At MITRE, we believe the most effective response to today’s cyber threat landscape requires bringing everyone into the innovation process. While we welcome new features in commercial products and ideas from researchers, we believe the adaptability of our adversaries means we have to be innovators too. We want our threat analysts to find new ways of identifying attacks, our developers to create new methods for sharing threat information, our operators to determine new strategies for homing in on key problems, and all of our staff to stay vigilant to emerging attack patterns and campaigns.
We call this new, more expansive approach to cyber defense “operational innovation.” Rather than being merely a set of tools, techniques, or capabilities, it is a mindset, a powerful way of approaching the problem. Operational innovation is based on the premise that there is often a better way to thwart a cyber attack, and that the people on the front lines are in a good position to find it. Inspiration might involve a new concept for deconstructing a problem or a unique slant on analyzing requirements. It might even be based on plain old intuition.
We practice operational innovation by developing prototype tools and techniques, and then testing these concepts against real threats. Some of these ideas will fail fast; some will fail over time; a few may show promise. The point is to keep an open mind and to keep trying.
What You Need to Make This Work
Before you can implement this new approach to cyber defense, certain conditions and resources need to be in place. Most critically, operational innovation needs support from the top. The CEO/CIO/CISO must be fully engaged and willing to invest the time and resources needed to ensure success. Top management needs to be committed to creating a culture that encourages curiosity, experimentation, and an openness to new ideas at all levels of the company.
In addition to top cover, you will need a security operations center (SOC) conducive to innovation, including tools that are adaptable and data streams sufficient for analysis. Add to that your own assessment of where your needs are most pressing; we do this by looking at the most likely threat scenarios and judging our preparedness for each one.
The most important ingredient is the people who can come up with these new ideas. Encouraging staff, system administrators, developers, database experts, and reverse engineers to think, “There must be a better way!” is what it's all about.