Cyber Security: Method or Madness?
“There is nothing so useless as doing efficiently that which should not be done at all.” - Peter Drucker
Cyber security used to be straightforward. You set up a firewall, installed antivirus, added a SIEM, and you were pretty much protected. Now, security teams face far more sophisticated and frequent attacks, cybercrime as a business, and intense media and public scrutiny.
The din from the vendor and consultant chorus is deafening. Add in the burden of regulatory compliance, and the resulting pressures increase bureaucracy, expense and work without improving security that much. It’s no wonder CISOs and security teams are getting better and better at their jobs but sometimes question whether their efficiency is missing the point: usefulness.
More Isn’t Always Better
Some voices in the industry argue for doing MORE. Cyber practitioners hear that breaches occur because they are not doing enough. They should install more security technology, hire more analysts, and patch more frequently. This may seem simple, merely a matter of budget and execution. But the technology is not up to the task of stopping sophisticated attacks, analysts are scarce and expensive, and the cost of following this advice would force some enterprises to spend themselves out of existence.
Is There a Method to the Madness?
When asked how to handle the fact that zero-day attacks defeat all defenses some of the time and some defenses all of the time, the response is often: add another layer of malware detection, and another one, and hire people to tune them, and manage them, and…
But it’s madness to perfect a method that doesn’t deliver. All the world’s AV and HIPS/HIDS and next-gen products crammed into one top-heavy stack would still let attacks through. The incremental benefit of each layer is minimal. They are all detection tools, and all detection tools have the same limitation – they must be able to identify an attack based on some known signature or behavior. They are not much good at catching the unknowns that characterize sophisticated attacks.
So if the problem is an unknown attack, and the defensive layer you employ doesn’t and can’t detect it, where is the benefit of the defensive layer? It doesn’t matter how well you use a tool that can’t detect the attacks you are worried about.
Except that it can cost you a lot of money and time. The cost in computing power and resources is enormous. Each layer adds to CPU drain, can cause system conflicts, and requires maintenance and/or monitoring. The investment outweighs the benefits.
Can’t Buy Me Manpower
Let’s say for a moment that money is no object. You install all those layers of detection only to find they generate more telemetry than your security operations center can handle. That’s a rather likely scenario. According to a report by Verizon, 84% of breached organizations missed evidence in their logs of the breach.
The advice you get? Build bigger SOCs and staff them by paying higher salaries or outsourcing. But the cyber workforce is already 300,000 professionals short of industry demand, and the shortfall will grow to 1,500,000 by 2020. Banking on a ghost workforce is a dubious strategy.
Practitioners are also told they should patch more frequently. Another Verizon investigation found that the top 10 known vulnerabilities accounted for 85% of successful exploits, and the other 15% originated from over 900 vulnerabilities. Which brings us to a new question – what is the cost of patching 910 vulnerabilities? How frequently? Is that a good use of resources?
Diagnose the Problem
Your defenses are static. They are known and knowable to attackers, who evade them using ingenious techniques and the assurance that you will remain static and predictable. Your cost of modifying these defenses is high; even just maintaining them is high. Attackers’ cost of designing a new or unknowable variant of an attack is close to zero. Polymorphism and unpredictability are their friends. That’s why there are three billion attacks per year. How many times per year do you change your defenses?
Less is More
Drucker is right: Efficiency is no good without usefulness. It doesn’t make sense to add technology and manage it efficiently if it doesn’t help and bankrupts you into the bargain.
Rather than add more layers of technologies with nearly identical strengths and weaknesses, it’s time for a change in paradigm.
In military strategy, where the stakes are existential, the Moving Target Defense paradigm is a staple. The stakes are just as high on the cyber battlefield, and Moving Target Defense concepts work there too. Moving Target Defense uses counter-deception techniques to change the attack surface—memory in particular—so that attackers can’t find their target.
In this simple and elegant paradigm, polymorphism and unpredictability are now friends of the defender. The target is constantly changing and unknowable. Without a target, attacks can’t succeed. So as attackers try to understand the unpredictable attack surface, their cost of an attack ascends past the point of economic and technical viability at the same time its likelihood of success heads for zero. Their business model breaks and they go away.
The Final Score
It does not make sense to get better at doing more of what already isn’t working. Moving Target Defense solves the problem of sophisticated attacks by making the attackers’ targets unfindable. Without the need to detect an attack, the cost and effort of defense plummet at the same time success rockets up. And without a target, attacks evaporate. For the defenders, it’s a game changer. For the attackers, it’s game over. Method 100%. Madness 0%.
About the Author
Arthur Braunstein is Morphisec’s Vice President of Strategic Accounts. He has more than 25 years of executive management and sales leadership experience, including over 10 years in the data and cyber security industry.
Edited by Peter Bernstein