by Dan Geer

Dan Geer: It’s lonely in the middle — but it doesn’t have to be

Jan 21, 2013, 8 min read
Data and Information Security, IT Leadership, Network Security

A note from security luminary Dan Geer to those middling firms that are not yet resource-rich enough for how information-rich they already are.

For the middle class of companies, information protection is especially hard.

On the one hand, you now hold information that is both a present operational necessity and the raw material of your future. The new or tiny firm may likewise have intellectual property that its future is made of, but when a company is small the protection problem is more straightforward because one person still knows what it all is and where it all is.


The Fortune 100 industry leader may have trade secrets that are likewise what their future is made of, but by virtue of their size they can buy protections sufficient to keep the protection problem and the apparatus to solve it inside the company.

For the middle-sized firm, keeping the protection problem inside the company is closer to intractable than it is for either the small firm or the large because the mid-range problem gets too big for one person to handle much before the mid-range firm can afford a full, in-house protection regime.

This note is written for those middling firms that are not yet resource-rich enough for how information-rich they already are.

This is a risk management problem. Because you want your information to be used (else why have it?), your information will be in motion. While there are security solutions for information-at-rest, information-at-rest that is not used is irrelevant to this discussion. (Take it offline if it is simply archival.) You need a solution for information-in-motion. It is worth remembering that you will still have your digital information even if someone else steals it — unlike when your car is stolen. The Verizon Data Breach Investigations Report (DBIR) regularly reports that the majority of information theft is silent: the DBIR’s number is that 80 percent of all information theft is discovered by an unrelated third party. The Index of Cyber Security (ICS) asked CISOs “Have you and/or your colleagues discovered an attack at another entity?” for which 55 percent said “Yes and confirmed” and another 10 percent said “Yes but unconfirmed.” Information that is stolen is information-in-motion, just not a desirable motion.

The great strength of capitalism is the division of labor. We all do it every day. It can be a convenience, or a cost saver, or a matter of safety. As circumstances change, you may bring something in house that had been done for you by others, just as you may have others handle something for you that you may have been doing for yourself before. We think that information protection may well be something that, when you are small, you do for yourself out of necessity. When you are really big, you may do it for yourself out of some combination of discipline and cost. In between, the risk management question is “Is our skill up to the job?” Better to say “No” and find a solution than to hope that the bad guys just don’t notice you.

Information protection has parts that everyone should do. It also has parts that are very, very context dependent. Knowing the difference and acting accordingly is not something we advise that you learn by trial-and-error. The body of knowledge required for information protection grows daily due to a combination of sentient enemies, mounting complexity, and business demands for ever faster delivery. At least at first, you need a mentor who can teach you what you need to know while standing in for you until you are truly ready to solo.

Information protection means a program, not a tool, not a silver bullet, not a small number of enlightened facts. It means learning what it is that you don’t know that you don’t know (without the expensive embarrassment of the serious errors our opponents will surely deliver). An information protection program is, at its best, something that a mentor jump starts for you and, over time, brings you to the point where whether you take it over entirely for yourself, or keep it as a partnership with your mentor, is a choice that you make for reasons that no longer include whether you know what you are doing. Everyone understands that, say, driving tractor trailers or doing surgery is not something you would teach yourself.

Information protection isn’t either. The base reason most information theft is silent is that most middling firms don’t know what information they have, do not have any indicators of how movement actually happens (source, target, frequency, volume, etc.), and have relationships with counterparties that complicate the situation. None of that is something to be ashamed of; it is merely a fact and all but inevitable in the growth curve of the firm. As such, the first step is setting up a program to learn what the firm’s current situation is and, only then, make decisions on what might be done differently, if at all. And keep score.

This first-things-first approach demands a mentor with the tools to take a high definition photograph of your information in motion — the source, target, frequency, volume, etc., mentioned above. If experience is a guide, then you will have some surprises. Again, this is nothing to be ashamed of, but better you get those surprises quickly and from a trusted mentor rather than reading about your data breach in a newspaper. Note that the kind of mentor we suggest is not a penetration tester, not an auditor, not a per-diem consultant, and not a reformed criminal peddling a product.

Rather, we are suggesting a mentor who can instrument your firm without any outward sign that this has been done, so that the measurements you then take are unbiased and au naturel. We think this means instrumentation that is silent in its installation, silent in its operation, and which is therefore delivered as so-called “Software as a Service” (SaaS). Think of a SaaS information protection program in its initial data gathering phase as a one-way mirror. You are not “on the floor” but you can see what is going on in a way you have never before been able to see, and discuss what you are seeing with your mentor while looking at real data, not hypothetical scenarios, all in a way that does not (yet) perturb current reality. This is what a scientist would describe as “not poisoning the experiment” — getting untainted data on your information protection situation as it is. A mentor who can instrument your firm and give you a complete (and new) view of your information protection situation is good, but not good enough.

Your mentor’s instrumentation harness is better if it also allows you to test control strategies before you implement them (“What if I block CD burns across the board?”) and to do so with data that is not some industry norm or the output of some model, but is instead a real-time simulation of what would happen were a proposed policy to be enforced using your data as they are observed.
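The two paragraphs above describe a baseline (the photograph of information in motion by source, target, frequency and volume) and a dry run of a candidate control against that baseline. The following is an added example, not code from the essay or from any product it alludes to, showing the smallest version of both: a constructed week of movement events stands in for what an instrumentation harness would record, and the three policies (block all CD burns, block large uploads to personal cloud, block after-hours USB) are hypothetical controls evaluated in observe-only mode. Hostnames, users, departments and byte counts are all made up.

```python
"""Baseline plus what-if policy simulation over observed data-movement events.

Added example (not part of the original essay). EVENTS is a constructed sample
of the kind of record a silent instrumentation harness might collect: who moved
what, from where, to where, over which channel, and how much. A policy is just a
predicate over an event; simulate() applies it to recorded data without
enforcing anything, so the blast radius of a control is measured on the firm's
own traffic before anyone flips the switch.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    ts: str          # "YYYY-MM-DDTHH:MM"
    user: str
    dept: str
    source: str      # originating host or share (hypothetical names)
    target: str      # destination: host, device, or service
    channel: str     # cd_burn | usb | https_upload | email | smb
    bytes: int


# Constructed sample week; every value here is invented for illustration.
EVENTS: List[Event] = [
    Event("2013-01-14T09:12", "alice", "finance", "fin-ws01", "cd-writer-1", "cd_burn", 650_000_000),
    Event("2013-01-14T09:40", "alice", "finance", "fin-ws01", "cd-writer-1", "cd_burn", 700_000_000),
    Event("2013-01-15T10:05", "bob", "engineering", "eng-ws07", "github.com", "https_upload", 12_000_000),
    Event("2013-01-15T11:30", "bob", "engineering", "eng-ws07", "dropbox.com", "https_upload", 480_000_000),
    Event("2013-01-16T14:20", "carol", "sales", "crm-app", "gmail.com", "email", 9_000_000),
    Event("2013-01-16T18:55", "dave", "engineering", "eng-ws03", "usb-serial-XYZ", "usb", 2_100_000_000),
    Event("2013-01-17T08:00", "erin", "hr", "hr-share", "hr-ws02", "smb", 40_000_000),
    Event("2013-01-18T23:10", "dave", "engineering", "eng-ws03", "usb-serial-XYZ", "usb", 1_900_000_000),
]


def baseline(events: List[Event]) -> Dict[tuple, dict]:
    """The 'photograph': per (channel, target) event count, bytes and distinct users."""
    agg = defaultdict(lambda: {"events": 0, "bytes": 0, "users": set()})
    for e in events:
        key = (e.channel, e.target)
        agg[key]["events"] += 1
        agg[key]["bytes"] += e.bytes
        agg[key]["users"].add(e.user)
    return dict(agg)


Policy = Callable[[Event], bool]   # True means "this policy would block the event"


def simulate(events: List[Event], policy: Policy) -> dict:
    """Dry-run a policy against recorded events: what would have been blocked, and on whom."""
    blocked = [e for e in events if policy(e)]
    by_dept: Dict[str, int] = defaultdict(int)
    for e in blocked:
        by_dept[e.dept] += 1
    return {
        "blocked_events": len(blocked),
        "blocked_bytes": sum(e.bytes for e in blocked),
        "affected_users": sorted({e.user for e in blocked}),
        "by_dept": dict(by_dept),
        "share_of_events": len(blocked) / len(events) if events else 0.0,
    }


# Hypothetical candidate controls; the thresholds are illustrative, not recommendations.
def block_all_cd_burns(e: Event) -> bool:
    return e.channel == "cd_burn"


def block_large_personal_cloud(e: Event, limit: int = 100_000_000) -> bool:
    return e.channel == "https_upload" and e.target in {"dropbox.com"} and e.bytes > limit


def block_after_hours_usb(e: Event) -> bool:
    hhmm = e.ts[11:]                      # clock part of the timestamp
    return e.channel == "usb" and not ("08:00" <= hhmm < "18:00")


if __name__ == "__main__":
    for (channel, target), s in sorted(baseline(EVENTS).items()):
        print(f"{channel:13} {target:16} events={s['events']} bytes={s['bytes']:>13,} users={sorted(s['users'])}")
    for name, pol in [("block all CD burns", block_all_cd_burns),
                      ("block >100MB to personal cloud", block_large_personal_cloud),
                      ("block after-hours USB", block_after_hours_usb)]:
        print(name, simulate(EVENTS, pol))
```

Run against this sample, the blanket CD-burn block lands entirely on one finance user, which is exactly the sort of surprise the essay warns about: the next question is whether that is an audit-delivery process nobody in security knew about, and only the observed data, not a model or an industry norm, can raise it before the control is enforced.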

An experienced mentor does not, of course, start from scratch, and is not merely one or two steps ahead of you in the mentor’s own trial-and-error process; starting from scratch is inconsistent with being a mentor at all. The good mentor will say “Your firm is the kind that needs to protect data that your counterparties have entrusted to you, so let’s start with an instrumentation configuration that is relevant to firms of that sort,” or something equivalently tailored to the sort of firm you are. This is the jump start you need to avoid wasting time or money and to get to real risk management with all deliberate speed.

There is an old joke about a drunk looking for his keys under a streetlight because the light is better there. As a pitfall, this one is commonplace. Consultants and penetration testers will tell you that the most important thing for you to do is to fix the problems that they are best at finding. This may work, if you are lucky enough to have lost your keys under a streetlight. It is not, however, the path of wisdom. The path of wisdom says that you don’t start with where you want to be; you start with where you are. The mentor you need will show you where you are so that you know where you are starting from. This is not a nuance; it is the core of why instrumentation of your firm with a SaaS analytic engine plus a mentor is the point of this essay. Once you know where you are, then the careful imposition of controls by way of the instrumentation and analytic baseline you by that point already have becomes your information protection program, a program devoid of wishful thinking.

In summary, if you want to fly, then hire an experienced flight instructor with a good plane. If you want to protect your information, then hire an information protection mentor who has a lot of hours in the air but whose measure of success is that you can make informed decisions based on real data that, frankly, you wouldn’t know about if that mentor wasn’t on your side. The opposition is probing and, given time, they win. Get “there” first.