

The Importance of Collecting Historical Data: A Q&A with Chief Security Strategist Ben Johnson

October 8, 2014 / Editorial Staff

On Tuesday, Bit9 + Carbon Black issued a joint news release with General Dynamics Fidelis Cybersecurity Solutions announcing the expansion of our partnership.

Using Carbon Black will enable the Fidelis Network Defense and Forensics team to supplement its network visibility and reveal the entire “kill chain” of the attack.

Ben Johnson, chief security strategist for Bit9 + Carbon Black recently shared his thoughts on the partnership expansion and the importance of collecting historical data for fast and effective incident response:

Q: Given the high-profile nature of recent data breaches, how do you see the cybersecurity landscape changing? And, what is the most important thing for IT security staff to understand as we move forward in the ever-advancing world of advanced and targeted attacks?

A: The landscape is changing in that huge volumes of information are being stolen at a faster and faster rate. It used to be that if there were two men and a bear, you didn’t have to outrun the bear, you just had to outrun the other man. Or, in other words, you just needed someone else to be less secure so that the opportunistic criminals would go after them and not you. But these attacks are so targeted, and the cyber-crime business is so lucrative, that once you have that bull’s-eye on you, your adversaries are going to be diligent, focused and sophisticated in coming after you. The team needs to be resilient so a single instance of unauthorized access does not lead to long-term persistence and exfiltration of valuable information. And finally, teams need to hunt. They need to be looking for the bad guys who are most likely already inside the ecosystem, and not just waiting months until the FBI, credit card companies or audits find problems.

Q: Obviously preventing a network breach is always the top priority of any IT security staff. How does the integration of historical data improve the proactive defense against today’s advanced threats?

A: Historical data is key to any security program. Our companies and our security teams must learn from each incident; they must be able to quickly scope and analyze what happened, and they must have the insight to be able to start spending cycles to fix the root causes of their issues. The bad guys learn, so why don’t we? Historical data also helps when you’re looking for anomalies and strange behavior to detect the adversaries who “live off the land,” that is, those who use built-in tools, accounts, and more and don’t really install a lot of seemingly malicious software. Comparing activity to what has historically been normal is one way to start spotting these adversaries (as well as insider threats and even regular malware).
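The baseline comparison described in that answer, as an added example that is not part of the original interview or of any Bit9 + Carbon Black product: it builds a frequency baseline of (user, parent process, child process) triples from constructed historical endpoint events, then flags recent events whose combination has little or no history. The event tuples, host names and the `min_history` threshold are all constructed for illustration.

```python
from collections import Counter

# Constructed sample data: (host, user, parent process, child process).
# Thirty days of the same routine activity, so each pairing has a count of 30.
HISTORICAL_EVENTS = [
    ("ws01", "alice",      "explorer.exe", "outlook.exe"),
    ("ws01", "alice",      "explorer.exe", "winword.exe"),
    ("ws01", "alice",      "explorer.exe", "powershell.exe"),
    ("ws02", "bob",        "explorer.exe", "chrome.exe"),
    ("ws02", "bob",        "services.exe", "svchost.exe"),
    ("ws03", "svc-backup", "services.exe", "backup-agent.exe"),
] * 30

# Constructed "today" events. Three of them use built-in tools only, which is
# exactly the living-off-the-land pattern that signature-based tools miss.
RECENT_EVENTS = [
    ("ws01", "alice",      "explorer.exe",     "outlook.exe"),
    ("ws01", "alice",      "winword.exe",      "powershell.exe"),  # Office spawning a shell
    ("ws02", "bob",        "explorer.exe",     "chrome.exe"),
    ("ws03", "svc-backup", "backup-agent.exe", "net.exe"),         # service account enumerating
    ("ws02", "bob",        "powershell.exe",   "wmic.exe"),        # shell driving WMI
]


def build_baseline(events):
    """Count how often each (user, parent, child) pairing occurred historically.

    The host is deliberately left out of the key so that a user doing the
    same thing on a second workstation does not look anomalous by itself.
    """
    return Counter((user, parent, child) for _host, user, parent, child in events)


def find_anomalies(baseline, recent, min_history=5):
    """Return recent events whose (user, parent, child) key has fewer than
    min_history occurrences in the baseline, as (event, historical_count) pairs.

    Every powershell.exe launch is not flagged: alice running it from
    explorer.exe is normal for her; running it from winword.exe is not.
    """
    anomalies = []
    for event in recent:
        _host, user, parent, child = event
        seen = baseline.get((user, parent, child), 0)
        if seen < min_history:
            anomalies.append((event, seen))
    return anomalies


if __name__ == "__main__":
    baseline = build_baseline(HISTORICAL_EVENTS)
    for event, seen in find_anomalies(baseline, RECENT_EVENTS):
        host, user, parent, child = event
        print(f"{host}: {user} ran {child} from {parent} (seen {seen} times before)")
```

In practice the baseline window, the key fields and the threshold are tuned per environment; the point the example makes is that the detection comes from the history, not from the binary being malicious.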

Q: Most organizations understand that preventing network breaches must be a top priority. However, many don’t plan sufficiently for what happens after a breach is detected. What is your most important piece of advice for IT security staff when developing incident response plans?

A: Similar to any non-cyber response, you want your team to be ready to go and not be freaking out when a real situation happens. These days incident response is pretty much an hourly occurrence, so teams should know who is responsible for what, what causes an alert or event to be escalated, where to pull more information and context, and when to involve IT, legal, HR, and other non-security teams. The measurement of how the team is doing is key, however, as it is the continual improvement, evolution and retrospection of the team that is really critical today. Measuring things such as mean time to detect, mean time to respond, dwell time, human time spent on false positives, scope of each incident, etc., is crucial. Remember, if you don’t measure it, you can’t optimize it, and this applies very well to incident response.
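The metrics named in that answer, computed over a set of constructed incident records as an added example (not code from the original post or from any vendor). The record layout, the incident ids and every timestamp are assumptions; `first_activity` is the earliest attacker activity established during scoping, which is what makes dwell time measurable at all.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records. Timestamps are ISO 8601; None means the value
# was never established (a false positive has no attacker activity to scope).
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2014-09-01T08:00", "detected": "2014-09-03T08:00",
     "contained": "2014-09-03T14:00", "false_positive": False, "analyst_hours": 6.0,  "hosts": 3},
    {"id": "INC-2", "first_activity": "2014-09-10T08:30", "detected": "2014-09-10T09:00",
     "contained": "2014-09-10T10:00", "false_positive": False, "analyst_hours": 1.5,  "hosts": 1},
    {"id": "INC-3", "first_activity": None,               "detected": "2014-09-12T12:00",
     "contained": None,               "false_positive": True,  "analyst_hours": 2.0,  "hosts": 0},
    {"id": "INC-4", "first_activity": "2014-09-05T00:00", "detected": "2014-09-15T00:00",
     "contained": "2014-09-16T00:00", "false_positive": False, "analyst_hours": 20.0, "hosts": 12},
]


def _hours_between(start_iso, end_iso):
    """Elapsed hours between two ISO timestamps."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return (end - start).total_seconds() / 3600


def ir_metrics(incidents):
    """Compute the incident-response metrics the interview lists.

    Returns a dict with mean time to detect (first activity -> detection),
    mean time to respond (detection -> containment), mean dwell time
    (first activity -> containment), analyst hours burned on false positives,
    the false-positive rate, and mean scope in hosts. All times are in hours.
    Mean values are None when there are no true incidents to average.
    """
    true_incidents = [i for i in incidents if not i["false_positive"]]
    false_positives = [i for i in incidents if i["false_positive"]]

    def avg(values):
        values = list(values)
        return mean(values) if values else None

    return {
        "mttd_hours": avg(_hours_between(i["first_activity"], i["detected"]) for i in true_incidents),
        "mttr_hours": avg(_hours_between(i["detected"], i["contained"]) for i in true_incidents),
        "dwell_hours": avg(_hours_between(i["first_activity"], i["contained"]) for i in true_incidents),
        "false_positive_hours": sum(i["analyst_hours"] for i in false_positives),
        "false_positive_rate": len(false_positives) / len(incidents) if incidents else None,
        "mean_scope_hosts": avg(i["hosts"] for i in true_incidents),
        "incident_count": len(incidents),
    }


if __name__ == "__main__":
    for name, value in ir_metrics(INCIDENTS).items():
        print(f"{name:22s} {value}")
```

Tracking these numbers per month rather than per incident is what turns them into the improvement signal the answer is after: a falling dwell time with a flat analyst-hours figure is the retrospection paying off.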

Q: General Dynamics Fidelis are experts in collecting historical data across the network. Bit9 and Carbon Black are leaders in endpoint security. How does the collection of historical data at the endpoint complement data collected from the network?

A: A lot of times when we talk to prospects, they get nervous at the amount of endpoint activity data we provide. “Not another fire hose!” they say. The thing many of them fail to recognize is that it is all about understanding data, or really, it is about converting data to intelligence. If you don’t know what’s running, and what’s modifying your systems, and what’s making those communications, you’re missing a lot of context. Similarly, network traffic can tell you a lot about exfiltration of sensitive information, about patterns of communication, of inbound payloads, and help when the device on the network is not being monitored with an endpoint solution. It is really the blending of endpoint and network visibility with data analytics and threat intelligence that we need in order to combat these aggressive, resilient attackers.

Q: Some organizations may believe that if they are protected at either the endpoint or the network level, any threat won’t be able to do much damage because they have done their due diligence and installed a cybersecurity solution. Why is it so important to have a layered defense and seamless integration between the endpoint and network when dealing with advanced threats?

A: Defense in depth is more than just a good idea. You don’t put your entire team in the outfield or your entire team in the infield and think you’re going to win the game. Attackers, threats and other malicious behavior occur in different ways. Multiple protection, detection and response mechanisms are an essential part of the security team’s arsenal. It’s important to remember that security operations is about technology supporting humans, not the other way around. One example of this: when you get a network-based alert, would you rather it told you if the malicious payload ran, or would you rather have to figure that out on your own? Integration is really key to being able to keep up with our adversaries, especially when no one has enough security analysts.
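The network-plus-endpoint blending described in the last two answers, as an added example that is neither code from the original interview nor the Fidelis or Carbon Black integration itself: each constructed network alert (a carved payload hash seen going to a host) is joined against constructed endpoint execution records on host and hash, so an analyst is told whether the payload actually ran, as whom, and from where. Hosts without an endpoint sensor are handled as the unmonitored-device case the earlier answer mentions. The record classes, hashes, hostnames and priority labels are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NetAlert:
    alert_id: str
    host: str       # download destination, already resolved to a hostname (constructed)
    sha256: str     # hash of the payload carved from the network stream
    seen_at: str    # ISO 8601 timestamp


@dataclass(frozen=True)
class EndpointExec:
    host: str
    sha256: str
    path: str
    user: str
    started_at: str


# Constructed data. Hosts with an endpoint sensor; ws07 has none.
MONITORED_HOSTS = {"ws01", "ws02"}

NET_ALERTS = [
    NetAlert("NA-1", "ws01", "aa" * 32, "2014-10-01T09:00"),
    NetAlert("NA-2", "ws02", "bb" * 32, "2014-10-01T09:05"),
    NetAlert("NA-3", "ws07", "cc" * 32, "2014-10-01T09:10"),
]

ENDPOINT_EXECS = [
    EndpointExec("ws01", "aa" * 32, "C:\\Users\\alice\\Downloads\\invoice.exe", "alice", "2014-10-01T09:02"),
    EndpointExec("ws02", "dd" * 32, "C:\\Windows\\System32\\svchost.exe", "SYSTEM", "2014-10-01T09:06"),
]


def _ts(iso):
    return datetime.fromisoformat(iso)


def enrich_alert(alert, execs, monitored, window=timedelta(hours=24)):
    """Answer 'did the payload run?' for one network alert.

    Looks for executions of the same hash on the same host within `window`
    after the alert. Priority: high if it ran, low if the sensor saw nothing,
    medium if the host has no sensor (the network alert is all we have).
    """
    if alert.host not in monitored:
        return {"alert_id": alert.alert_id, "coverage": "none", "ran": None,
                "priority": "medium", "executions": []}
    start = _ts(alert.seen_at)
    matches = [e for e in execs
               if e.host == alert.host and e.sha256 == alert.sha256
               and start <= _ts(e.started_at) <= start + window]
    return {"alert_id": alert.alert_id, "coverage": "endpoint", "ran": bool(matches),
            "priority": "high" if matches else "low",
            "executions": [(e.user, e.path, e.started_at) for e in matches]}


def triage(alerts, execs, monitored):
    """Enrich every alert and order the queue so analysts see confirmed executions first."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = [enrich_alert(a, execs, monitored) for a in alerts]
    return sorted(results, key=lambda r: order[r["priority"]])


if __name__ == "__main__":
    for r in triage(NET_ALERTS, ENDPOINT_EXECS, MONITORED_HOSTS):
        print(r["alert_id"], r["priority"], r["coverage"], r["ran"], r["executions"])
```

The "low" outcome is only as trustworthy as the sensor's coverage and retention, which is why the example distinguishes "sensor saw nothing" from "no sensor" rather than collapsing both into "did not run".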

Q: Is there any last piece of advice you want to add?

A: When I talk to teams, my personal stance is that the top two things for security at any company are 1) cultural buy-in and 2) security engineering. We need teams who have tools and systems that enable them to observe and act faster than their cyber adversaries. They need to pull in their own custom context, they need to automate various aspects of comparison, retrieval and correlation. And we need more entry-level individuals to be effective in fighting trained, foreign military cyber groups. Sounds simple, eh?