CISOs spend a lot of time on research, so it is important to think about how we conduct and consume research. On one hand, CISOs are drowning in information, and on the other, we cannot get the info we need to make solid choices. Let me start with one of my favorite war stories. When I was mobilized after 9/11, I was tasked to build an Army Regional Emergency Computer Response Center (basically a SOC). One of my main duties included briefing the Commander on the latest research/threat intel on cyber domain adversary activity. I briefed him on who was attacking and what the latest threat techniques were. I quickly realized I had trained him to ‘go to his happy place’ and ignore me because I was briefing him on generic threat activity so it was not anything he would ever make a decision on. It started me on a journey of how to conduct and present research/analysis/threat intel that would be useful/actionable. In this blog post, we delve into the art of consuming, conducting, and presenting effective research.
Crafting Research with Purpose
When I think about research, the goal is to gather information and directly examine the raw data. Analysis is the process of evaluating and interpreting data and turning it into actionable information. Threat intelligence is the outcome of research and analysis that is centered around understanding threats, including their activities and methods.

Initially, we need to determine the goal of the research. Is it to answer a specific question, or is it open-ended discovery? We may want to understand the most common attack methodology used against our infrastructure, or the investments our peers are most commonly making. Alternatively, we could ask what our greatest risk is based on emerging threat trends around AI, while a different group would want to know what compliance changes are coming. Each of these requires different resources to answer.

Most research efforts start with a need to answer a question or validate a theory. The goal could be to use the research to educate, discover, or validate. If we want to know whether our program is working, research could be used to educate leadership on our performance. If we want to know whether our network is compromised or has security gaps, that is more about discovery. If we want to know whether we are compliant, it is more about validation. Each of these objectives has unique questions and requires varied sources and metrics to provide comprehensive answers.

Navigating Learning Styles
Most of us gravitate towards external research based on our learning style. If we are more technical, we want to read about the latest malware, while business-focused individuals lean in on industry trends. I tend to spend a lot of time on emerging trends, with most of my effort focused on developing threat methodology. The most recent example is generative AI. I listened to podcasts on the business impacts, read up on practical uses for InfoSec teams, investigated applications for cyber criminal groups, then spent some hands-on time with the different platforms, and finally taught an internal class on the topic to confirm my understanding. I find some hands-on time helps me retain better. It is important for everyone to spend some time studying their preferred learning style when developing research skills.
Harnessing Data Sources and Tools
When thinking about what research we can do internally, we need to focus on data sources and tools. We have both technical sources and analytical sources. When fielding a new security capability, I frequently examine the selection criteria to see if I can design metrics that will enable me to research and monitor its performance effectively. This approach allows me to evaluate the ROI. For example, I might measure the time to complete investigations after I deploy an automation tool. Establishing a baseline for this can be difficult, and the metric may unintentionally trigger counterproductive behaviors among analysts, so it should be carefully thought out. On the more technical side, I could measure the effectiveness of the incident response processes based on a Red Team/Blue Team exercise. I could measure something like attack patterns over time to determine whether my risk posture decisions are still appropriate. The key takeaway is to investigate the questions and the data available in order to develop insights and take action based on trends.
Strategic vs. Tactical Consumers

Another key parameter is the audience. I tend to break an audience into strategic vs. tactical consumers. Both play a vital role as part of your security program. We need strategic insights to help us determine if we need to update our risk posture or redeploy our budget. For tactical consumers we may need feeds for research that support best practices and understanding of how criminals are attacking so we can determine how to manage our security controls.

Presenting Insights: Data as a Story 

When it comes to briefing on the research, I prefer to tell a story over presenting the data. Whether you have qualitative or quantitative data, humans relate to and remember stories better than numbers. So while a slide with statistics lends credibility, a slide showing the impact the data is having will both be remembered and provide more value. Additionally, think about your role — you don’t want to become a news reporter. You need to be more of an advisor offering the results of research that will facilitate actions.

Here is a sample list of resources:
  • Organizations - Information Sharing and Analysis Centers (ISACs), MITRE, National Institute of Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA), Center for Internet Security (CIS)
  • Commercial Groups - SANS, Information Systems Audit and Control Association (ISACA), Information Systems Security Association (ISSA), Cloud Security Alliance (CSA), International Information Systems Security Certification Consortium (ISC)², The Open Web Application Security Project (OWASP)
  • Vendor Threat Research Teams - CrowdStrike Threat Report, IBM Breach Report, Verizon Data Breach Investigations Report, Akamai State of the Internet Reports, Palo Alto Unit 42, Cisco Talos, Naked Security
  • News - Wired Security, CyberWire, Bruce Schneier’s Crypto-Gram, Brian Krebs, Security Boulevard
  • Books - I recommend you leverage the Cybersecurity Canon, which reviews top cyber books

Insights

Treat research like a skill that needs to be constantly improved.
Leaders consume, conduct, and present research constantly, but most of us don’t stop and analyze how effective or impactful we are. Additionally, we need to ask whether research is part of our strategy (internal and external). Remember, good research should facilitate a decision or action.

© 2024 FS-ISAC, Inc. All rights reserved.