A few weeks ago I kicked off a series on automating cybersecurity. As I previously stated, this series will be covering fundamental automation issues surrounding benchmarks and frameworks, platform identification, workflows, assets and their characteristics, configuration items, scoping, mapping benchmarks to frameworks, and metrics and reporting. I’m not going to make the articles quite so tidy, however. We’ll be covering those issues, but from a slightly different approach.
To set the stage, I’d like to start with identifying why automating cybersecurity is important. When I look at the cybersecurity throughout history, I see the following truths:
- Threat agents are motivated more today than they have been before
- Systems’ complexity continues to increase year over year
- Situational security changes rapidly – often on the order of days
- Qualified security practitioners are a scarce resource
Addressing the first truth, we can take a trip back in time. Remember War Games with Matthew Broderick? Remember that “innocent” era when hackers were viewed as high school teenagers with a motivation only of having fun, exploring, and learning. How about the movie Sneakers? Arguably a classic – certainly one of my favorites. The movie Hackers was a bit less romantic, but was nevertheless entertaining. These are not the only threats to deal with today. Instead, we have seen a change – a metamorphosis – of threat agents. Actually, it might be more accurate to call this an addition or a multiplication. Script kiddies were enabled by groups like the Cult of the Dead Cow who issued Back Orifice and other easily used tools. Metasploit is another tool – critical for security research, usable for security exploit. A somewhat lesser-known, but seemingly effective tool is Ronin. Nation States have taken a larger profile because it’s not just nation against nation any longer – it’s nation against critical infrastructure and corporate treasure.
Politics play a heavier role today than they ever have. Anonymous is only the most recent political evidence of hactivism. There have been cybersecurity situations in the past where politics played a role – for some reason, Indonesia comes to mind. Estonia is another, though that might better be labeled as “cyberwar” (a precarious term to say the least).
The second truth is that systems are increasingly complex. Computers were considered complex in the 60s when they were little more than vacuum tubes, wires and lights. Punch cards came later. Tape after that. Volatile memory. Magnetic disk. Thumb drives. Single-core became multi-core. 2400 baud connections became 20 megabit connections. A “system” went from a single computer to an enclave consisting of multiple hosts and network devices possibly of heterogenous nature. Systems may even include mechanical structures and critical infrastructure. With increased complexity comes an increased opportunity for flaws. With an increased opportunity for flaws comes the increased probability of vulnerability exposure followed by vulnerability exploit. This might be a tenuous claim, but at the same time it doesn’t seem outlandish.
In any case, it’s easy to see that system complexity is ever-increasing, and with each increase in complexity we’re pushed from solving security problems for the last set of technology as we are faced with new sets of challenges (consider cloud computing security as a good example of how complexity is on the rise, even when we still haven’t fully addressed the security issues for technology and processes upon which cloud computing is founded). As practitioners of security, we can’t get the previous technology down pat without being forced to assess and mitigate the next technology advance.
Motivated threat agents combined with systems complexity does not bode well for your secuirty awareness either, our third cybersecurity truth. One minute you’re secure, the next minute you’re not. Spear-phishing. 0-day vulnerabilities. Insider threats. Advanced Persistent Threats. New technologies leading to new attack vectors. Attack vectors taking advantage of legitimate work process. Countering your adversary is a lot like a government levying taxes – when you try to collect them, you’re evaded. Attackers do the same thing – cut them off at the pass, and they’ll find another way around you eventually – today’s defense is tomorrow’s Maginot Line. Things change – constantly.
The first three truths really beget the fourth. We find ourselves in the truly unfortunate circumstance of being simply outnumbered. Over the past several years that has been a cry from a variety of sources. By the way, when I say security practitioner, I mean the real thing from the lowest-level security pro to the highest level security manager. This includes the Network Operations Center and Security Operation Center people on the front lines, the malware analysts in research labs, the compliance officers, the auditors, the CSO, the CISO and so on. Not every level appreciates the other, but they’re all equally important in our cyberecosystem, and they’re all equally sparse (well, maybe not regulators).
We need to start looking at security as a game, which may lead to the notion of game theory (Claude Shannon comes to mind here). Either way, Chess seems to be a good game to use as a compare/contrast exercise. The truth is that Chess and security are a lot alike, but they are also very different in one important way. To be good at security, you need to know what you’re doing. To be good at chess, you need to know what you’re doing. Under both circumstances, if you don’t know what you’re doing, you’re going to be had for sure. Both security and playing chess require a degree of situational awareness. If you don’t have that, you’re going to lose because you won’t see what’s coming. If you’re too busy figuring out this move, you won’t be looking several moves ahead. And looking several moves ahead is really where advanced reasoning comes in. If you can’t reason your opponent’s reaction to your moves, and yours to hers, then you’re out because it’s likely that they’ll figure you out before you figure them out. I’m sure there are other similarities, but I’m up against a deadline here. So, in what way do the two differ? In chess, the rules never change; in security, your adversary plays by a different set of rules.
To gain an even better appreciation of our state of security, we might imagine the chess scene from Charlie Wilson’s War. There’s a young guy with a short-sleeved dress shirt and tie in a park playing six chess matches simultaneously. Of course, this scenario is likely embellished a bit for the sake of the movie – they wanted to impart that this guy was smart – but the truth is that this is what security guys have to do every day. They are “one against many,” the David vs. the Goliath, their adversary hugely outnumbers them. In the movie, the smart guy wins. Now imagine that each of his opponents changed the rules without telling him. That’s what we’re up against in the security and compliance industry, and that’s why automation is a dire need for us.
We need automation to help free security practitioners from remedial, mundane tasks so that they can focus on advanced defense and analysis. Threat agents are motiviated and clever, essentially aided by the pain that is securing complex systems, and we don’t have enough boots on the ground to deal with the dynamism that is cybersecurity today. We must seek to automate where it makes sense if we have any hope of leveling the playing field. I’d be willing to bet that our adversaries have taken advantage of automation, so why should we play by the old rules?
Next Month I’ll cover who and what cybersecurity automation seeks to serve.