Given Up on Protection?
Why are cyber attacks exploding while investment in security products is growing at double digits? Equifax CISO Jamil Farshchi’s recent Q&A in the WSJ illustrates a massive blind spot and groupthink across the top echelon of security executives. Jamil says, “It’s not realistic to identify and anticipate every possible threat and bring to bear every possible control to mitigate them.” While this is true, a logical fallacy has been embraced – why try? CISOs like Jamil have essentially given up on prevention, whole cloth. So, what is their solution? Jamil states that the broad consensus in the industry is that businesses need to focus on the fundamentals, namely “patch management, asset visibility, detection and response, and strong governance”. I agree that asset visibility (especially in operational technology environments like manufacturing, power and water, etc., where thousands of devices may be on the network unbeknownst to the security teams) and strong governance are a good starting point. Patch management, along with detection and response, is completely reactive. That is not to say these practices are bad. But this is the cat-and-mouse game that has been going on for the last several decades, and it is absolutely NOT working. Adding AI/ML to accelerate the cycle doesn’t solve the problem – it is still reactive. The security industry has given up on protection, the Protect function, which is the second pillar of the NIST Cybersecurity Framework. By analogy, the best way to significantly reduce bank robberies is to make the bank disappear from outsiders and insiders alike and to render the tools they use worthless.
I was in a meeting with a security professional this week who responded, “this sounds like magic” after I shared BlastWave’s approach to security (at which point we did a spontaneous live demo to show how it worked). I explained that, as a former Apple executive, I consider ease of use essential: the system must adapt to the way humans interact with networks instead of the other way around. Approaching security from a first-principles, hyper-Pareto analysis is a great way to change the thinking and thereby change the outcomes.
A First Principles Approach to Security:
What if, instead of investing tens of billions of dollars in detect-and-patch security solutions, CISOs and CEOs virtually eliminated the top four attack categories altogether, representing over 99% of adversary mechanisms? What if credential theft and phishing went away? What if human error related to configuration and settings disappeared? What if software vulnerabilities and exploits couldn’t be employed, because the attacker didn’t know what tool to apply or where? And what if the protective mesh overlay network inhibited remote loading of malware packages?
It’s no secret that the vast majority of breaches start with some form of compromised credentials or phishing. The lures are getting more sophisticated, and expecting ordinary users to recognize and “not click” on various trojans and malware loaders is a fool’s errand. Social engineering is largely targeted at gaining credentials as well. Training, retraining, and flogging users for not perfectly avoiding these lures is not a solution based in reality. Instead, the approach should be to redesign the concept of identity and eliminate the username and password altogether, so there are no credentials to remember or to steal. Password managers aren’t the answer, because the credentials still exist and can be stolen. Single sign-on is a convenient tool that is better but still retains the same fatal flaws. What if a multi-factor authentication approach to a VPN solution or corporate network didn’t involve usernames and passwords? 90% of the attack surface would disappear.
The next largest category of vulnerability comes from two forms of human error: misconfiguration of the network, and failure to reconfigure network settings when other changes have been made that affect the security posture of the network. Innovative thinking related to self-configuration can reduce the need for human actions and thereby reduce the opportunity for human error, both at the time of deployment and when devices or people are added to or removed from the network.
The Cyber Kill Chain
Many security professionals are familiar with the “Cyber Kill Chain” idea. This concept walks through the major steps every hacker needs to take to perpetrate an attack. It was originally coined by Lockheed Martin, and it begins with reconnaissance. Much like a bank robber needs to “case the joint” to figure out points of entry and exit, locations of cameras, the vault, security guards, etc., cyber adversaries need to gain intelligence on the target’s devices, applications, and operating systems. Once they know what is running, they can simply look up which exploits and tools to employ to gain access and implant a foothold in the network. After they have access to the network, they will do further internal reconnaissance to identify “the crown jewels” and deploy ransomware or other mechanisms to achieve their ultimate objective. Our insight is directed at thwarting the ability to even see the network, much less categorize its architecture. And what if this were true for both outsiders and insiders, who can be socially engineered or bought by well-funded state actors? Making a critical asset invisible would reduce that attack surface significantly; but to what numerical extent, I cannot estimate.
And finally, every threat actor uses various forms of malware (i.e., executables) to achieve their objectives, whether espionage or extortion. What if the operating system that the network was based on were purpose-built, thinned down, and hardened, so that an adversary would have to get physical access to the server or “virtual machine” to extract the package, manually manipulate the code, and get around encryption and digital signatures? That would greatly increase the security posture of the protected devices and network.
The Definition of Insanity
Taken as a whole, applying a first-principles view to the protection of critical assets could transform the game of cybersecurity “whack-a-mole” that has been playing out over the last few decades. Cyber spending has been going up massively, while at the same time attacks have been accelerating. The old approach is clearly not working, and fresh thinking is needed to shift the balance of power to the defenders. Many people are familiar with the definition of insanity attributed to Einstein: expecting different results from the same actions. The cybersecurity arena has created a related corollary: proceeding faster down the wrong path won’t yield a drastically different outcome.