This is the third and final blog in a series presenting the testimony I gave on Nov. 14, 2018, before the Senate Armed Services Subcommittee on Cybersecurity, titled “Department of Defense’s Cybersecurity Acquisition and Practices from the Private Sector.” The committee is seeking guidance on strategies the DoD should adopt to optimize its cybersecurity efforts. Part 1 is on threat hunting and Part 2 is on cloud technologies.
In my introductory remarks, I pointed out that the DoD first defined, a generation ago, some of the concepts that still guide the field today in network defense. I also stated that the DoD’s cybersecurity operators are every bit as talented and motivated as their private-sector counterparts. However, I also stressed that the DoD today faces the same cybersecurity challenges as the private sector, and it is important that it adapt accordingly. I outlined the three strategies I feel are most critical for the DoD to adopt: hunting, cloud technologies and the “1-10-60” rule.
In Part 3, I explain the importance of the 1-10-60 rule:
The 1-10-60 Rule
What DoD — and frankly, the Federal government as a whole — needs most is to define a new high-level defensive concept that drives measurable accountability. I suggest a model I developed at CrowdStrike called the 1-10-60 rule. This rule is derived from the premise that to win a battle in cyberspace, speed is paramount. The only way you beat an adversary is by being faster than them.
The concept behind the rule is simple: To be successful at stopping breaches, an organization needs to detect, investigate, and remediate or contain the threat as quickly as possible. The very best private-sector companies we work with strive to detect an intrusion on average within 1 minute, investigate it within 10 minutes, and isolate or remediate the problem within 1 hour: 1-10-60. That may sound impossible if you are accustomed to hearing about breaches that go undetected for months or years, but we work with private-sector organizations that achieve that level of rapid response routinely.
We have to assume that persistent and dedicated adversaries will compromise individual machines periodically through exploitation of known or unknown vulnerabilities, or through simple social engineering. The greatest vulnerability that every organization in the world has — and one that can never be patched — is the users. In our experience, in any enterprise with people, there will always be some who will open suspicious emails, click on random links and supply sensitive information to unknown websites. Cybersecurity training helps but will never completely eliminate this possibility. And when confronting foreign intelligence services, you also have to assume that the initial compromise vector may not even be cyber — but a malicious insider asset they have recruited inside the target organization.
So the important question to ask is not, “Can you prevent the initial compromise?” — that may be an impossibility. Rather, you should ask, “How long does it take for adversaries to take advantage of the initial machine they have established as their beachhead within the network, move laterally across the environment, and gain access to a sensitive resource?” Once adversaries are able to do that, what would have been a minor security event will turn into a full breach that requires a lengthy and complex incident response. If you stop the adversary before they achieve those objectives, you have prevented the breach.
In defining the 1-10-60 rule concept, CrowdStrike analyzed real intrusion data. We studied approximately 25,000 attempted breaches we detected last year across our customer networks, and found that it took adversaries on average 1 hour and 58 minutes to move out from their initial beachhead – that first machine they had compromised on a network. We call this measure “breakout time,” and from a defender’s perspective, that is the time to beat.
I have strongly advocated that corporate boards of directors should also use the 1-10-60 rule as a primary accountability measure of their cybersecurity programs. This system drives clarity into the oversight process by enabling leadership to understand and measure performance. Not every organization can easily get to such fast reaction times, but even if you are not there, you can measure this performance on a monthly or quarterly basis and determine if the trend is going in the right direction. If it is not, you can hold your cybersecurity executives accountable for those results.
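The paragraphs above describe the 1-10-60 rule as something to measure per incident, average per reporting period, compare against the 1 hour 58 minute breakout time, and trend quarter over quarter. The following Python is an added example of that measurement, not code from this post or from CrowdStrike: the incident records, their field names (first_activity, detected, investigated, contained) and the two quarters of timestamps are constructed for illustration, and the choice to anchor "detect" at the earliest adversary activity on the beachhead host is an assumption about how a SOC would record the intervals.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# 1-10-60 thresholds, in minutes.
DETECT_LIMIT, INVESTIGATE_LIMIT, CONTAIN_LIMIT = 1, 10, 60
# Average breakout time cited in the testimony: 1 hour 58 minutes.
BREAKOUT_TIME = timedelta(hours=1, minutes=58)


@dataclass
class Incident:
    """One intrusion's timeline (field names are an assumption, not a product schema)."""
    case_id: str
    first_activity: datetime  # earliest adversary activity on the beachhead host
    detected: datetime        # alert raised
    investigated: datetime    # triage done: confirmed malicious, scope understood
    contained: datetime       # host isolated or threat remediated


@dataclass
class Timing:
    case_id: str
    detect_min: float
    investigate_min: float
    contain_min: float
    total_min: float


def measure(inc: Incident) -> Timing:
    """Compute the three 1-10-60 intervals and the end-to-end time for one incident."""
    d = (inc.detected - inc.first_activity).total_seconds() / 60
    i = (inc.investigated - inc.detected).total_seconds() / 60
    c = (inc.contained - inc.investigated).total_seconds() / 60
    return Timing(inc.case_id, d, i, c, d + i + c)


def meets_rule(t: Timing) -> bool:
    """True only if all three intervals are within 1, 10 and 60 minutes."""
    return (t.detect_min <= DETECT_LIMIT
            and t.investigate_min <= INVESTIGATE_LIMIT
            and t.contain_min <= CONTAIN_LIMIT)


def beat_breakout(t: Timing) -> bool:
    """True if containment finished before the average breakout time elapsed."""
    return timedelta(minutes=t.total_min) < BREAKOUT_TIME


def period_report(incidents: list) -> dict:
    """Per-period averages and hit rates, the numbers a board would review quarterly."""
    ts = [measure(i) for i in incidents]
    pct = lambda flags: round(100 * sum(flags) / len(ts))
    return {
        "incidents": len(ts),
        "avg_detect_min": round(mean([t.detect_min for t in ts]), 1),
        "avg_investigate_min": round(mean([t.investigate_min for t in ts]), 1),
        "avg_contain_min": round(mean([t.contain_min for t in ts]), 1),
        "pct_meeting_rule": pct([meets_rule(t) for t in ts]),
        "pct_beating_breakout": pct([beat_breakout(t) for t in ts]),
    }


def trend(previous: dict, current: dict) -> dict:
    """Direction of each average between two periods; shorter is 'improving'."""
    out = {}
    for key in ("avg_detect_min", "avg_investigate_min", "avg_contain_min"):
        if current[key] < previous[key]:
            out[key] = "improving"
        elif current[key] > previous[key]:
            out[key] = "worsening"
        else:
            out[key] = "flat"
    return out


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample data: two quarters of incident timelines.
Q1_INCIDENTS = [
    Incident("C-001", _ts("2018-07-02 09:00:00"), _ts("2018-07-02 09:03:00"),
             _ts("2018-07-02 09:25:00"), _ts("2018-07-02 10:40:00")),
    Incident("C-002", _ts("2018-07-15 14:00:00"), _ts("2018-07-15 14:00:30"),
             _ts("2018-07-15 14:08:30"), _ts("2018-07-15 14:50:30")),
    Incident("C-003", _ts("2018-08-20 11:00:00"), _ts("2018-08-20 13:30:00"),
             _ts("2018-08-20 14:00:00"), _ts("2018-08-20 16:00:00")),
]
Q2_INCIDENTS = [
    Incident("C-004", _ts("2018-10-03 08:00:00"), _ts("2018-10-03 08:00:30"),
             _ts("2018-10-03 08:09:30"), _ts("2018-10-03 08:55:30")),
    Incident("C-005", _ts("2018-10-21 16:00:00"), _ts("2018-10-21 16:01:00"),
             _ts("2018-10-21 16:11:00"), _ts("2018-10-21 17:11:00")),
    Incident("C-006", _ts("2018-11-08 10:00:00"), _ts("2018-11-08 10:05:00"),
             _ts("2018-11-08 10:20:00"), _ts("2018-11-08 13:30:00")),
]

if __name__ == "__main__":
    q1, q2 = period_report(Q1_INCIDENTS), period_report(Q2_INCIDENTS)
    print("Q1:", q1)
    print("Q2:", q2)
    print("Trend:", trend(q1, q2))
```

On the sample data the detect and investigate averages improve from Q1 to Q2 while the contain average gets worse, which is the kind of mixed picture the trend view is meant to surface: a program can look healthy on the headline "percent meeting the rule" number while one of the three intervals is drifting in the wrong direction.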
DoD must prevail in its mission to defend and secure its IT enterprise. Failure is not an option. Private industry is in some important ways outperforming DoD in cyber defense. But the challenges the Department faces in catching up are not insurmountable. A strong re-emphasis on hunting is the first step. Achieving economies of scale and other efficiencies through adoption of cloud-based security technologies, where possible, will make this easier and more sustainable over the long run.
It is also essential to have a clear ordering principle to inform staffing requirements and acquisition decisions. The 1-10-60 rule is a straightforward, metrics-driven approach based on adversary activity. Broad adoption of this approach will improve security by elevating the importance of speed in security operations, revealing performance gaps, and simplifying oversight. The result will be stronger accountability and better defense.
I have focused my testimony today on concepts rather than technologies. But everything I have described is achievable through practices and capabilities that are widely utilized in industry. DoD can adopt these capabilities, and by enhancing its own security posture, strengthen national defense.
Thank you again for inviting me to testify today. I look forward to your questions.
For More Information:
Watch the complete Hearing of the Senate Subcommittee on Cybersecurity including Dmitri’s Testimony.
Read Part 1 of Dmitri’s Senate Hearing testimony on Threat Hunting.
Read Part 2 of Dmitri’s Senate Hearing testimony on Cloud Technologies.
Learn more about the importance of the 1-10-60 Rule in stopping breaches.