"The past is never where you think you left it." ― Katherine Anne Porter
Cybersecurity is a fast-paced industry, one that combats an ever-changing threat landscape. It's a semi-organized chaos of point solutions, patches, and processes designed to keep companies protected from the cyber attack(s) of the day. In the limited time not spent on addressing current threats, most practitioners are focused on what might come next. But little emphasis is put on how past incidents affect current and future threats.
Some of you reading that last sentence might think, "I can barely keep up with current threats; why should I care about past incidents?" I understand how this might sound counterproductive on the surface. However, the past can provide much-needed context for understanding future threats. Here's why the past matters in cybersecurity:
- Find commonality: Past events could be connected to current events — not in the sense that the same threat is re-emerging, but that a previous threat could have shared attributes with a current threat, or that threats could be connected after applying machine learning or prediction algorithms. For example, security information and event management alerts might uncover a phishing email that an analyst then investigates and resolves. As part of that investigation, the analyst has probably identified a malicious IP address. Even though this incident is resolved, the IP address may resurface as the initiator of a future attack. If this information is not widely accessible, the next analyst may overlook the fact that there is a connection between attacks.
- Adapt to evolution: If a past threat evolves into a new one, it's important to understand the original intent and basis for the attack. Rather than responding with an entirely new tactic, you may only need to tweak a past response to adapt to the new threat. Ransomware is a perfect example of an evolving threat that remains similar at its core, with tweaks to its deployment. Information learned in the past is a valuable part of adapting future responses.
- Apply unique insight: After an incident is resolved, security teams file away unique insights learned from that event. However, when a similar event arises again, those insights remain filed away, instead of being used to address a new threat. This can result in duplicate work on the next problem, because the analyst might not be privy to the past insights found by a colleague.
- Identify patterns: Recognizing patterns not only addresses current events but also helps predict and eliminate future threats. For example, individual events can be deemed harmless, but in the context of a series of events, a benign event could be part of a larger, more serious incident. Once a pattern emerges, it's then easier to predict what might happen next, raise the priority level of a current threat, and influence how the threat is resolved. For example, the past helps to uncover targeted attacks as criminals and nation-states try to infiltrate a network, attempting over and over again to achieve success. They often will change their methodologies but frequently there will be some pattern that emerges only if the past can be compared with the present and future.
The past should be neither ignored nor forgotten, especially in cybersecurity. However, security teams can easily overlook the past if it is not prioritized because of the rapid nature of the job. To stay one step ahead of hackers, find ways to use the past to better inform the present and secure a better future.
- 7 Takeaways From The Equifax Data Breach
- 5 Problems That Keep CISOs Awake at Night
- The 'Team of Teams' Model for Cybersecurity
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.