In Part 1 of this article series, we considered the specific elements that make up the game of chess and how they parallel the core elements of effective security programs.
In Part 2, we’ll look at some fundamental chess concepts, such as time, space, material and structure, and how these ideas parallel concepts in security. We’ll also cover the concept of game play, as mental models have clear parallels in security.
Once you have a basic appreciation for chess, the next thing to do is to start playing, which invariably means losing. The great chess master Jose Capablanca famously said:
“You may learn much more from a game you lose than from a game you win. You will have to lose hundreds of games before becoming a good player.”
In chess, the expectation is that a beginner will play hundreds of games without ever winning. These games are practice for the real thing – the tournament. It is through losing that the player learns, and as they learn, they get better.
Security should have a similar concept. Security teams should be constantly practicing for a cyber attack, and yet they don’t. Red teaming is an incredibly useful activity that allows you to constantly improve your security controls and processes by learning from your failures.
Don’t limit red teaming to an annual test for audit purposes; you’ll get a lot more value from this exercise if you implement it as a continual test capability. This approach is the only way that you can be ready to defend against a real cyber attack.
In chess, there are a number of fundamental principles – force, time, space and structure – that can be leveraged to create an advantage. However, one player is rarely superior at all of them.
Whether it is sacrificing a piece in order to gain time and weaken an opponent’s structure or giving up central space in the hope that it will prove to be a liability for your opponent, a good chess player has to be able to make choices that fit what is happening on the board.
This is also true in security. Security leaders have to make hard decisions between competing needs, usually due to resource and budget constraints. At any given point in time, it is critical that you understand the strengths and weaknesses that exist within your security program. This knowledge will allow you to make informed decisions about trade-offs and allow you to maintain the strongest posture possible.
Force is the material strength that you have compared to your opponent. In security, if you decide to skimp on your controls relative to the type of threats your organization faces, you will have handed the advantage to your opponent from the start.
As a reminder, strength isn’t a function of how many controls you have or how much money you spend. Strength is based on how your security model is designed and operated. Skimping doesn’t just mean not spending enough money – it’s also about not spending enough time and effort to ensure that your controls work together effectively in terms of people, processes and technology.
The idea of advantage through owning the tempo of the game is a very subtle and important one. In security, you can think of it as a race between the attacker trying to complete their objective while you are trying to prevent or catch them. If your processes are ad hoc and you are having to learn as you scramble along, it is unlikely that you will catch up with a sophisticated attacker.
However, if you train and practice for emergencies and you have your processes well-defined, well-drilled and well-tested, you will have a chance. Knowing what to do when you see a particular type of suspicious activity and knowing what to do to prevent key assets from falling into the hands of your adversary takes practice, but never practicing will only ensure that you fail.
In chess, space is the ability for your opponent to gain a foothold or influence within your environment. Just as your chess pieces need to be able to work together to execute a specific plan, so too do your controls. True defense-in-depth is where you have systems of controls that complement each other in terms of the control objective they are there to achieve.
For example, it’s well understood that solely relying on signature-based anti-virus is not sufficient to prevent malware from infiltrating your systems. Numerous layers of different security technologies and processes must be in place and working together to prevent, detect, and respond to modern malware. When you do this effectively, you make it much more difficult for your opponents to succeed.
Most beginners in chess pay little regard to pawns, yet chess masters study them until they understand all the ways in which they can be used. In chess, pawns are the most limited of pieces, but they provide the foundation for everything else. It is the pawns that can prevent your opponent from gaining a foothold and create the right structure so that your major and minor pieces can achieve their full potential. The lowly pawn can even charge down the board and become a queen.
In security, the equivalent of pawns are the foundational controls. These are all the basic things that should be done correctly without a second thought. These foundational controls include comprehensive asset inventory, vulnerability management, secure system configuration, access control, secure sdlc, monitoring, incident response, as well as other basics. Together, they give you a solid security foundation that will make it difficult for your opponent to gain a foothold.
Even if you acquire the latest and greatest security technology, if you don’t have these basic pieces in place, there will be holes that allow attackers to bypass even the most sophisticated controls, thereby rendering those solutions useless.
A standard adage in chess is that “the person who wins is the one who makes the next to last mistake.” This is definitely true in security. Even as an incident unfolds, you may make mistakes, but you must keep going and wait for your opponent to make their mistake.
This is the reality of incident response. You need to instill this way of thinking into your security team so that they do not face these situations with a defeatist attitude that is all-too-easy to develop. It’s easy to be overwhelmed by the widely held view that defense against cyber criminals is futile. Yes, you may lose, but if you are not willing to go down fighting, then you should not be playing at all.
As Savielly Tartakower once said:
“No one ever won a game by resigning.”
Defense in Chess
In chess, there are standard points of attack called focal points. These change depending upon the position of the king – castled king side, castled queen side, un-castled and having lost the right to castle. By understanding the principles of attack, you can understand the principles of defense.
This idea is also central to security. There are standard approaches bad actors use to conduct an attack. Understanding how security incidents and breaches commonly occur can help you see the relevance of various controls and how to implement them effectively. Without this understanding, you will be forced to blindly follow frameworks and policies without fully grasping their significance. Such misinformed action will either cause you to make mistakes or render you unresponsive when your attacker changes their approach.
Mikhail Chigorin once said:
“Even a poor plan is better than no plan at all.”
Planning is a very important skill to have in chess, and there are volumes on how one should go about it.
Planning is important for two very good reasons. Firstly, if you have a plan and you are not distracted from it, you have a chance of succeeding. Secondly, without a plan, you are likely to be reactive and not be able to see what is most important.
In security, a plan will let you concentrate on what is important and not get distracted by all of the everyday noise that we encounter in this role. It is important to understand what is important and have your plan in place. This will provide you with something to exercise but also a way to deal with an attack should it occur.
One thing is very clear: if an attack occurs and you don’t have a plan, things will go very badly indeed.
No one likes to play games and lose, but at the highest level, chess is a brutal and unforgiving means of earning a living. The same can be said of security. Reassessing your strategies and tactics through different lenses, such as that of a chess match, can help provide a new perspective.
Security is a fun and rewarding career, but it is not easy. It is rare that you are the key function of your organization’s mission. There will always be struggles for budget and resources. There is a huge array of different demands on your time, and at the end of the day, you may have one attack. But with one breach, it could be all over.
In that vein, I will leave you with a final chess quote from Garry Kasparov, who is possibly the greatest chess player to date:
“Setbacks and losses are both inevitable and essential if you’re going to improve and become a good, even great, competitor. The art is in avoiding catastrophic losses in key battles.”
Title image courtesy of ShutterStock