The team looked at a full spectrum of anticipated threat actors and capabilities. Nation-states could attack critical infrastructure and cause physical harm, for example. Criminal organizations could use ransomware to affect oil production along the supply chain. And hacktivists could attack email servers and cost the company hundreds of millions of dollars.
Two clear vulnerabilities emerged. One was the IT environment. As the company rapidly moves more business processes into a third-party cloud environment, it leaves its data and applications in a more uncertain—and potentially exposed—state.
The other challenge: the company’s operational technology environment. Countless motor controls, switches, conveyor belt valves, pressure centers, pumps, and turbines make up the physical equipment involved in extracting and producing oil—and much of it is not monitored or secured.
To protect these two different domains, our team brainstormed a wide range of plausible cyber incident scenarios to determine the right types of security measures to implement for the future. In a series of mind-mapping exercises, they “connected the dots” on how machine learning and deception technology might play a valuable role in those virtual mousetraps.
They considered the rapid growth of attack techniques and how current methods of identifying attacks will likely become obsolete. And they simulated “hunting,” a technique to detect hard-to-find threat activity hiding within the “black spots” of a network.
“Hackers don’t look for the hard way in. They’re looking for the low-hanging fruit,” says Will. “Our goal is to defend, mitigate, and increase the level of effort for an adversary. We want to make it hard enough for hackers that they decide to go someplace else.”
After several months, the team delivered their program blueprint and an implementation plan. Only then did the CISO let them review the current program so they could understand gaps and chart a course to the future state.
What they found was a program that was “siloed and piecemeal,” says Matt. “They can’t move quickly enough to adapt to new risks.”
The future-state program, on the other hand, is designed to be agile, with a highly integrated operating model in which a distributed network of teams is empowered to work fast in their own environments while remaining highly linked to one another and operating with shared purpose.
Based on Booz Allen’s recommendations, the company is making its forward-reaching cyber program come to life.
“We showed them how to blend art and science into a future-looking masterpiece,” says Matt. “We showed them how their security professionals could complement and amplify the impact of their security tools and technologies to enable the business.”