The New Reality in Security: Offense Always Wins and Defense Always Loses

In this era of Heartbleed, Shellshock, Backoff PoS, thefts of personal digital property belonging to celebrities, and countless[1] other “data breaches,” every headline is a reminder that the game called cyber security has significantly changed over the last 15 years.

We must wake up to the fact that we need to think in a fundamentally different way about protecting our information, systems, networks, and devices. We must recognize the reality that in the world of cyber security only one truth is absolute: offense always wins and defense always loses. Once we accept this fact, we can embrace a new approach to protecting what is important.

Cyber defenses focus on preserving the “confidentiality, integrity, and availability[2]” of systems and information, also known as “digital assets.” These digital assets exist because they enable business to survive in a world driven by efficiencies and profitability. The field on which the defense plays represents a complex integration of technologies purchased and deployed over the last 5, 10, 15, or even 20+ years.

In addition, many of the companies that exist today have grown through countless mergers and acquisitions, creating a fragile mesh of loosely integrated technology. IT personnel have their hands full just maintaining the day-to-day operations of this infrastructure, let alone securing it.

To “win” in cyber security, defense must be right 100% of the time, while offense only has to be right once. We must wake up to the reality that defense is an impossible task; no matter what actions we take, we will lose. We must embrace a new approach focused on reducing the pain of the inevitable loss by focusing on three key areas.

First, we must make life harder and more expensive for the offense wherever possible. Making it harder to win will ultimately decrease the number of “wins.” This requires viewing our digital assets from a systems perspective, as an adversary does, and removing the “low hanging fruit.”

We also have to accept that we can’t defend against all levels of threat, ranging from massive armies of automated bots to organizations that spend massive amounts of time and money on sophisticated attacks. As a result, we must determine the level of sophistication we are trying to counter and design security measures using an adversarial-based approach[3].

Secondly, we must find out earlier when we have lost by implementing systems that quickly, efficiently, and cost-effectively alert our security personnel. We need to focus first on knowing that we lost before we can discover how and what we lost. Simply knowing that a loss has occurred enables the initiation of critical incident response and communications processes[4] and ultimately limits the impact.

In other words, we need an effective “smoke detector” for cyber security. This is a critical area of investment for most companies today and an area where the market is lacking efficient and effective technology.

Finally, organizations must focus on reducing the impact when the loss happens. This begins with identifying and declaring an organization’s top “digital assets.” Once everyone understands what must be protected at all costs, a calculated, risk-based approach can be implemented to protect those assets. Risk can be managed through a combination of policy, training, and technical controls such as behavioral monitoring, access control, encryption, and network segmentation.

While some users may complain about the increased time and energy it may take to access the most critical assets, if it is worth protecting, should it not be harder to access? Equally important is the creation and testing of incident response and crisis communications capabilities before the loss of data occurs. This means developing and refining the talking points, strategies, and relationships that will be critically important to your brand and reputation in the first minutes and hours after an incident occurs.

Only by embracing the fact that each and every one of us will lose at the game of cyber security can we develop the right approach to surviving. The game is never-ending, and the day will arrive when your organization appears above the fold of a major news publication… are you ready?

Now, “play ball!”

References:

[1] According to “The Second Annual Study on Data Breach Preparedness,” released in September 2014 by the Ponemon Institute, 43% of the survey respondents had experienced a data breach in the last year. http://www.experian.com/assets/data-breach/brochures/2014-ponemon-2nd-annual-preparedness.pdf

[2] Sourced from Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA). FISMA defines three security objectives for information and information systems, as discussed in NIST FIPS PUB 199. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

[3] For more information on adversarial modeling, see the Sandia National Laboratories report “Categorizing Threat: Building and Using a Generic Threat Matrix.” http://idart.sandia.gov/methodology/materials/Adversary_Modeling/SAND2007-5791.pdf

[4] According to Mandiant’s M-Trends 2013: Attack the Security Gap™ report, “The typical advanced attack goes unnoticed for nearly eight months.” www.mandiant.com/mtrends2013

The opinions expressed in this and other contributors’ articles are solely those of the author and do not necessarily reflect those of Norse Corporation.