©2015 Bit9. All Rights Reserved

Building Resilient Security for the Age of Continuous Attacks
Harry Sverdlove, CTO, Bit9 + Carbon Black
MITRE Secure and Resilient Cyber Architectures Invitational


What do we mean by Cyber Resiliency?

“Let me tell you something you already know. The world ain't all sunshine and rainbows. It's a very mean and nasty place, and I don't care how tough you are, it will beat you to your knees and keep you there permanently if you let it. You, me, or nobody is gonna hit as hard as life. But it ain't about how hard you hit. It's about how hard you can get hit and keep moving forward; how much you can take and keep moving forward. That's how winning is done!”

‐ Rocky Balboa

What do we ACTUALLY mean by Cyber Resiliency?

The assumption of the inevitability of compromise.

Compromise, meaning unauthorized code execution or unauthorized access within your environment, should NOT result in:

Continuously Evolving Technology Landscape

Cloud Computing

Mobile Computing

Internet of Things

Surface area is ever‐increasing

Perimeters are becoming less relevant

Everything is connected to something

Technology is crossing into our physical world

Continuous (and Cumulative) Vulnerabilities

Continuously Evolving Threat Actors

Criminal Enterprises
• Broad-based and targeted attacks
• Financially motivated
• Getting more sophisticated

Hacktivists
• Targeted and destructive attacks
• Unpredictable motivations
• Generally less sophisticated

Nation-States
• Targeted and multi-stage attacks
• Motivated by information and IP
• Highly sophisticated, endless resources

Continuous Stream of News

Continuous Stream of Data Breaches

Source: Information is Beautiful, www.informationisbeautiful.net, May 2015

Attacks are continuous.

Security is continuous.

Cyber resiliency must involve continuous processes.

In IT, we hire staff to support technology.

In security operations, we buy technology to support staff.

A Framework for Cyber Resiliency

Anticipate

Withstand

Recover

Evolve

Understand

Prepare

Prevent

Prepare

Continue

Constrain

Reconstitute

Transform

Re-architect

Source: Cyber Resiliency Engineering Framework, September 2011

Simplified Security Lifecycle

Detect: Recognize suspicious or malicious behavior

Respond: Investigate, assess scope, determine root cause, recover

Prevent: Harden systems from attack, repel hostile actions

How Are We Doing?

Prevent: Bulk of our budget continues to be here; still weak in predictive security

Detect: More emphasis on actionable threat intel; still relying largely on point-in-time scanning

Respond: Expensive, reactive, disruptive; not continuous at all

Pop Quiz: Which Comes First – Detection or Collection?

Most programs alert on something interesting first, then collect artifacts afterwards.

By prioritizing data collection over detection, you accelerate investigation, finding root cause and scope, recovery, and threat hunting.

Reduce Dwell Time By Prioritizing Data Collection

Compromised (attacker present) → Breach Discovered (attacker identified) → Recovered (attacker expelled)

DWELL TIME

Proactively collecting data before discovery is automated and efficient; reactively collecting data after discovery is time-consuming and expensive.


By prioritizing data collection before detection, you can eliminate the tedious and time-consuming data acquisition process, exponentially reducing dwell time and accelerating your response.

“Response is the closest thing we have in IT to dogfighting”

‐Bruce Schneier, BlackHat 2014 Keynote

“Time is the dominant parameter. The pilot who goes through the OODA cycle in the shortest time prevails because his opponent is caught responding to situations that have already changed.”

‐ Col. John Boyd, 1966

Observe → Orient → Decide → Act

Evolution of the Security Lifecycle

Prevent

Detect

Respond

Prevention Leads to Need for Visibility

Visibility Creates Desire for Intelligence

Intelligence Leads to Prediction

Prevention → Visibility → Intelligence → Response → Predict

Principles of Resiliency

Non-persistence

Recovery

Segmentation

Adaptability

Deception

Intelligence

Diversity

Unpredictability

Orchestration

Least Privilege

Redundancy

Case Study: The Simian Army

Chaos Monkey, Latency Monkey, Conformity Monkey, Security Monkey, …

Parting Thoughts

Cyber resiliency is a part of cyber security

Threats are evolving and continuous

Security needs to evolve and be continuous

Not just constant prevention – constant detection and response are required

This requires visibility, which leads to intelligence, which leads to predictive security

Security happens with people, not technology. But technology is an invaluable tool to support the people.

Monkeys are your friend: automate your resiliency!

Questions?