Many organizations protect their cyber infrastructure by looking inward, focusing on their own networks and systems. They dedicate themselves to reducing the attack surface, assessing their vulnerabilities, and conducting system patching – all to continuously monitor their own networks.
To Gary Gagnon, senior vice president and chief security officer of the MITRE Corporation, this defense posture makes about as much sense as having Tuuka Rask turn his back on the opposing team during the Stanley Cup playoffs. Rask, the star goaltender for the Boston Bruins, doesn’t fend off slapshots by staring at his own goal’s crossbar or checking the durability of the net. He focuses on his opponents, watching as their playbook unfolds, identifying their weaknesses and signaling to his teammates for backup.
Gagnon thinks this strategy can be just as effective in protecting cyber assets. “Initially, we were like a hockey goalie facing the net instead of watching the threat. By turning around, we get to work on knowing the opponent, understanding their moves. We are able to balance security against threats. Our defenders become collectors of information and intelligence to build a defensive strategy and optimize response,” he explains. “Learning as much as possible about the adversary’s tactics and techniques gives us an edge in discovering and stopping attackers.”
As the director of cybersecurity at MITRE, Gagnon plays a key role in guiding the defense of some of the nation’s most critical cyber assets – those of the Federal Aviation Administration, the Department of Defense, and the Department of Homeland Security. He has unique insights into his client base, having held leadership positions in solving information security issues for the U.S. Army, U.S. Navy, and National Security Agency.
MITRE is a not-for-profit organization that operates federally funded research and development centers (FFRDCs). Government agencies establish FFRDCs to address specific, long-term needs that can’t be met by in-house staff or traditional contractor resources. In this capacity MITRE plays a unique role as a trusted adviser to both military and civilian government agencies.
For Gagnon, earning and preserving that trust means never recommending any cybersecurity capability or approach to a sponsor that hasn’t first been tested on MITRE’s own computer networks and systems.
“We realized that we needed to run our network security solutions here to understand and prove them out before taking them to our government sponsor customers,” says Gagnon. “That way, we practice what we preach and we preach, what we practice.”
MITRE’s approach to cyber defense is based on the “kill-chain” framework, originally developed by Lockheed Martin. The kill-chain depicts the phases of a cyber attack, comprised of a series of steps that an adversary might take to compromise, control and exploit a target.
By better understanding adversaries – their tendencies, techniques, tools and intentions – organizations can bolster their threat-based defenses and improve their chances of preventing, detecting and mitigating cyber intrusions.
“MITRE adopted the ideas, practiced them, added to them, and started talking about them, and promoting them with our sponsors,” says Gagnon.
In fact, MITRE offers many ways to help sponsors adopt this more proactive stance. For instance, it helps diverse stakeholders create partnerships for sharing detailed cyber threat information, which can then be used to improve the defense capabilities of each individual member. Partnerships also give members tools and strategies they might not otherwise have access to.
In keeping with his commitment to “practice what we preach,” Gagnon test ran this integrated approach to intelligence- and resource-sharing at MITRE before bringing it to clients. One of his first moves as CSO was combining MITRE’s physical and information security divisions, a departure from industry standard. “These functions cannot and do not operate independently,” he says. “They’re all part of a security ecosystem.”
This security ecosystem consists of a highly capable and motivated team. MITRE relies on an all-inclusive approach, in which every security team member can manage, rather than just route, an issue or inquiry through to resolution. “We work as risk management advisers for the organization,” notes Gagnon. “Our value is rooted in continuous improvement, sharing what we learn and changing thinking about security to a threat-based defense model.”
To share information across an entire community, there needs to be a common language and Gagnon has led MITRE’s efforts to establish and communicate software industry security data standards to fortify vendor products against vulnerabilities.
To fully understand the critical needs of his sponsors, Gagnon focuses on customer engagement. “At MITRE, we view security as a team sport and operate as a team,” he says. “It’s the only way to gain adoption across our various organizational departments, understanding client issues and demonstrating due diligence to ensure success.”
Security Scorecard
- Annual Revenue: $1.7 Billion
- Security Budget: Confidential
Critical Issues
- Brand Protection/Intellectual Property/Product Protection/Counterfeiting/Fraud Protection
- Business Expansion Support
Security Mission
- Asset Protection/Theft
- Enterprise Resilience
- Fraud/IP Theft: External, Partner and Insider Threats
- Regulatory Compliance
- Risk Management Planning
- Supporting Business Growth
- Supply Chain
- Technology Integration and Management
- Workplace Violence