This is the third entry in the “Cybersecurity is…” blog series, so I wanted to discuss the concept of Cybersecurity Competition. There is a lot of discussion around whether we are in a cybersecurity war, or if nations are engaging in activity “just under the threshold of war.” Either way, I believe the debate on this topic takes us away from a fundamental understanding that cybersecurity is a competition, a conflict, between two forces. Them versus us, their tools versus our capabilities, their objectives versus our objectives.
To successfully resolve any conflict, or win a competition, there are three things you must do: You have to successfully plan, bring capabilities to bear, and keep score. Let’s explore this in more detail with a generic sports metaphor.
The Cybersecurity and Sports Parallel:
How Can You Create a Winning Strategy
In any sport, competitors develop a strategy on how they are going to attack the opposing side. For example, in baseball, each team sets a lineup and has to consider which pitcher is best against the opposing team, whether to play more left handed or right handed batters, and plans for different scenarios and contingencies. The objective is to win the game, and they keep score to determine the victor. Playing the game is a tactical exercise, not a strategic exercise.
The Risk of Falling Victim to Security Theater
Organizations that confuse tactical exercises with strategic exercises routinely fall into the trap of Security Theater, which is the idea that a product, procedure or even a compliance framework is generating security. In reality, it’s giving the appearance of security but not actually improving overall security. You know you’ve been fooled by Security Theater when you find your organization ripping and replacing security products, or when employees are actively circumventing security controls. There are elements of Security Theater in compliance frameworks, and we’ll circle back to that when talking about keeping score.
Defining Your Competition
At its core, cybersecurity is a resource battle between opposing forces, and for most organizations, the weakest resource an adversary has is time. With any security incident, the threat actor(s) present their “lineup,” and the security teams do the same. The question remains: Can the adversary develop a sound strategy to beat your team at its own game? If your team can bring enough resources (time, capabilities, money) and develop a sound strategy, you should not have a problem defending your home turf.
Nation-state actors with national level assets present a different type of competition – one where time is not a factor, but money is the issue. The difference in the targeted resource between national level resources (money) and most organizations (time) causes other conflicts in the cybersecurity realm. Organizations that set standards and compliance frameworks do it from a national level perspective. Frameworks are generic, established under “best practices,” and are more defense-in-breadth than defense-in-depth. They are not specific to the adversary that is going to engage you in conflict.
To return to the sports metaphor, national level organizations set the size of the baseball field, how big the strike zone is, what constitutes an out, what uniforms to wear, etc. It does not engage in the tactical execution of pitching, catching and hitting. In baseball, hitting .300 is considered to be very good (for our non-sports folks, that’s 3 hits out of every 10 at-bats). If a compliance framework only protects 30% of attacks, is that good? Well, it depends on my resources and my adversaries’ resources. If I can spend the least amount of money and time to stop the highest number of attacks, then that’s a homerun
Cybersecurity Planning: Preparing for the Competition
To effectively plan, I have to be able to compare the adversaries’ resources against my own. In this case, since we don’t have insight into their time and money, it’s best to focus on their capabilities. We’ll match apples to apples and compare our capabilities to theirs, all while continuing to factor time into the equation.
The way to factor in time is to understand security entropy. Security entropy is the realization that security controls will fail over time. Some companies call this “environmental drift,” but the basic premise is that because networks are dynamic entities, sometimes features and capabilities get turned off or become outdated. Phil Venables discusses this concept in a blog called “Fighting Security Entropy” that is a must read.
Our plan is simple, albeit difficult: Build a threat model of my adversaries (who, what, how) and build a capability model of my defenses, assets and vulnerabilities. Returning once again to the baseball metaphor, we’ve now established the field (our assets) and we’ve fielded the teams – our threat model and capability model. Now we have to build some way to keep score.
Cybersecurity’s Scorekeeper: The Concept of the Exposure Index
Since the conflict is taking place in a dynamic cyber environment, establishing a “home plate” is not realistic. We need a way to measure the relationships between the adversary, our capabilities, our fleet inventory and the vulnerabilities the adversary is going to exploit. This measurement is an “exposure index,” which is the composite score of the threat exposure, defense surface posture and fleet exposure.
This exposure index is a relative score much like a FICO score. It is a measure of your likelihood of winning the competition, or exhausting the adversaries’ resources, before they can overcome your resources.
Eventually, all competitions in sports end, but conflicts end on differing principles. We can defeat one adversary, but another adversary will take its place. On top of that, we can be simultaneously engaged with multiple adversaries. Even though we might exhaust one adversary of their resources, there may already be another one on the way.
This revolving door means we must continuously plan, execute and keep score of the conflict.Analyzing your capabilities against an adversary’s TTPs, prioritizing the actions that will have the biggest effect and optimizing your security controls and stack is key to ensuring that the adversary is burning more resources than they are willing to spend at a cost that is acceptable to your organization. That is the key to winning.
Interpres right-sizes your defensive strategy against the cyber threats that matter most. Our automated, evidence-based platform analyzes the dynamic relationship between your defensive capabilities and adversarial threats, prioritizes recommended actions and optimizes your security ecosystem. We provide an unbiased view of your security posture and continuously measure threat exposure so you can focus resources on the most relevant threats.