There is an old saying that “There is strength in numbers.” But what happens when that strength is on the side of the intent to do harm?
Micro Focus’ 2020 State of Security Operations report recently revealed insights into how organizations are actually tackling this challenge. The report highlighted four findings that show organizations are struggling with a crisis of human resources.
- Threat detection continues to remain a hurdle - there’s clearly no shortage of threats, but there’s definitely a shortage of personnel to detect and analyze them.
- Increased reliance on external resources. 87% of respondents already outsource some of their IT security functions to managed security service providers (MSSP) with an average of three functions outsourced.
- More and more tools are in use. Security Operations is such a broad area that more and more tools are needed for complete coverage.
- Malware remains the #1 threat concern. Of all the security threat types out there, organizations are most concerned about malware, followed closely by phishing/spear-phishing attacks and ransomware.
The talent war is real, and the strength in numbers favors our opponent. On top of the digital transformations we were planning pre-COVID, we now have additional transformations to take on to enable a distributed workforce that was previously never a consideration. There simply are not enough properly equipped resources to meet global demand, and even then an organization is only as strong as its weakest analyst. The adversary knows that and leverages the vulnerabilities in human behavior to advance their position in the “infinite game” of cyber warfare.
If you are not familiar with the concept of finite and infinite games, I would encourage you to read the book “The Infinite Game” by Simon Sinek. Cyber resilience, a term that did not effectively exist five years ago, refers to an organization’s ability to enable business acceleration by preparing for, responding to, and recovering from cyber threats. Organizations are now not only feeling their way through a degree of distributed workforce they didn’t previously contemplate, but are still trying to manage digital transformations that now consist of previously planned and newly identified work required just to survive.
The stage is now set: a real talent war; strength in numbers that favor our opponents; pre-COVID planned digital transformations that now include additional transformations to enable a distributed workforce that was previously never a consideration. If these realities don’t conspire to force an organization to genuinely take an in-depth look at their cyber resiliency, what realistically will?
The lesson of the Rubik’s Cube
The object that best represents this challenge is the Rubik’s Cube. The puzzle has approximately forty-three quintillion permutations. In 1992 the best proven upper bound on the number of moves needed to solve any position was 42, and the world record was set at 17.02 seconds. In 2006 the proven bound dropped to 27, and the world record was subsequently set at 11.13 seconds. In 2010 a group of mathematicians, computer programmers, and about 35 CPU-years of idle computer time donated by Google proved that no more than twenty moves are ever required to solve the puzzle from any starting position; and in 2018 Yusheng Du set the world record at an astonishing 3.47 seconds. So, what lessons can we take from this puzzle, and how can we translate these insights into security operations?
- With familiarity comes increased speed and effectiveness. The more familiar the solver is with the puzzle, the faster it can be solved, and for decades that familiarity kept producing solutions in fewer moves than previously thought possible.
- There are “Core Moves”. No matter how scrambled the puzzle may be, leveraging the core moves will always result in quick success.
We can translate these insights into security operations:
- Familiarity with the overall landscape, aided with innovations in both technology and techniques, has resulted in the ability to carry out successful attacks faster.
- Like the cube, security operations professionals deal with a very complex puzzle that is considered to have near limitless possibilities.
No matter how “scrambled” our puzzle may appear, there are “core moves” that can improve security posture. One substantial difference separates the player of the Rubik’s Cube and the player of the cyber security puzzle: the puzzles are of different types. The individual working the Rubik’s Cube works a “finite puzzle”, meaning there is a definitive start and end; the player can “win” or beat the puzzle. Our cyber security puzzle is an “infinite puzzle” in which there are no winners or losers. There are simply players with the will and the means to keep playing. The players “end”, not the game. So in our application we should not be playing with an eye toward “winning or losing”. Rather, we are playing to improve our relative position versus our adversaries. I strongly urge you to remove the words “win” and “lose” from any discussion associated with this puzzle and instead reframe with “success” and “failure”. This may appear on the surface to be semantics, but the resulting shift in mindset and perspective is profound.
Let’s now explore our “core moves”:
- Understand time and how to evaluate cyber security activities within it
- Appreciate the power of reciprocity - the vulnerability with no effective patch
- Respect culture so that it does not eat your strategy
Understanding time and evaluating cybersecurity activities within it
Our first core move focuses on understanding the concept of time. Our adversary understands it well, and often manipulates it. They understand where they can go fast, and where they must go slow. In order to better understand time, you must understand some essential elements. One of the most thought-provoking books I ever read on computer security was published in 1999 by Winn Schwartau and is called Time Based Security. It absolutely reframed how I looked at physical, computer, and even cybersecurity. I would like to focus on Protection Time (Pt) and Exposure Time (Et).
- Protection Time can be summarized as the total amount of time that all implemented layers of security defenses provide, i.e. how long they hold an attacker off. If an organization does not know this figure by way of authoritative evidence, then it has no choice but to assume Protection Time is zero. The goal is for Protection Time to exceed Exposure Time, or Pt>Et.
- Exposure Time is the time it takes both to detect a threat and to react to it sufficiently to minimize it. If the organization has never performed “in-environment” exercises, then it does not know what its Exposure Time really is given the training, tools, and environment available to the SOC on a daily basis.
Think of Exposure Time as the reason someone would have a burglar alarm. The homeowner first sets the environment to a “secure state” by ensuring doors are closed and locks are set. Lastly, the alarm is set. The locks provide the Protection Time; the alarm minimizes the Detection Time (Dt) by signaling as soon as the “expected state” has been altered. Reaction Time (Rt) is the time it takes the homeowner to mount an appropriate response to assess and minimize the impact of the threat. If we say that the homeowner has one minute of Protection Time and requires forty-five seconds of Reaction Time, then we can deduce that the homeowner has less than fifteen seconds of Detection Time to work with (fourteen seconds in whole seconds, since protection must strictly exceed exposure). Sometimes the formula view makes it easier to consume: Pt>Et, where Et=Dt+Rt.
The takeaway: right now, do you know, with confidence, what level of Protection Time all of your investments amount to?
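The bookkeeping above is simple enough to put into code, and doing so forces the two rules the article insists on to be explicit: a defensive layer with no authoritative evidence contributes zero Protection Time, and an attack path that has never been exercised has no known Exposure Time. The following is an added example written for this page; it is not code from the original article or from Schwartau’s book. The scenarios, layer names and all timing values in it are constructed for illustration, and treating an unexercised path’s Et as unbounded (rather than zero) is this example’s own conservative assumption.

```python
"""Time-Based Security bookkeeping: Pt > Et, with Et = Dt + Rt.

Added example, not from the original article. All scenario values below are
constructed for illustration, not measurements from any real environment.
"""
from dataclasses import dataclass
from math import inf
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Layer:
    """A defensive layer and the delay it demonstrably imposes on an attacker.

    protection_seconds is None when there is no authoritative evidence
    (pentest, in-environment exercise) for the delay; per the article's
    rule an unevidenced layer contributes zero Protection Time.
    """
    name: str
    protection_seconds: Optional[float]


@dataclass(frozen=True)
class Scenario:
    """One attack path as exercised in-environment.

    detection_seconds / reaction_seconds are None when the path has never
    been exercised. Assumption: unknown Et is treated as unbounded, so the
    path cannot be claimed as covered until it has actually been measured.
    """
    name: str
    layers: Tuple[Layer, ...]
    detection_seconds: Optional[float]
    reaction_seconds: Optional[float]


def protection_time(layers: Tuple[Layer, ...]) -> float:
    """Pt: sum of evidenced delays along the path; unknown layers count as 0."""
    return sum(
        layer.protection_seconds if layer.protection_seconds is not None else 0.0
        for layer in layers
    )


def unevidenced_layers(layers: Tuple[Layer, ...]) -> List[str]:
    """Layers that are deployed but whose delay nobody has measured."""
    return [layer.name for layer in layers if layer.protection_seconds is None]


def exposure_time(scenario: Scenario) -> float:
    """Et = Dt + Rt; unbounded until the path has been exercised."""
    if scenario.detection_seconds is None or scenario.reaction_seconds is None:
        return inf
    return scenario.detection_seconds + scenario.reaction_seconds


def evaluate(scenario: Scenario) -> dict:
    """Check Pt > Et and report how much detection budget the path leaves."""
    pt = protection_time(scenario.layers)
    et = exposure_time(scenario)
    rt = scenario.reaction_seconds if scenario.reaction_seconds is not None else inf
    return {
        "scenario": scenario.name,
        "pt": pt,
        "et": et,
        "holds": pt > et,             # the Pt > Et condition, strictly
        "margin": pt - et,            # negative: the attacker wins the race
        "detection_budget": pt - rt,  # Dt must stay strictly below this
        "unevidenced_layers": unevidenced_layers(scenario.layers),
    }


def report(scenarios: List[Scenario]) -> List[dict]:
    """Evaluate every scenario; worst margin (biggest gap) first."""
    return sorted((evaluate(s) for s in scenarios), key=lambda r: r["margin"])


# Constructed scenarios (illustrative numbers only).
HOMEOWNER = Scenario(
    name="burglar alarm (the article's example)",
    layers=(Layer("door locks", 60.0),),
    detection_seconds=14.0,
    reaction_seconds=45.0,
)

WORKSTATION_PHISH = Scenario(
    name="phished workstation to domain admin",
    layers=(
        Layer("email gateway filtering", None),   # deployed, never measured
        Layer("MFA on admin accounts", 1800.0),   # evidenced in a red-team exercise
        Layer("network segmentation", None),      # deployed, never measured
    ),
    detection_seconds=2400.0,
    reaction_seconds=1800.0,
)

NEVER_EXERCISED = Scenario(
    name="service account credential theft",
    layers=(Layer("privileged access management", 3600.0),),
    detection_seconds=None,  # no in-environment exercise has ever been run
    reaction_seconds=None,
)


if __name__ == "__main__":
    for row in report([HOMEOWNER, WORKSTATION_PHISH, NEVER_EXERCISED]):
        verdict = "holds" if row["holds"] else "GAP"
        print(f"{verdict:5} Pt={row['pt']:>7} Et={row['et']:>7} "
              f"Dt budget<{row['detection_budget']:>7}  {row['scenario']}")
        if row["unevidenced_layers"]:
            print(f"      measure first: {', '.join(row['unevidenced_layers'])}")
```

The useful output is not the verdict but the two lists it produces: the layers whose Protection Time is being counted as zero because nobody has measured them, and the paths whose Exposure Time is unknown because they have never been exercised. Those are exactly the gaps that the penetration tests and in-environment exercises recommended later in this piece should be scoped to close, and the sorting by margin tells you which path to exercise first.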
Appreciating the power of reciprocity – the vulnerability with no effective patch
Imagine standing on a train or subway platform and someone walks up to you and says, “May I have your password?”, and if you provide it, they give you a piece of chocolate. Does this scenario sound absurd? In your head did you just scream out “I would NEVER do that!”? Would you respond differently if a stranger walked up to you and casually said “Here, have a piece of chocolate”, and then, after you politely accepted and ate it, asked “May I have your password?” In 2017, this situation happened to 1,208 unsuspecting commuters when a group of researchers from the University of Luxembourg went to a local train station and performed this experiment. They were studying the power of reciprocity.
Reciprocity is a mutual or cooperative interchange of favors, privileges, or trade and sits at the foundation of “proper social etiquette” in almost every culture. Its power is immense, as those who engage in social engineering are aware. Exploited properly, it is a near automatic response and the social conditioning to reciprocate far outweighs the training many organizations provide their employees against it. It is a vulnerability for which there is no reliable and effective “patch”. The results? 43.5% of the experiment group, those who were given chocolate before being asked, divulged their passwords when asked. The control group, those who were asked for their password before receiving the chocolate, fared slightly better. Only 29.8% of those respondents provided their password. Here are a couple of questions to consider:
- In your organization, are there users that have 24x7x365 high privileged accounts?
- Is that privileged account the user’s primary account?
This is why targeted spear-phishing and malware are so pervasive a concern: the weakest link is the person, and the power of socially conditioned behavior is exactly what the attacker exploits. As experts, we must encourage business leaders to acknowledge this fact of human behavior in order to strengthen cyber resiliency, even during a security personnel shortage.
Respecting culture so that it does not eat your strategy
Management guru Peter Drucker is famous for the phrase “culture eats strategy for breakfast.” Many a CISO, and their soldiers, undervalue this truth, and it comes with a high price. This “core move” is about understanding the corporate culture and stresses the importance of selecting tactics that are complementary to it. This approach enables the subtle adjustment of culture while simultaneously advancing strategy. Answering objectively and honestly which of these two statements BEST represents the organization’s culture can quickly help any security executive or architect make good tactical decisions to advance their strategy.
- Statement 1 – A place for everything, and for everything a process
Those who most identify with this statement will generally be able to leverage tactics that result in limitations and control. The organization’s culture will typically trade freedoms for safety because of their cultural risk tolerance.
- Statement 2 – They’re not really rules they’re more like suggestions
Those who most identify with the second statement usually have to leverage more reactive tactics, because the organization’s culture values freedoms and regards most up-front attempts at control as bureaucratic, needlessly restrictive, and likely to stifle the organization’s ability to function.
Applying the moves to the puzzle
Remember the premise “what happens when strength in numbers doesn’t benefit the good guys?” The talent war is real, it is infinite, and no organization is going to win it. With this backdrop, let’s apply the core moves to the puzzle.
Move one - gain an understanding of the organization’s Protection and Exposure Times and use that insight to strategize and execute. No more tools or processes unless they can be shown, measurably, to improve Protection Time or to reduce Exposure Time. Perform semi-annual third-party penetration testing and align it with “in-environment” exercises. Use these results to determine Protection Time and Exposure Time gaps, then be purposeful in addressing those gaps when considering tool purchases, outsourcing decisions, etc.
Move two - acknowledge the human weakness and proactively block against it. Go beyond anti-virus, anti-malware, anti-ransomware and email gateway filtering. Start with multi-factor authentication. Next, data security: encryption technologies exist that preserve the data for analytics and maintain business use but render it useless if compromised. Don’t depend on data owners to sacrifice their convenience to make your life easier; it won’t happen, and data owners are rarely good data classifiers. Invest in data discovery and data classification technologies. Consider entity behavior analytics for systems and applications that are in scope for regulations such as PCI DSS and GDPR, and user behavior analytics with real-time monitoring on any designated “service” account. These moves can be implemented with minimal intrusion on the overall culture, and they go a long way in addressing the human element. Proper network segmentation is also a plus. Implement a privilege management program, which begins with limiting, with the intent to eliminate, all 24x7x365 privileged access. No person or service should be assumed to be trustworthy, so no account should be privileged “at rest”. Implement this in phases, as this action often causes a significant culture battle. Build on these moves with a comprehensive identity and access governance plan. It is essential, but not before the basic blocking activities.
Move three - really understand and respect the culture so that it does not eat your strategy. Ask at least 25% of the business colleagues you interact with on a regular basis, at every level of the organization, which statement best describes the organization. Realize that you will not change culture by revolution. You do not have a strong enough mandate, and do not believe you do. It is that important. Armed with this truth and the strategy, rank tactics from least against the culture to most against the culture, then arrange them in progressive order so that they build on each other, systematically nudging and subtly reshaping the culture. Silent erosion versus violent revolution has worked far more often than it has failed. Patience is required! Also, remember the power of reciprocity. Use it to the strategy’s advantage, and when you take, give where you can. For example, when implementing a privilege management solution, make sure that it is well managed and doesn’t impose processes so cumbersome as to be unworkable. Remember, people still have to do their jobs. Consider a short-term “safety blanket” compromise such as a “break glass” account that is highly monitored and guarantees an investigation if triggered, but still provides a level of comfort during the acclimation period. You have already seen social engineering work against the organization; now use it constructively for the benefit of the organization.
No one ever solves or “wins” the infinite cybersecurity puzzle. Instead our core moves are intended to compensate for an imbalance of strength. While the adversaries have more strength in numbers, their numbers are seldom coordinated. The goal is to know both yourself and your enemy. As Sun Tzu said in The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Good luck!