A couple of weeks ago, I was in a meeting where Mark Weatherford (Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate – quite a mouthful of a title) was talking about one of the challenging aspects of his role: the difference in focus or time horizons between his team and those people “up the command chain” on the legislative side. He pointed out that,
“…the Government approaches issues in terms of years and terms of office, while attackers and threats change constantly and without warning.”
That got me thinking about our “normal” non-governmental information security responsibilities and how we approach them. Where do you focus your attention when it comes to securing your organization?
- Do you look back and build defenses to prevent repeated incursions like the ones you’ve had in the past?
- Do you focus on the attacks in progress, and find better ways to detect and deter them?
- Do you think about what might be and devise ways to stay one step ahead of the bad guys?
In reality, we don’t have the luxury of picking one of these approaches. If we only choose one, we are doomed. Sure, we might be OK for a while, but if we don’t look at all of these things in due course, we will suffer the consequences.
The good news is that we know a lot that can help us in each area of focus.
Prepare, Prevent, and Deter:
- This is the world of system hardening (aka Security Configuration Management in the jargon of the pundits & analysts), where we configure our systems in ways that make it harder for people to get into our precious systems. Ideally, they decide it isn’t economical to attack us and they move on.
- This is also the realm of training, where we train people how to create secure infrastructure, how to keep it configured securely, how to test before deploying, and things like that. It is also the realm in which we “harden the human” by training them to notice suspicious activities, attack precursors, and social engineering shenanigans.
- This area has the highest leverage of all, since it happens prior to any attack or loss and helps reduce the potential impact of subsequent attacks.
Detect and Neutralize:
- Detection is generally about noticing anomalies pretty close to the time they occur, and driving meaningful action as a result of what you’ve deduced from the evidence. In order to keep you sane and keep the stream of data manageable, this area requires policy-based analysis, heuristic “intelligence,” and a lot of skills in multi-factor analysis of security data.
- The challenge with this “zone” of security is that it requires lots of sensors / telemetry, solid policies, lots of smarts, and constant vigilance.
- This area is the hardest to “win” at because you can’t know everything, and it’s not realistic to catch all the bad guys in the act. You can’t ignore this area, but you can’t rely on this as your sole focus (I call that the “silver bullet” strategy, or the “fool’s paradise”).
Anticipate and Adapt:
- This is the fun part of security. This is where we deal with “blue sky” scenarios that stretch our imaginations and skills, and force us to innovate. We can do “proof of concept” attacks on our own infrastructure (careful with Production!) to help us think of ways to better defend our Precious.
- The challenge with this domain is that it can be a big distraction because it is so fun. I’ve seen cases where the theoretical steals resources from the practical, here & now aspects of security – and that is bad, because the attackers will try everything, especially the old, boring basic security hole stuff.
What’s your organization focused on? One of the three realms above? Two of them? Or are you lucky enough to be in an organization that is doing a good job across all three?
Connect to the Mission:
In the corporate world, we talk a lot about corporate goals & objectives. In the US Government, you hear a lot about “The Mission,” which is the unifying goal that ties an agency (or multiple agencies) together in a shared sense of purpose. I’m a big believer in connecting our actions as information security professionals to The Mission.
Why is connecting to The Mission so important? Regardless of your focus, you’ll find it more difficult if you don’t have air cover from the rest of the organization. So a good question to consider is this: Is your horizon of focus aligned with that of the people “up the command chain” in your organization? How do you get to an aligned perspective, how do you keep it there, and how do you provide a good feedback mechanism so you don’t drift when something changes in your world or theirs?
If you’ve got all of this nailed, I’d love to hear from you and see how you’ve gotten there – it’s a powerful and special place to be, and I’d love to learn from you.