Cyber Defense Review

Four Imperatives for Cybersecurity Success in the Digital Age: Part 2

By MG (Ret) John Davis | April 27, 2017


Having joined Palo Alto Networks following a 35-year career in the U.S. military, the last decade of which I served in a variety of leadership positions in cyber operations, strategy and policy, I have found that many of the cybersecurity challenges we face from a national security perspective are the same in the broader global business environment.

This blog post series describes what I consider to be four major imperatives for cybersecurity success in the digital age, regardless of whether your organization is a part of the public or private sector.

I covered Imperative #1 in the Fall 2016 CDR, and here are the major themes for each imperative:


  • Imperative #1: We must flip the scales

  • Imperative #2: We must broaden our focus to sharpen our actions

  • Imperative #3: We must change our approach

  • Imperative #4: We must work together

Blog #2 of 4: Imperative #2


Before I get to the details, allow me to review some background and context, and then provide an executive summary of Imperative #2.

Background and Context

As a reminder from my previous CDR entry, I use the four factors in Figure 1 to explain the concept behind Imperative #2 in a comprehensive way.

Figure 1


  • Threat: This factor describes how the cyber threat is evolving and how we are responding to those changes.

  • Policy and Strategy: Given our assessment of the overall environment, this factor describes what we should be doing and our strategy to align means (resources and capabilities or the what) and ways (methods, priorities and concepts of operations or the how) to achieve ends (goals and objectives or the why).

  • Structure: This factor includes both organizational (human dimension) and architectural (technical dimension) aspects.

  • Tactics, Techniques, and Procedures (TTP): This factor represents the tactical aspects of implementing change, where the rubber meets the road.

In this second blog of the series, I would like to take you through Imperative #2 using the concept model outlined above, and step through the implications.

Figure 2


We need to change the way we look at today's cyber threat because there is a smarter approach, one that allows the cybersecurity community to broaden its focus and see the whole forest instead of getting lost in the trees. Instead of looking at the problem as an ever-increasing volume of discrete events, we must leverage the step-by-step process that most cyber actors use to accomplish their objectives. This process is the threat lifecycle, and it serves as a lens to broaden our focus and sharpen our actions, so that we deal more effectively with a limited number of cyber threat playbooks instead of an endless number of individual cyber events.

A critical aspect of this process requires that we achieve full visibility over what is happening in our network enterprise environment on a continuous basis and in near real-time. The increase in visibility can result in more information for the defenders to deal with, and force them to prioritize according to their most vital functions, where those functions map to their enterprise network architecture, and where the resulting key portions of the architecture are both vulnerable and face an assessed threat (cyber or otherwise). Defenders must also apply technology and automation to discover the threats using a lifecycle approach (looking at threat playbooks instead of millions of discrete events), and free their employees to take active business action in a sustainable way.

By broadening our focus on the threat lifecycle and gaining greater visibility over what is happening in our network environment, we can sharpen our actions by adjusting security architecture to be where it matters instead of a legacy view that it has to be everywhere in the hopes of stopping a breach. Smart security architecture placement allows for not only greater effectiveness against a more holistic (and manageable) view of the threat but is also a significantly more efficient way to apply technology, save money, and employ human expertise where it is most needed.

We must also sharpen our actions by evolving from the legacy thinking based on signatures toward more effective TTP that focus on indicators of compromise. There is simply no way to keep up with the exponential explosion in both the number of vulnerabilities in our network environment as well as the number of threat signatures over time. The Internet of Things phenomenon will only exacerbate the problem by increasing the overall attack surface. However, by tracking a relatively small number of defined techniques across the cyber threat life cycle categories (or broadening our focus), we can sharpen our actions to prioritize important events, put understandable context around them, and then rapidly make these indicators consumable so that we can automate the adjustment to our cybersecurity posture.


THREAT: We have traditionally viewed cyber-attacks, breaches, and other incidents as discrete events. When I was working at U.S. Cyber Command as the Director of Current Operations, I used to tell my leadership that we were experiencing millions of events (mostly probes, but many times other, more serious, events) per day. Millions!

We set up a system to triage the most serious events, assigned teams to chase them down, logged the status of each event, followed through with isolation and remediation, and then processed all this through an incident management tracking system that, over time, just ended up looking like a mountain of exponentially endless work needing more and more people to keep up with.

This type of approach was only putting us further and further behind, and distracted our workforce from what was really important. This gets back to the math problem that I covered in my first CDR article on Imperative #1. It's impossible to get ahead of the problem if you address the Threat using that kind of model.

What's changed over the past few years is that we've collectively figured out a way to work smarter rather than harder. Adversaries and the national security cyber community use a common process that involves a set series of steps, or a lifecycle, that a cyber adversary must step through to be successful.

The lifecycle involves information gathering and reconnaissance or probing, then the initial foothold into a network, then the initial compromise and deployment of an exploit or another tool, then the establishment of control of the access established, then privileged movement through the network to get to the place where they can accomplish what they came to do, and finally, the exfiltration of information or other more disruptive, deceptive or destructive results.

In most cases this takes time (at least hours, if not days/weeks/months). When you view the adversary activity in this manner, you can see that by putting in place mechanisms to monitor your network enterprise for these various stages of the lifecycle, it becomes possible to watch an adversary walk through them. On top of that, you realize that instead of dealing with an avalanche of millions of discrete events, you are now talking about a reasonably manageable number of threat playbooks. Some estimates are that there are only a few thousand of these playbooks, and as our company CSO Rick Howard likes to say, "You can put that on a spreadsheet!"

STRATEGY: From a strategy perspective, this requires looking at the entire lifecycle, and not just simply at bits and pieces. I list the term "limited visibility" in Figure 2, but in many cases, it's more accurately defined as zero visibility into what's happening within an organization's network.

When an organization's IT staff does have visibility, it's usually the result of being informed by an external entity (FBI or some other law enforcement agency) that something's amiss. That forces the staff to find out what happened (past tense) and dig into the forensics after the fact. Nobody in the cybersecurity community wants to spend their life cleaning up the mess in aisle 9!

We need to shift the dynamic from limited or no visibility over what's happening within our networks to seeing everything that's happening on our networks in near real-time. Some in the US Government, such as the Department of Homeland Security, call this Continuous Diagnostics and Mitigation or CDM.

This raises an interesting point about making sense of all this new, near real-time data. It can be overwhelming unless you have a way to prioritize what's most important. How do you do that? How do you manage it without having to hire more and more people as your alerts go through the roof?

One way that works is to first look at the most critical functions of the organization. In the military, we called these mission-critical functions: functions without which the organization would fail to achieve its mission. It would be the same for any business. Then, you translate those mission-critical functions into where they reside on the network, and which segments of the network, systems and endpoint devices are therefore mission critical (or "cyber key terrain," as it is known in the military).

These key points within the organization's architecture would then be assessed against two other factors (mission criticality being the first factor): their vulnerabilities (both cyber and non-cyber), and the threat to them (both cyber and non-cyber).

It is at the intersection of all three factors, 1) critical to the mission, 2) vulnerable, and 3) subject to an assessed threat (either general or specific), that the organization should focus its ability to continuously monitor for full visibility. Does your network security provider give you the capabilities to prioritize the mountains of data to make it relevant to your needs? You should be asking that question.

Another way to increase visibility over what is happening on your networks without adding to the complexity of your environment or adding tons of people is to apply technology and automation to discover the threats using a lifecycle approach (looking at the whole threat picture instead of millions of discrete events). This will free the people you hire to use their skills to take business action in a sustainable way. This will also REDUCE the need for people, not add to it.

Instead of detecting isolated suspicious elements of a possible attack, you consider ALL of the characteristics together and automatically detect one of the playbooks that I mentioned in the initial threat discussion. Even if your attacker changed one characteristic, you could still recognize, for example, the command and control protocols. Then, even though another part might have been changed, you can block the whole attack for this particular threat playbook. The overall playbook would be detected and blocked. Now, what if your automation was so extensive that it self-learned in real-time from the hundreds of thousands of attacks that happen every day in the world?
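As an added example of the playbook idea from this section and the earlier THREAT discussion (not code from the original post or from any vendor product), the script below collapses constructed per-host events into lifecycle stages and matches them against hypothetical playbook definitions, so a host is still flagged when the attacker swaps one technique. The stage names, playbook contents and sample events are all constructed for illustration.

```python
# Added example: lifecycle-stage correlation instead of per-event alerting.
# Stage names, playbook definitions and the event sample are constructed.
from collections import defaultdict

# Lifecycle stages in the order an intrusion progresses (names are assumed).
STAGES = ["recon", "exploit", "control", "move", "exfil"]

# Hypothetical playbooks: for each stage, the techniques that characterise them.
PLAYBOOKS = {
    "PLAYBOOK-A": {
        "recon": {"port_scan"},
        "exploit": {"office_macro"},
        "control": {"dns_tunnel"},
        "move": {"pass_the_hash"},
        "exfil": {"https_upload"},
    },
    "PLAYBOOK-B": {
        "recon": {"web_crawl"},
        "exploit": {"sqli"},
        "control": {"http_beacon"},
        "move": {"rdp"},
        "exfil": {"ftp"},
    },
}

# Constructed events: (host, lifecycle stage, observed technique).
# Most of the volume is probes; only one host actually progresses.
EVENTS = [
    ("10.0.0.5", "recon", "port_scan"),
    ("10.0.0.9", "recon", "port_scan"),
    ("10.0.0.9", "recon", "port_scan"),
    ("10.0.0.5", "exploit", "pdf_exploit"),   # attacker swapped the exploit
    ("10.0.0.5", "control", "dns_tunnel"),
    ("10.0.0.5", "move", "pass_the_hash"),
    ("10.0.0.7", "exploit", "sqli"),
]

def stages_by_host(events):
    """Collapse discrete events into the techniques seen per host and stage."""
    seen = defaultdict(lambda: defaultdict(set))
    for host, stage, technique in events:
        seen[host][stage].add(technique)
    return seen

def match_playbooks(events, min_stages=3):
    """Return {host: (playbook, matched_stages)} for hosts whose observed
    stages agree with a playbook in at least `min_stages` stages. Requiring
    fewer than all stages is what tolerates one changed characteristic."""
    hits = {}
    for host, stages in stages_by_host(events).items():
        best = None
        for name, playbook in PLAYBOOKS.items():
            matched = [s for s in STAGES if stages.get(s, set()) & playbook[s]]
            if len(matched) >= min_stages and (best is None or len(matched) > len(best[1])):
                best = (name, matched)
        if best:
            hits[host] = best
    return hits

if __name__ == "__main__":
    for host, (name, matched) in match_playbooks(EVENTS).items():
        print(f"{host}: {name} via stages {matched}")
```

Seven events reduce to a single playbook hit on one host; the two probe-only hosts generate no alert at all.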

I'll describe more about how this can be done using automation and an integrated platform approach in my next blog on Imperative #3.

ARCHITECTURE: In my last CDR entry, I focused on the human, organizational structure implications of the imperative for change, describing the need for organizations to move the decision-making forum from the server room into the boardroom and C-Suite. In this blog I'm focusing on the architectural structure implications of the imperative to move from being everywhere in the network to being in the right architectural places to be effective.

Traditionally, many organizations (including several in the military of which I was a part) thought that to provide an effective defense you had to be everywhere, and we liked to call this concept a layered defense.

We learned the M&M lesson long ago about the insufficiency of having a strong outer shell but being soft and gooey in the middle, which meant that once inside a network, a cyber adversary pretty much had the run of the place.

But in our best attempts to be strong everywhere, putting point solutions all over the layers of our networks and hoping to catch something, we were strong nowhere. Worse yet, we created so much complexity by bolting on and jury-rigging multiple point solutions that were not natively designed to communicate with each other that we actually made the situation worse.

Smart architecture is about the precision placement of the right network and endpoint device security in the architecturally relevant places based on the cyber threat life cycle. Instead of being everywhere and strong nowhere, it's smarter to be in the right places and strong where it matters.

If we apply the "broadening our focus" aspects I just described, the threat lifecycle and greater visibility, then we can sharpen our actions by adjusting security architecture to be where it matters most.

Finally, this kind of approach is not only more effective; it's significantly more efficient because you can save resources regarding both technology and the humans to run it. In fact, I should have put a dollar sign on the left and a cents sign on the right of that bottom left quadrant in Figure 3!

TTP: Finally, as we look at the TTP side of Imperative #2 we see something very, very powerful happening.

If you look at the number of vulnerabilities in our networks, systems, apps, etc., over time, you can see exponential growth. It's the same with malicious software signatures for anti-virus and anti-spyware. Over time it is clearly exponential as well. How do you possibly keep up with that?

According to Cisco, by 2019 there will be 25 billion devices connected to the Internet. Today, we have 16 billion. That's a 55% increase in your attack surface to protect.

However, there is some good news. If you look at the process or basic techniques that cyber adversaries use to compromise endpoint devices, there are only a finite (less than three dozen, we believe) number of these techniques. Buffer overflow and heap spray are two of the most widely known examples of these techniques.

Every cyber actor and organization uses them, and I can tell you from my military experience that we used these same techniques for national security purposes.

The exciting news for the cybersecurity community is that by tracking these small, defined techniques across the cyber threat life cycle categories (or broadening our focus) we can sharpen our actions to prioritize important events, put understandable context around the compromise indicators (like specific adversary groups or people, related indicators and targets of their activities), and then rapidly make these indicators consumable to adjust our cybersecurity posture.

This excites me, because for the first time this offers the chance to see some daylight, and it helps to rebalance the attacker/defender scale that I covered in Imperative #1. Dealing with three dozen endpoint compromise techniques and five threat lifecycle steps is something we can keep up with, rather than trying to sort out and deal with millions of things daily.

The sooner organizations consider a model that is not dependent on hiring more and more people, the sooner they will have a defense model that can be sustained in our changing world.

Organizations would not have to keep on hiring more and more people, and instead allow current employees to use their skills to take necessary business action. This would keep their business secure and their best people engaged and employed in a sustainable model.


We've learned a smarter approach to deal effectively with a limited number of cyber threat playbooks and techniques instead of an endless number of discrete cyber events.

By achieving full visibility over what is happening in our network enterprise environment on a continuous basis, we can apply technology and automation to discover the threats using a lifecycle approach and take business action in a sustainable way. But, we should prioritize that approach using the intersection of these three factors: Business/Mission Criticality, Vulnerabilities, and Threats.

We can sharpen our actions by adjusting the security architecture to be where it matters most instead of a legacy view that has to be everywhere in the hopes of stopping a breach. Smart security architecture placement is not only more effective, it is also much more efficient.

Finally, we should evolve from a signature approach toward more effective TTP that focus on indicators of compromise, so that we can sharpen our actions to prioritize important events, put understandable context around them, and then automate the adjustment of our cybersecurity posture.

In my next blog of this series, I'll be discussing Imperative #3: We Must Change Our Approach.

