2017 has been a banner year for IT Security. The massive publicity of attacks like WannaCry have focused public attention like never before on a hitherto obscure field. Non-technical people, including board members, nod gravely when listening as the CISO or wise friend harangue them for attention, behavior change or budget on the topic of IT Security. It’s in a way comforting to think that such attention is a good thing. After all, there’s no such thing as bad publicity, right? This is certainly the age of “I don’t care what the news papers say about me as long as they spell my name right“.
Not so fast, my friend. Despite all of the attention, all of the massive investment by venture funds in IT Security, all of the hand wringing and tut-tutting after the latest attack makes the front pages, there are some deeply rooted inconsistencies if you look closely at the scene.
Paradox #1: More data, less information
For some time now, we are drowning in data but starving for insight. This recent survey of CIOs shows that:
- 95% of CIOs believe data is changing the way their organizations do business
- 83% see data as a valuable asset that is not being fully utilized within their organization
- 64% believe their organization is not making optimal use of the data to drive their business forward
In 2010, Eric Schmidt, of Google noted that every two days, we create as much information as we did from the dawn of civilization up to 2003. Data is everywhere, but insight is not. Why? Because the barriers to producing data are so low. In the Middle Ages, when paper was a sign of wealth, and books were locked up in monasteries, knowledge was considered valuable and creating it was costly. Today the challenge is different. We live at the opposite extreme, where instrumentation in practically every network connected device emits data, nonstop. The challenge, as always, is what does it all mean, to me, now? That level of insight continues to be elusive. Getting at it requires a mix of technology, data science and domain expertise and process discipline — a trifecta that is rare.
Paradox #2: More connectivity, less understanding
Today more and more of our lives are online. Every desktop, phone, tablet, watch, automobile and x-ray machine is online and generating reams of data. Networks are interconnected leading to even larger networks. So much so that no less a personage than Elon Musk worries that Skynet is about to become self-aware. Sure, connectivity has created tremendous positive changes, including new markets in developing nations, efficiencies in the marketplace and benefits for social interaction that were unthinkable a mere decade ago. But the same connectivity that lets you travel the globe in one click works the other way also. Deplorables from far flung locales can be at your doorstep with one click.
The sprawling network also begets the problem of not knowing your “home” turf. There is increasingly less understanding of the ways into and out of complex interconnected networks which makes them harder to defend. And, what of the Mir Jafar‘s amongst us — the scary thought of the insider threat? Effective defense demands actionable intelligence. It’s essential to answer the 4 Ws (who, what, where, when), but prevention and effective countermeasures require the 5th W (why), which is knowing motive, i.e., understanding. In his blog, David Bianco describes network defense as defenders working to push attackers up the pyramid pf pain. The highest form of defense is to understand the attackers’ tactics, techniques and procedures (TTP) so as to deny them their prize.
Paradox #3: The wisdom of crowds, the irrelevance of crowds
The latest buzzword in IT Security circles for the past couple of years has been threat intelligence, or crowd-sourced observations of bad behavior with the attendant publishing of these actors and their actions on a global scale. If the bad guys collaborate and share info on TTPs (ransomware as a service?) then should defenders do the same? Should every defender be left to analyze artifacts from the past and work in isolation to determine the future?
Surely the answer is no, and yet there’s the question of applicability and relevance to our specific network. If Ivan the Terrible is on the rampage in Kazakhstan, should the sheriff of Middleburg, VA worry and shore up his defense against the TTP used there? Probably not. And so the paradox. While crowds can give you a million eyes, it doesn’t necessarily translate into actionable intelligence to defend your network.
Disruption is a good word, signifying creativity and innovation—shaking up things in a good way. But disruption often has unintended consequences. More information, connectivity and crowdsourcing are also shrinking insight, eroding understanding and empowering irrelevant data points. These are points to ponder as we journey deeper into this 21st century.
Tip of the hat to Amy Zegart whose article in The Atlantic got the neurons firing.