A seawall is a perimeter defense for the coastline that blocks damage from the regular, expected movement of ocean water. An information security seawall is a perimeter defense that blocks damage from the regular, expected threats that have already been solved but will persist.
To do their job effectively, cybersecurity analysts prioritize threats. Of all the alerts going off, which attack indicators are important and relevant in our environment, right now, that we don't yet fully understand? Call it efficiency, utilization, or simply the best strategy to defend the fort. But what happens to attacks that can be de-escalated because the defensive control coverage against them has consistently worked and become understood? They go on a seawall.
A seawall is not a standalone defensive strategy. It is a component of defense in depth that helps the cybersecurity team allocate its resources to the threat intelligence and analyst actions that matter most. For example, domains, file hashes, and Internet Protocol (IP) addresses that go on the seawall are put there to suppress de-escalated alerts. The controls placed on the seawall are proven to work, and the team knows that: they will catch every fly that lands on the sticky paper. This lets analysts spend their effort getting closer to the threat actors themselves, toward the top of the Pyramid of Pain. The seawall isn't totally ignored; should something anomalous occur at the seawall, the system can indicate to the team that the threat intelligence may need to be revisited.
A side benefit of the seawall is that it can illustrate to management the deluge of threat activity hitting the organization's infrastructure. As fiduciaries over the business, leadership can use seawall data to counter the perception that fewer security resources are needed simply because the cybersecurity team has been successful at suppressing compromises.
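The two preceding paragraphs describe a mechanism rather than just a metaphor: a tier of proven-blocked indicators that suppresses alerts from the analyst queue, keeps counting hits so management can see the volume, and raises a flag when the seawall behaves in a way the team does not expect. The following Python sketch is an added example of that triage logic and is not code from the article or from SEI. The indicator values, the alert records, the `action` field, the `baseline_hits` figure and the `SURGE_FACTOR` threshold are all constructed assumptions for illustration.

```python
from collections import Counter

# Indicators whose blocking control is proven and understood by the team.
# All values are constructed samples (RFC 5737 test addresses, .example names,
# and a placeholder hash); none is a real indicator of compromise.
SEAWALL_INDICATORS = {
    "domain": {"malware-dl.example", "phish-login.example"},
    "sha256": {"0" * 63 + "1"},          # constructed placeholder hash
    "ip": {"203.0.113.45", "198.51.100.7"},
}

EXPECTED_ACTION = "blocked"   # the only outcome a seawall control should ever report
SURGE_FACTOR = 3              # assumed: hits above SURGE_FACTOR x baseline mean "revisit intel"


def on_seawall(alert, indicators=SEAWALL_INDICATORS):
    """True if the alert's indicator is on the seawall for its indicator type."""
    return alert["value"] in indicators.get(alert["type"], set())


def triage(alerts, baseline_hits, indicators=SEAWALL_INDICATORS):
    """Split one batch of alerts into the analyst queue and seawall hits.

    Returns a dict with:
      total     - number of alerts in the batch
      queue     - alerts that still need an analyst (unknown indicators, plus any
                  seawall hit that contradicts what the team knows about the control)
      hits      - Counter of seawall hits per indicator type (the management view)
      anomalies - seawall events that mean the threat intelligence should be revisited
    """
    queue, hits, anomalies = [], Counter(), []
    for alert in alerts:
        if not on_seawall(alert, indicators):
            queue.append(alert)            # not de-escalated: analysts look at it
            continue
        hits[alert["type"]] += 1           # counted even though it is suppressed
        # A seawall indicator that was NOT blocked means the control did not do what
        # the team believes it does. That is not a fly on the sticky paper; escalate it.
        if alert["action"] != EXPECTED_ACTION:
            anomalies.append({"reason": "control_failure", "alert": alert})
            queue.append(alert)
    total_hits = sum(hits.values())
    # A sudden jump in seawall volume is the other anomaly the article mentions:
    # the indicators still block, but something about the campaign has changed.
    if total_hits > SURGE_FACTOR * baseline_hits:
        anomalies.append({"reason": "surge", "hits": total_hits, "baseline": baseline_hits})
    return {"total": len(alerts), "queue": queue, "hits": hits, "anomalies": anomalies}


def suppression_ratio(result):
    """Fraction of the batch that never reached an analyst: the seawall's load share."""
    if result["total"] == 0:
        return 0.0
    return 1 - len(result["queue"]) / result["total"]


# Constructed sample batch: four clean seawall hits, one seawall indicator that was
# unexpectedly allowed through, and one indicator the seawall has never seen.
SAMPLE_ALERTS = [
    {"type": "domain", "value": "malware-dl.example", "action": "blocked"},
    {"type": "domain", "value": "malware-dl.example", "action": "blocked"},
    {"type": "ip", "value": "203.0.113.45", "action": "blocked"},
    {"type": "sha256", "value": "0" * 63 + "1", "action": "blocked"},
    {"type": "ip", "value": "203.0.113.45", "action": "allowed"},     # control failure
    {"type": "domain", "value": "new-c2.example", "action": "alerted"},  # unknown, to analysts
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS, baseline_hits=2)
    print("analyst queue:", len(result["queue"]), "alert(s)")
    print("seawall hits by type:", dict(result["hits"]))
    print("anomalies:", [a["reason"] for a in result["anomalies"]])
    print(f"handled by seawall: {suppression_ratio(result):.0%}")
```

The two anomaly paths are deliberately different. A `control_failure` is a single event that goes straight back into the analyst queue, because a seawall indicator that was not blocked is exactly the case where the team's confidence in the control is wrong. A `surge` leaves the individual alerts suppressed but tells the intelligence function to look again; the hits-per-type counter is what a manager would see as the "deluge" the article describes.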
In the pursuit of strong security and efficient utilization of information technology (IT) resources, a seawall can carry a heavy load for a well-constructed cybersecurity program. It lets the analysts float on the surface, above the expected attacks, and focus on attacks heading toward their infrastructure from the deep.
STEVE BOMBERGER is head of IT services at SEI.