Intense Defense: Building a Robust Active Defense Ethos
War and Peace
One of my favorite Latin sayings was one that was considered common during the height of the Roman Empire. In pace, ut sapiens, aptarit idonea bello, or for those of you who do not speak Latin: In peace, like a wise man, he appropriately prepares for war. Many information security professionals laugh and roll their eyes at comparisons made to ancient military texts (Western or Eastern alike), yet there is something that strikes me as being invaluable in adopting these concepts and applying them to all scenarios wherein conflict may result. Tell me where in life you can find a scenario that may not result in some form of conflict?
Ok, good, we are on the same sheet of music. It is an act of wisdom to be prepared during peace so that when the time comes and duty calls, you and your compatriots are prepared mentally, physically and emotionally. This is an idea that is as old as time, and yet we somehow dismiss it as an inappropriate one relegated solely to the armed forces and in no way applicable to the day-to-day walk that the average security analyst takes in his or her life. How much more wrong could we be? Leaders lead from the front, not the rear. As such, we have an obligation to prepare ourselves and our ranks for the conflict during times of peace, because we know it will come. And when it comes (and yes, it will come) we will want to know that we and our peers are prepared, having taken the time to understand our strengths, weaknesses, affiliations, population behaviors and much more. We will want to know that our active defense is an intense defense: that the mere mention of a campaign sees us scramble into position not out of fear, but out of obligation and duty to protect that which we have been chartered to protect (whatever that may be to your individual enterprise).
Deeds, Not Words
Leaders (Managers, Directors, VPs, CISOs/CSOs, CIOs, etc.), you have an obligation to lead. To instill confidence, and to ensure that your subordinates and that which you have been tasked or chartered to protect remain protected, is your responsibility. It is your duty and one you should not take lightly. Additionally, you cannot hope to defend against or defeat a determined, sophisticated threat actor if you do not know yourself and your environment. If you do not understand your environment and your user population in detail, how can you possibly hope to engage an adversarial opponent? Enterprises in today’s world simply do not have the luxury of sitting idly by, watching the world from behind their NAT’d or proxied IP address space and hoping that no one takes note of their existence. Long dead are the days when security through obscurity was an effective model (provided you believed it was effective to begin with). No. Today’s world is a world where clear and present dangers face our workforce populations on a daily, hourly and sub-hourly basis. It is a world of instant communication and imminent threat. Your organization must (regardless of its size or prominence) take an active approach to its threat mitigation. Passivity invites detriment.
There are ample examples that we could cite (but for the sake of time will not) over the last ten years which demonstrate that unequivocally. Your first step in establishing a solid defense is conditioning a sense of involuntary reaction anchored in hard training. This involuntary reaction must be conditioned beyond the point of reason; it must become as natural as protecting oneself from being struck by a moving object. It depends upon the simulation and study of scenarios that exhibit a model of reality comparable to the one in which you, your peers and your user population exist on a daily basis, year in and year out. For information security professionals, this should resonate deeply. If you find yourself in a position of authority today, you must consider the consequence of not acting with vigor. The cost could be astounding, the damage irreparable and the lessons frightening. It doesn’t have to be that way!
And?
While I wholeheartedly agree with you, it appears that the business culture within the US (and perhaps parts of the EU) accepts passivity. How long have security professionals been hawking the “not if but when” model for security incidents? Even with annual reports publishing statistics based on particular customer bases, I can’t say that I’m seeing a great deal of difference in the security landscape over 13+ yrs in the industry.
What’s required is a cultural change, and one that won’t come from any external stimulus. We’ve had statistics and numbers, we’ve had compliance regulations and fines, and where are we, from a macro-perspective? Sure, it’s great to say these things, and it’s a “win” if just one organization decides that it’s important to protect their customers’ data. But in the big scheme of things, it’s the usual “...it won’t happen to us...” mentality.
Harlan,
I obviously agree. The fact is that, in my opinion, leadership needs to lead and take ownership from the outset rather than after an event of interest occurs. You’re correct on cultural change being necessary. I believe this is at the root of a lot of these issues. Leaders need to lead from the front, not the rear, and that includes cultural stewardship!