Ancient lessons for a modern security program

There is an old parable, which has many variations depending on culture and age, that is usually referred to as Blind Men and the Elephant. If we go with a simple version, such as what is described on Wikipedia, the parable goes like this:

A group of blind men heard that a strange animal, called an elephant, had been brought to the town, but none of them were aware of its shape and form. Out of curiosity, they said: “We must inspect and know it by touch, of which we are capable”. So, they sought it out, and when they found it they groped about it. In the case of the first person, whose hand landed on the trunk, said “This being is like a thick snake”. For another one whose hand reached its ear, it seemed like a kind of fan. As for another person, whose hand was upon its leg, said, the elephant is a pillar like a tree-trunk. The blind man who placed his hand upon its side said, “elephant is a wall”. Another who felt its tail, described it as a rope. The last felt its tusk, stating the elephant is that which is hard, smooth and like a spear.

The lessons learned vary, depending on how the rest of the story is told. However, the primary consideration is that when one focuses on a small area of a large thing, the truth of your finding may not be accurate or representative of the whole. An elephant is neither a snake, nor a fan or a tree trunk or a spear. Each of the blind men accurately described their small portion of the elephant, but could not accurately describe the elephant as a whole.

Organizations today suffer a very similar problem. As networks become more and more complex, the need for specialists who can handle all the moving parts is critical to keep everything up and running. Commonly, you’ll find network engineers to maintain the switches and routers, system admins watching over servers and backend data centers, developers who create and curate the code which applications are based upon, and desktop support staff who keep the workstations and laptops and other user-facing devices stable and available. Each has their area of expertise, and each is heavily relied about whenever something goes wrong in one of those areas.

Nevertheless, in this day and age of data breaches, ransomware, intellectual property theft, and other forms of cybercriminal activity, how do we easily identify how and where an attacker has infiltrated our environments? If we consider your environment to be the elephant from the parable, you may suddenly find yourself in very familiar territory, especially when a security incident takes place. Network engineers may say that a perimeter firewall has been breached and they’re locking it down, while a domain administrator rushes to verify if administrator credentials have been compromised, all while the desktop support folks are scrambling to make sure patches have been applied. But does any single group have the visibility of the entire environment to make a sound decision on how to defend against the active attack. They are, by nature of their specializations, the same blind men from the parable.

Here is where security professionals and the security program at large must take up the mantle to establish a true holistic view of the organization’s environment and be the champions to help each of the vital pieces and groups understand the true nature of the situation at hand. It’s one of the reasons that true security experts are hard to come by, as they must understand and establish advanced competency in nearly every area of an organization, from the technology employed to the business processes and the corporate tolerance for risk. Without this open-eyed visibility, not only will organizations flail and waste precious time and resources when attempting to combat a cyberattack, but even day-to-day operations can be impacted by not better quarterbacking the efforts from the various specialist teams to optimally align with the rest of the moving parts that make up the infrastructure as a whole.

Security teams must demonstrate leadership in these situations and lead the charge to establish whatever tools (such as SIEM tools, Intrusion Detection Systems, network monitoring tools, log management programs, etc.) and processes (centralized reporting structures, event and incident reporting mandates, access control coordination, event review and response procedures, etc.) are needed in order to create that “single pane of glass” visibility than many vendors tout and most every C-suite executive is looking for. Your specialists are there for a reason, and are effective when they can focus their expertise. Don’t make them lose than focus by trying to guide all areas of the organization, especially where they have no operational responsibility or authority. This is where security professionals can shine, shedding light on where to make best use of the resources available.

It’s our responsibility and duty to help every group understand the elephant in the room for what it really is.