Think your security strategy is up to par? Think again!

Sep 08, 2015 | 5 mins
Business Continuity | Data Breach | Government

The writing on the wall suggests that our strategies are based upon an outdated understanding of how people, processes, and technology work together to protect our organizations.

[Image: golf sand trap. Credit: Thinkstock]

2014 was the year of the breach. It included admissions from Target, Home Depot, and even Dairy Queen. The trend has continued into 2015 with a new twist. There have been an alarming number of security failures throughout our local, state, and federal government agencies.

Each of these breaches sends ripples throughout the organization, ruins brand reputation, exposes sensitive information, and in 2015 resulted in financial losses totaling $400 million. According to the 2015 Verizon Data Breach Investigations Report (DBIR), the public sector alone experienced 50,315 incidents and over 300 confirmed cases of data loss. With more than 70,000 confirmed incidents overall, and over 2,000 of those involving confirmed data loss, our security strategies are not up to par.

The problem lies in how we view the problem and subsequently build our security strategies. Historically, our strategies were technology centric, focused on certification and accreditation of systems, and more recently continuous diagnostics monitoring (CDM). Technology only provides us with a medium to maintain situational awareness within our networks. In most instances, technology is unable to provide us with vital contextual information. Certification and accreditation focuses on meeting certain standards and checking the appropriate boxes.

Each of these approaches is passive. They are not actively looking for attackers on the inside because, by default, they assume an attacker is not already on the inside. Since 2004, the gap between time to compromise (days or less) and defenders' ability to discover a breach in the same period has remained vast. Specifically, 75 percent of attackers compromise a target in days or less, while only 25 percent of breaches are discovered in the same amount of time. Cyber miscreants are like roaches: one always turns up despite all of your proactive efforts. As security professionals, we should always operate from the assumption that someone is on the inside.

Trust relationships are the new Trojan horse

Consider for a moment all of the organizations breached in 2014 and 2015. Now, make a list of those organizations that did not have any technical resources at their disposal. I don’t know about you, but I can only think of one organization that might fall into that category. Technology (or the availability of technology) is not our problem. Trust relationships present a significant threat to organizational security.

I bet you’re thinking I just went off the deep end and must be crazy. You might even be thinking, “Is he writing a romance piece?” But stay with me for a second and I will clearly present my case. In 70 percent of cases where the motive was known, there was also a secondary victim. Additionally, 75 percent of the attacks spread to the secondary victim within a day, and 40 percent within one hour. Attackers are using our relationships with partners, customers, friends, and family to compromise our systems.

Defenders, as opposed to attackers, have an enormous responsibility, and the odds are more often than not stacked in the attackers’ favor. Attackers only need that one break to get inside, but defenders have to “get it right” 24 hours a day, 365 days a year. If we have any hope of turning these odds in our favor, we have to change our mindset. Instead of thinking in terms of proactive checklists, we need to think like attackers and understand relationships.

Within an enterprise architecture, both system relationships and human relationships are based on varying degrees of trust. The Target breach provides us with an excellent example to help illustrate this point. Target partnered with an HVAC vendor whom they trusted with credentials to their network. The vendor was compromised, and its login information was stolen. From there the attacker was able to move throughout Target’s network and eventually access their Point of Sale terminals.

The checklist mentality results in a fire-and-forget mindset. It assumes we are not compromised until something or someone tells us otherwise. Thinking in terms of graphs (that is, relationships) changes how we view and subsequently defend ourselves: every trusted partner, shared credential, and flat network segment is an edge an attacker can traverse. Furthermore, it helps reinforce the core concepts of due diligence and due care. Now we start to realize that we are only as strong as the weakest link in our circle of trust.
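To make the graph view concrete, here is an added example of my own; it is not from the article and does not reproduce Target's actual network. It models a constructed, Target-style trust graph (vendor credential, flat network, shared admin password) as directed edges, asks which external parties can reach the crown-jewel segment, and identifies the single trust edges whose removal would break that path. All node names and edge labels are invented for the illustration.

```python
from collections import deque

# Constructed trust graph (illustrative, not a real topology). An edge
# (A, B, label) means: a foothold or identity at A is trusted by B, so an
# attacker who controls A can reach B. The label names the trust type.
TRUST_EDGES = [
    ("hvac_vendor",    "vendor_portal", "shared VPN credential"),
    ("vendor_portal",  "corp_network",  "flat network, no segmentation"),
    ("corp_network",   "ad_domain",     "domain-joined hosts"),
    ("ad_domain",      "pos_segment",   "shared local admin password"),
    ("corp_network",   "pos_segment",   "routable from corp VLAN"),
    ("payroll_vendor", "hr_system",     "SFTP account"),
]


def build_graph(edges):
    """Adjacency map: node -> {neighbour: trust label}."""
    graph = {}
    for src, dst, label in edges:
        graph.setdefault(src, {})[dst] = label
        graph.setdefault(dst, {})
    return graph


def shortest_trust_path(graph, source, target):
    """Breadth-first search over trust edges.

    Returns a list of (node, label_of_edge_into_node) from source to target,
    or None when no chain of trust connects them.
    """
    if source not in graph or target not in graph:
        return None
    parents = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for nxt, label in graph[node].items():
            if nxt not in parents:
                parents[nxt] = (node, label)
                queue.append(nxt)
    if target not in parents:
        return None
    path, node = [], target
    while node is not None:
        parent = parents[node]
        path.append((node, parent[1] if parent else None))
        node = parent[0] if parent else None
    return list(reversed(path))


def remove_edges(edges, pairs):
    """Return the edge list with the given (src, dst) trust edges cut."""
    return [e for e in edges if (e[0], e[1]) not in set(pairs)]


def cut_edges(edges, source, target):
    """Single trust edges whose removal alone disconnects source from target:
    the weakest links a defender should harden or remove first."""
    cuts = []
    for src, dst, label in edges:
        trimmed = build_graph(remove_edges(edges, [(src, dst)]))
        if shortest_trust_path(trimmed, source, target) is None:
            cuts.append((src, dst, label))
    return cuts


def exposure_report(edges, crown_jewel):
    """Which external principals (named *_vendor here) reach the crown jewel,
    and through which chain of trust."""
    graph = build_graph(edges)
    externals = [n for n in graph if n.endswith("_vendor")]
    return {n: shortest_trust_path(graph, n, crown_jewel) for n in externals}


if __name__ == "__main__":
    for vendor, path in exposure_report(TRUST_EDGES, "pos_segment").items():
        print(vendor, "->", "unreachable" if path is None else
              " -> ".join(f"{n} [{lbl}]" if lbl else n for n, lbl in path))
    print("single-edge cuts:", cut_edges(TRUST_EDGES, "hvac_vendor", "pos_segment"))
    # Segmenting the POS segment from both corp and AD breaks every path.
    segmented = remove_edges(TRUST_EDGES, [("corp_network", "pos_segment"),
                                           ("ad_domain", "pos_segment")])
    print("after segmentation:", exposure_report(segmented, "pos_segment"))
```

The useful output is not the path itself but the cut list: the two edges that alone sever the vendor's reach are the vendor's VPN credential and the flat network behind the portal, which is where due-diligence effort (credential scoping, segmentation) buys the most. Note that cutting only the direct corp-to-POS route does nothing, because the shared local admin password still gets there through the domain.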

What protected us yesterday won’t protect us today

I deployed four times to Iraq, and each time the threat had evolved. Not only did the threat change between my deployments, it changed almost daily. In 2003, when I was a young private three months into our deployment, the enemy was evolving. We had to change our tactics, techniques, and procedures if we wanted to protect ourselves and accomplish the mission. The tactics and techniques that had resulted in success in prior years and prior wars were no longer working.

Like the war on terror, cyber warfare is asymmetrical. Anything or anyone is potentially an enemy, even though it, he, or even she may appear harmless on the outside. Threat actors are dynamic in their tactics, techniques, and procedures. Likewise, the steps we take to mitigate threats and defend our resources must also change.


TJ Trent is an expert in organizational compliance and governance for organizations in the cyber universe. His focus is on people, processes, and systems, which provides the foundation for understanding the true place of technology in the cyber world.

TJ works fiercely and passionately to prevent, detect, and eradicate cyber threats. During his 13-year career he has witnessed the information technology field burgeon into a powerhouse industry intertwined with the fabric of our lives. As the lines have blurred between technology and our lives, cyber security and cyber awareness are at the forefront of media attention. For the last two years we have been inundated with breach after breach, from healthcare and banking violations to our most sensitive and private photographs. It seems like nothing is safe anymore.

A super high achiever dedicated to learning and continually improving, TJ has been able to rise to the elite levels of success in his career. With over nine years of leadership experience, TJ has helped many organizations and individuals reach milestones within their careers. As a result, he is also uniquely suited to help you turbo charge your career within the information technology field.

TJ's credentials include a Bachelor of Science in Information Systems Security, Certified Information Systems Security Professional, GIAC Security Essentials (SANS 401), GIAC Certified Enterprise Defender (SANS 501), GIAC Certified Incident Handler (SANS 504), GIAC Certified Intrusion Analyst (SANS 503), GIAC Certified Forensic Examiner (SANS 408), GIAC Certified Critical Controls (SANS 566), and GIAC Certified Network Systems Auditor (AUD 507). TJ will complete his Master of Business Administration in Technology Management in February 2016.

The opinions expressed in this blog are those of TJ Trent and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.