Cyber Defenses – Bloodied, Battered and Bruised

Bloodied, battered and bruised is the fighter who bobs and weaves trying to anticipate and block the opponent’s moves.  Eventually, he is worn down, the opponent laying combination after combination to the head, ribs and kidneys. This continues until the defender boxer is knocked out, dragged off the mat to hopefully fight another day. Unable to return for the next round. 

This picture is much like our cyber defenses today. Culturally trained to block every punch, cyber defenses attempt to detect where the next punch will hit. Standing toe-to-toe with an adversary that is much more devious, much more innovative and completely offensive in nature. Therein lies the problem.  One boxer defending against multiple opponents all in the ring at the same time. 

All cyber defenses today are just that – defensive.  Most everything we deploy is based upon what is known.  Largely, this means that any nuance or change by the attacker goes unnoticed until the blood is already running from your infrastructure. Your ribs are already cracked by the time you feel the excruciating pain. Data is hemorrhaging by the time you detect it and hopefully, triage the wound. You can’t even tell how much data you have lost only that it was significant. 

The see, detect and arrest methods of cyber security only serve as an after-the-fact solution.  All too often, security leadership uses this method as a demonstration of heroism. Like Rocky, they believe they can take the body blows and headshots while eventually knocking out their opponent and being seen as a hero to the organization.  In the meantime, highly sensitive data has flowed through your defenses and customer confidence is eroded.  Risk assessments and proactive remediation strategies from those who ‘told you so’ 2 to 3 years prior, long since forgotten are dusted off and put back into play.  All of a sudden, all the true vulnerabilities that were communicated are now being fixed. All the issues identified in your IT environment as high risk are en vogue for remediation.  The CIO is paying attention, finally realizing the gravity of the risk and money flows across your desk like a plague of locusts.  However, how long before the CIO and the rest of the business go back to the status quo?  Will they realize that the protection of their assets requires different thinking? How long will the organization employ security professionals who thrive on the pain associated with see, detect and arrest?

It is too late for the current round since your reputation is weakened, unwanted audits become the norm, partners flood you with questions, attention is taken away from your core business and money is diverted to repairing the corporate ribs, broken nose and black eyes. The physical scars are apparent, but the mental scars should have the company asking a series questions as to how we got into this predicament.  What led us down the road to build a culture of security that lives in the past?

Recent breaches talk about users clicking on links that exploit zero day vulnerabilities.  I ask why the user pulled the file from the junk mail bin? Why then did the user click on the link? Why did the user have admin privileges to their desktop?

Recent breaches talk about attackers performing privilege escalation on non-admin users and I ask why were the target systems not properly configured to prevent this?

Recent breaches talk about compressed files being transferred out of the organization to harvesting and intelligence collection servers and I ask why the file transfer protocol was even running on those devices?

Recent breaches speak of admin accounts being accessed.  I ask why system adminstrators are using full root access accounts during non-change/release windows?

Recent breaches indicate that some rule or list was not applied on a technology that may have prevented the attack. I ask why is it that most technology is only 20% deployed with respect to functionality and why are there no clear procedures to continue tuning and building out the solution the same way that the threat continuously changes?

Recent breaches speak of this mythical best they name advanced persistent threat.  I ask why make something up as a catch all for poor security practices, incompetence and the illusion you project at security due diligence?  

Instead of relying on technology to detect an attack in real time (which is pretty much an oxymoron in itself since detection in real time is already too late), why not look at the real systemic issues associated with truly exploitable weaknesses in your environment?  Instead of worrying about a technology rule that was not implemented, why not configure each device properly removing unnecessary ports, services and accounts?  Why not build your systems like you build a house with every component inspected to code before the next component can be added? Why not inspect the whole system prior to occupancy? Why not have every change to that existing system inspected before going back into service?  (Why is it that CIOs are not required to be certified as a CISSP? Isn’t the CIO the general contractor for all IT systems? General contractors for homebuilding requires certification across all aspects of the building process (foundation, plumbing, electrical, etc.).  How can CIOs be allowed to reach such a critical position and not have the same type of IT certification and validation that a general contractor maintains?)

Some say “don’t blame the victim” but the real victims here are the customers and users. The real victims are those who are still under the auspices of the see, detect and arrest leadership of many CISOs and CIOs. The real victims are those that buy signature based systems that require the past to function. Take a look at those who say don’t blame the victims and seel who is paying for their services or buying advertising space.

You can write, deliver, communicate, scream, yell and stamp your feet until you are blue in the face and yet it takes a breach to get action.  I have had many progressive security practitioners lament over this fact. They present the evidence with solid metrics only to be turned away. That’s even if their communications are allowed to see the light of day.  Some CIOs (and yes, even CISOs) prevent such communication because it makes them look bad. And so goes the culture of after-the-fact security.  It is a no bad news environment.  It needs to change.

An ounce of prevention is truly worth a pound of cure. An old adage but one that is the key to many the woes of information security today.  The C-Suite knows this when it comes to business practices but conveniently forgets this when it comes to IT.  Prevention comes in the way of building security into everything that you do.  It absolutely must start there. For those CISOs who do this, my hat goes off to each and every one of you who have fought and won those battles.  Your organizations are not paying you enough!

And so our boxer stands in the ring taking combinations from a multitude of opponents. Being softened for the fatal blow. Bloodied, battered and bruised barely able to stand. The final question to be asked is: “When will we realize that the best defense is a most aggressive and targeted offense?” For another day …