Know, prevent, detect, respond, recover. This aspirational model for security is as ubiquitous in our industry as the color-splashed wheel graphics used in depicting the concept.
Like similar mnemonic aphorisms from other disciplines – stop, drop, roll, or work quickly, change speeds, throw strikes – this all-too-familiar view of the top-level goal of cybersecurity remains basically unchallenged. It is a given.
The problem is that the model represents a terrible aspirational view of cybersecurity. Obviously, it is an accurate observational view of cybersecurity. We all seem to do these steps to some degree, and the security advice you get from consultants nowadays involves which direction to slosh your emphasis. (By the way, the current fad is to emphasize the latter steps, which just seems nuts to me. But, whatever.)
My view is that the thinking behind this model helped lead to attacks on Target, Home Depot, Sony, Yahoo, OPM, Equifax, Deloitte, and on and on. Think about it: Aspiring to any model where three-fourths of the steps presume that an attack has already occurred is like deciding in advance to punt on third down.
To that end, I would propose a much different aspirational model – one targeting a more successful outcome.
Here it is: explode, offload, reload.
These three terms, even with no explanation, are much more likely to produce some pause to your malicious adversary than that dumb wheel on your PowerPoint deck. When you do read the explanation of the steps below, I hope you will agree that they comprise a more viable cyber defense than the snooze-inducing alternative they replace. The challenge is that they require a change of perspective – and that may not be easy.
First, the process of exploding your perimeter-defined infrastructure into smaller distributed workloads will produce predictable views: Excitement for cybersecurity engineers, and horror for C-suite executives. (Sadly, most compliance initiatives today generate exactly the opposite range of emotions.) The reality, however, is that perimeters do not work, so you must get rid of them. Explode your network. Period.
Here is a harsh but accurate analogy: If a terrorist bomber targets a building with a truck full of explosives, then so long as a drive path exists to the facility, a bad outcome will occur. But if the security team has already “exploded” the building by dismantling it into its composite bricks (workloads), then the image comes to mind of a confused truck bomber parked outside an empty lot, wondering where the target went.
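The security argument behind “explode your network” is about blast radius: behind a single perimeter, every workload is reachable from every other once one foothold exists, while a per-workload allow-list only exposes the dependencies an application actually declares. The following Python model is an added illustration, not code from this column or from TAG Cyber; the six workload names and the dependency edges in EXPLODED are constructed for the example, and the functions measure how many workloads an intruder holding one foothold could reach under each policy.

```python
"""Blast-radius comparison: flat perimeter network vs. an 'exploded' per-workload policy.

Added example with a constructed topology; not the column author's code.
"""
from collections import deque

# Constructed set of workloads that used to live behind one perimeter.
WORKLOADS = ["web", "api", "db", "hr", "payroll", "build"]

# Constructed allow-list for the exploded architecture: each workload may only
# talk to the dependencies its application actually needs (src -> {dst, ...}).
EXPLODED = {
    "web": {"api"},
    "api": {"db"},
    "hr": {"payroll"},
    "db": set(),
    "payroll": set(),
    "build": set(),
}


def perimeter_model(workloads):
    """Classic perimeter: no east-west controls, so every workload can reach every other."""
    return {w: {o for o in workloads if o != w} for w in workloads}


def reachable(allowed, start):
    """Breadth-first search over permitted network paths from a compromised workload.

    Returns the set of workloads (including `start`) an intruder could reach
    using only flows the policy allows.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in allowed.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(allowed, foothold):
    """Number of additional workloads exposed if `foothold` is compromised."""
    return len(reachable(allowed, foothold)) - 1


def worst_case(allowed):
    """(workload, radius) for the foothold that exposes the most under this policy."""
    return max(((w, blast_radius(allowed, w)) for w in allowed), key=lambda pair: pair[1])


def compare(workloads, exploded, foothold):
    """Side-by-side blast radius of one foothold under the perimeter and exploded policies."""
    return {
        "perimeter": blast_radius(perimeter_model(workloads), foothold),
        "exploded": blast_radius(exploded, foothold),
    }


if __name__ == "__main__":
    for w in WORKLOADS:
        print(f"{w:8s} {compare(WORKLOADS, EXPLODED, w)}")
    print("worst case under exploded policy:", worst_case(EXPLODED))
```

Under the flat model every foothold exposes all five other workloads; under the exploded policy the worst foothold (web) exposes two, and an isolated workload such as build exposes none. The same reachability check is a useful audit on a real segmentation policy: run it over the exported allow-list and flag any workload whose radius exceeds what its declared dependencies justify.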
Second, the process of offloading smaller distributed workloads into virtualized cloud infrastructure produces similarly disparate emotions: Eagerness for security engineers, and hesitancy for the C-suite. Such executive hesitancy is more prominent when the offloading involves the use of public cloud, but this may be the only viable economic option for companies not rich enough to build their own software-defined data centers.
Offloading distributed workloads to virtual infrastructure reduces cost (hardware replaced with software) and maximizes flexibility. Adjustment of virtual computing and networking to support these offloaded workloads makes this step economically feasible in modern infrastructure. The instincts of traditional IT managers involve deploying hardware and then leaving it alone. This will not stop capable hackers.
Finally, the process of reloading cybersecurity involves the careful selection and deployment of modern protection technology into your newly virtualized, distributed architecture. By shifting workloads to an alternate environment, you create a new greenfield target for virtualized security technology solutions. Such once-in-a-lifetime opportunities are not to be missed, so this must be attended to properly.
Anyone reading this note knows that no shortage exists of commercial cybersecurity technologies. Adaptive authentication, machine learning detection, cloud visibility tools, on-demand SDN security, and on and on, represent amazing new software defenses that will reduce cyber risk. Reloading these new capabilities into your new distributed architecture will make things more challenging for your adversary.
Look, I acknowledge that many of the readers of my column have PowerPoint decks with that colorful wheel on the first chart they use with customers every day. I’m also aware that NIST bases much of its work on the know, prevent, detect, respond, recover model. (I’m even aware that Gartner has replaced know with predict, dropped recover, and charges $195 for the report that explains the change. Ugh.)
But my advice is offered here nevertheless. We are losing the cyber war to nation-state and criminal groups, so perpetuating existing approaches based on familiar models is crazy. Why not rethink whether your organization (or product) (or service) would benefit significantly by losing the colorful wheel, and replacing it with this new approach: Explode, offload, reload.
(Drop me a note here after you remove that wheel from your charts!)
About the Author:
Dr. Ed Amoroso is Chief Executive Officer of TAG Cyber LLC, a global cybersecurity advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.
Ed has been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past twenty-seven years, where he has introduced nearly two thousand graduate students to the topic of information security. He is also affiliated with the Tandon School of Engineering at NYU as a Research Professor, and the Applied Physics Laboratory at Johns Hopkins University as a senior advisor. He is author of six books on cybersecurity and dozens of major research and technical papers and articles in peer-reviewed and major publications.
Ed holds a B.S. degree in Physics from Dickinson College, MS/PhD degrees in Computer Science from the Stevens Institute of Technology, and is a graduate of the Columbia Business School. He holds ten patents in the area of cybersecurity and media technology and he has served as a Member of the Board of Directors for M&T Bank, as well as on the NSA Advisory Board (NSAAB). Ed’s work has been highlighted on CNN, the New York Times, and the Wall Street Journal. He has worked directly with four Presidential administrations on issues related to national security, critical infrastructure protection, and cyber policy.