What is Active Defense?

To understand how Active Defense can help improve security program effectiveness, we need an analogy. Many organizations think of the ideal enterprise network as a castle or a fortress: this mental model includes thick stone walls, guard towers and maybe even a deliberately planned moat. Castles may keep real-world invaders at bay, but we have learned time and again that determined attackers nearly always succeed in penetrating even the most secure networks via targeted attacks. Security professionals can't rely on the integrity of the network perimeter and must operate under the assumption that undetected malicious activity is present nearly all the time.

Active Defense is a continuously executed campaign to identify and help eradicate hidden attackers and defeat likely threat scenarios targeting your most critical assets.

A more appropriate analogy might be the enterprise network as a contemporary city. This analogy works on several levels. Consider the evolving ways that we access data. Users have multiple routes into and out of the network through company workstations, personally owned mobile devices, cloud storage and more. This means that legitimate users and intruders both have numerous opportunities to engage in unseen activities. Just as any city of sufficient size experiences near-constant unpoliced criminal activity, expanding network size and complexity have confounded defenders' ability to monitor in near real-time as well. Indeed, respondents to EY's 2015 GISS that reported experiencing significant incidents revealed that only 45% of detected incidents were discovered by the Security Operations Center (SOC). To maintain order, the castle guards of old evolved into the modern police, and security operations professionals must evolve as well. What does Active Defense add to the existing security operations program? Let's carry our analogy into the SOC.
The security operations team comprises the enterprise's network police force. Security monitoring with network and endpoint tools is akin to sending officers out to enforce speed limits and watch for crime. In the real world, patrol officers are effective at deterring and defeating the criminals that they can actually see. However, they aren't effective at defeating the sophisticated crime that occurs behind closed doors and in areas that aren't patrolled. For this, the city needs detectives. Rather than patrolling and monitoring, detectives cultivate informants, investigate leads, analyze evidence and actively hunt suspects.

How does Active Defense fit into a holistic cybersecurity program?

Most security operations teams lack the "detective" capability, and this is where Active Defense can enhance organizational effectiveness. By employing a deliberate operational cycle to plan, execute, and review intelligence-driven activities to help implement targeted countermeasures, fortify defenses and hunt intruders, Active Defense practitioners provide the organization with the capability to identify and help eradicate latent attackers that circumvent traditional security monitoring and target your intellectual property and business systems.

Enhancing your security operations with Active Defense | 3