This guest column from Rohan Amin of Lockheed Martin explores strategies for cybersecurity professional collaboration and sharing knowledge. This is the final column in a three-part cybersecurity series from Lockheed Martin.
By Rohan Amin
Editor's Note: Parts One and Two of Lockheed Martin's three-part post for Cybersecurity Awareness Month explained the need for an analyst-based approach to computer network defense and how to attract and develop talented cyber professionals. Part Three addresses the importance of managing data and sharing knowledge.
Intelligence-based cybersecurity is centered around skilled analysts using robust tools in a collaborative environment. Two elements of this formula are relatively straightforward. Commercial technology tools are readily available, and we know how to cultivate and train cyber analysts when we have the organizational will to do so.
Creating a collaborative environment, however, can be a more complex challenge. It requires a well-designed knowledge management architecture — consisting of best practices for collecting, distributing and analyzing information — as well as an organizational culture that emphasizes access and communication. A mature cybersecurity group uses the knowledge gained from every attempted intrusion to help identify future threats and design better responses.
Each organization must create a cybersecurity architecture and toolset to fit its size, mission and capabilities, but the solution generally must cover three areas: analyst collaboration, partner coordination, and data management.
Analyst collaboration is essential for situational awareness. The decisions that analysts make independently become part of the collective wisdom of the team, which benefits from viewing the status of the network at any given moment from many vantage points. The faster the observations and conclusions flow from one analyst to another, the more accurate and decisive intrusion responses become. Collaboration tools such as heads-up displays, virtual whiteboards, wikis, and live video and audio feeds from remote locations support situational awareness and create a "think tank" atmosphere in security-intelligence centers.
Coordination between partner organizations is also imperative. When trust is created through personal relationships, knowledge can be shared with software vendors, government partners and industry teammates. At Lockheed Martin, we co-founded the Defense Security Information Exchange — a real-time analyst-to-analyst information-sharing forum of industry partners — and we share information with our government customers through the Defense Industrial Base Cyber Security / Information Assurance program.
We have taken the concept a step further by establishing a Cybersecurity Alliance that shares expertise and domain knowledge among market-leading cybersecurity companies,and by creating a NexGen Cyber Innovation and Technology Center, which provides an agile environment for Alliance companies and customers to rapidly and virtually collaborate and develop new capabilities.
Data management — both automated and analyst-generated — is another major element of intelligence-based cyber security. The full context of all detected hostile activities — from e-mails and malware to forensic images and network traces — should be saved and analyzed to find additional indicators and correlations. New search and correlation criteria can then be automated and linked to related attacks in the past.
To further ensure data visibility and knowledge sharing, we use a variety of intelligence products; "heat maps," which are visual displays of campaign-type threat activity; threat intelligence reports for key organizations and trusted partners; and metrics to identify trends and effectively manage resources.
From law enforcement and emergency response to military and national security, professionals know that situational awareness and information sharing are imperative to success. The same is true for cybersecurity, where knowledge and collaboration are the keys to defeating a determined adversary.
What do you think? Tell us in the comment box below.
Lockheed Martin IS&GS-Defense's Rohan Amin is the program director of the Department of Defense Cyber Crime Center (DC3) located in Linthicum, Maryland. The company thwarts the efforts of cyber criminals by delivering a full range of technical, functional, and managerial support to the DC3, which provides vital assistance in the investigation of criminal, counterintelligence and counterterrorism matters, as well as cyber security support to Defense Industrial Base partners.