Know, prevent, detect, respond, recover. This aspirational model of cyber security is as ubiquitous in our industry as the colorful wheels used to depict the concept. Like similar mnemonic aphorisms from other disciplines – stop, drop, roll, or work quickly, change speeds, throw strikes – this familiar view of the top-level goal of cyber security remains basically unchallenged. It is a given.
The problem is that the model represents a terrible aspiration view of cyber security. Obviously, it is an accurate observational view of cyber security. We all seem to do these steps to some degree, and the security advice you get from consultants nowadays involves which direction to slosh your emphasis. (By the way, the current fad is to emphasize the latter steps, which just seems nuts to me. But, whatever.)
My view is that the thinking behind this model helped lead to attacks on Target, Home Depot, Sony, Yahoo, OPM, Equifax, Deloitte, and on and on. Think about it: Aspiring to any model where three fourths of the steps presume that an attack has already occurred, is like deciding in advance to punt on third down. To that end, I would propose a much different aspirational model – one targeting a more successful outcome. Here it is:
Explode, offload, reload.
These three terms, even with no explanation, are much more likely to produce some pause to your malicious adversary than that dumb wheel on your PowerPoint deck. When you do read the explanation of the steps below, I hope you will agree that they comprise a more viable cyber defense than the sleep-inducing alternative they replace. The challenge is that they require a change of perspective – and that may not be easy.
First, the process of exploding your perimeter-defined infrastructure into smaller distributed workloads will produce predictable views: Excitement for cyber security engineers, and horror for C-suite executives. (Sadly, most compliance initiatives today generate exactly the opposite range of emotions.) The reality, however, is that perimeters do not work, so you must get rid of them. Explode your network. Period.
Here is a harsh, but accurate analogy: If a terrorist bomber targets a building with a truck-full of explosives, then so long as a drive path exists to the facility, a bad outcome will occur. But if the security team has already “exploded” the building by dismantling it into its composite bricks (workloads), then the image comes to mind of a confused truck bomber parked outside an empty lot, wondering where the target went.
Second, the process of offloading smaller distributed workloads into virtualized cloud infrastructure produces similarly disparate emotions: Eagerness for security engineers, and hesitancy for the C-suite. Such executive hesitancy is more prominent when the offloading involves the use of public cloud, but this may be the only viable economic option for companies not rich enough to build their own software defined data centers.
Off-loading distributed workloads to virtual infrastructure reduces cost (hardware replaced with software) and maximizes flexibility. Adjustment of virtual computing and networking to support these offloaded workloads makes this step economically feasible in modern infrastructure. The instincts of traditional IT managers involve deploying hardware and then leaving it alone. This will not stop capable hackers.
Finally, the process of reloading cyber security involves the careful selection and deployment of modern protection technology into your newly virtualized, distributed architecture. By shifting workloads to an alternate environment, you create a new greenfield target for virtualized security technology solutions. Such once-in-a-lifetime opportunities are not to be missed, so this must be attended to properly.
Anyone reading this note knows that no shortage exists of commercial cyber security technologies. Adaptive authentication, machine learning detection, cloud visibility tools, on-demand SDN security, and on and on, represent amazing new software defenses that will reduce cyber risk. Reloading these new capabilities into your new distributed architecture will make things more challenging for your adversary.
Look, I acknowledge that many of the readers of my column have PowerPoint decks with that colorful wheel on the first chart they use with customers every day. I’m also aware that NIST bases much of its work on the know, prevent, detect, respond, recover model. (I’m even aware that Gartner has replaced know with predict, dropped recover, and charges $195 for the report that explains the change. Ugh.)
But my advice is offered here nevertheless. We are losing the cyber war to nation-state and criminal groups, so perpetuating existing approaches based on familiar models is crazy. Why not rethink whether your organization (or product) (or service) would benefit significantly by losing the colorful wheel, and replacing it with this new approach: Explode, offload, reload.
(Drop me a note here after you remove that wheel from your charts!)