Cybersecurity leaders face a constant onslaught of attacks. So, it was fitting when Daniel Clark Lee, security operations center manager for the city of Los Angeles, flashed a quote from Sun Tzu’s The Art of War on screen during his presentation at the .conf24 Splunk user conference in Las Vegas: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
“So, threat intelligence is really knowing what your enemy is doing, and knowing how you can defend and protect yourself,” he said.
During the presentation, Daniel Clark Lee and city of Los Angeles CISO Tim Lee talked about the challenge of battling practically unlimited threats, as well as the importance of focusing on actions that will have the greatest impact and shore up the most glaring vulnerabilities.
Tim Lee called this approach “precision security,” likening it to precision medicine, a practice in which treatments are personalized for individual patients with the aim of using the minimum effective medication dosage to achieve maximum results.
“I believe effective security shouldn’t be complicated,” Tim Lee said. “Spending more money on tools does not equal better security. The amount of investment and spending on cybersecurity has gone up, and data breaches and ransomware incidents continue to increase. More isn’t always better.”
“You need to implement the right security tools ... the right security strategy and program to address the unique and the most significant threats that you are facing,” he added. “That’s precision security.”
Addressing the Most Pressing Cybersecurity Challenges
Daniel Clark Lee laid out three primary challenges facing SOC managers. First, he cited limited IT resources. Next, he mentioned limited resources dedicated specifically to cybersecurity teams.
“I can’t tell the IT people to patch everything immediately,” he said. “I need to be able to strategically determine: ‘Okay, these are the vulnerabilities that are the highest priority for us to focus on, and if we can get these ones knocked out, we can get a lot of the really important ones.’”
Finally, he talked about the challenge of communicating with C-suite leaders about cyber vulnerabilities: “A CISO or someone else in the organization will read a news article and say, ‘Oh, this is really bad, I saw this on the news. This vulnerability, can you tell me if we’re vulnerable for it?’ We want to create a workflow and a way for us to quickly do that.”
The solution to all three of these challenges, he said, lies in finding ways to quickly identify the vulnerabilities that put the city at greatest risk. This helps administrators prioritize patching, results in easy wins and allows cybersecurity professionals to clearly communicate their strategic decisions to the rest of the organization.
For Los Angeles, this means building lookups in its Splunk environment for critical vulnerabilities. For instance, the city relies on the Known Exploited Vulnerabilities (KEV) catalog issued by the federal Cybersecurity and Infrastructure Security Agency.
“We sort it so we can see what are the oldest vulnerabilities that CISA is saying should be patched immediately,” Daniel Clark Lee said. “Those are things that I can focus on. I can tell people, ‘We know this vulnerability is being exploited, and this government agency has come out and told other federal agencies, you have to patch by this specific date.’”
442: The number of IT professionals employed by the Los Angeles Information Technology Agency (Source: ita.lacity.gov, “About ITA,” July 17, 2024)
Taking Quick Incident-Response Action
This ability to quickly search for and sort specific vulnerabilities is also useful, Daniel Clark Lee said, when leaders hear about a specific breach in the news and become worried about their own organization’s environment.
“We create a vendor catalog and device catalog to be able to reference when we’re looking at these news articles,” he said. “But more importantly, we can set up triggers inside of Splunk to look for specific words. If we look for just a specific vendor, we can very easily use Splunk to identify all our assets or all of our device vendors.”
He also stressed the importance of using Splunk to sort vulnerabilities by potential impact, using the Common Vulnerability Scoring System: “I’ll go through those easy wins … where I can just address a single vulnerability, and it takes care of a whole bunch of vulnerabilities throughout the whole bunch of different systems.”
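The three triage steps described above (joining internal scan findings against the CISA KEV catalog and sorting by the oldest patch-by date, ranking “easy wins” where one CVE covers many hosts, and matching a news headline against a vendor catalog) are simple to express outside Splunk as well. The following is an added example written for this article in Python; it is not the city’s Splunk lookups or any code from the presentation. The KEV records, hosts, vendor names, CVE ids and CVSS scores are constructed placeholders; only the KEV field names follow the public CISA KEV JSON feed.

```python
"""Vulnerability triage in three views: KEV due date, easy wins, vendor trigger.

All records below are CONSTRUCTED sample data for illustration; the CVE ids
are placeholders and do not refer to real vulnerabilities."""
from collections import defaultdict
from datetime import date

# Constructed KEV-style records. Field names match the public CISA KEV JSON
# feed (cveID, vendorProject, product, dateAdded, dueDate,
# knownRansomwareCampaignUse); the values are placeholders.
KEV = [
    {"cveID": "CVE-0000-1111", "vendorProject": "ExampleVendorA", "product": "Gateway",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-2222", "vendorProject": "ExampleVendorB", "product": "Hypervisor",
     "dateAdded": "2024-05-02", "dueDate": "2024-05-23", "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed internal scan findings: one row per (host, CVE).
FINDINGS = [
    {"host": "web-01", "vendor": "ExampleVendorA", "cve": "CVE-0000-1111", "cvss": 9.8},
    {"host": "web-02", "vendor": "ExampleVendorA", "cve": "CVE-0000-1111", "cvss": 9.8},
    {"host": "vm-host-01", "vendor": "ExampleVendorB", "cve": "CVE-0000-2222", "cvss": 8.8},
    {"host": "db-01", "vendor": "ExampleVendorC", "cve": "CVE-0000-3333", "cvss": 7.5},
    {"host": "db-02", "vendor": "ExampleVendorC", "cve": "CVE-0000-3333", "cvss": 7.5},
    {"host": "db-03", "vendor": "ExampleVendorC", "cve": "CVE-0000-3333", "cvss": 7.5},
    {"host": "kiosk-01", "vendor": "ExampleVendorD", "cve": "CVE-0000-4444", "cvss": 5.3},
]


def kev_overdue_first(findings, kev, today):
    """Findings whose CVE is in KEV, oldest CISA due date first.

    Each row keeps the finding plus the due date, how many days past it we
    are, and whether KEV flags known ransomware use."""
    by_cve = {k["cveID"]: k for k in kev}
    rows = []
    for f in findings:
        k = by_cve.get(f["cve"])
        if k is None:
            continue  # not in KEV: handled by the CVSS / easy-win views instead
        due = date.fromisoformat(k["dueDate"])
        rows.append({**f, "dueDate": k["dueDate"],
                     "daysOverdue": (today - due).days,
                     "ransomware": k["knownRansomwareCampaignUse"]})
    return sorted(rows, key=lambda r: (r["dueDate"], r["host"]))


def easy_wins(findings):
    """Rank CVEs by how many hosts one fix would clear; ties broken by CVSS.

    Returns a list of (cve, host_count, max_cvss) tuples, best win first."""
    hosts = defaultdict(set)
    cvss = {}
    for f in findings:
        hosts[f["cve"]].add(f["host"])
        cvss[f["cve"]] = max(cvss.get(f["cve"], 0.0), f["cvss"])
    return sorted(((cve, len(h), cvss[cve]) for cve, h in hosts.items()),
                  key=lambda t: (-t[1], -t[2], t[0]))


def vendor_trigger(headline, findings):
    """Match a headline against the vendor catalog derived from scan data.

    Returns {vendor: sorted hosts} for every catalogued vendor whose name
    appears in the headline (case-insensitive), so the on-call analyst can
    answer 'are we exposed to this?' from inventory rather than guesswork."""
    catalog = defaultdict(set)
    for f in findings:
        catalog[f["vendor"]].add(f["host"])
    text = headline.lower()
    return {v: sorted(h) for v, h in catalog.items() if v.lower() in text}


if __name__ == "__main__":
    for r in kev_overdue_first(FINDINGS, KEV, date(2024, 7, 17)):
        print(f"{r['dueDate']} ({r['daysOverdue']:>4} days overdue) {r['cve']} {r['host']}")
    for cve, n, score in easy_wins(FINDINGS):
        print(f"easy win: {cve} clears {n} host(s), max CVSS {score}")
    print(vendor_trigger("ExampleVendorA patches flaw in Gateway appliances", FINDINGS))
```

In the city’s setup the same joins live in Splunk lookup tables against a KEV feed and an asset inventory; the point the example makes is that each of the three questions (what is overdue, what single fix pays off most, which assets does this headline touch) is a join plus a sort, not a new tool.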
He added that organizations should look to take advantage of free services to assist with vulnerability scanning. For instance, he highlighted the Shadowserver Foundation, a nonprofit security organization, as well as CISA’s Cyber Hygiene vulnerability and web application scanning services.
He also highlighted the need to use fresh threat intelligence and said that internal data is often one of the best sources of this information: “Sometimes it can be a week, a month or a year later that we’re getting this external information. If I’m looking through my SOC itself … that’s where my freshest cyberthreat intelligence is going to be.”