cowboys fan, I was thrilled to see this recent ESPN headline: “How did the Eagles, Cowboys, Giants improve so much in 2022?” (minus the Eagles and Giants parts, of course). Here is how ESPN’s Bill Barnwell sums up the Cowboys’ transformation this season: “The biggest difference between the 2020 Cowboys and the 2022 edition is on the defensive side of the ball.” Although Barnwell may have jinxed the Cowboys given Sunday’s loss against the Eagles, he still is fundamentally right that Dallas has leveled up its defensive game considerably this year.
Let me repeat that: “the biggest difference … is on the defensive side of the ball.” For sure, a strong defense can transform the game.
In cybersecurity, we must apply this same approach — that is, we must build up our collective defense with the best defensive players. Right now, SOC teams are getting dog-piled all over every “division” — from state governments to the transportation sector as Killnet wreaks its ransomware havoc to healthcare (which must ward off the offense going after lucrative PHI records) to the financial sector dealing with Robin Banks.
So how do we block and tackle the adversaries to keep SOC analysts from getting crushed, week after week? Pleading like many a vocal Cowboys fan from the bleachers, I personally know who to put in defensively.
Here’s my fantasy cyber defensive lineup … and the playbooks:
1. Threat correlation engine (aka “Triple Threat”)
In cybersecurity, getting sprayed by the alert cannon is never fun. Neither is getting burned by missing the one malicious alert that could make for a very bad day, the one that really does need all eyes on it. At IronNet, our “Triple Threat” correlation engine levels up defense by correlating detections and alerts to create an event that has been automatically linked to other events generated in our system. That way, one alert now stands out from all those other alerts lobbed from the cannon. IronNet’s own threat correlation engine is essentially infused with the “CODE-ified” expertise of our elite, Tier 3 analysts and threat hunters. So, when our network detection and response (NDR) tool, IronDefense, creates an event, it’s not just generating an alert based on a single analytic (or “one-off analytics”); it’s an event pre-packaged with context and an investigative playbook.
Take an activity that looks like command and control (C2) communications, for instance. On its own, the activity could be benign, such as a system update. If the alert links up with other suspicious activity, however, like an unusual email with a strange link or attachment and perhaps a beacon, then the story told by these three alerts together is a major problem. The correlation engine automatically decodes the offensive playbook — giving SOC analysts invaluable time to spring into action.
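The linking described above, as an added illustration and not IronNet’s own code: single-analytic alerts are grouped per host, and only a host whose alerts cover the C2-like, suspicious-email and beacon combination inside a time window is raised to one high-severity event with its linked alerts attached. The alert records, host names, addresses and 30-minute window are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (hypothetical data), each raised by a single analytic.
ALERTS = [
    {"ts": "2022-10-17T09:01:00", "host": "ws-42", "type": "suspicious_email",
     "detail": "inbound mail with unusual link and .iso attachment"},
    {"ts": "2022-10-17T09:04:30", "host": "ws-42", "type": "beacon",
     "detail": "outbound requests every 60s to 203.0.113.7"},
    {"ts": "2022-10-17T09:05:10", "host": "ws-42", "type": "c2_like",
     "detail": "long-lived TLS session to 203.0.113.7"},
    {"ts": "2022-10-17T10:15:00", "host": "srv-01", "type": "c2_like",
     "detail": "periodic check-in to vendor update server"},
]

# The combination the text describes: C2-like traffic + suspicious email + beacon.
PLAYBOOK = frozenset({"suspicious_email", "beacon", "c2_like"})
WINDOW = timedelta(minutes=30)  # assumed correlation window


def correlate(alerts, playbook=PLAYBOOK, window=WINDOW):
    """Emit one event per host: 'high' with all linked alerts when the whole
    playbook appears inside the window, otherwise 'low' so it does not drown
    the event that matters."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(dict(a, ts=datetime.fromisoformat(a["ts"])))

    events = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        linked = None
        for i, first in enumerate(items):
            # every alert that falls inside the window opened by this one
            chain = [a for a in items[i:] if a["ts"] - first["ts"] <= window]
            if playbook <= {a["type"] for a in chain}:
                linked = chain
                break
        if linked:
            events.append({"host": host, "severity": "high",
                           "linked": [a["type"] for a in linked],
                           "playbook": "investigate as one intrusion: mail, beacon, C2 peer"})
        else:
            events.append({"host": host, "severity": "low",
                           "linked": [a["type"] for a in items],
                           "playbook": "single analytic only; review, likely benign"})
    return events
```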
2. C2 threat intelligence (aka “IronRadar”)
I just wrote about our new recruit IronRadar in my last blog. IronRadar is an important part of the radar-like cyber view of the threat landscape. It’s IronNet’s unique attack intelligence feed related to adversarial infrastructure. It can identify threats as new C2 servers appear and before they are used in sophisticated cyber attacks.
IronRadar uses an innovative process that fingerprints a server and determines whether it is adversary infrastructure while those servers are being stood up, even before a cyber attack is initiated. If the offensive line pushes forward, IronRadar lets SOC analysts put up the best defensive playbook to proactively block adversarial infrastructure. It’s easy to see why this threat intel feed rounds out my fantasy team, as it can intercept ransomware campaigns at the early stages so your organization doesn’t have to save face for your loyal fans.
3. Attack intelligence (aka “Collective Defense”)
Attack intelligence delivers the power of a proactive collective defense thanks to real-time visibility of what’s happening across the entire cyber field — well before a cyber attack does its damage. Attack intelligence gives you the visibility to see the offensive linebackers coming well before they even flinch. With attack intelligence, foresight is 20/20.
Attack intelligence delivers real-time insights built on what’s happening not just in one game but across all the games, all the team playbooks. It gives SOC analysts the ability to read Matt LaFleur’s lips through the clipboard or decode Tom Brady’s signals at the line of scrimmage to prepare the defensive line accordingly and come out on top. It’s the difference between speculating about what could happen on the cyber field and knowing what’s actually happening with situational context — and where they’re coming after you — with plenty of time to stop the offensive line’s play. In short, attack intelligence is the foundation of a powerful collective defense.
Stronger defense through Collective Defense
That’s my fantasy cyber defensive lineup. My players are all part of the IronNet Collective Defense platform. These defensive tools level up all SOC teams by empowering analysts to work together in real time and crowdsource their expertise. Together, they make up the best Collective Defense in the cyber league — hands down.