14 June 2013

Defending the country’s cyber space

Information security officer for FNB Private Clients Adam Schoeman.

Imagine a soccer game between a blue team and a red team. When the blue team scores a goal, nothing happens. If the blue team stops the red team from scoring a goal, still nothing happens. But, if the red team gets the ball past a blue team defender then the red team wins and the game is over. Oh, and the red team has 15 players.

It's a far-fetched scenario, but this is the reality of being a cyber defender and we don't have much going for us. There are more attackers out there, and their research and information sharing is far more refined than ours because they only need to break through the walls once. We are playing a one-way sudden-death match.

Verizon's 2013 Data Breach Investigation Report painted a bleak picture of our state of data security. Of the 47 000 reported security incidents, 621 were data disclosures and outsiders perpetrated 92% of those disclosures.

Although some of the data disclosures didn't require advanced methods of hacking, others were extraordinary, such as the 2012 attack on security vendor RSA and the linked attack on North American arms manufacturer Lockheed Martin.

The data that was extracted from the RSA breach allowed the same group to execute an extremely well thought out attack that was specifically tailored to Lockheed Martin. This breach highlighted the lengths to which a group of attackers will go to gain access to the final target's data, and that any data you are protecting can be accessed by an attacker.

Risk management
Back to that soccer game: The blue team does not achieve anything by attacking the red team and trying to score a goal. Neither does stopping the red team from scoring a goal, because it doesn't change the inevitable outcome. It's only a matter of time until the red team scores and wins.

Based on these rules, there is no way that the blue team can stop the red team from winning. But, what if we can bend the rules or alter things so that when the red team scores a goal, they don't instantly win?

Risk management tells us that risk = threat × probability × business impact.

By attacking our adversaries and putting up preventative controls, we are trying to reduce the threat aspect of the equation. Yet, because we face an endless supply of threat-agents, trying to reduce the threat variable is basically pointless.

The probability is the inherent chaos of any real-life situation and is impossible to influence, which means that all we have left to work with is business impact.

Prevention is a two-legged principle: It requires you to detect an incident and act on it (the detection leg) and to fix whatever has already been broken (the remediation leg). It is the remediation leg that speaks directly to the business impact variable of the risk equation.

Decreasing business impact
Focusing on business impact makes sense for defenders. Business impact relates to one of only a few competitive advantages that defenders hold. It has to do with what we own and control.

Because it is under our control, the likelihood of us being able to adjust it adequately is far more realistic than that of trying to influence or control anything linked to the attackers.

Therefore, working towards decreasing the business impact to our assets makes mathematical sense because instead of trying to adjust the infinite adversaries, we are focusing on the finite assets that we control and how we remediate them.

We often view business impact as the time cost to the business's productivity when an information technology asset is offline or unavailable, but it can also be the cost of the data that was housed on that asset, which has now been made available to the world or your competitors.

Sometimes it is less painful to shut down an asset that has been breached than it is to keep it online, serving its business function while also siphoning out data.

Possible solutions
Currently, remediation efforts are skewed towards attributing an incident to the who and the why. Are those really the questions we should be trying to answer?

In some instances it is. In a report by the North American Department of Defense titled "Resilient Military Systems and the Advanced Cyber Threat", the department said that the only way it foresees being able to defend against the most advanced of attacks (the so-called nation-sponsored attacks) is nuclear retaliation.

Although this was meant to act as a deterrent, if the department was unable to attribute an attack correctly, they could declare nuclear war on the wrong territory.

In a non-state scenario, knowing who your enemy is doesn't help you defend against the next attack in line.

Instead, our remediation or "fixing it" strategy should be a strategy to change the rules of the game. This comes down to improving the speed at which we can isolate a server or desktop from the network, assess what other assets it has been accessing in an out-of-the-ordinary way, and then isolate those from the network.

The good news is that we have all the technology needed to do this right now; we just need the procedures to leverage it.
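The isolate, assess, isolate-again procedure described above can be expressed as a small containment planner. This is an added example, not part of the original article: the host names, ports, flow records and the `containment_plan` function are constructed for illustration, and it goes one step beyond the text by optionally following unusual access past the first hop.

```python
from collections import deque

# Constructed sample flow records: (source, destination, destination port).
BASELINE = {
    ("ws-041", "file-01", 445),
    ("ws-041", "mail-01", 443),
    ("file-01", "backup-01", 22),
    ("hr-db", "backup-01", 22),
}
OBSERVED = [
    ("ws-041", "file-01", 445),   # matches baseline
    ("ws-041", "hr-db", 1433),    # workstation never talked to this database
    ("ws-041", "file-01", 3389),  # known peer, new service
    ("hr-db", "backup-01", 22),   # matches baseline
    ("hr-db", "fin-db", 1433),    # new database-to-database access
    ("file-01", "dc-01", 5985),   # new remote-management access
]


def containment_plan(first_host, baseline, observed, max_hops=None):
    """Return [(host, hops, reason)] in the order hosts should be isolated.

    A flow is out of the ordinary when its (src, dst, port) tuple is absent
    from the baseline. max_hops=1 is the procedure as the article states it;
    None keeps following unusual outbound access until no new hosts appear.
    """
    plan = [(first_host, 0, "initial detection")]
    seen = {first_host}
    queue = deque([(first_host, 0)])
    while queue:
        host, hops = queue.popleft()
        if max_hops is not None and hops >= max_hops:
            continue
        for src, dst, port in observed:
            if src != host or (src, dst, port) in baseline or dst in seen:
                continue
            seen.add(dst)
            plan.append((dst, hops + 1, f"unusual access from {src} on port {port}"))
            queue.append((dst, hops + 1))
    return plan


if __name__ == "__main__":
    for host, hops, reason in containment_plan("ws-041", BASELINE, OBSERVED):
        print(f"isolate {host:8} hop={hops} {reason}")
```

Hosts reached only through baseline traffic (`mail-01` and `backup-01` here) stay online, which keeps the business impact of the containment itself small.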

Our obsession with chasing better detection models of the individuals or groups that are targeting us only marginally helps to deduce the risk rating of our environments.

I am not saying that we should forget about prevention and, by extension, detection models of security.

I think that we are doing quite well on that front because we all have the tools and technology to detect anything that could happen on our networks.

But if we are not geared towards reducing the possible business impact of incidents that we do detect, we still run the risk of being the next victim of a data breach.