Just because you’re doing the right things, doesn’t mean you’re doing things right


Part 1 of a 3 Part Series on how businesses can leverage proven US Military “Intelligent Adversary” tactics to stay cyber-secure.

If I were to ask an IT Professional to explain why his or her network is secure, I would probably hear a response that goes something like, “I have the latest and best technology, I do regular vulnerability scans, I do an annual penetration test, and I am in compliance with my industry’s security requirements and standards.”  At face value, that sounds like a solid answer and it appears that the IT Professional is taking the necessary steps to ensure that his company’s network is secure.  In reality, it is more likely that this answer is only partially correct.

In spite of the efforts that IT Professionals across all industry verticals take to secure their networks, the widely accepted approach of deploying the latest technology, conducting vulnerability assessments, and following compliance checklists is not adequate.  While each of the aforementioned components is important, they are generally applied independently and without operational context, which means they are treated as administrative functions.  The notion that network security is an administrative issue is problematic because virtually every company relies on its network to conduct business operations.  So businesses must ensure that their networks are ready for the inevitable attack.  We call that “cyber readiness” in the Military.  When I was responsible for Navy Cyber Operational Readiness I learned quickly that my business, the US Navy, could not fight if it didn’t control its networks.  The constantly growing list of companies that have been breached over the past few years is an indicator that many businesses are not cyber ready.

So how does an organization achieve truly effective cyber readiness?  Most importantly, businesses need to view network security holistically.  It isn’t enough to “check the boxes” by buying the latest and greatest technology, conducting vulnerability assessments, and completing compliance checks.  What is truly needed is a different paradigm, one that has proven successful in the Military and is built upon three interdependent focus areas.  The three focus areas, Network Infrastructure, Compliance, and Operational Behavior, form the Cyber Readiness Triangle, depicted below.

[Figure: the Cyber Readiness Triangle, with Network Infrastructure, Compliance, and Operational Behavior as its three legs]

Let’s briefly discuss each of the three focus areas to more fully understand how they contribute to more comprehensive cyber readiness:

1.  Network Infrastructure.  Perhaps the most significant problem that I have observed in industry since leaving the Navy is that businesses tend to look for the next best technology that will provide an acceptable level of security without increasing IT management cost.  This approach falls short, as the steady stream of breached businesses shows.  It only takes one misconfigured next generation firewall for an attacker to find a way into a network.  So even the most sophisticated technology will not be effective if it is not employed properly.

2.  Compliance.  Up front, compliance is often viewed negatively because there is a tendency for people to focus solely on what’s needed to meet the compliance requirement.  Think about certification “boot camps” that are focused on preparing students to pass the certification exam rather than ensuring students finish the course with a firm understanding of the material.  But in this case, let’s assume that most IT Professionals perform due diligence when they execute the various compliance checklists associated with their particular industry.  Let’s also assume that compliance standards are valuable and that they provide comprehensive frameworks for businesses to use when developing and maintaining cyber readiness.  Even with these assumptions, compliance standards don’t tell businesses anything about new hacker techniques, or what tactics and technology businesses can use to protect their data in response to the constantly changing threat.  Finally, many standardized compliance programs are overly generic and do not take business operations into account.

3.  Operational Behavior.  What are employees doing on the company network, and how is that activity affecting company cyber readiness?  A business can deploy the most advanced technology, pass every compliance audit with flying colors…and get breached because an employee clicks on a malicious link in a phishing email.  Conversely, even if every employee of a business follows established information assurance policy to the letter, the network may still be vulnerable due to missing patches or misconfigured routers.

No business is immune to cyber-attack; in fact, businesses should expect that it’s just a matter of time before an attacker succeeds.  But the fact that attacks are inevitable doesn’t relieve a business from its obligation to do everything possible to prepare.  And preparation isn’t a series of checked boxes.  Preparation means businesses understand that Network Infrastructure, Compliance, and Operational Behavior work together to form the Cyber Readiness Triangle, and that if one leg fails, the triangle collapses.

Part 2 of this series will cover “Red Teaming”, a threat-based approach to network assessments.  That edition will discuss why and how Red Teaming is different from, and more effective than, current assessment processes.  Stay tuned!

Mike Walls is Managing Director, Security and Operations and Analysis at EdgeWave. While on Active Duty in the U.S. Navy, Mike served as Commander Task Force 1030 reporting directly to the Navy’s Fleet Cyber Command, and was responsible for Cyber readiness of over 400,000 people, 300 ships, and 4,000 aircraft.  Comments and questions for Mike Walls are welcome: blog@edgewave.com