The common wisdom in the cyber security profession is changing. We’ve long focused exclusively on “blocking it all at any expense” – “it” being malicious attacks and malware. And we’ve done so often without a contingency plan should a compromise occur.
However, lately you hear a lot of smart people saying things like “data breaches are not a matter of if, but when.” That might sound like a surrender – or fatalism. But it’s actually a good thing.
Networks are complex animals already. Changes brought about by the Internet of Things sure aren’t going to reduce that complexity. Taking a realistic approach to the threat landscape is the first step to building a solid defense.
But I’ve noticed that this conversation seems to stall on how to best fashion a viable defense in this new reality. I am concerned about how often proposed answers strictly rely on technology. Don’t get me wrong; I am a vehement proponent of defense-in-depth. But defense in depth, absent context, is just a solution looking for a problem.
If we believe that breaches really are a matter of “when,” not “if,” then the element of time is a key consideration in designing defenses. At Cisco, we advise our customers and prospects to look at attacks on a continuum: before, during, and after an attack. At the “before” stage, blocking technologies and threat intelligence are both important to keeping the bad guys out.
But if all of your efforts are front-loaded on the “before” end of the attack continuum, you put yourself at risk when you are unable to respond appropriately during the attack. Nor will you have mechanisms in place after the attack to “roll back the tape” to see the origin of a potential threat and its behavior, to retrospectively eliminate it and adapt your defenses accordingly to be better prepared for the next time.
My perspective on this isn’t theoretical, but based on painful experience. Early in my IT career, the Love Letter virus wreaked havoc on our messaging infrastructure. The issue we faced wasn’t a lack of talent or outdated technology. Rather, it was that were so focused on blocking it all, that we never spent any time on how to respond should something get in.When that something did get it in, we were caught flat-footed and it took quite a bit of effort to regain our balance. Rest assured, we created incident response processes on the fly that served us well down the road, but it was a painful lesson that I’ve clearly never forgotten.
Fortunately for us, the Love Letter virus was really nothing more than a nuisance. Aside from wasting our time, it did no lasting damage to our systems, data, or business. We can’t say that about today’s threats, which are extremely sophisticated and (often) destructive. Our adversaries are very talented and operate in an environment in which the job of making and distributing malware has been commoditized. In short: it’s no longer necessary to have deep skills to use these powerful weapons.
If we agree that the bad guys will get in, then it is only logical that we extend our thinking to defending along a timeline. Doing so allows us to detect, mitigate, and respond accordingly. Should we ignore the time component, we will continue fighting with one hand tied behind our backs.