The Reporting Killchain


In 2013 at ISSA International in Nashville, TN, I gave a talk on using "big data" tools for security compliance and continuous monitoring over traditional security toolsets.  The talk pulled directly from a project I had been working on for a large US government agency that ultimately failed regardless of the agreed value it provided to the organization (I actually got an award from that agency for the work!).  The outputs and experience from that provided me some insights that ultimately have taken me the past couple of years to reconcile and mature into the "Reporting Killchain".

Obviously, the name is intended to be a "tongue & cheek" reference to the "Cyber Killchain" we often hear referenced in so many articles, blogs, and presentations.  By all means, I think it is one of many valid concepts to reference for developing a comprehensive security strategy.  But the reality is that so many organizations claiming they're "attacking the cyber killchain" is a more than just laughable...its downright sad!

My Experience...

In the project I mentioned above for that agency, we were tasked with implementing a continuous monitoring tool for FISMA and other security requirements.  A ton of tools were analyzed and ultimately none of them were purchased.  The money was reallocated to something else and we were left holding the responsibility to make something work.  We ended up turning to an existing project to leverage a "big data" tool (vendor is unimportant) which already had much of the data we might need being aggregated into it and which had zero cost for us to use.  Why didn't we use that in the first place...well...we'll to get more into that in a coming blog post.

Before we transition though, the reality was that "big data" tool "off the shelf" would not meet the requirements to provide the level of monitoring and reporting we were required to provide.  Though that tool had a "FISMA" app/plugin we could use, it only covered approximately 20 of the several hundred controls we were ultimately required to monitor!  That was only IF you sent the right sources into it.  We knew we had a lot of work to do!

"The Reporting Killchain"

The concept finds its roots in organizational behavior and by all accounts is very much a "thank you captain obvious" for many of you.  Still, this concept is meant to bridge the gap between security practitioners and "the organization" as well as to hopefully be a point of reflection for those finding themselves unsuccessful or outright jaded in their efforts to improve their organization's security postures.  What I've tried to do is boil down some key points in the "reporting process" where needs, ideas, goals, etc. get shot down, bogged, down, and fail to move forward.

These breaking points have been described to me time and time again by countless other colleagues and professionals and are present in, if not directly responsible for, every single breach or security incident that I've ever seen!  I don't say that to be dramatic.  Almost every major breach I've read about had some point in its reporting killchain where the outcome could have been drastically different had the message passed through the chain transparently.

Over the next few blog posts, I'll drill down into each of the points of this "Reporting Killchain" in what I hope will be an engaging discussion on how we as security practitioners can break it for the sake of our sanity!