Security, like soccer (or football, for everyone outside the US), is a ‘weak link’ sport. You are only as good as your weakest player. For most malicious actors, cybersecurity is a game and the difference between winning and losing is the big payout: accessing your data. That is their goal. Your job is to play defense against these malicious actors in order to protect your data, your organization and your reputation.
What Does Security Have to do With Sports?
In soccer, the goal is to get the ball from one end of the field to the other, and then to eventually get the ball past the goalie. Think of each player on the defending side as a piece of your security infrastructure/standing:
The job of the Defending Midfielder is to keep the ball away from the members behind them. Think of them as your IT team. Their job is to test the standing of the pieces behind them. This is usually done through penetration testing and various other system checks to ensure a strong back field.
Think of the Wing-Back as the frontline defense of your perimeter security. These would be your border routers. Their function is to protect the back lines and control the flow of the ball between the defensive lines behind them, or to clear the ball. These are the last (or first) touchpoints into an untrusted network (the Internet). They act like the first and last filtering layer.
The Full-Back would be your firewalls, IDS, IPS and Virtual Private Networks (VPNs). The firewall’s job is to act like a choke point by utilizing a set of rules to either allow or deny traffic to pass through. In this case, the ball will be cleared (forced out), or it will get by and be controlled by the players behind the Full-Back on the field. The same goes for the IDS, IPS and VPNs. Each has a clearly defined role, but the bottom-line test of their effectiveness is whether the ball will get past them or whether it will be cleared.
Center-Back/Center-Half/Central Defender
After getting past your perimeter security, we next have the internal network components. These are your personal firewalls, operating system (OS) and system configuration. If the ball makes it this far, the game gets a lot scarier as it has now bypassed your other layers of security/defense.
This is where the humans behind the machines become the real decision makers as to how the ‘match’ will play out. In some cases, the users unknowingly allow malicious actors to bypass the perimeter by introducing the threat directly to the machine – for instance, by turning off security features to access a blacklisted site or program, or by inserting their own personal (read: potentially infected) thumb-drive or external drive directly into the USB port.
This is where user training/coaching comes into play. Employees must practice good security hygiene. The best and most expensive security system in the world is only as good as the worst-trained employee at your company.
Finally, you get to the most important position, the Goalkeeper. In soccer, the Goalkeeper is regarded as the most valuable player on the team, as they provide the last line of defense before the other team scores. They protect your most valuable asset: your company’s data. Accessing this is the end-goal of malicious actors – either to steal it, to destroy it, or to encrypt it and demand a ransom for its safe return.
The Goalkeeper is also the weakest link in the chain, as they have no backup. This is it, folks. The ball literally stops (or doesn’t stop) with them.
Most legacy antivirus (AV) products use signatures, either explicit or generic, to define what is a threat. In many cases (50+%) it may be a threat they have never before seen, aka a zero-day. Signatures are useless against zero-days. This is why you read about so many incidents and breaches occurring in the world today.
This is the position you need to examine and ‘hire for’ most rigorously. There is a reason that the goalkeeper is often the most highly paid member of a soccer team. Ask yourself these questions when determining how good your defense is:
- Is this the best possible product I can deploy?
- If there is a breach, do I feel like I can go to those I answer to and defend my decision in using this product?
- Is a reactionary product sufficient for my needs?
- Am I okay with bulky solutions that disrupt productivity?
- Would I know if a system is compromised? How soon after the compromise would I learn this?
- If a system is compromised, will I still trust the product I used to defend it?
If the answer is "no" to any of these questions, you may want to consider replacing the weakest player on your team and making sure all the players are working together. Too often, organizations add layer after layer of security tools that complicate IT and security management, only to find that the tools bog down users' systems.
The key is to focus on the basics and teach all the players on your team (yep, that includes every single one of your employees) how to play the best possible defense by just being appropriately paranoid about links, attachments, and unknown players digging for data.
The team needs to work together like a well-oiled machine, and much of that is best done through user-education and streamlining the security infrastructure of your organization.