Rethinking The Approach to Cyber Security

Everyone knows that cyber security is a big problem and most of what we hear about in the media is just how big of a problem it truly is: the average cost of a breach is $4M (http://fortune.com/2016/06/15/data-breach-cost-study-ibm); the global economic impact of cyber crime is $450B (http://www.cnbc.com/2017/02/07/cybercrime-costs-the-global-economy-450-billion-ceo.html); there were 4B data records stolen in 2016 alone (http://www.nbcnews.com/storyline/hacking-in-america/more-4-billion-data-records-were-stolen-globally-2016-n714066). Those are definitely some big numbers! Now, rather than wringing our hands over the size of the problems and challenges, let’s spend a little time thinking about a solution.

As a starting point, let me say there are a significant number of brilliant people dedicating their careers to fixing the legal and policy issues, developing best practices, creating new, and cutting edge technologies; they should remain focused on their work as it is very important. As a nation, as a global economy, we need a long-term comprehensive cyber security solution, and I am in no way indicating that their work is not necessary.

With that out of the way, I propose we consider two fundamental questions:

1) Given the fact companies are spending more than ever on cyber security, why are we continuing to see cyber incidents occur at an increasing rate? (http://www.networkworld.com/article/3094363/security/cyber-attacks-are-on-the-rise.html)

2) If part of the solution to addressing cyber security is to hire talented technical experts AND there are currently about one million unfilled cyber security positions (https://www.entrepreneur.com/article/292410), how can we ever hope to make progress?

First, when it comes to the increasing amount of money spent on cyber security and the rising number of incidents, we do have a problem. However, using the size of the market and the amount of money spent as an indicator of progress is a fatal assumption.

using the size of the market and the amount of money spent as an indicator of progress is a fatal assumption

It is true that SOME companies are investing more than ever (Google any major financial institution’s name and the term “cyber budget” for some indication of the staggering amount of money being spent). The dark little secret is that most companies have an extremely limited ability to invest in cyber security in any meaningful way by today’s standards; this will likely never change.

To illustrate this point, I collected data on three groups of companies: the fastest growing 5,000 companies from Inc., the Fortune 1000, and the MidMarket 1000. I then made some basic assumptions on IT and cyber security budgets based on SANS, Gartner, and other sources. This analysis revealed some fascinating numbers. While companies like Bank of America and JP Morgan Chase essentially have unlimited budgets for cyber security, the “real” average cyber security budget for companies outside the Fortune 100 (and not including small businesses) is likely less than $400K a year…to include people and technology. From a personnel perspective, these companies tend to have less than three or four people dedicated to cyber security and many only have one or two. This brings up an important discussion on resources, but more on that later.

The second question is a little harder. Retooling a workforce against a rapidly changing technology problem is very, very hard. There certainly has been an increasing focus on STEM within elementary schools, high schools, technical colleges, and traditional higher education institutions, but this may not be enough given the amount of time it takes to push skills through the pipeline. There has also been a focus on retraining the workforce through technical colleges, online curricula, code academies, and social activities such as meetups. This approach certainly has a faster turn around, but may not provide enough volume. The key challenge here is that employment opportunities within the cyber security market have a really long tail. Between the large organizations hiring hundreds — if not thousands — of cyber trained personnel and government contractors hiring another large percentage, there is a severe shortage of trained employees left over for all of the other organizations. It is especially hard to hire the right talent if you can’t match the salaries and benefits of the larger employers AND there is a negative unemployment rate. Again, this indicates a discussion on resources might be worthwhile.

we are thinking completely wrong about how to really solve the cyber security problems faced by almost every company in the world.

This brings us to the meat of my argument. I would like to suggest that we are thinking completely wrong about how to really solve the cyber security problems faced by almost every company in the world. We have been thinking about cyber security as a technology problem and are aligning solutions accordingly. For example, the Cyber Security Framework developed by NIST (https://www.nist.gov/cyberframework) speaks heavily towards helping organizations understand and manage their cyber security risk. However, at the end of the day, this framework is based on the philosophy of “security controls” and the varied implementations thereof. Ultimately, the message comes through loud and clear: good cyber security requires an investment in people, processes, and most importantly, technology. In fact, almost every security standard or best practice has a similar focus. Whether it is COBIT, ISO, or NIST 800–53, they all trace back to the managing risk through implementation of security controls. Implementing security controls require what? Resources: time, money, and people.

