Why Cyber Resilience Can Benefit from a Left-of-Bang Strategy
Security teams can greatly strengthen their cyber resilience by adopting a left-of-bang strategy
“Is our network secure? Are we as safe as we possibly can be from cyber threats?”
Today any technology leader can expect to be asked these questions, whether by a company executive, a board member or a commanding officer.
To answer these questions with confidence, you need a lot of data — data about endpoints, patch levels, network activity, ransomware variants, and so on. You also need to know where that data is and how to collect and analyze it. Only by collecting and analyzing this data can you conduct a meaningful and comprehensive assessment of your network’s security.
For most organizations, this kind of analysis requires in-depth, multi-week or even multi-month surveys of IT and security specialists. Even then, the resulting analysis will likely only be relevant at the time the data is collected, parsed, and reported. New vulnerabilities and other risks could pop up a day later — even a few minutes later.
A better approach is to put tools and processes in place that can collect security data continuously in real time. With real-time data about the status of networks and endpoints, you can respond to questions about overall security with definitive answers. Then you can describe the state of your organization’s cyber readiness on a Monday morning and then accurately describe it again on Friday afternoon, even if your company has launched a new service on Wednesday or closed an acquisition on Thursday.
And because you have built an automated system for delivering the answers you need at any time, you will find yourself at an operational advantage when defending against attacks. That is, you will be one step closer to having achieved cyber readiness in the face of cyber threats.
Questions that lead to cyber readiness
Cyber readiness ultimately involves answering three different questions, each related to a different aspect of cybersecurity. These questions are:
- What is the state of my network? (Cyber hygiene)
- What threats can I find? (Threat detection)
- How quickly can counter-threat actions be deployed? (Counter-threat actions)
Together, these questions add up to cyber readiness. You can think of the problem mathematically if you like:
Cyber Hygiene + Threat Detection + Counter Threat Actions = Cyber Readiness
In this blog series, I’m going to explore each of these topics in detail. First, though, I’m going to begin by talking about a defensive mentality that underlies this approach to cybersecurity. It’s a philosophy developed by the Marines during the Iraq War. It’s called Left of Bang. Here’s how it works.
Preventing attacks instead of reacting to them
By the middle of 2006, the U.S. Marine Corps realized they needed a new strategy for protecting their troops in Iraq. The Iraqi insurgency was in full swing. Insurgents were burying improvised explosive devices (IEDs) in roadways, and these hidden devices were taking a devastating toll. In September alone, IEDs wounded 776 Americans. And these devices, many of which were powerful enough to destroy a 27-ton Bradley Fighting Vehicle, seemed to be everywhere. In July, 666 IEDs were detonated. Marines found nearly another thousand devices primed to explode.
(For a detailed account of these attacks and the Marine response, see Left of Bang: How the Marine Corps’ Combat Hunter Program Can Save Your Life by Patrick Van Horne and Jason A. Riley.)
At that stage of the war, Marines were highly trained to react effectively when problems occurred. But reacting to IED explosions wasn’t reducing the frequency of the attacks. Nor was reacting doing much to reduce the strength of the insurgency overall. The Marines needed a new strategy.
Marine General James Mattis, Commander of the First Marine Expeditionary Force, wanted Marines to get ahead of the game and go on the offensive. He wanted a new type of training for Marines — training that would help Marines adopt a “hunter-like mindset,” assessing situations quickly, identifying potential threats, and taking the most effective course of action. Thus, the Marine Corps’ Combat Hunter program was born.
The chief idea behind this program was to move Marine actions “left of bang.” Picture a timeline for an IED attack. In the middle of the timeline, the IED explodes. That’s the bang. To the right of the bang are all the reactions to the explosion: a damaged vehicle, fleeing civilians, and medics rushing to the scene.
By 2006, left of bang — the time on the timeline before the explosion occurred — consisted mostly of insurgents planning the attack, building the IED, and burying the IED in the road. Marines had little insight into these activities. Consequently, very little of their directed action occurred left of bang.
The Combat Hunter training program changed that. Marines learned how to observe social patterns in public places. They learned to look for anomalies, such as individuals acting out of step with the street or market they were in. They learned to notice when locals moved away from a location unexpectedly, perhaps because they knew an attack was going to take place. And Marines learned when to take the offense, capturing insurgents before they could strike first.
As a military advisor in Iraq between 2005 and 2006, we would apply “left of bang” basics to reduce risk to our convoys and improve the quality of our outcomes – to arrive at our destination on time, safely. Critical to this approach were observability, agility, and predictability. To most Americans, Long Island, Michigan, and Tampa are places, but to Marines and Soldiers, these terms relate to high-threat routes where a left of bang approach improved convoy readiness. Recognizing the golden hour, working across silos, and integrating technology into our mission planning were key to our survivability and our convoy readiness.
In summary, the training taught Marines to:
- Identify threats based on behavior
- Assess both subtle and overt indications of threats based on human behavior, intentions and environments
- Think critically on the fly, focusing on what is most important
- Make sound snap decisions based on the information available
The Combat Hunter training made a difference. Suddenly, Marines were able to read situations more successfully. They were able to detect threats earlier, including threats from IED attacks, and take action to avoid losses. IED casualties declined. Insurgents were captured. Trainees praised the program, wishing that they could have learned its insights sooner.
The program demonstrated the benefits of thinking proactively — that is, in operating left of bang.
What left of bang training can teach IT security teams about safety
Today, many IT security teams find themselves on the defensive. They are doing their best to defend against a broad range of attacks, including ransomware, phishing, and business email compromise.
But they have limited visibility. Most are working with incomplete or outdated endpoint inventories. They’re not sure what software components are installed where, leaving them vulnerable to supply chain attacks. All too often, IT security teams find themselves working hard just to keep up, in essence reacting to threats, data calls, and cyber events by living in a right-of-bang world.
Consider how left-of-bang thinking can refine the questions I mentioned earlier that lead to cyber resilience:
- What is the state of my network? (Cyber hygiene)
  Left of bang insights:
  - Do I really understand the state of my network? Can I see my network?
  - Am I noticing everything that I should be noticing to detect threats as quickly as possible?
  - Do I have insights into meaningful anomalies, even if they’re subtle?
- What threats can I find? (Threat detection)
  Left of bang insights:
  - Can I detect the subtle anomalies that indicate threats I might have overlooked?
  - Do I have the ability to find threats everywhere, on every endpoint at every location connecting to my networks or handling my organization’s data?
- How quickly can counter-threat actions be deployed? (Counter-threat actions)
  Left of bang insights:
  - Can I respond more quickly, making sound snap decisions to prevent attacks or contain them more quickly?
  - Can I understand the scope and nature of attacks more quickly?
  - Can I contain them and take action to prevent similar attacks from happening again?
Security teams can greatly strengthen their cyber resilience by adopting a left-of-bang strategy for cybersecurity and applying these insights.
Taking a closer look at cyber readiness
In my upcoming blog posts, we’ll take a closer look at best practices for cyber hygiene, threat detection, and counter-threat actions.
Meanwhile, learn more about how the Tanium Converged Endpoint Management (XEM) platform helps security teams improve their visibility, control and remediation capabilities to strengthen cyber readiness.