COVID-19: Early Lessons for Cybersecurity Operators

News broke the other day that there were at least two cases of COVID-19 in Santa Clara County, California as early as February 6, well before the first outbreak was discovered in Seattle twenty days later. What does this have to do with cybersecurity? More than you may think.

Trusting Your Gut

In Santa Clara, an astute county medical examiner reviewed deaths from early in the year and sent tissue samples to the CDC for analysis. The results showed two COVID-19 cases. The county’s health affairs officer said they had a “very uncomfortable feeling” that they were missing cases. The county executive said both deaths occurred during a period when the CDC was restricting tests to patients exhibiting severe respiratory symptoms and recent travel to China. The news has set off alarms, as the virus appears to have been around a lot longer than previously thought.

How many cybersecurity operators have had that same “very uncomfortable feeling” and then sought to piece together whether a penetration has occurred and, if so, when? Operators routinely conduct retrospective analysis by relying on point solutions to identify potentially problematic activity: reviewing past alerts from security event management, endpoint detection, vulnerability scans, case management tickets, and threat intelligence. This analysis is time-consuming and tedious, but critical to the security of the company.

Parallels Between Pandemic Response & Incident Response 

Cybersecurity executives should pause to consider how they handle cyber operations today. Certainly, a cyberattack does not compare with the loss of life, but the speed and impact of a cyber event can be significant. Dan Geer, a cybersecurity expert and biostatistician, has said the future of humanity is conjoined with cybersecurity. A survey from the SANS Institute last year showed that security operators (the cyber world’s healthcare professionals) are in short supply and overworked. Sound familiar? Operators lack enterprise-wide visibility, automation, and orchestration capabilities, and they have too many tools that are not integrated. They encounter a silo mentality between security, incident response, and operations.

COVID-19 underscores the need for companies to move swiftly to fuse the output of their security tools so they can rapidly assess current events and easily perform retrospective analysis. This approach requires the aggregation and correlation of event information in centralized repositories. For example, the output of security incident and event management systems should be fused automatically with endpoint detection alerts, current threat intelligence from closed and open sources, and case management tickets. Doing so saves precious time and increases efficiency.
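The retrospective question from the previous section ("when did we first see this?") becomes a single query once tool output is normalized into one schema. This is an added example, not code from the post or from TruSTAR: it maps constructed sample records from a SIEM, an EDR and a ticketing system (hypothetical field names) onto a common event shape, then asks, for every indicator a threat intel feed knows, where and when it was first sighted.

```python
import re
from datetime import datetime

# Constructed sample output from three point solutions (hypothetical field names).
SIEM_ALERTS = [
    {"ts": "2020-02-06T09:12:00", "src_ip": "10.0.5.21", "dst_ip": "203.0.113.7", "rule": "periodic outbound beacon"},
    {"ts": "2020-02-20T14:03:00", "src_ip": "198.51.100.9", "dst_ip": "10.0.5.40", "rule": "failed logins"},
]
EDR_ALERTS = [
    {"detected_at": "2020-02-26T08:30:00", "host": "ws-114", "remote": "203.0.113.7", "sig": "suspicious powershell"},
]
CASE_TICKETS = [
    {"opened": "2020-02-27T10:00:00", "summary": "ws-114 talking to 203.0.113.7, closed as false positive"},
]
# Constructed threat intel feed: indicator -> context learned after the fact.
THREAT_INTEL = {"203.0.113.7": "reported as C2 infrastructure"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def fuse_events(siem, edr, tickets):
    """Map each tool's records onto one common schema (ts, source, indicators, detail)."""
    events = []
    for a in siem:
        events.append({"ts": datetime.fromisoformat(a["ts"]), "source": "siem",
                       "indicators": {a["src_ip"], a["dst_ip"]}, "detail": a["rule"]})
    for a in edr:
        events.append({"ts": datetime.fromisoformat(a["detected_at"]), "source": "edr",
                       "indicators": {a["remote"]}, "detail": f'{a["host"]}: {a["sig"]}'})
    for t in tickets:
        # Free-text tickets carry no structured indicator field, so extract IPs from the summary.
        events.append({"ts": datetime.fromisoformat(t["opened"]), "source": "ticket",
                       "indicators": set(IP_RE.findall(t["summary"])), "detail": t["summary"]})
    return sorted(events, key=lambda e: e["ts"])

def retrospective_sightings(events, intel):
    """For each known-bad indicator, return its earliest sighting and the full cross-tool timeline."""
    report = {}
    for ioc, context in intel.items():
        hits = [e for e in events if ioc in e["indicators"]]   # events are already time-ordered
        if hits:
            report[ioc] = {"context": context, "first_seen": hits[0]["ts"],
                           "sources": [h["source"] for h in hits],
                           "timeline": [(h["ts"].isoformat(), h["source"], h["detail"]) for h in hits]}
    return report

if __name__ == "__main__":
    fused = fuse_events(SIEM_ALERTS, EDR_ALERTS, CASE_TICKETS)
    for ioc, r in retrospective_sightings(fused, THREAT_INTEL).items():
        print(f"{ioc} ({r['context']}): first seen {r['first_seen']} via {r['sources']}")
        for line in r["timeline"]:
            print("   ", *line)
```

On the sample data the SIEM beacon predates the EDR alert by twenty days and the ticket that closed the case as a false positive; without the fused view, only the last two records are easy to find.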

Taking A Proactive Stance

A handful of companies and organizations are evolving into this model. Several companies insist that alerts from existing internal security tools must be easily fused with external data sources. Similarly, companies are asking for ways to quickly exchange data with other parties, whether whole sectors, municipalities, or joint venture and supply chain partners. The pandemic has underscored that such exchanges within or between organizations must be cloud-based, as maintaining on-premises security solutions is far more difficult when operating from home.

The COVID pandemic has accelerated the movement to fuse data between companies around the cyber threats associated with the virus. IBM X-Force IRIS, BAE, AlienVault, Intel471, Bitdefender, and the CTI League are sharing threat intel with each other and making it available to other organizations through TruSTAR’s COVID-19 OSINT Community Project. There is a strong parallel between this model and combatting COVID-19: we have created a common point where data is correlated and made available to cyber defenders to contain the threat. As in the pandemic response, this is “contact tracing” analysis for cyberspace. It exemplifies the future of cybersecurity: a common means of processing and exchanging data.

While healthcare and cybersecurity may seem like distant cousins, they both have a finger on the pulse of the world and need the best equipment possible to keep its heartbeat strong.

If you are interested in finding out more about TruSTAR's COVID-19 initiative, you can find out more here.