Defending many attack vectors from the ‘problem of one’

By Jamil Farshchi, Visa, a CSO40 workshop moderator and advisory board member

We all have problems. Technologies, processes, people, you name it. But there is one problem that affects us all, equally and more than any other. It drives our strategies, our control decisions and our execution. It’s at once powerful yet disempowering, infinitely complex yet inordinately simple, timeless yet pressing. Such are the characteristics of the “problem of one”.

The playing field is tilted in favor of our adversaries. To win, we must defend all possible attack vectors, yet our adversaries need only exploit one. We can spend millions on protection, they just need to buy (or find) one zero day. One injection vulnerability, one hard-coded password, one misconfiguration, that’s all it takes for us to lose. To make matters worse, the attack surface is expanding rapidly. As digital information continues to grow in volume, criticality and value, our infrastructures, devices and applications that harness and generate the digital information are growing in kind. Such are the dynamics of the technology that underpins our businesses, and again, it takes just one weakness in that technology to put us at risk of losing. To compete, we need a thoughtful strategy and outstanding execution.

There are a variety of strategies we currently use to navigate this uneven playing field. One example is to attempt to meet or exceed the security maturity of our industry peers – a relative maturity strategy – such that the adversary chooses to attack the weakest link rather than us. Another is the compliance-based strategy where we focus on traditional controls and standardized methodologies – like ISO or NIST – to establish layered protections. Another is the fortress approach which emphasizes the creation of an impenetrable outer shell which doesn’t allow our internal weaknesses to be exposed. No matter which strategy is used though, a competitive strategy – even if executed flawlessly – cannot guarantee success. And in the end, we don’t want to just compete, we want to win.

Every strategy can be countered.

The relative maturity strategy sputters as soon as the economics of the attack fall out of your favor. For example, if a nation state decides that Los Alamos National Laboratory (LANL) is a strategically lucrative target that they want to attack, it doesn’t matter how much better LANL is than its peers – LANL will be attacked.

The compliance-based approach is great if one has the resources and support to implement and maintain all the controls, but breach after breach of compliant organizations has demonstrated that being compliant is about control breadth, not effectiveness – and effectiveness is only half the battle.

The fortress approach meanwhile, emphasizes control effectiveness, but just like the Maginot Line, it is at the expense of coverage. Furthermore, the limited flexibility of the fortress approach – and associated challenges with BYOD, cloud and mobile services – makes it a poor match for modern productivity- and usability-focused businesses.  

In light of all these challenges, how are we expected to win? We change the rules.

Nowadays, if you hear someone tell you that they have never had a security incident, you know that they are uninformed, disingenuous, or attempting to be humorous. That’s our reality. None of us are immune to security incidents. As a result, winning is no longer solely predicated on stopping all attacks. Instead, it’s based on identifying and remediating attacks as quickly and with as little damage as possible. Winners and losers are defined by the timeliness of threat detection, accuracy of characterization, and ability to continually learn and tailor decision models — based on environmental and behavioral factors — to glean higher fidelity, faster more predictive insights. The foundation of this capability is security data analytics.

The data analytics-centric approach helps to offset some of the asymmetries our adversaries enjoy by leveraging the fact that we understand our environments better than they do, and can therefore better detect unusual behavior. It helps us generate greater value from current tools through sensor enrichment and temporal analysis. As a passive control, it generates less workforce “friction” than active controls – enabling the business with improved usability and reduced time-to-market. Finally, a data-centric approach naturally facilitates information sharing and can therefore help us generate favorable information asymmetries by correlating, prioritizing and actioning data across multiple data sets from organizations in real or near-real time. These data analytics-driven enhancements serve to demonstrably improve the speed, accuracy and quality of a detection and response capability, collectively helping to redefine the playing field in favorable way.  

Emphasizing detection and response and investing in data analytics at the expense of everything else isn’t the answer. But when held up as a primary capability within the broader scope of a competitive strategy (such the relative maturity or compliance-based strategies that we discussed earlier), advanced detection and response – anchored by advanced data analytics – will aid in muting strategic weaknesses and in turn, help address the problem of one. It won’t even the playing field – we will continue to be at a disadvantage for the foreseeable future – but it will help to make us more competitive, and position us for a chance to win.

~~~~

Jamil Farshchi is VP of Information Security at Visa Inc. Throughout his career, he has been responsible for protecting some of the world’s most sensitive assets (#NuclearWeapons @LANL), the economy’s most critical systems (#Visanet @Visa) and humanity’s most innovative technologies (#Hubble #MarsRovers #MissionControl @NASA). Jamil is a 2011 CSO Compass Award winner.

Jamil will be co-moderating a workshop at this year’s CSO40 Security Confab + Awards event, to be hosted by CSO March 31-April 2.  Awards are presented to 40 organizations for their security projects and initiatives that demonstrate outstanding business value and thought leadership.  Jamil and Bob Bragdon, publisher of CSO magazine, will lead a moderated workshop on security best practices during the afternoon of March 31.