Controlling enterprise risk by maximizing IT capabilities.
Blog
Seawalls for cybersecurity—lose the noise, keep the budget
A seawall is a perimeter defense for the coastline that blocks damage from the known behaviors of the regular, expected movement of ocean water. An InfoSec seawall is a perimeter defense that blocks damage from the regular, expected threats that have already been solved, but will continue to persist.
To do their job effectively, cybersecurity analysts pursue threat prioritization. Of all of the alerts going off, which attack indicators are important and relevant in our environment, right now, that we don't yet fully understand? Call it efficiency, utilization, or simply the best strategy to defend the fort. But what happens to attacks that can be de-escalated because the defensive control coverage against them has consistently worked and become understood? They go on a seawall.
To be clear, a seawall is not a standalone defensive strategy. It is a component of defense in depth that helps the cybersecurity team utilize its resources best for prioritization of threat intelligence and analysts' actions. For example, domains, hashes, and IPs that go on the seawall are put there to suppress de-escalated alerts. Those controls placed on the seawall have proven to work, and the team knows that. They will “catch all the flies that are just going to land on the sticky paper.” This allows the analysts to spend their efforts focusing on getting closer to the threat actors themselves — towards the top of the Pyramid of Pain. The seawall isn't totally ignored; should something anomalous occur at the seawall, the system can indicate to the team that the threat intelligence may need to be revisited.
A side benefit of the seawall is how it can illustrate to management the deluge of threat activity upon the organization's infrastructure. As fiduciaries over the business, leadership can utilize seawall data to avoid the perception that fewer resources are needed for security as a result of the cybersecurity team's success in suppressing compromises.
In the pursuit of STRONG security and efficient utilization of IT resources, a seawall can carry a very heavy load for a well-constructed cybersecurity program. It lets the analysts float above the expected attacks on the surface and focus on what attacks are heading toward their infrastructure in the deep.