Strategic security

Do you really want to keep solving the same security problems forever?


Some time ago I was having a conversation about solving problems with a friend and we hit upon a clever way to think about security and why we can struggle to get certain security problems solved. We are an industry that likes to deal with security in a very tactical manner but sometimes we need to be more strategic.

We like to focus on tactical security quite a lot. What I mean by “tactical security” is when we see a security problem, we solve it. Solving problems is usually fun and comes with a sense of accomplishment. And let’s face it, solving problems is generally why most of us are able to collect a paycheck. We’re really good at solving problems.

The question we should be asking is whether we should be working on a solution or focusing on the cause of the problem. How many times have you solved the same problem over and over again? None of us want to answer this because the answer is depressing. The reality is we spend most of our time doing tactical security. We run from one fire to the next all day, every day.

What we should be doing is becoming more strategic. Strategic security is an investment in the future instead of fixing problems from the past and the present. We tend not to see this as an investment, so we neglect strategic thinking on a regular basis.

Strategic security isn’t about solutions; it’s about defining problems. If we fix the same problem more than once, we’re not solving the real problem. We’re fixing a symptom of something bigger. If you can fix the bigger problem, the smaller problems go away.

We aren’t good at defining strategy in many cases. Thinking tactically is easier than thinking strategically. Solving problems is easy; eliminating problems is hard. Understanding problems is fairly difficult for many of us. How many times have you been in a meeting and someone asked, “what’s the problem we’re trying to solve?” We love to solve problems we don’t really understand.

I’m going to pick on stack buffer overflows for my example. They’re a type of security flaw that doesn’t really get much attention these days, but they used to be a pretty big deal. They are also a great example where strategic thinking made a far bigger impact than constant tactical problem solving.

In Phrack issue 49, Aleph One wrote “Smashing the Stack for Fun and Profit.” That paper was the example of how buffer overflow exploits worked for years (it’s still required reading). The issue described is a standard stack buffer overflow attack. That attack doesn’t work anymore unless you disable a bunch of security protections.

Eventually someone made the strategic decision to invest time and money into building new technology that turned a stack buffer overflow into a crash only. A denial of service on certain services is bad, but it’s a whole lot better than remote code execution. Before those fixes we chased every single buffer overflow flaw and fixed it quickly. We solved a lot of problems, but we weren’t solving the real problem.

This example explains what I mean when I talk about tactical vs strategic thinking. Tactical security is fixing every single buffer overflow problem one at a time. Strategic security is making stack-based buffer overflows go away.
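As an added illustration (not code from the original article), here is a small C simulation of the stack-canary idea behind compiler protections such as gcc’s -fstack-protector: the canary sits between the local buffer and the saved return address, so an overflow that could reach the return address is caught before the function returns and becomes a crash rather than code execution. The frame layout, the canary constant and the input sizes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame in the order a protected compiler lays it out:
   local buffer, then the canary, then the saved return address.
   Any copy that runs past buf into saved_ret must first cross the canary. */
struct frame {
    char      buf[16];
    uint64_t  canary;
    uintptr_t saved_ret;
};

enum result { FRAME_OK = 0, FRAME_SMASHED = 1 };

/* Constructed canary value; a real protector draws a fresh one at process start. */
static const uint64_t CANARY = 0x9e3779b97f4a7c15ULL;

/* The bug: 'len' bytes are copied into buf with no bounds check.
   The protection: the canary is verified before the function "returns". */
enum result run_frame(const unsigned char *input, size_t len)
{
    struct frame f;
    f.canary = CANARY;
    f.saved_ret = 0xdeadbeef;          /* stands in for the real return address */

    if (len > sizeof f) len = sizeof f; /* keep the simulation itself defined */
    memcpy(&f, input, len);             /* unchecked copy: may overrun buf */

    if (f.canary != CANARY)
        return FRAME_SMASHED;           /* -fstack-protector would abort here */
    return FRAME_OK;
}

/* Input that fits in the buffer: the canary survives and the frame is intact. */
enum result demo_in_bounds(void)
{
    unsigned char in[8];
    memset(in, 'A', sizeof in);
    return run_frame(in, sizeof in);
}

/* Input larger than the buffer: the canary is clobbered and the check fires
   before the overwritten return address could ever be used. */
enum result demo_overflow(void)
{
    unsigned char in[32];
    memset(in, 'A', sizeof in);
    return run_frame(in, sizeof in);
}

int main(void)
{
    printf("8-byte input:  %s\n", demo_in_bounds() == FRAME_OK ? "ok" : "smashed");
    printf("32-byte input: %s\n", demo_overflow() == FRAME_OK ? "ok" : "smashed");
    return 0;
}
```

Compiling a real program with and without -fstack-protector and feeding it oversized input shows the same difference: the protected build aborts, the unprotected one silently corrupts its frame.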

Strategic security isn’t easy. You can’t just decide to focus on solving strategic problems. These are big problems that need new ways of thinking in many instances. It can take years just to understand the problem in some cases. There are even problems we may never understand no matter how long we study them.

Strategic security involves looking at problems and their causes, not just constantly creating solutions. Sometimes it’s good to take a step back and try to understand the problem you’re actually trying to solve. Sometimes we do things because it’s just something we’ve been doing for a very long time. It made sense in the past; does it still make sense?

One of my favorite examples today is to ask, “why do you have a firewall?” The quick answer to that question is generally “are you serious.” But most networks today are full of untrusted and uncontrolled devices. Is having a firewall something you’re doing just because, or is it solving a real problem? Do you even understand the problem anymore? Is there a more strategic problem we should be working on?

I bet if you sat down and mapped all of the solutions you currently have deployed against the problem they solve, you’re going to find some gaps in knowledge and even some places you’re wasting resources.

You should spend some time thinking about your security strategically and see if it makes a difference. You don’t want to keep solving the same problems forever.

Copyright © 2018 IDG Communications, Inc.
