3 x 3 Security Control Pillars


Note: All false modesty is gone in this article, so if you don't want to read some old geezer telling you how great he thinks some of his ideas are, stop reading now. This is also a near-repeat of an article I wrote last month, so if you read that one, you can stop reading now. <grin>

I’ve been doing computer security for 33 years now and I have written 12 books and over 1000 articles and blogs about computer security. I’ve been everything from a computer trainer and PC/Network Technician to Vice-President of IT (in two national companies). I was the weekly security columnist for IDG/InfoWorld/CSO for almost 15 years. I’ve passed dozens of computer certifications. I’ve been on the board of directors of a few IT security firms and I have belonged to a handful of working group committees for different national computer security organizations. Suffice to say, I think about computer security a lot. Almost every waking hour. I read and listen a lot about computer security. I pay attention to what the best thought leaders say. For over 30 years. I’m trying my hardest to help make the world a safer place for everyone to compute in whatever way I can. I believe if I don’t participate in significantly improving the safety of the Internet for everyone my career will have been an utter waste. That’s me, professionally, in a nutshell.

About ten years ago, I figured out what the single biggest problem was in computer security (i.e. that most defenders focus on the wrong things) and I wrote a book about it called A Data-Driven Computer Defense (https://www.amazon.com/Data-Driven-Computer-Defense-Way-Improve/dp/1092500847).


It’s my magnum opus. It matters more than anything else I’ve ever written or done professionally. I know it’s not being humble when I say that I think it’s one of the most important computer security books ever written by anyone. It’s not because I’m a genius. I’m not. I just have put in my hours and thought about the underlying problems for a really long time. I cared so much that I neglected a lot of other things in my life to be able to devote myself to figuring out how to stop cybersecurity incidents. And that along with some luck made me able to see some of the fundamental problems. It was harder to figure out how to fix them.

I don't say anything surprising or revolutionary in the book other than to put what we all already know in writing. Sometimes all that is needed is for someone to say the obvious for it to become public common sense. The book's very simple lessons underpin what is wrong with most computer security defenses, how it got that way, and how to fix it. I was delighted with how it did commercially. It sold over 30,000 copies (which is great for a computer security book) and was selected by several organizations as their cybersecurity book of the month. It was even nominated for the Cybersecurity Canon Book Hall of Fame (https://cybercanon.paloaltonetworks.com/). I get emails all the time from people thanking me for helping to change the way they think about computer security. When I die, it's one of the things I will be most proud of.

3 x 3 Computer Security Pillars

A few weeks ago, I introduced something that I think is just as common sense as a Data-Driven Computer Security Defense, which I called at the time The 3 Pillars of the Three Security Pillars (https://blog.knowbe4.com/the-three-pillars-of-the-three-computer-security-pillars). I've since changed the name to 3 x 3 Security Pillars, and this article re-covers it for those who might have missed the original. Below is the graphical representation of the 3 x 3 Security Pillars.


In a nutshell, for every threat and risk your organization faces, you have three major security control objectives:

·        Prevent

·        Detect

·        Recover

You want to prevent bad things from happening in the environment you manage: prevent the initial exploitation and, if that fails, prevent the attacker from spreading easily within it. If something gets past your preventive controls, you want early warning and detection so you can limit the damage. And then you have to recover from the attack and work out how to prevent it next time. Long-term, successful computer security is as much about risk management and gap analysis as it is about bits and bytes.

For each of the three security control objective pillars (i.e. prevent, detect, recover) you have to do everything in your power to mitigate the most likely threats, combining the best defenses you can across the three types of prescriptive security controls:

·        Policy

·        Technical

·        Training

Every security control needs policy behind it. Each control needs policy, procedure, and guidelines. You must explicitly document what each control is expected to do so there is no ambiguity. Everyone needs to understand what the biggest, most likely threats are and how you are mitigating them. Clearly stated expectations also give you accountability when someone doesn't do what was expected. Or perhaps everyone does everything right and something bad still happens; that means you missed something, and you have to update the controls. Either way, documented and communicated controls help everyone understand the expectations and row in the same direction.

Technical controls are all the mitigations you can implement in software or hardware, bits and bytes, to enforce a particular input, action, or output. Whenever possible, implement a technical control to mitigate your biggest threats. They knock down the majority of your risk and do so automatically, without relying on a person to make the right call every time.

Lastly, some amount of badness will always get past your technical controls and end up in front of a person, who has to see it and evaluate it. I don't care what you implement, technical controls are not perfect, and hackers find ways around them. So, you need to educate your staff and workers on how to spot badness when it gets past the existing technical controls and what they should do when they see it (hopefully report and mitigate).

So, that's it - that's the 3 x 3 Security Pillars. You need to figure out what your true, most likely, biggest threats are first. Then figure out how to prevent and detect them. You need incident response and recovery for when those threats get by your existing defenses, to minimize damage and speed up healing. You execute all of these things by issuing policies, implementing technical controls, and educating your people. That's computer security in a nutshell.

So, every time I learn about a major, likely threat, I begin by asking myself: "What policies, technical controls, and education do I need to implement to mitigate this risk?" Most people tend to have expertise in only one or two of these. Good computer security leaders consider all three, every time, for every threat. This lesson is one I wish I had learned 30 years ago when I was first starting. It would have spared me a lot of the hard lessons that are only taught by failure.
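To make that question concrete, here is an added example (my code, not the author's) that treats the 3 x 3 grid as a gap-analysis checklist. Every control in an inventory is tagged with the threat it mitigates, the objective it serves (prevent, detect, recover) and its type (policy, technical, training); for each threat, ranked by how likely you judge it to be, the script prints the grid and lists the cells that have nothing in them. The two threats, the control inventory and the likelihood figures are constructed for illustration only; substitute your own.

```python
"""Gap analysis over the 3 x 3 Security Control Pillars.

Added example: rows are the three control objectives, columns are the
three control types. Each control in an inventory is tagged with the
threat it addresses and the cell it occupies; the empty cells for a
threat are the gaps to work on, starting with the most likely threats.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OBJECTIVES = ("prevent", "detect", "recover")
CONTROL_TYPES = ("policy", "technical", "training")
Cell = Tuple[str, str]  # (objective, control_type)


@dataclass(frozen=True)
class Control:
    name: str
    threat: str        # the threat this control mitigates
    objective: str     # one of OBJECTIVES
    control_type: str  # one of CONTROL_TYPES

    def __post_init__(self) -> None:
        # Reject mis-tagged controls up front rather than silently mis-filing them.
        if self.objective not in OBJECTIVES:
            raise ValueError(f"unknown objective: {self.objective!r}")
        if self.control_type not in CONTROL_TYPES:
            raise ValueError(f"unknown control type: {self.control_type!r}")


def coverage_matrix(threat: str, controls: List[Control]) -> Dict[Cell, List[str]]:
    """Map every (objective, type) cell to the names of the controls that fill it."""
    matrix: Dict[Cell, List[str]] = {
        (obj, kind): [] for obj in OBJECTIVES for kind in CONTROL_TYPES
    }
    for control in controls:
        if control.threat == threat:
            matrix[(control.objective, control.control_type)].append(control.name)
    return matrix


def gaps(threat: str, controls: List[Control]) -> List[Cell]:
    """Cells with no control at all for this threat, in grid order."""
    return [cell for cell, names in coverage_matrix(threat, controls).items() if not names]


def prioritized_gaps(likelihood: Dict[str, float],
                     controls: List[Control]) -> List[Tuple[str, List[Cell]]]:
    """Threats most likely first, each paired with its empty cells.

    `likelihood` is whatever relative estimate you trust (incident history,
    threat intel); its only job here is to order the work."""
    ordered = sorted(likelihood, key=likelihood.get, reverse=True)
    return [(threat, gaps(threat, controls)) for threat in ordered]


def render(threat: str, controls: List[Control]) -> str:
    """Plain-text grid for one threat; '-' marks an empty cell."""
    matrix = coverage_matrix(threat, controls)
    width = 34
    lines = [f"threat: {threat}",
             "".ljust(10) + "".join(kind.ljust(width) for kind in CONTROL_TYPES)]
    for obj in OBJECTIVES:
        row = obj.ljust(10)
        for kind in CONTROL_TYPES:
            names = matrix[(obj, kind)]
            row += (", ".join(names) if names else "-")[:width - 2].ljust(width)
        lines.append(row)
    return "\n".join(lines)


# Constructed sample inventory (illustrative, not any real organization's).
SAMPLE_CONTROLS = [
    Control("Email acceptable-use policy", "phishing", "prevent", "policy"),
    Control("MFA on all external logins", "phishing", "prevent", "technical"),
    Control("Quarterly simulated-phishing exercises", "phishing", "prevent", "training"),
    Control("Mail gateway URL rewriting and alerting", "phishing", "detect", "technical"),
    Control("'Report phish' button training", "phishing", "detect", "training"),
    Control("Credential-compromise response playbook", "phishing", "recover", "policy"),
    Control("Forced password reset and session revocation runbook", "phishing", "recover", "technical"),
    Control("Patch SLA: critical fixes within 7 days", "unpatched software", "prevent", "policy"),
    Control("Automated patch deployment", "unpatched software", "prevent", "technical"),
    Control("Vulnerability scanner alerts on missing patches", "unpatched software", "detect", "technical"),
]

# Constructed relative likelihoods for the same two threats.
SAMPLE_LIKELIHOOD = {"unpatched software": 0.3, "phishing": 0.6}


if __name__ == "__main__":
    for threat, missing in prioritized_gaps(SAMPLE_LIKELIHOOD, SAMPLE_CONTROLS):
        print(render(threat, SAMPLE_CONTROLS))
        print("gaps:", ", ".join(f"{o}/{t}" for o, t in missing) or "none", "\n")
```

Run as-is, the sample inventory shows phishing missing only a detection policy and recovery training, while the unpatched-software row has no recovery controls of any kind; a threat with no controls at all shows nine empty cells, which is the "you missed something" case from the policy section above. The point of keeping the inventory in data rather than in someone's head is that the gap list, not the list of what you already own, becomes the agenda.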

If you've made it to the end, thanks for putting up with my not-so-humble, possibly delusional, bragging. But I'm almost 54 years old and I've maybe got 10-15 years left in my career, and I wanted to pass along some lessons I've learned…and get something written down and passed along to everyone else fighting the good fight. Sometimes all it takes is saying the obvious for it to become common sense.

Andy Lowe

Cyber Security & Information Assurance Manager

4 years ago

Love the use of the term "badness"

Christopher Peacock

Distinguished Engineer | MITRE ATT&CK Contributor | Author - TTP Pyramid | BlackHat Course Author & Instructor | Sigma Contributor | LOLBAS Contributor | GCTI | GCFA | GCED | eJPT | CSIS | Security+

4 years ago

How do you detect things when you don't know they exist? Most organizations don't understand that malicious actors use PowerShell, or how they use it, so organizations don't monitor it.

Ernesto Ballesteros, JD, MS, CISSP, CISA, TS/SCI

Cybersecurity State Coordinator of Texas at Cybersecurity and Infrastructure Security Agency

4 years ago

Excellent article and simplified approach to information security management!


More articles by Roger Grimes
