Yesterday's War Part Three: Technology and Tactics
Jeremy Wittkop, EMBA, CISSP
Cybersecurity Executive | Published Author | Advisor | Building the Future
Lesson 1: Great Technology from Yesterday Is Ineffective in Tomorrow’s Conflicts
“Our Age of Anxiety is, in great part, the result of trying to do today’s job with yesterday’s tools and yesterday’s concepts.”
-Marshall McLuhan
An M1A2 SEP main battle tank is an amazing piece of equipment. Weighing in at 72 tons, with a governed road speed of about 42 mph and a 120 millimeter smoothbore cannon with a maximum effective range of over 2 miles, it is a marvel of modern engineering and an absolute nightmare for most armies around the world. However, it is ineffective against a single insurgent in flip flops who hides amongst the local population and places improvised explosive devices in the shadows. The bottom line is that the best military or security equipment, if designed to solve the wrong problem, can never be effective. A next generation firewall is the security equivalent of a main battle tank: a great countermeasure for yesterday’s threat, whereas tools designed to be cloud native are far more effective against the problems we actually need to solve. As we evolve into the future of security, the only things that will matter are cloud, data, and people. Anything outside those three concerns will remain relevant until it isn’t: a relatively useful sideshow, but not core to any forward-looking security program.
The first thing to understand is that this is warfare, which means that when mistakes are made, real people get hurt. People lose their jobs, investors lose enterprise value, and consumers are exposed to increased risk. I freeze my two-year-old son’s credit because I know people whose children can’t rent an apartment or buy a car when they go to college because someone stole their identity and destroyed their credit.
Note: The identities of children are far more valuable on the dark web than those of adults because they are less likely to have been used multiple times and it is less likely that anyone is looking at their credit reports. Think about that and decide if it’s worth it to take simple steps to protect your children’s financial future.
We can and should retrofit old technologies to make them more useful in a changing world. We should also seek out new technologies that are purpose built to fight the battles on the horizon rather than clinging to old technology. For example, before putting your firewall in Amazon Web Services, ask yourself why you need a firewall in this new environment, and evaluate the tools available natively from the cloud vendor or from cloud native products to see whether there is a better fit. This is not only true of firewalls. It is true of all the security technologies we are comfortable with and understand today. Just because they were the right fit eight years ago does not mean they should be a relevant part of your security posture moving forward. It also doesn’t mean that you should buy the latest and greatest technology that has buzz associated with it.
My best advice is to analyze the risks you face and the data you are trying to protect. Rank that data, and the risks against it, from top to bottom so that you have a stack-ranked view of your risk. Then focus your time on solving the top 20% of the risks with best-of-breed technology and programs. Solve for the bottom 80% by finding one or two strategic partners with a broad portfolio that can cover large portions of those risks at a cost-effective, bundled price point. Examples of partners with that kind of breadth are Microsoft, Symantec, McAfee, and Cisco.
Here is an example from my time in the military and as a government contractor. Most people do not realize that the United States has not built a new main battle tank from the ground up since the 1980s. Tanks that were built to fight the Soviets in a World War-style battle on an open field are not well matched to modern conflicts. As a result, the Army and Marine Corps have retrofitted land vehicles with a variety of modifications to make them more survivable and effective on the battlefield. Publicly disclosed examples are reactive armor, remotely controlled weapon systems, and GPS-enabled systems that allow friendly vehicles to locate each other.
However, even though my unit was made up entirely of tank platoons, our leadership realized that many of the missions were not well suited to tanks, regardless of how incredible these machines were. Often, a better strategy was to use an entirely different vehicle that was more suited to the task. This was not always popular. My fellow soldiers loved their tanks, took pride in them, and felt exposed without them. It required us to get out of our comfort zone, but it was necessary to ensure we were fighting the right war. I see the same thing today. CISOs who rose through the ranks as network engineers and moved into security when the focus was intrusion prevention, endpoint protection platforms, and firewalls are very comfortable with these technologies and are impressed by how far they have come. It just doesn’t matter. To be effective in the future, you must leave your comfort zone and challenge your thinking. It seems obvious, but technology doing what it was designed to do will always be more effective than technology designed for a different problem and retrofitted to solve a new one. Retrofitting can be an important stop gap, but it is only that: a stop gap. New solutions should be sought for new problems wherever feasible.
This does not mean older technologies will not play a role; some certainly will. However, that role will change, and in some cases technologies that were on the fringes will become critical while technologies that were the centerpiece of a security strategy will become niche. Fighting these trends only serves to make failure more likely.
Lesson 2: Static Fortifications and Forward Operating Bases are Ineffective in an Asymmetrical War
“There are two ways to fight the United States military: asymmetrically and stupid. Asymmetrically means you’re going to try to avoid our strengths.”
-H.R. McMaster
Modern adversaries on the battlefield and in cyberspace do not attack you where you are strong; they attack you where you are weak. It is also impractical to assume that everything you need to protect is, or will stay, inside a perimeter. In Iraq, we needed to protect average Iraqi civilians and our own soldiers to achieve our objectives. Iraqi civilians were never attacked inside a Forward Operating Base, and our soldiers rarely were. Instead, they would be ambushed where they were most vulnerable. Because so much defensive effort was concentrated at the edges of those bases, it was ineffective at protecting what mattered most.
Abu Musab al-Zarqawi, the leader of Al-Qaeda in Iraq and the founder of the group that became ISIS, was an abhorrent person by any measure, but as a tactician he was brilliant. His goal was not to defeat the United States military; it was to cause such mayhem and bloodshed against a different sect of Islam that it sparked a civil war. His intention was to cause so much mayhem that the international community would recoil in horror, isolating the Americans. What he and his followers did was so horrible that even Osama bin Laden disowned him because his tactics were too violent, even for the most famous terrorist in the history of the world, but it was very effective. When he succeeded in sparking retaliation from the militias of the Shia majority, he was able to convince the disaffected Sunni population that they could not depend on the Americans for protection and needed to join his cause as a matter of survival.
Looking at it from our adversary’s perspective: if the objective is not to capture and hold territory but to cause mayhem and hurt people, static fortifications are useless for protecting a population that is everywhere. We must make our defenses mobile and agile so they move with what we want to protect. This is very similar to data security in the age of digital transformation.
Your data is not inside your perimeter, and most of the time, unless you have deliberately prevented it from being downloaded to unmanaged devices, it is not only in systems you control. Either the data needs to be restricted to areas where it can be protected, or the protections need to travel with the data, almost like a bodyguard. The reality is that the days when we could control where data does and does not go are a relic of the past. Business adoption of digital technologies has accelerated to the point where most organizations have very little control over how their data is stored, used, and transmitted.
There is no silver bullet technology available today that applies protection travelling with data in a comprehensive and scalable way. But if organizations formulate their security programs with that as the end goal, they can get reasonably close with technologies that do exist, and if enough of them get close, they can push technology vendors to fill the remaining gaps.
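To make the bodyguard idea concrete, here is an added illustration (not the author's code, and not a product from any vendor mentioned in this series) of a self-describing data envelope: the classification label travels in the clear so that any system along the way can route or block on it, but the label is bound to the encrypted payload as AES-GCM authenticated data, and a consumer must both hold the key and be cleared for the label before the data is released. The four-level classification scheme, the shared symmetric key and the sample record are assumptions made for the example.

```go
package main

// Added illustration of protection that travels with the data. Not the
// author's code or any InteliSecure product; the classification levels,
// the shared key and the sample record are all invented for the example.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Envelope is the self-describing object that moves between systems. The
// label is readable by anyone, but it is bound to the ciphertext as GCM
// additional authenticated data: strip or downgrade it and the tag fails.
type Envelope struct {
	Label      string `json:"label"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"` // includes the 16-byte GCM tag
}

// clearanceRank is the assumed classification ordering, lowest to highest.
var clearanceRank = map[string]int{"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

// Allowed reports whether a consumer cleared to `clearance` may open data labelled `label`.
func Allowed(label, clearance string) bool {
	l, okL := clearanceRank[label]
	c, okC := clearanceRank[clearance]
	return okL && okC && l <= c
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with a fresh random nonce and binds label to it.
func Seal(key []byte, label string, plaintext []byte) (*Envelope, error) {
	if _, ok := clearanceRank[label]; !ok {
		return nil, errors.New("unknown classification label")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(label))
	return &Envelope{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Open checks policy first (is this consumer cleared for the label?) and then
// verifies that the label really belongs to this ciphertext before releasing data.
func Open(key []byte, env *Envelope, clearance string) ([]byte, error) {
	if !Allowed(env.Label, clearance) {
		return nil, errors.New("policy: consumer not cleared for " + env.Label)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Label))
	if err != nil {
		return nil, errors.New("envelope rejected: wrong key, or label/ciphertext tampered")
	}
	return pt, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	env, err := Seal(key, "confidential", []byte("constructed sample: customer record 42"))
	if err != nil {
		panic(err)
	}
	wire, _ := json.Marshal(env)
	fmt.Printf("on the wire: %s\n", wire)

	if _, err := Open(key, env, "internal"); err != nil {
		fmt.Println("internal consumer:", err)
	}
	env.Label = "public" // an attacker relabels the object to slip it past policy
	if _, err := Open(key, env, "public"); err != nil {
		fmt.Println("downgraded label:", err)
	}
	env.Label = "confidential"
	pt, err := Open(key, env, "restricted")
	fmt.Printf("cleared consumer: %q err=%v\n", pt, err)
}
```

The failure mode worth noticing is the relabelling attempt: marking a confidential object as public to get it past a policy check does not work, because the authentication tag was computed over the original label. What the example deliberately does not solve is getting the key to every legitimate consumer and revoking it later, which is precisely the scalability gap the paragraph above says vendors still have to fill.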
In Iraq, if the Forward Operating Base was too difficult to attack, the enemy would draw troops out and ambush them when they leave. We see similar tactics from cybersecurity attackers. If they can probe your defenses and access your back end database easily, they may. If not, they will use phishing techniques, user error, or compromised insiders to take the data out the front door where it is easier for them to access.
Protecting against this goes back to knowing yourself and knowing your data. You must know how much your data is worth so that you can understand the adversaries and tactics you must defend against. You must also weigh that against a Return on Investment (ROI). I know it is popular to say that you cannot calculate an ROI for an information security investment. That is not only untrue, it is dangerous. As my CEO, Steven Drew, is fond of saying, you should never spend a dollar to protect a nickel.
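The stack-ranking advice in Lesson 1 and the ROI test above can be written down as one small calculation. The following is an added example, not the author's or InteliSecure's method; the risk register, the loss figures and the control costs are constructed for illustration, and it uses the conventional annualized loss expectancy (ALE = single loss expectancy × annualized rate of occurrence) as the ranking metric.

```go
package main

// Added worked example for the risk-ranking and ROI advice in this article.
// Not the author's tool; the register, loss figures and control costs are
// constructed for illustration only.

import (
	"fmt"
	"math"
	"sort"
)

// Risk is one line of a risk register: a data asset, what one loss event
// would cost, and how often such an event is expected per year.
type Risk struct {
	Asset string
	SLE   float64 // single loss expectancy, dollars per event
	ARO   float64 // annualized rate of occurrence, events per year
}

// ALE is the annualized loss expectancy, the number the stack rank is built on.
func (r Risk) ALE() float64 { return r.SLE * r.ARO }

// Register is a constructed example; a real one comes from knowing your data.
var Register = []Risk{
	{"public brochure PDFs", 1_000, 2.0},
	{"marketing site defacement", 20_000, 1.0},
	{"customer PII database", 2_000_000, 0.2},
	{"shared dev laptops", 50_000, 0.4},
	{"HR payroll file share", 300_000, 0.1},
	{"source code repository", 500_000, 0.5},
}

// RankRisks returns a copy of the register sorted by ALE, highest first.
func RankRisks(rs []Risk) []Risk {
	out := append([]Risk(nil), rs...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].ALE() > out[j].ALE() })
	return out
}

// TopShare returns the shortest prefix of a ranked register that carries at
// least `share` of the total ALE: the risks that justify best-of-breed spend.
func TopShare(ranked []Risk, share float64) []Risk {
	var total, acc float64
	for _, r := range ranked {
		total += r.ALE()
	}
	for i, r := range ranked {
		acc += r.ALE()
		if acc >= share*total {
			return ranked[:i+1]
		}
	}
	return ranked
}

// ROSI is return on security investment: yearly loss avoided, net of the
// control's yearly cost, divided by that cost. Negative means the control
// costs more than it saves.
func ROSI(aleBefore, aleAfter, annualCost float64) float64 {
	if annualCost <= 0 {
		return math.Inf(1) // a free control that reduces loss is infinitely good
	}
	return (aleBefore - aleAfter - annualCost) / annualCost
}

// WorthBuying is the "never spend a dollar to protect a nickel" test.
func WorthBuying(aleBefore, aleAfter, annualCost float64) bool {
	return aleBefore-aleAfter > annualCost
}

func main() {
	ranked := RankRisks(Register)
	for _, r := range ranked {
		fmt.Printf("%-28s ALE $%10.0f\n", r.Asset, r.ALE())
	}
	top := TopShare(ranked, 0.8)
	fmt.Printf("%d of %d risks carry 80%% of expected loss\n", len(top), len(ranked))

	// Constructed control for the top risk: cuts its ARO from 0.2 to 0.05 for $150k/yr.
	pii := ranked[0]
	after := Risk{pii.Asset, pii.SLE, 0.05}.ALE()
	fmt.Printf("PII control: ROSI %.2f, worth buying: %v\n",
		ROSI(pii.ALE(), after, 150_000), WorthBuying(pii.ALE(), after, 150_000))
	// Constructed control that eliminates the brochure risk entirely for $25k/yr.
	fmt.Printf("brochure control: worth buying: %v\n", WorthBuying(2_000, 0, 25_000))
}
```

With these constructed numbers, two of six assets carry more than 80% of expected loss, so those two are where best-of-breed spend belongs; the remaining four are candidates for a bundled partner. The brochure control fails the dollar-for-a-nickel test because it costs more per year than the loss it prevents, which is the case the paragraph above warns about.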
Follow the Series!
This is the third of a six part series. Each new part from the series will be published Tuesday until all six parts are available. You can access part two here:
https://www.dhirubhai.net/pulse/yesterdays-war-part-2-real-world-context-jeremy-wittkop-cissp/
You can access part four here:
https://www.dhirubhai.net/pulse/yesterdays-war-part-four-different-adversaries-jeremy-wittkop-cissp
About the Author
Jeremy Wittkop is the Chief Technology Officer for InteliSecure, the world's leading Managed Services Provider focused on the protection of critical information assets. Jeremy was also InteliSecure's first Managed Services Director. Jeremy has also written a book about securing critical information assets called Building a Comprehensive IT Security Program available from Apress publishing on Amazon at https://www.amazon.com/Building-Comprehensive-Security-Program-Guidelines/dp/1484220528/