3 Reasons Cybersecurity is More Difficult Than Before (Part 2)

In my first post, I sketched a woeful portrait of the reasons cybersecurity is more difficult today than in years past. Now that the dire picture is clear, what should we do to resolve these difficulties?

It begins with a change in mindset. The long history of human folly tells us that people are fallible. Men and women make decisions based on an ocean of biases, rules of thumb, and best guesses.

That ecstatic glow of subjective certainty should be dismissed as a source of knowledge. Passive Security depends on a blissful complacency rooted in a false belief: the belief that we can predict, model, or conform this wholly unknowable world to our predefined biases.

I propose something different. Instead, we can be scientific. We can be skeptical, we can use reason, and we can have enough intellectual courage to say, "I don't know." Science is a method above anything else. It embraces uncertainty and, in a cybersecurity context, it accepts that absolute prevention is unattainable.

In Part 1, I described the three principal reasons security has become more difficult. The method I am proposing can address each of them.

Increased Complexity

A method that begins with assumed compromise accepts complexity as inevitable and therefore not something to avoid. The method employs open-ended dialogue with the facts, the data, and the adversary. We will not know ahead of time where the labyrinth will lead us, but we can have confidence that as complexity changes, we have open-ended ways to accommodate it.

This is the same way that a child's language expands. Once a few rules are in place and the open-ended system is adopted, there is nothing to prevent further understanding. I don't know which word one of my children will learn next, but I do know they have the equipment to go wherever it leads. When you learned the combinatorial meaning of "This is the cat that ate the mouse," there was nothing to prevent you from understanding "This is the mouse that ate the cheese." By learning a few rules, a grammar, combined with an open-ended system, we can discover boundless possibilities.

If we are going to address evolving complexity, it begins by accepting that complexity cannot be contained, but it can be understood.

Increased Sophistication

The method to address evolving sophistication begins with an awareness of our own ignorance. We simply do not know the techniques that will be used tomorrow (let alone in years ahead). What we can know is that it will happen.

Adversaries only have to be right once. Security teams must be right every time. This lopsided ratio can be exploited with marginal sophistication - a 1% advantage is more than enough.

Going back to the example of learning language: the way humans grow a sophisticated vocabulary is through exposure to speakers with varied usage. If we believe we have reached the pinnacle of lexical capability, next year's dictionary will happily correct us.

Building an extensive awareness of sophisticated techniques begins with an understanding that such techniques are possible and have no end. Adversary imagination dislikes notices saying, "Keep out." Adversaries evolve to fit the environment; their techniques are the survival tactics of a belief-generating, goal-seeking animal. Human behavior is goal-directed, not stimulus-driven. The degree of sophistication will always grow to meet the demands humans face in achieving their goals. Adversaries are human, with all the typical flaws, shortcomings, and problem-solving skills we would expect from a specimen of Homo sapiens.

When we discover these techniques through threat hunting, we need not dismiss them as unimaginable or impossible, just as we do not dismiss a new entry to our vocabulary simply because it is our first hearing. We adjust to growing sophistication with an open mind that is empathetic toward adversarial behavior. Simply put: thinking like the enemy.

Volume of Security Alerts

The method I'm proposing helps us separate true positives from false positives when the deluge of alerts comes pouring in. This scientific, evidence-based reasoning is required to manage our security alerts at all. An exhaustive account of what every alert is saying is not feasible, so we need to break an effectively infinite set into "chunks." Chunking creates associations and clusters - a triage. Triaging alerts becomes possible when we reduce the variables to discrete clusters based on associative relationships. It is the relative value of an alert that is key: the context clues that serve as identifying markers of legitimate concern.

The term "triage" is used most often in healthcare. Imagine 500 patients dropped off at the emergency room at once, each with various presenting illnesses and symptoms. Based on the combination of discrete variables, medical staff can carve the group into associations (relative values), with each group receiving specific treatments (response measures).

However, this discrete and combinatorial process is taxing on human reasoning faculties. For a computer, it is native.

Continuous and routine data processing is serial, systematic, deliberate, and often mundane. Humans get tired, lazy, and apathetic; computers do not. This combinatorial assessment is algorithmic in nature, and we humans cannot compete with computers for speed and accuracy.

By coalescing relationships based on any number of variables, incident responders can find the needle in a stack of needles. With associations, you can find categories and their endless combinations with other categories (e.g. applications, geolocations, users, addresses, unknown entities). An alert that shares a user, a source address, and a host with three other alerts carries more relative value than a lone alert firing on a higher-severity rule.

This works provided we are evidence-based and knowledge-driven, which is foundational to the proposed method.
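To make the chunking concrete, here is an added example (my own illustration, not code from the original post or from FireMon) of associative triage over a handful of constructed alerts. Two alerts are linked when they share a value on any pivot field (user, source IP, host); linked alerts are merged into clusters with a union-find, and each cluster is ranked by how many distinct rules corroborate it and how many alerts it holds. The field names, rule names and all alert values are assumptions made for the example.

```python
"""Associative alert triage: cluster alerts on shared entities, rank the clusters.

Added example; the alert records below are constructed and the field names
(user, src_ip, host, geo, rule) are assumptions, not any product's schema.
"""
from collections import Counter, defaultdict

# Constructed sample alerts (assumed schema). "-" marks a missing entity.
ALERTS = [
    {"id": 1, "rule": "failed_logon_burst", "user": "jdoe",       "src_ip": "203.0.113.7",  "host": "WS-42",   "geo": "RO"},
    {"id": 2, "rule": "impossible_travel",  "user": "jdoe",       "src_ip": "203.0.113.7",  "host": "VPN-GW",  "geo": "RO"},
    {"id": 3, "rule": "new_admin_tool",     "user": "jdoe",       "src_ip": "10.0.5.12",    "host": "WS-42",   "geo": "US"},
    {"id": 4, "rule": "av_signature_hit",   "user": "svc-backup", "src_ip": "10.0.9.3",     "host": "FS-01",   "geo": "US"},
    {"id": 5, "rule": "failed_logon_burst", "user": "rsmith",     "src_ip": "198.51.100.9", "host": "WS-17",   "geo": "US"},
    {"id": 6, "rule": "port_scan",          "user": "-",          "src_ip": "203.0.113.7",  "host": "DMZ-WEB", "geo": "RO"},
]

# Fields on which two alerts are considered associated when they share a value.
PIVOT_KEYS = ("user", "src_ip", "host")
NULL_VALUES = {"-", "", None}


def build_clusters(alerts, keys=PIVOT_KEYS):
    """Return a list of clusters; each cluster is a list of alert dicts.

    Alerts are joined transitively: A~B on user and B~C on src_ip puts A, B, C
    in one cluster even though A and C share nothing directly.
    """
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):  # union-find root with path compression
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index every (field, value) pair to the alerts carrying it.
    index = defaultdict(list)
    for a in alerts:
        for k in keys:
            v = a.get(k)
            if v in NULL_VALUES:
                continue  # a missing entity must not glue unrelated alerts together
            index[(k, v)].append(a["id"])

    # Every alert sharing a (field, value) pair joins the same set.
    for ids in index.values():
        for other in ids[1:]:
            union(ids[0], other)

    clusters = defaultdict(list)
    for a in alerts:
        clusters[find(a["id"])].append(a)
    return list(clusters.values())


def triage(alerts, keys=PIVOT_KEYS):
    """Rank clusters by corroboration: distinct rules times alert count."""
    ranked = []
    for members in build_clusters(alerts, keys):
        rules = {m["rule"] for m in members}
        # Pivots shared by at least two members are what a responder pivots on.
        counts = Counter(
            (k, m[k]) for m in members for k in keys if m.get(k) not in NULL_VALUES
        )
        shared = sorted(f"{k}={v}" for (k, v), n in counts.items() if n >= 2)
        ranked.append({
            "alert_ids": sorted(m["id"] for m in members),
            "distinct_rules": len(rules),
            "score": len(rules) * len(members),
            "shared_pivots": shared,
        })
    # Highest score first; ties broken by the lowest alert id for stable output.
    ranked.sort(key=lambda c: (-c["score"], c["alert_ids"][0]))
    return ranked


if __name__ == "__main__":
    for cluster in triage(ALERTS):
        print(cluster)
```

On the constructed batch, alerts 1, 2, 3 and 6 collapse into a single cluster (joined through user jdoe, source 203.0.113.7 and host WS-42) backed by four different rules, while alerts 4 and 5 stay as singletons at the bottom of the queue. Note that alert 6 has no user: the `NULL_VALUES` check is what stops every user-less alert from being welded into one giant cluster, a failure mode that defeats the whole point of chunking.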

Conclusion

Being a security professional is not for the faint of heart. It demands a scientific, skeptical mindset coupled with a florid imagination and an open mind. We can meet these challenges and we can create a path forward. However appealing the lure of Passive Security may be, it is a poisoned chalice. We can shake free of all of that; we can embrace uncertainty, use the tools of reason, and apply the method of science to better understand the threats we face. But only if we evolve, just as the threat landscape has.

#firemon #threathunting #cybersecurity