Blind defence – why we’re losing the cyber security war
Category: Views
Whether you’re the chief information security officer (CISO) of a major corporation managing security technologies or leading a security team, you’re most likely very familiar with the objectives of your role: protecting the company’s assets and ensuring its productivity. You are the wall that stands between the organisation and the adversary, whether that means protecting against an external attacker attempting to compromise your organisation or an insider threat that would normally be ‘trusted’.
You know that you can’t let any security hole take the ship down, and it’s probably very apparent to you by now that security risks turning into working, successful threats is imminent. Although the statistics about breaches and the increasing number of incidents often feel like a repeated anthem crafted by marketing strategists wearing different product hats, the trend does signify a clear increase in both the number of incidents and the sophistication of threats. This state raises a key question: knowing that, even while alert and on the defence all the time, you will still see threats coming into play across different vectors, what has to change for you to become a ‘winner’ while playing only defence?
Like many other leaders in the security world, we find the experience of being on the defence all the time quite challenging to sustain. We like to think of building a cyber security strategy to defend an organisation as playing a game of chess, or at times a game of Battleships. It’s an unfair game: the opponent can see your side of the table, but unfortunately you can’t see theirs. As in chess, you have your tools, which are the technology you deploy, and the executing hand, which consists of your team and processes. It is up to you to read the play and hope you’re making the right moves. Your strategy can help you avoid losing and hold out for longer periods of time. However, avoiding losing is not a strategy that can be sustained, nor is it effective in the long term. By taking a step back and understanding the game, you can make more informed decisions, improving your control and allowing you to turn the tables.
We see that in a lot of organisations the security strategy succumbs to the daily routine and to dealing with ‘burning issues’, to the extent that sight is lost of the core theme and goal of information security. A parallel problem is known in the software world as ‘feature creep’: a situation where software has accumulated new features beyond its basic purpose, resulting in bloat and over-complication. Ultimately, in the better scenarios, the situation raises questions like “why are we doing this?”, coupled with a lack of fulfilment and a sense of ineffectiveness. When this happens it’s actually a good thing: the feeling comes from an instinct that tells us to go back to basics. It’s essential to step back to the core reason in order to understand why we do the things we do and whether we should keep doing them.
Modelling the problem (luckily, everyone has the same one)
The challenge today for any security operation involves guaranteeing the organisation’s productivity, its smooth operation and integrity by ensuring that data, assets and employees are best protected from security risks.
Security risks, like most things, can be broken down into a small number of principal components. The security risks you’re facing are in essence the moves of your invisible opponent in the game of chess: you don’t know what their next move is going to be. You can, however, break their move down into a number of principal actions which, combined, make the move visible and complete. This set of actions is known as the ‘kill chain’: break one link of the chain and the whole action stops. It doesn’t mean a different attack is not coming, but you have prevented your opponent’s move, and that brings you no closer to losing.
Threats and risks are cyclic and repetitive
Being in defence mode all the time is not sustainable. It can be compared to a martial arts fight where one side is only attacking and the other is only defending: the defending side is bound to get exhausted and break. The security technology you use probably breaks a vast number of attack kill chains a day. Do you know how many? Do you know which ones were conducted by a determined adversary who will try a follow-up attack? How can you turn the tables and gain an advantage under these conditions?
The concept of the kill chain is well known in the security world, and we’ve built our own kill chain model too. However, it’s not ‘yet another kill chain model’. The model we created adopts three additional and essential approaches that are usually missing from the other models we’ve seen so far:
- It is technology agnostic: some kill chain models are shaped around the product they’re aimed at promoting. Our model is technology agnostic, so it is not biased and stays as close to reality as possible.
- It is technology focused: each part of the kill chain is paired with a specific set of technology categories that are best suited to protect against it.
- It is cyclical and hence realistic: we understand that a successful attack will result in another cycle of attack launched from the compromised asset. This is why our kill chain is made up of technology layers that can detect, protect against and remediate both an initial attack and the follow-up attack once an asset is compromised.
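To make the three properties above concrete, here is a small added example (not part of the original article or its model) that runs the cyclical kill chain over a handful of constructed detection events: it reports the stage at which each chain was broken, which chains completed and compromised an asset, which control categories failed on the completed chains, and which later chains were launched from an asset already lost. The stage names, control mapping and event format are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Ordered stages of the chain. Each stage is paired with the control
# categories best placed to break it (an assumed, illustrative mapping).
STAGES = ["delivery", "exploitation", "c2", "lateral_movement", "exfiltration"]
CONTROLS = {
    "delivery": "email/web filtering",
    "exploitation": "patching, endpoint protection",
    "c2": "egress filtering, DNS monitoring",
    "lateral_movement": "segmentation, privileged access management",
    "exfiltration": "data loss prevention",
}

# Constructed detection events in time order:
# (chain_id, source_asset, target_asset, stage, outcome).
EVENTS = [
    ("c1", "internet", "ws-01", "delivery", "blocked"),
    ("c2", "internet", "ws-02", "delivery", "passed"),
    ("c2", "internet", "ws-02", "exploitation", "blocked"),
    ("c3", "internet", "ws-03", "delivery", "passed"),
    ("c3", "internet", "ws-03", "exploitation", "passed"),
    ("c3", "internet", "ws-03", "c2", "passed"),
    ("c3", "internet", "ws-03", "lateral_movement", "passed"),
    ("c3", "internet", "ws-03", "exfiltration", "passed"),    # ws-03 compromised
    ("c4", "ws-03", "srv-db", "lateral_movement", "blocked"),  # second cycle from ws-03
]

def analyse(events):
    """Group events into kill chains and report where each one ended."""
    chains = defaultdict(list)
    for chain_id, src, dst, stage, outcome in events:
        chains[chain_id].append((src, dst, stage, outcome))
    broken_at, gaps = Counter(), Counter()
    completed, follow_ups, compromised = [], [], set()
    for chain_id, steps in chains.items():  # insertion order == time order
        if steps[0][0] in compromised:       # launched from an asset we already lost
            follow_ups.append(chain_id)
        blocked = [stage for _, _, stage, outcome in steps if outcome == "blocked"]
        if blocked:
            broken_at[blocked[0]] += 1       # one broken link stops the whole action
        elif steps[-1][2] == STAGES[-1]:     # every stage passed: asset is compromised
            completed.append(chain_id)
            compromised.add(steps[-1][1])
            for _, _, stage, _ in steps:     # controls that should have fired but did not
                gaps[CONTROLS[stage]] += 1
    return {"broken_at": dict(broken_at), "completed": completed,
            "compromised": compromised, "follow_ups": follow_ups, "gaps": dict(gaps)}
```

Calling `analyse(EVENTS)` answers the questions posed above for this sample: three chains broken (one each at delivery, exploitation and lateral movement), one completed chain that compromised `ws-03`, and one follow-up cycle (`c4`) launched from that asset.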
Understanding the kill chain through a realistic model gives you the tools to control the game and to shift from being only on the defence to a new level of sophistication. Adopting this approach can turn the tables. It not only allows you to hold out for longer periods on the defence; its biggest impact is in shifting the cost of an attack onto the attacking side, while giving you incident visibility and the ability to remediate.