There once was a big, big company that had many powerful subsidiary companies, some of which were acquired and some of which were part of the big, big company’s heritage product lines.
This big, big company made many meaningful products and services which were both adored and deeply needed by their many customers, and whose name was known to nearly all in the land.
However, there came a time when not all adored them and not all wanted them. In fact, there came a time when some even wanted to leverage them or use them for their own personal gain. One of these was an Anonymous person who always wore a black and pearly white mask with white facial features drawn upon it. In fact, this Anonymous person was a ruse, as in the end it was not a single person, but many who dressed the same and fought the big, big company nearly as one. However, the many were indistinguishable from the one.
As stories grew of successful attacks on neighbors, the big, big company grew fearful of this Anonymous creature and began to implement security throughout the organization. The security responsibility was gifted to three very trustworthy employees who divided the organization into three constructs, and each had their own model they would employ against these Anonymous creatures.
The first employee was named Alpha. He was strong and determined not to let any nefarious actor into his domain as his was the first. His brawn convinced everyone that in order to accomplish this goal, he would need to have control over nearly every security device and all surveillance. He employed a security model which required zero tolerance for risks. This model was very tight and very intrusive. He used many tools and systems and set forth building an enormous infrastructure to see, review, escalate and mitigate any and all threats. Nothing entered, transited or exited his domain without his knowledge and express permission.
The second employee was named Beta. Beta was known for his intellect and ability to get along with others. He believed that for great security to occur, oppression need not be implemented, and the environment needed to live with ‘some’ risks. The idea was to have superior coding, sourcing, and training processes and policies. Through the living heartbeat of security, there was less of a need for a lot of tools and more reliance on people and process. Beta set forth in his domain to attempt to secure nearly 90% of the environment as the rest was either achievable or too costly to control; however, he used process and policy to rule his roost and kept a watchful eye for Anonymous.
The last employee was called Omega. He protected the last domain of the organization. He was neither particularly strong nor intelligent, but he was physically agile and amicable and made lasting friends easily. The idea was to have a jovial and open environment where people felt free to alert him to issues which either were occurring or had occurred, and to deal with them mostly after the fact. Like Beta, Omega set forth in his domain to attempt to secure nearly 90% of the environment as the rest was either achievable or too costly to control; however, he placed his security fundamentally with people, convinced they were best suited for Anonymous.
Then one day, Anonymous came to Alpha. He huffed and puffed as he powered his new hacking tool, which exploited unknown vulnerabilities within the vendor community entrusted with his defense. In the end, the unknowns were more numerous than the knowns and unknowns and took his domain down.
A day later, Beta came under attack. Although his system of processes, policies and procedures was working well, it just didn’t anticipate the speed with which Mr. Anonymous could attack. He was like a machine, with lightning-fast tactics and an inhuman type of adjustment. Having never witnessed a robot (or bot-like) attack, Beta was no match with human processes against bot-like attacks.
Finally, Omega came under attack, and he was the last hope for the whole big, big company. At first Omega’s plan worked like a charm, where people were ‘on their game’, positive, attentive and effective. However, as Mr. Anonymous’ attack lasted much, much, much longer than anyone ever imagined, Omega’s team began to tire, mental acuity and dexterity diminished, and emotions ran high. Eventually Omega’s teams of powerful people were victimized also.
In the end, the CEO of the big, big company capitulated and asked Mr. Anonymous what he could have done to have put up an effective defense. Mr. Anonymous replied that security isn’t about technology alone, or process alone, or people alone, but it’s about all three acting together. Mr. Anonymous continued that had Alpha, Beta and Omega resided in all three domains, he would never have been able to match the challenge. However, lucky for him, the world is filled with either Alphas, Betas or Omegas alone!
Carl is an IT security expert and responsible for Radware’s global security practice. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force with policy and budgetary defense. Carl writes about network security strategy, trends, and implementation.