Improving Cyber Strategy by Learning NFL Defensive Tactics

In one of the best security presentations of 2018, Nick Drage explains how to improve cyberdefense using NFL (American football) strategies and tactics. I interviewed him to learn more.

Why are enterprises losing so many global cyberbattles?

Despite hard work, long hours, smart people and great individual hacking tactics, what online trends are overwhelming security teams?

How can cyberpros, who are already constantly upgrading their OWASP skills and working nights and weekends, do more with less?

What other professionals' disciplines can we learn from, and what analogies and examples can help teach us lessons to improve security effectiveness?

Recently I met Nick Drage online. Nick is the principal consultant at Path Dependence Limited in the U.K. He is a security thought-leader, practitioner, global cybersecurity consultant, and he presents on security issues at conferences worldwide.

I was very intrigued by Nick’s recent presentation in Belgium which packs so many helpful examples, practical lessons, fun stories and more about what’s going on in our security industry.

In addition, even though we come from very different backgrounds, Nick and I both believe, write and talk about how security teams and leaders can learn a lot from American football. But he takes his analogies and lessons further than most.

I strongly urge you to watch this passionate, clear, ground-breaking presentation. I'll go further: this video is in my "must watch" category for all cybersecurity and technology leaders as well as frontline cyberpros. Note that it was given at an OWASP event in Europe. Caution: you'll need 45 minutes, but it is well worth your time.

NFL / Global Cybersecurity Similarities

At a summary level, what is Nick's case? As the NFL playoffs rolled into divisional round games this weekend, more and more cybersecurity experts are seeing similarities between football strategies and cyberdefense strategies. Indeed, the lessons learned go much deeper than executive level analogies and fun tips.

After all the effort we put into improving our technology, why does everything seem so awful in cybersecurity? Here are some of Nick’s main points in the video presentation:

· In any battle, we have: grand strategy (the ultimate goal), strategy (the big idea), tactics (the things you use) and operations (the way you use them).

· You work long hours and become the best (hacker) you can be by improving your skills with passion. But team play is lacking.

· Whatever we build, including infrastructure, applications and code, we make it as good as we can. But the sum of the parts seems to lack coordination.

· Meanwhile, data breaches are way up, along with global risks and cyberthreats going forward.

· Getting better at cybersecurity may feel like we're playing golf, trying to improve our individual game, but we're not.

· We need to look to other disciplines to learn from others. We can save decades, and we are at a strategic inflection point now.

· We need to work smarter, which means a different way of thinking.

Quote: "I think our (cyber) industry thinks they are practicing golf, but it looks, sounds and feels a lot more like this. ..." (go to the 12:45 mark in the video). We're actually playing a game similar to American football, like the NFL.

Why? Both NFL football and cybersecurity are:

· Utterly incomprehensible from the outside

· Complex

· Team games

· Highly specialized

· Situational

· Attack or defend

· Driven by offensive and defensive playbooks

· Fights over territory

Exclusive Interview with Dan Lohrmann and Nick Drage

Dan Lohrmann (DL): Your presentation from Belgium which is part of the "Open Web Application Security Project" (and the YouTube presentation shown above) is titled: "Lessons from the Legion." Who was your audience and what does that session title mean?

Nick Drage (ND): My audience were all the attendees at OWASP BeNeLux, a daylong conference in Mechelen, Belgium, organized by the OWASP organizations from the Netherlands, Belgium, and Luxembourg. They were a variety of cybersecurity focused developers or engineers or managers, or other functions associated with cybersecurity in some way.

As for the session title, "Lessons From The Legion" kind of means "What lessons can the cybersecurity industry learn from the play of the NFL's Seattle Seahawks defense between 2011 and 2017, commonly known as 'The Legion of Boom era,' " and kind of means "To me, as someone who's always had an interest in conflict in warfare, or sports, or video games, the way we handle cybersecurity has always felt wrong, and this is the start of my exploration into why".

DL: What is the main session point that you are making for security teams engaged in cyberdefense?

ND: That there are lessons we can learn from organizations who operate in a similar environment to our own. In particular, the ways those organizations have succeeded or failed can illustrate what we should emphasize or ignore. Trying to make sense of how to win our complex conflicts is a very difficult task, especially as the Internet is such a counter-intuitive environment; looking at football, a less complex area of conflict with much simpler "victory conditions," we can pick out strategies we might have otherwise dismissed.

While the more notable and noisy parts of my thinking relate to football, I think the industry has a lot to learn from war fighters as well, most starkly the importance of logistics and morale — but those lessons are less entertaining and the video clips are less immediate.

DL: Why do you find NFL football analogies helpful?

