A question I’m asked almost daily now is, “Will [insert tool, process, or person here] stop the next SolarWinds?” Everyone knows the answer to that question: It’s really nothing new — that tool, or process, or headcount could help reduce risk, but you can never confidently say you are 100% protected against the next breach.
That said, this constant question has helped me dig deeper into how best to communicate what it means to build a security program with a post-breach mindset.
One of the most valuable lessons I learned in college was in a class that wasn’t at all related to computer engineering. It was in a “history of war” class, where I learned about attrition warfare. Attrition warfare is a military strategy in which one side constantly grinds away at its enemy to the point of collapse and defeat; World War I is a well-known example of attrition warfare.
Directly mirroring this, cyberattackers (and especially cybercriminals) use attrition warfare to constantly chip away at defenses and people through automation and the sheer number of attacks they can collectively execute until one finally breaks through and causes a breach. On the other side of this, defenders are often manually investigating and responding to the threats that get past prevention, putting them at a disadvantage as they battle a relentless horde of threats.
To quote US Marine Captain G. I. Wilson on attrition warfare, “The victory goes to the side that has the resilience to replace and repair its losses, or do without. It goes to the side that can use the enemy’s tools against him and that knows where to strike to destroy the enemy’s will.”
When it comes to attrition warfare in cybersecurity, the attackers are winning right now because we don’t have the resilience to go without our poor burnt-out analysts and CISOs — and because attackers are able to use our tools against us to make this problem worse. We need to change this, and a core part of that is, you guessed it, resilience — the theme of this year’s RSA Conference.
In Developing Cyber Resilient Systems: A Systems Security Engineering Approach, the National Institute of Standards and Technology (NIST) defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
This framing is core to how I think about and research security operations. Security analysts are constantly overwhelmed, stressed, and understaffed, leaving the majority virtually unable to anticipate, recover from, or adapt to new attacks (without reaching burnout, which is common). To build resilience into this process, we need to continue to focus on the preparation, detection and analysis, containment, eradication, and recovery phases of the incident response lifecycle (which we place a premium on) but also place more emphasis on the actionable steps we can take as part of post-incident activity (which is often neglected). This is about not only learning what we can do better but also incorporating and executing on opportunities (MITRE Shield) and resilience recommendations in line with the rest of the incident response lifecycle.
There are several talks at this year’s RSA Conference that relate to resilience — specifically future resilience — that I highly recommend every practitioner watch. These include:
And a fun one: UAV Security Research Series — Episode 5, MAVLink Security — Matthew Gaffney
I’ll be writing more about this topic in the coming months, but hopefully this served as a useful primer on how security operations teams should be thinking about that fourth step of the incident response lifecycle.
Oh, and if you are looking for some great talks to watch (or rewatch!) post-RSAC, check out a few that my colleagues and I gave this year:
And two that aren’t available on demand, so hopefully you caught them the day of:
As I mentioned in my video for RSAC on what resilience means to me, this past year has been incredibly challenging for all of us. We’ve had to show resilience not just in one moment, or two, or even three … but constantly. Let’s incorporate these lessons of resilience — adaptability in the face of adversity, dynamism, and strength — into our security strategies moving forward. Drop me a note via email, Twitter, or LinkedIn if you have any thoughts or questions on this.