Now, a quick digression is in order, but stay with me! One of my foundational beliefs in cyber security is “offense always wins and defense always loses.” Why do I believe this? Because an attacker doesn’t have to be good at everything, they just need to be successful one time. Staying on the topic of resources, this represents a huge resource imbalance. Think about the recent phishing attack against Gannett that compromised as many as 18,000 user accounts (https://www.usatoday.com/story/tech/news/2017/05/02/gannett-hit-email-phishing-attack/101200110/). This attack was likely the work of one individual against an organization with an annual revenue of around $800M. As attacks like this prove, we are basically watching a modern day version of David and Goliath everyday. The difference here is that David wins so often that the story is no longer suspenseful. In fact, it is even worse than that! One attacker can target countless networks simultaneously while sitting on the beach drinking a margarita.

On the defensive side of the equation, there is a person or a team of people (hopefully) responsible for stopping every knucklehead trying to break into the network. Unfortunately, today’s network defenders are inundated with false positives and noise produced by their expensive security technologies, prohibiting them from actually finding and stopping real attacks. Or even worse, most of the time, defenders are stuck spending their limited time and energy configuring systems against a set of security controls designed to prevent an incident, but don’t actually work and just create more work for everyone. The result? Even with significant amounts of money spent, a fully trained workforce, and innovative technologies deployed, the most sophisticated defenses are consistently losing the cyber battle.

So, my proposition is as follows. What would happen if we thought about cyber security as a resource problem instead of a technology problem? Taking it one step further, what if we focused on ways to reduce the resources required for defense and increase the resources required for offense before we thought about implementing more security controls? How would this change our behavior? What would we even focus on to make a difference on resources? My answer: speed and scalability.

What would happen if we thought about cyber security as a resource problem instead of a technology problem?

Let’s start with speed. We need to find ways to accelerate the speed at which information is collected, distributed, and acted upon for companies of all sizes. If an attacker targets any organization, the infrastructure utilized for the attack must immediately be rendered useless. While this won’t stop attacks from occuring, it will certainly increase the resources required by the attacker. How would it be rendered useless? Let’s assume a virtual server from a hosting provider is stood up for the express purpose of targeting a network. The attacker kicks off a SSH brute force attack against a company’s server. Today, this is activity is likely not even noticed by the company being targeted. Even worse, this sort of attack works more often than we would like to think.

What if instead, the knowledge of that attack triggered an alarm and that source IP was instantly known by all networks to be malicious at that moment in time and then blocked by all networks. What if this happened over the course of seconds? In this scenario, we didn’t necessarily implement any new security controls. We didn’t require any defense resources to engage the threat, but we did increase the resource requirements on the attacker. The bad guy will now have to stand up a new server or get a new IP address, which will then also get blocked. It is also important to note that there will be an impact on resources for the hosting provider, and this may not be a bad thing. They now have an IP address that is unusable for some period of time (say 24 hours) which will affect their ability to assign it to another user. Wouldn’t that hosting provider now be better incentivized to prevent those activities from occurring in the first place? Now, certainly there is an opportunity here for false positives and manipulation of the system to basically cause a DDOS to occur, but I think we can resolve those concerns if we spend a little time on them.

With respect to scalability, I am talking about horizontal scalability. How can we quickly and easily deploy a safety net to support organizations of all sizes, without imposing significant resource requirements? I don’t have the perfect answer here, but I do have some thoughts. We need to start thinking along the lines of other initiatives that scale capabilities across communities where an imbalance of resources exists. Think about social programs, taxes, and public schools. These are all models for balancing resources for the public good. How could we apply this to cyber security? Well, it might be easier than you think. I am certainly not suggesting we take a Robin Hood-like approach where we have the large companies pick up the tab for the smaller ones and I am not sure that tax incentives would be enough. However, what if we had the ability to distribute learnings of cyber attacks and bad actors at speed (see above) and at scale AND we were able to scale those learnings across all organizations? What if we could deploy a capability across all organizations big and small in a way that didn’t impose a large resource burden on the smaller organizations? What if this system could be designed to protect the privacy and anonymity of all organizations, but still allow us to shut the door on an attacker as soon as their infrastructure is known? Just imagine how a capability such as this could change the landscape in favor of defenses. While this may sound like a far off concept, information sharing is a common theme in public discourse today (see: https://fcw.com/articles/2017/04/06/cyber-info-sharing-rockwell.aspx). Unfortunately, we aren’t yet thinking big enough. We aren’t thinking about a capability that achieves such a speed and scale and will actually be effective given the resources that actually exist in companies today.

In closing, I would like to challenge the cyber security community as a whole to start thinking about how we reorient our thinking around cyber security as a resource problem first, and a technology problem second. Let’s start focusing on how we protect companies of all sizes, not just those with unlimited resources. Gone are the days where individual networks can survive on its own island and leave everyone else to the wolves. If we don’t learn the lesson now that cyber security is not just about implementing new technology, but it is actually about solving for the resource challenge that exists today, we are heading for some very challenging times.