Today, I am putting my money where my mouth is. I have been talking about thinking differently about infosec as being a powerful tool in the future for several months now, but here are three concrete examples of how security folks need to think differently than they do today. (Note that some of you may have already begun to embrace these ideas – if so, awesome, you are ahead of the curve!)
#1 – Think like attackers AND defenders – We as infosec folks often get so caught up in our statements of ethics, credos and agreements about behavior that we get trapped inside them and become blind to the methods and ways of attackers. Many security folks I meet have taken such steps to distance themselves from attackers and they often show utter disdain for attackers, tools and techniques that they are essentially blind to the way attackers think. This is a dangerous paradox. If you don’t understand your opposition, you have no way of being effective in measuring your defensive capabilities. If you can’t think like an attacker, maneuver like an attacker and understand that they are not bound by the rules that you attempt to impose on them – then you will likely have little success in defending your organization against them. To better defend our assets, we have to be able and willing to understand our enemies. We have to have a realistic knowledge and capability to replicate, at the very least, their basic tools, techniques and attitudes. Otherwise, we are simply guessing at their next move. Essentially without insight and understanding, we are playing the “security lottery” in hopes of hitting the big defensive jackpot!
#2 – Deeper defenses are better defenses – We must extend defense in depth beyond an organizational approach to a data-centric approach. The closer to the data the controls are implemented, the more likely they are to be able to add security to the core critical data. (Of course, normal rationality applies here. The controls have to be rational, effective and properly implemented and managed – as always!) This is why security mechanisms like enclaving, data classification and eventually tagging are the future of enterprise security. If we start to think about our security postures, deployments and architectures with these ideas in mind today, we will be able to leverage them in their present state and eventually gain the maximum from them when they are fully ready for integration.
#3 – Think risk, not compliance – I am going to continue to talk about this, no matter how much heat I get from the “compliance guru set”. Striving for compliance with various regulations or standards is striving for the minimum. Guidance, regulations and law are meant to be the MINIMUM BASELINE for the work we need to do to separate liability from negligence. Compliance is a milestone, not a goal. Effective understanding and management of risk is the goal. Don’t be deceived by the “compliance guru set’s” argument that meeting baselines if effective risk management. It is NOT. Regulatory compliance, ISO/PCI compliance pays little attention to and has little management for attacker techniques like vulnerability chaining, management/analysis of cascading failures or zero-day/black swan (Thanks, Alex!) evolutionary capabilities. This step requires upper management education and awareness as well, since those that control the budgets must come to see compliance as a mile marker and not the end of the race ribbon!
I hope this helps folks understand more about what I am saying when I assert than in 2008, we have to think differently if we want infosec to improve. Of course, thought has to precede action, but action is also required if we are going to change things. What is clear, from the problems of 2007 and further back, is that what we are doing now is NOT WORKING. It should be very clear to all infosec practitioners that we are losing the race between us at attackers!