Lose the Security Wheel
Ed Amoroso suggests a brand new aspirational model for cyber security: Explode, Offload, and Reload. #CyberSecurity

Know, prevent, detect, respond, recover. This aspirational model of cyber security is as ubiquitous in our industry as the colorful wheels used to depict the concept. Like similar mnemonic aphorisms from other disciplines – stop, drop, roll, or work quickly, change speeds, throw strikes – this familiar view of the top-level goal of cyber security remains basically unchallenged. It is a given.

The problem is that the model represents a terrible aspirational view of cyber security. Obviously, it is an accurate observational view of cyber security. We all seem to do these steps to some degree, and the security advice you get from consultants nowadays involves which direction to slosh your emphasis. (By the way, the current fad is to emphasize the latter steps, which just seems nuts to me. But, whatever.)

My view is that the thinking behind this model helped lead to attacks on Target, Home Depot, Sony, Yahoo, OPM, Equifax, Deloitte, and on and on. Think about it: Aspiring to any model where three fourths of the steps presume that an attack has already occurred is like deciding in advance to punt on third down. To that end, I would propose a much different aspirational model – one targeting a more successful outcome. Here it is:

Explode, offload, reload.

These three terms, even with no explanation, are much more likely to produce some pause to your malicious adversary than that dumb wheel on your PowerPoint deck. When you do read the explanation of the steps below, I hope you will agree that they comprise a more viable cyber defense than the sleep-inducing alternative they replace. The challenge is that they require a change of perspective – and that may not be easy.

First, the process of exploding your perimeter-defined infrastructure into smaller distributed workloads will produce predictable views: Excitement for cyber security engineers, and horror for C-suite executives. (Sadly, most compliance initiatives today generate exactly the opposite range of emotions.) The reality, however, is that perimeters do not work, so you must get rid of them. Explode your network. Period.

Here is a harsh, but accurate analogy: If a terrorist bomber targets a building with a truck-full of explosives, then so long as a drive path exists to the facility, a bad outcome will occur. But if the security team has already “exploded” the building by dismantling it into its composite bricks (workloads), then the image comes to mind of a confused truck bomber parked outside an empty lot, wondering where the target went.
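The "explode" argument can be made concrete by measuring blast radius. The block below is an added example, not code from the column: it takes a constructed inventory of workloads with constructed per-workload allow-lists and compares what one compromised host can reach in a flat, perimeter-only model against what it can reach once each workload carries its own ingress policy. Workload names and the policy table are assumptions made for illustration.

```python
"""Added example (not from the column): blast radius of one compromised host
under a flat perimeter versus an "exploded" set of workloads, each with its
own ingress allow-list. Inventory and policy below are constructed."""
from collections import deque

# Constructed inventory: everything that used to sit behind one perimeter.
WORKLOADS = ["web", "api", "auth", "orders-db", "hr-db", "backup", "jump"]

# Constructed per-workload ingress policy for the exploded architecture:
# destination -> set of sources allowed to open connections to it.
# Anything not listed is denied, so every workload is its own perimeter.
SEGMENTED_POLICY = {
    "web": set(),                     # reachable from the edge only, not from peers
    "api": {"web"},
    "auth": {"api"},
    "orders-db": {"api"},
    "hr-db": {"jump"},
    "backup": {"orders-db", "hr-db"},
    "jump": set(),
}


def flat_reachability(compromised, workloads):
    """Perimeter-only model: once inside, every other workload is reachable."""
    return set(workloads) - {compromised}


def segmented_reachability(compromised, policy):
    """Breadth-first search over the allow-list graph: the workloads an
    intruder holding `compromised` could reach by hopping only along
    permitted source -> destination edges."""
    reachable = set()
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for dest, allowed_sources in policy.items():
            if src in allowed_sources and dest != compromised and dest not in reachable:
                reachable.add(dest)
                queue.append(dest)
    return reachable


def blast_radius_report(compromised):
    """Side-by-side count for one starting point, plus the segmented host list."""
    flat = flat_reachability(compromised, WORKLOADS)
    seg = segmented_reachability(compromised, SEGMENTED_POLICY)
    return {"flat": len(flat), "segmented": len(seg), "segmented_hosts": sorted(seg)}


if __name__ == "__main__":
    for host in ("web", "jump", "backup"):
        print(host, blast_radius_report(host))
```

Running the report for each workload in turn is a cheap way to find the policies that still let one foothold fan out to most of the estate; those are the allow-lists to tighten first.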

Second, the process of offloading smaller distributed workloads into virtualized cloud infrastructure produces similarly disparate emotions: Eagerness for security engineers, and hesitancy for the C-suite. Such executive hesitancy is more prominent when the offloading involves the use of public cloud, but this may be the only viable economic option for companies not rich enough to build their own software-defined data centers.

Offloading distributed workloads to virtual infrastructure reduces cost (hardware replaced with software) and maximizes flexibility. Adjustment of virtual computing and networking to support these offloaded workloads makes this step economically feasible in modern infrastructure. The instincts of traditional IT managers involve deploying hardware and then leaving it alone. This will not stop capable hackers.

Finally, the process of reloading cyber security involves the careful selection and deployment of modern protection technology into your newly virtualized, distributed architecture. By shifting workloads to an alternate environment, you create a new greenfield target for virtualized security technology solutions. Such once-in-a-lifetime opportunities are not to be missed, so this must be attended to properly.

Anyone reading this note knows that no shortage exists of commercial cyber security technologies. Adaptive authentication, machine learning detection, cloud visibility tools, on-demand SDN security, and on and on, represent amazing new software defenses that will reduce cyber risk. Reloading these new capabilities into your new distributed architecture will make things more challenging for your adversary.

Look, I acknowledge that many of the readers of my column have PowerPoint decks with that colorful wheel on the first chart they use with customers every day. I’m also aware that NIST bases much of its work on the know, prevent, detect, respond, recover model. (I’m even aware that Gartner has replaced know with predict, dropped recover, and charges $195 for the report that explains the change. Ugh.)

But my advice is offered here nevertheless. We are losing the cyber war to nation-state and criminal groups, so perpetuating existing approaches based on familiar models is crazy. Why not rethink whether your organization (or product) (or service) would benefit significantly by losing the colorful wheel, and replacing it with this new approach: Explode, offload, reload.

(Drop me a note here after you remove that wheel from your charts!)

Leo Pellerin

CIO at United Way of Connecticut

7 years

I agree with Ed on this one, the days of building a better wall are not an effective weapon against today's threats. Once you can admit that you are not impenetrable, it makes perfect sense. For many, it makes sense to spread the systems out instead of putting them all together in a single security structure. I like to use the Pearl Harbor analogy; after that event the US Navy realized that it was better off having many smaller distributed bases vs one big base for half your fleet.

Eric Veum

Security Engineering - Product Security

7 years

‘Explode, then reload’ - how can that fix or redesign better software and electronic information systems? It's a Möbius strip of brokenness. The companies you mention had a breakdown (or lack of) integrity and detective controls (like Target). Configuration management, boot integrity, access controls — all well known to the industry but not fully implemented. It's not complicated to design the correct preventive solutions, just engineering time and money — however other priorities took precedence, likely arrived at with a business scope ‘risk model’

Donald A.

Active Risk Management

7 years

I agree that the security models in use are not adequate. I tend to believe that the models try to protect all data which is not realistic. I believe that the strongest protections work when concentrated on the data of highest value and the users that need to work with it. Much easier to keep the eyes on the prize versus trying to save everything. Other data may be managed by concentrating on recovery efforts. Segment off the people and the lower value data from the high value and use your resources (and budget) appropriately.

I'm not a security expert, but aren't most security failures the result of one or both of these issues? 1. Social hacking, where staff loses control of their 'secret' credentials. 2. Software that has bugs and allows access to unplanned information. I don't see how these issues get solved after the fact. We can lecture people and programmers on being very careful, or we can change the way things work. We are already 'patching' the use of identities and passwords with 2 factor authentication and we patch, patch and repatch software. For example, if we design systems where data items are only available via specific business processes executed in the proper order then a typical user can never access a whole database at one time. How can someone steal thousands of customer records if the database only shows one record at a time and only when the 5 preceding steps have been completed? We will make the databases and the database designers work harder up front to prevent problems in the future. Why do our operating systems allow data to be executed? The common buffer overflow only works because our processors allow data to be executed. Again, we will ask people, computers and software to work harder early in process.
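The workflow-gated access idea in the comment above (one record at a time, released only after the preceding steps have been completed in order) is sketched below as an added example; it is not code from the post or from the commenter. The five step names, the record store, the session model and the audit log are all constructed for illustration.

```python
"""Added example (not from the post or the comment): a data-access gate that
releases a single customer record only after an ordered business process has
been completed for that record. Step names, records and the audit log are
constructed for illustration."""
from dataclasses import dataclass, field

# Constructed ordered process; the record is released only after the last step.
REQUIRED_STEPS = ["open_case", "verify_identity", "state_reason", "manager_ack", "log_intent"]

# Constructed sample data. There is deliberately no call that returns the
# whole collection; the only read path is fetch_record() on a finished case.
RECORDS = {f"C{n:04d}": {"name": f"Customer {n}", "ssn_last4": f"{n:04d}"} for n in range(1, 1001)}

# Every step and every release is recorded, so a bulk pull cannot hide:
# 1,000 records would leave 5,000 ordered step lines and 1,000 release lines.
AUDIT_LOG = []


class AccessDenied(Exception):
    pass


@dataclass
class CaseSession:
    """Tracks one user's progress through the process for exactly one record."""
    user: str
    record_id: str
    completed: list = field(default_factory=list)
    released: bool = False

    def complete_step(self, step):
        position = len(self.completed)
        expected = REQUIRED_STEPS[position] if position < len(REQUIRED_STEPS) else None
        if step != expected:
            raise AccessDenied(f"step {step!r} out of order for {self.record_id}; expected {expected!r}")
        self.completed.append(step)
        AUDIT_LOG.append((self.user, self.record_id, step))

    def fetch_record(self):
        if self.released:
            raise AccessDenied(f"{self.record_id} already released in this case")
        if self.completed != REQUIRED_STEPS:
            raise AccessDenied(
                f"process incomplete for {self.record_id}: "
                f"{len(self.completed)}/{len(REQUIRED_STEPS)} steps done")
        if self.record_id not in RECORDS:
            raise AccessDenied(f"unknown record {self.record_id}")
        self.released = True
        AUDIT_LOG.append((self.user, self.record_id, "release"))
        return dict(RECORDS[self.record_id])  # a copy of one record, never the table


def attempt(user, record_id, steps):
    """Run one case through the gate; returns ('ok', record) or ('denied', reason)."""
    session = CaseSession(user, record_id)
    try:
        for step in steps:
            session.complete_step(step)
        return "ok", session.fetch_record()
    except AccessDenied as exc:
        return "denied", str(exc)


def releases_by_user(user):
    """Defender's view of the audit trail: how many records a user has had released."""
    return sum(1 for u, _, action in AUDIT_LOG if u == user and action == "release")


if __name__ == "__main__":
    print(attempt("alice", "C0001", REQUIRED_STEPS))
    print(attempt("mallory", "C0002", ["open_case", "log_intent"]))   # out of order
    print(attempt("mallory", "C0003", REQUIRED_STEPS[:4]))             # incomplete
    print("alice releases:", releases_by_user("alice"))
```

The point of the design is that the only read path is per-record and per-case, so volume shows up in the audit log as a count of releases rather than as one query that touched everything; a threshold on releases_by_user is a natural detection hook.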
