
There's a lot of information about Lockheed's implementation (search for Lockheed Kill Chain presentation), but here's a specific presentation they gave at Black Hat:

https://media.blackhat.com/bh-us-12/Briefings/Flynn/bh-us-12...

The high-level takeaway is that they developed a response methodology (modeled after a military kill chain) that breaks up an attack into different phases, and they then have protection (and more importantly, detection) processes in place for each phase.

The idea is that a successful attack (i.e. data is exfiltrated, which is predominantly the type of attack they are concerned with) doesn't just magically happen. Each phase of the kill chain has to be bypassed, so you have multiple places to detect (and hopefully prevent) it.

You also have the benefit of asymmetrical information, which is to say, that when you stop an attack inside the kill chain, you have all the information that got them to that point, whereas they don't necessarily know why the attack was unsuccessful. That allows you to build a knowledge base specific to the attacker so that future attacks can be stopped earlier on in the process.

Lockheed's kill chain implementation (and ours as well) is lacking the last phase of response that is present in the military one (mainly: they can launch a missile strike or send tanks, whereas we are obviously slightly more limited in our response).

Basically, this process came about as a reaction to the reality of the defense situation (which is that for all intents and purposes you can't actually stop them from getting into the network; you have to have a response plan to mitigate attack success that includes your systems getting compromised).
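The "asymmetrical information" point above (stop the attack at one phase, keep the indicators from every earlier phase, and catch the same actor sooner next time) is easy to show with a small phase-indexed indicator store. The code below is an added illustration written for this page; it is not the commenter's code and not anything Lockheed published. The seven phase names are the ones Lockheed Martin's kill-chain paper uses; every indicator value (sender address, hash, domain) is a constructed placeholder, not a real IoC.

```python
"""Kill-chain indicator knowledge base: an added example, not Lockheed's code.

A detected intrusion yields indicators for each phase the attacker passed
through. Storing them per campaign lets a later intrusion by the same actor
be matched at the earliest phase where any known indicator recurs.
"""
from dataclasses import dataclass, field

# Phase names as published in Lockheed Martin's kill-chain paper, in order.
PHASES = (
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
)


@dataclass(frozen=True)
class Indicator:
    """One observable tied to a phase; frozen so it can live in a set."""
    phase: str
    kind: str   # e.g. "sender", "attachment_hash", "c2_domain" (constructed labels)
    value: str

    def __post_init__(self) -> None:
        if self.phase not in PHASES:
            raise ValueError(f"unknown kill-chain phase: {self.phase}")


@dataclass
class KnowledgeBase:
    """Indicators grouped by the campaign (attacker) they were attributed to."""
    by_campaign: dict = field(default_factory=dict)

    def record_intrusion(self, campaign: str, indicators) -> None:
        # Every phase reached before detection contributes indicators,
        # even though the intrusion was stopped at a later one.
        self.by_campaign.setdefault(campaign, set()).update(indicators)

    def earliest_detection(self, observed):
        """Return (phase, campaign, indicator) for the earliest-phase match,
        or None when nothing observed matches a stored indicator."""
        best = None
        for campaign, known in self.by_campaign.items():
            for ind in observed:
                if ind in known:
                    idx = PHASES.index(ind.phase)
                    if best is None or idx < best[0]:
                        best = (idx, campaign, ind)
        if best is None:
            return None
        idx, campaign, ind = best
        return PHASES[idx], campaign, ind


def demo():
    """Two constructed intrusions by one actor; returns the detection phase of each."""
    kb = KnowledgeBase()

    # Intrusion 1 was only noticed at the C2 phase, but analysis of the
    # earlier phases recovered indicators for delivery, exploitation, install.
    first = [
        Indicator("delivery", "sender", "invoice@example-sender.invalid"),
        Indicator("exploitation", "attachment_hash", "PLACEHOLDER_HASH_1"),
        Indicator("installation", "dropped_file", "PLACEHOLDER_FILE_A"),
        Indicator("command_and_control", "c2_domain", "c2-one.invalid"),
    ]
    first_detected_at = "command_and_control"
    kb.record_intrusion("campaign-A", first)

    # Intrusion 2: the attacker retooled the C2 domain and payload (the part
    # they assume was caught) but reused the same delivery sender.
    second = [
        Indicator("delivery", "sender", "invoice@example-sender.invalid"),
        Indicator("exploitation", "attachment_hash", "PLACEHOLDER_HASH_2"),
        Indicator("command_and_control", "c2_domain", "c2-two.invalid"),
    ]
    hit = kb.earliest_detection(second)
    second_detected_at = hit[0] if hit else None
    return first_detected_at, second_detected_at


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `record_intrusion` stores indicators from every phase the intrusion passed through, not just the phase where it was caught; that is what moves detection of the second intrusion from command-and-control back to delivery.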
