Security? Defense, Offense, Both?
Boy, the world has gotten complicated to defend, hasn’t it? The old adage, “information security is very basic,” turns out not to be true after all! As a youthful entrant into this industry, I can remember my CISSP instructors telling me that “at the end of the day all you are doing is protecting the Confidentiality, Integrity and Availability of the enterprise you support.” How hard can that be, after all? Wow, if it were only that simple!
The last twelve months will go down in the record books. These past months are shattering all sorts of ‘norms’, from the size and scope of security attacks, to the effectiveness of the attack types, to the egregiousness of the motives. It’s safe to say that today’s environment isn’t your father’s internet! Now, as the world witnesses all of these attacks and fervently begins asking what to do and how to protect itself, we, as security professionals, must join in asking these questions and dig deeper by asking even more. One of these questions might be what the noteworthy lessons from these attacks are and what corresponding architecture changes are required. After all, isn’t it true that some companies have been able to withstand the attack while others went down? Why? Who had the better defense? Was defense enough? Was ‘offense’ required?
As you can tell, one of the deep unanswered questions being asked is whether or not enterprise information security includes only provisions for defense. You see, as it turns out, most of the recent DDoS / SQL-injection related attacks fell into one of the following three categories:
- Category #1: They were Effective. They caused the outage they set out to cause.
- Category #2: They were Partially Effective. They caused the victim company dramatic problems, but fell short of an outage.
- Category #3: They were Ineffective. No real effect on the victim.
Most of us would desire to be in the last category after going through attacks like these, but do our programs mimic the strategies and tactics leveraged by successful organizations? Now, this is where we need quick after-action analysis to figure out the common denominators that define success.
As it turns out, Category #3 organizations, in almost all cases, had not relied on pure defense, but rather had internally developed, or partnered with companies to assist them with, a way to essentially ‘fight back’ or produce a counter-attack capability that thrust the attackers into a mode of operation which caused them to abandon their fight.
Wow! How about that analysis!! So, let’s dig deeper into this concept.
As we know, in a real armed conflict, defensive forces are never designed or reasonably expected to withstand an attack indefinitely. The idea is so obvious it almost defies explanation; however, among the reasons a long-term defensive operation is a losing strategy are the following:
- Limited Resources: The amount of resources required to absorb an attack and resupply
- Maintaining Performance Levels: In a war of attrition, endurance is king
- Morale and “Esprit de corps”: People can become demoralized with no progress to show
Most successful military strategists have long been aware that in order to beat an enemy you must take the battle to them.
So, the whole point of our new lessons learned is that the information security professional is beginning the process of integrating tried-and-tested physical defense and fighting strategies into the cyber world! Yes, it makes sense that an organization has the ability to defend against persistent and sustained attacks; however, only long enough to absorb or “hold” the attacker/enemy until such time as you can launch a sustained offensive operation, if need be. As a matter of fact, most military strategists agree that the front line of defense in every real battlefield will eventually be breached. This assumption also holds true in the information security battle.
Bottom line: Defense alone is no longer a winning strategy, and some form of offensive self-protection must be integrated into future information security operations to ensure adequate enterprise protection. Defense and attack ‘absorption’ alone will fail the best programs.