4. Keep Important Information Off The Network. "One of the things I learned at the FBI is that there are certain types of things we don't put on the network," he said, including information about sensitive investigative techniques or transcripts from court-ordered intercepts. Since keeping super-sensitive information off of the network makes it much more difficult for anyone to steal it, Henry said, "I don't understand why more companies aren't compartmentalizing their data."
5. Change Metrics To Track Breach Response Speed. Today's information security programs should be measured in part by their response speed. "How long after the adversary gets access to my network will I be able to identify and mitigate the threat?" said Henry. "The old information security metric would have been, 'Can we stop the adversary from getting on the network?' And I would say that if your bonus is tied to that metric, there aren't going to be a lot of Christmas presents under the tree this year."
Henry recounted how the bureau made a similar conceptual change when it began measuring how quickly it could respond once a threat was identified rather than simply looking at the number of arrests, indictments, and convictions it won.
6. Increase Intelligence Sharing. Which information security threats have the potential to cause the most harm? Businesses need to answer that question, said Henry, so that they can put their finite resources to best use. To do this, they need better threat intelligence. "We have to be able to prioritize the threats, and more granular intelligence allows you to do that," Henry explained. For real-world threats, such sharing was accomplished in part thanks to the FBI-coordinated National Cyber Investigative Joint Task Force (NCIJTF), which facilitated intelligence-sharing between 18 intelligence and law enforcement agencies.
Now the private sector needs similar ways of sharing high-quality information about information security attacks. To help make that happen, Henry pointed to nascent efforts aimed at sharing the government's threat intelligence with businesses. In either scenario--real-world or online--the goal is the same. "We need to understand who the adversary is," Henry said, "because if we understand who they are, we can take proactive measures."