In the last 48 hours, a hurricane of e-mails has crossed my Inbox, with breathless and self-congratulatory subject lines like "Our latest release detects Bad Rabbit" and "XYZ now protects XYZ customers from Bad Rabbit." In other words, "If you use our product, you were exposed to Bad Rabbit, but now that we know about it (from someone else) we deployed an update." Once you decode the messages, it’s clear that the content is not newsworthy, differentiating or exciting, it’s just an excuse to partake in the latest frenzy.
Last month I discussed cybersecurity effectiveness, particularly in regards to the growing threat of fileless attacks. But effectiveness is only one piece of the equation.
First and foremost businesses still need to go about their business. Unfortunately, it has long been the case that the more effective a cybersecurity tool is, the slower and more intrusive it is and the more effort it takes to manage it. The complexity and pain of managing – not buying, managing! – security tools often forces companies to reconcile themselves to unacceptable exposure, for example to security-related business disruption, for want of resources to manage cumbersome defensive technology.
In about two weeks, I’ll be participating in the Mid Market CIO Forum in Austin, Texas. Events such as these are vital as they bring IT professionals together in a setting that is intimate enough to get real answers to their unique set of challenges. For cybersecurity practitioners in particular, the market is incredibly confusing. On top of a profusion of various technologies you have a rapidly changing threat landscape where the threat of the day seems to dictate the conversation.
The article below was sent to attendees of the Mid Market Forum, but is relevant to many of us in the security field. Only when asking different questions, moving beyond the standard security discussion, will security practitioners find the set of solutions that meets the specific needs of their business.
Last week’s news about cyberattacks was sobering. Cybercrime is rampant and notorious. “WannaCry,” “Jaff,” and “Cerber” - the names of the attacks that got the most publicity - read like names of gangsters from the days of Prohibition, with unique personalities, techniques that range from brutal to devious, and a lurid line-up of targets and victims. Only the wanted posters are missing.
Imagine this. You are in charge of public health and must deal with an unrelenting epidemic. You have two options for protecting the population.
The first option is to monitor each person for symptoms of infection. You buy analytical technology and infrastructure, hire staff and build hospitals. You send forth specialists to monitor everyone. When they notice symptoms, more tests are performed. The symptoms are
subtle (fatigue, headache, stiffness), and healthy and sick people look a lot alike, so to be on the safe side you test far more people than are truly ill. Once you suspect infection, you quarantine the person and start a course of treatment. Sometimes the people are cured. Sometimes they are not. You can’t guarantee that you will find everyone who is infected. Or that everyone you treat is ill. The monitoring and mandatory quarantine intrude on civil liberties, disrupt lives and interfere with the economy. To compound matters, the disease mutates, so you have to continually design new screening tests and retrain the specialists.
This year’s Black Hat USA conference was bigger and badder than ever, with attendance up nearly 30% according to show organizers. Of all the security conferences, Black Hat has the most clear divide between the technical practitioner side and the security vendors, and the main themes varied depending on which side of the divide you were standing. From the practitioner side, these ranged from enhancing technical skills (excellent training) to strategies and threats, to leadership and alignment with the business. The instructors and presenters were world class, the content was superb, and thoughtfulness and creativity were everywhere.
All good for the practitioners and kudos to the organizers. On the vendor side, things were a little more nuanced.
Imagine a conversation like this.
ASPIRING VIOLINIST: Maestro, what should I do to be a violin virtuoso?
MAESTRO: You must practice 48 hours every day on the tuba. I will sell you a tuba.
ASPIRING VIOLINIST: But there are only 24 hours in a day. Did you say tuba?
MAESTRO: If you won’t follow my advice, I can’t help you.
More Madness than Method
It sounds absurd, but conversations like this unfold daily when enterprise cyber practitioners meet with industry vendors and security consultants. The industry tells them that they are not doing enough. They must install more security technology, hire more analysts, and patch more frequently. This may seem simple; merely a matter of budget and execution. But the technology is not up to the task and the cost of following this advice to the letter would force enterprises to spend themselves out of existence. And it still wouldn’t work. Not enough hours, wrong instrument.
The ancients’ experience of modern computing was limited to say the least, but they gave us a nice framework, the Socratic Method , that moderns can use for dealing with the problem of cyber security. The Socratic Method is a process of question and response, designed to challenge and eliminate bad ideas, refine good ideas, and arrive at sound conclusions. If it worked for Socrates, maybe it will work for us. Here is dialogue that unfolds between Socrates and the Security Architect of, for the purposes of this exercise, the Bank of The Peloponnese.