Continuous innovation

The innovation speed of adversaries is far higher than that of the defense. Previously unknown, or so-called zero-day, vulnerabilities are commonplace. Even more challenging is the fact that attackers need only to identify one new method of attack behavior to avoid detection, whereas defenders need to cover all possible concepts of operations — an impossible task. Defensive tools suffer from the need to undergo product sales cycles that are in the order of years to bring new methods to market. Finally, the underlying network technology is constantly changing underneath the defenders, with the advent of “Bring Your Own Device” and the Internet of Things (IoT). There is a need to accelerate defensive operations, and data science can help.

Through interaction with hunting teams, incident responders and penetration testers, data scientists can rapidly deploy new methods for detection, acting directly on operational data to produce new continuous-monitoring tools and future indicators of attack. Organizations need to be able to ask thousands of questions of their data, determine which are effective and bring those rapidly into production.

Red teaming

The terms “red team” and “blue team” derive from traditional military war games: red teams are the attackers and blue teams are the defenders. In current cybersecurity usage, a red team is a group that actively challenges an organization to improve the effectiveness of its security via specific exercises that leverage techniques including penetration testing and social engineering, among others.

Such exercises should be undertaken regularly to verify that both the organization as a whole and the platform architecture itself are secure from attack, using techniques similar to those exhibited by real attackers. Organizations need to ensure that any findings are fed back into the development life cycle for remediation.

Running red team versus blue team scenarios enables organizations to see how the cyber platform detects attacks and where opportunities exist to modify or build new detection models throughout the attack kill chain. Along with identifying potential blind spots within the network, this has the added benefit of training the new generation of hunters using controlled exercises. This is especially effective when a red team member is paired with the blue team, notifying the blue team of progress and validating detection.

Red team intelligence should be sourced from a variety of locations, including research papers, presentations and forums. By applying this information to the platform, an organization can determine how effective the cyber analytics are and whether there is a need for new models and anomaly-detection modules to be developed. Red team attack tools and methodologies are evolving faster than defensive tools and methodologies, so pairing red team researchers with data scientists and blue team hunters rapidly reduces the time to generate new models and modules. The red team can simulate the new attacks within the network to validate platform detection.

Sidebar callouts (the page shows the figures 54%, 62% and 61%; the extraction does not preserve which figure goes with which caption):
“... of organizations do not currently have a role or department focused on the impact of emerging technologies on information security”
“... of organizations say that securing emerging technologies (e.g., cloud, virtualization, mobile) is a medium or low priority”

Using cyber analytics to help you get on top of cybercrime — Third-generation Security Operations Centers | 13
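The red-team/blue-team loop described above can be made concrete. What follows is an added example written for this page, not code from the report or from any vendor platform: the paired red-team member annotates each action with the kill-chain stage it belongs to, the blue team's candidate analytics (the “questions” asked of the data) are run over the same telemetry, and the result shows which questions caught red-team activity, which are too noisy to put into production, and which stages the red team reached without any analytic firing. The telemetry, the detections, the field names and the promotion threshold are all constructed assumptions.

```python
"""Score candidate detections against an annotated red-team exercise.

Added example, not code from the report this page is taken from. The
events, the red-team annotations, the detection rules and the thresholds
are constructed for illustration and do not reflect any real platform.
"""

# Lockheed Martin Cyber Kill Chain stages the exercise is assumed to cover.
STAGES = ["delivery", "exploitation", "installation",
          "command_and_control", "actions_on_objectives"]


def ev(i, host, proc, cmd, dst=None, bytes_out=0, red_stage=None):
    """Build one constructed telemetry record. `red_stage` is the annotation
    the paired red-team member gives the blue team; it is ground truth for
    scoring only and must never be read by a detection rule."""
    return {"id": i, "host": host, "proc": proc, "cmd": cmd, "dst": dst,
            "bytes_out": bytes_out, "red_stage": red_stage}


# Constructed telemetry: ordinary user activity interleaved with the red
# team's simulated intrusion on ws-17 (all hosts, names and IPs are made up).
EVENTS = [
    ev(1, "ws-17", "outlook.exe", "outlook.exe", "mail.corp.example", 2_100),
    ev(2, "ws-17", "winword.exe", "winword.exe /n invoice.docm", red_stage="delivery"),
    ev(3, "ws-17", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA",
       red_stage="exploitation"),
    ev(4, "ws-17", "reg.exe",
       "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d C:\\Users\\alice\\upd.exe",
       red_stage="installation"),
    ev(5, "ws-17", "upd.exe", "upd.exe", "203.0.113.9", 900, red_stage="command_and_control"),
    ev(6, "ws-17", "upd.exe", "upd.exe", "203.0.113.9", 48_000_000,
       red_stage="actions_on_objectives"),
    ev(7, "ws-03", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ev(8, "ws-03", "chrome.exe", "chrome.exe", "cdn.example.net", 1_500_000),
    ev(9, "ws-11", "powershell.exe", "powershell.exe Get-Service"),
]

# Candidate "questions" the blue team wants to ask of the data. Each is a
# hypothesis tagged with the kill-chain stage it is meant to catch.
DETECTIONS = {
    "macro_doc_opened": ("delivery",
        lambda e: e["proc"] == "winword.exe" and e["cmd"].lower().endswith(".docm")),
    "encoded_powershell": ("exploitation",
        lambda e: e["proc"] == "powershell.exe" and "-enc" in e["cmd"].lower()),
    "run_key_persistence": ("installation",
        lambda e: e["proc"] == "reg.exe" and "currentversion\\run" in e["cmd"].lower()),
    "large_upload": ("actions_on_objectives",
        lambda e: e["bytes_out"] > 10_000_000),
    # Deliberately naive candidate: fires on every PowerShell launch,
    # including the admin scripts on ws-03 and ws-11.
    "any_powershell": ("exploitation",
        lambda e: e["proc"] == "powershell.exe"),
}


def evaluate(events, detections):
    """Run every candidate over the telemetry and score it against the red
    team's annotations. Returns per-candidate hit counts plus the stages the
    red team exercised that no candidate detected (the blind spots)."""
    report = {}
    for name, (stage, rule) in detections.items():
        fired = [e for e in events if rule(e)]
        tp = sum(1 for e in fired if e["red_stage"] is not None)
        fp = len(fired) - tp
        report[name] = {"stage": stage, "true_positives": tp,
                        "false_positives": fp,
                        "precision": tp / len(fired) if fired else 0.0}
    exercised = {e["red_stage"] for e in events if e["red_stage"]}
    detected = {e["red_stage"] for e in events
                if e["red_stage"] and any(rule(e) for _, rule in detections.values())}
    return {"detections": report,
            "blind_spots": [s for s in STAGES if s in exercised - detected]}


def promote(result, min_precision=0.5):
    """Pick the candidates worth moving into production: they caught red-team
    activity and did not drown the hunters in benign hits (threshold assumed)."""
    return sorted(name for name, r in result["detections"].items()
                  if r["true_positives"] > 0 and r["precision"] >= min_precision)


if __name__ == "__main__":
    result = evaluate(EVENTS, DETECTIONS)
    for name, r in result["detections"].items():
        print(f"{name:22} stage={r['stage']:22} tp={r['true_positives']} "
              f"fp={r['false_positives']} precision={r['precision']:.2f}")
    print("promote:", promote(result))
    print("blind spots:", result["blind_spots"])
```

On the constructed data the four targeted candidates each catch exactly one red-team action with no benign hits, `any_powershell` is rejected because two of its three hits are administrators' scripts, and `command_and_control` comes back as a blind spot: the beaconing by `upd.exe` to 203.0.113.9 fires nothing, which is precisely the finding the red team's annotation is there to surface. In a real platform the candidates would be queries against the SIEM or data lake rather than Python lambdas, and the red-team log would be a shared timeline; the scoring logic stays the same.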