ND: I've followed the game, on and off, for about three decades — I fell away from it due to the lack of in-depth coverage, especially in the UK. But then in the last few years, my interest was rekindled when Andy Ellis, currently the CSO of Akamai, mentioned the Football Outsiders website on Twitter. From reading that website and following from there I discovered other resources that meant I could begin to finally appreciate the complexity of the game and the tactics and strategies that work or don't.

And from there, just from the discussions about the keys to team success — playing as a team, finding players to fit your strategy while modifying your strategy to fit your players, the emphasis on preparing for opponents, the importance of analytics in removing human bias from decision-making, and so many more ... I was struck by how those ideas weren't being followed in my industry, which seems to have much more of an emphasis on personal talent and technological superiority.

So those analogies help me conceive of the issues the industry faces, but in a simpler way than trying to comprehend an entire industry.

DL: You take your football examples to a level I have never seen, and offer great lessons that are helpful. What are those key lessons (summarized)?

ND: I think my key lessons would be: 

One — The importance of practice. I think this is something people appreciate but rarely implement. Practice can mean you simply become more adept at the fundamentals required for your profession, which is what most industry training focuses on, but more realistic practice helps you become better in the vagaries of a real world situation, and means you and your colleagues become more familiar with each other's strengths and weaknesses as individuals and as a team, meaning that you perform better in real world situations; also, practice helps remove issues with your processes or plans when mistakes don't really matter. And especially if you've practiced, at some point, against an actual Red Team — all that means when it comes to a real world situation, such as a breach, you've already been through a similar situation so many times before that you're in the best condition to respond when it counts.

Two — What I describe as "eliminate the big play", essentially that the most important cyber security issue for many organizations isn't to avoid being compromised at all, but avoid being compromised in a significant way. In the same way that an NFL Defense can give up yards as long as it doesn't give up points, cybersecurity defenders can withstand insignificant compromises of their systems while using those attacks to learn more about their opponent, rather than trying to somehow stop all attacks everywhere they protect.

Three — my final point is "out hit your opponent". In cyber security there's almost no "attacker cost", which gives our adversaries no discouragement from trying different attacks, especially with so many opportunities for automation. By making each attack represent a risk to the attacker, not only is the entire conflict more balanced, but you can gain valuable time by slowing down your opponents' decision making process.

DL: Why is a focus on tactics and tools without a wider cyber strategy such a dangerous thing?

ND: It's dangerous because we do have a wider cyber strategy, it's just not overt and explicit, which means we've not considered issues with our implied strategy overall, or whether there are better ways to face our challenges overall that aren't apparent from a tactical viewpoint. The tactics and tools organizations adopt, for example an emphasis on technological solutions and individual aptitude, or an emphasis over perimeter firewalls rather than micro-segmentation or endpoint security, are emergent properties of the tactics that feel right as point solutions, but possibly don't scale efficiently as part of a complex system.

DL: Do we need a paradigm shift at how we look at attack / defend in cyberspace? Where is this heading next?

ND: Do we need a paradigm shift? I can very confidently reply with a definite "probably." It might be that our current ways of working are the best we can do in a vendor-led and technology focused industry, but it does feel to me as though we've sleep-walked into that situation, rather than intentionally entered it; and that we can achieve more with the talent and resources we have.

And as to where this is heading next? I don't know. I think the Zero Trust Networking / BeyondCorp ideas look promising, but I recall from reading up on the theory behind it a couple of years ago that some of the concepts, such as the all-seeing, all-knowing Data Acquisition Network, seemed unworkable. I think the DoD's "Defend Forward" idea is interesting as a way forward, but it seems to be coming in just when the defenders - due to the increasingly virtual nature of infrastructure - finally have home field advantage. I'd love to give you a confident prediction, but I have more questions than answers right now.

For the rest of this interview and closing thoughts, See: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/improve-cyber-strategy-by-learning-nfl-defensive-tactics.html

Bob Korzeniowski

Wild Card - draw me for a winning hand | Creative Problem Solver in Many Roles | Manual Software QA | Project Management | Business Analysis | Auditing | Accounting

5 years

"why does everything seem so awful in cybersecurity?" Because there are zero entry level cybersecurity jobs that require no experience. What happens is that companies want to hire cybersecurity talent. OK, so they spam job ads with dozens of ads looking for "experienced" cybersecurity professionals. Problem is, they're already working elsewhere. So after 6-12 months of getting nothing, they spam more job ads. Meanwhile, they get hacked repeatedly in the meantime. An empty chair does not solve more problems than a rookie. Can't have an NFL defense using empty chairs.

Aaron Howes

Senior IT Project Manager PG&E

5 years

Looking for a cross comparison for a torn ACL... jk I love it!

Brendan Usher

Director at Logical Line Marking

5 years

You’ve sparked my interest Dan, where did you learn about this?

Paul Tisch

Client Executive @ T-Mobile | Technology advisor | Problem solver | Music fanatic

5 years

I love this - thank you for sharing!
