Picture this: Tom Brady and the New England Patriots offense are about to run a critical play against the Denver Broncos. A trip to the Championship Game is on the line. New England is on Denver’s 1-yard line, down by 5 points, and it’s 4th down with only 2 seconds remaining in the game. Yeah, it’s a big play.
In the huddle moments ago, Brady got the play from the sideline coaches: Power run up the middle. As Brady surveys the defense, he sees the entire Denver defense forming a brick wall at the line, in a position of strength to stop the exact play the Patriots are about to run.
Brady, as any good quarterback would, calls an audible. The New England offense quickly changes and is now showing that the quarterback will throw a pass. But Denver doesn’t move. The defense remains frozen—11 players crammed together waiting for a run. They don’t change their defensive positions.
The ball is snapped, and Brady completes a game-winning touchdown pass to a wide-open receiver—one of five wide-open receivers from which he had to choose.
This seems a bit ridiculous, doesn’t it? I mean, why would Denver NOT make the appropriate changes to defend against New England’s play change from run to pass—especially considering there’s a championship on the line?
The reality is, of course, Denver would make the change! No team would be so inept, especially at such a critical moment. And if you were coaching Denver, I’m certain you would make sure the defensive players responded to the change in the New England offense.
So why must security professionals put up with this “defensive paralysis” when so much is at stake with the information that must be protected? The battle between enterprise IT security teams, who defend against dynamically changing cyber threats, and cyber attackers, who relentlessly try to get around those defenses, is unfortunately just like this hypothetical American football scenario if the enterprise has no visibility or no way to respond to a threat.
Cyber attackers inherently move faster than the enterprise. For starters, the cyber attackers are always on the offense, leaving the enterprise no choice but to be in a constant state of response, always playing defense. Any offense has one universal advantage: The offense KNOWS what will happen next, and the defense does not. Consequently, the key to success for any defense depends upon how quickly it understands (gains visibility) and counteracts (responds to) what the offense attempts to do.
In addition to the offensive advantage, bad actors need not spend time plodding through a rigorous process to select and purchase a security solution. Unless some critical extenuating circumstance exists, justifying the need to expedite parts of the process, acquisition activities typically take upward of 6-12 months.
This process typically includes investigation meetings, presentations, demonstrations, proof-of-concepts, justification write-ups, decision meetings, contract reviews, price negotiations, executive approvals, identification of resources, training, possible hardware and software builds to support the solution, solution design meetings, installation and implementation efforts, and Quality Assurance testing. And this is the process if you HAD actually budgeted for the solution you’re trying to acquire.
All the while, cyber-criminals around the world understand this. They know you run an uphill Spartan Race in the mud with a 75-pound backpack and ankle weights. They don’t write up a business case, present it to a committee, or ask to use next year’s budget early. Nope. Their job description is this: #1-Figure out where you have no visibility and no ability to respond. #2-Attack.
By the time you start to plan a 60-day proof-of-concept, cyber-criminals have already siphoned off a fair amount of whatever they targeted to steal from you.
Now, I’m not suggesting enterprises scrap their due diligence and acquisition process. That’s foolish. However, it is imperative that all organizations rethink how to optimize and expedite their purchasing process, especially for IT security solutions, and to do so without compromising the risk of purchasing a solution that fails to live up to the expectations promised in PowerPoint slides.
In addition to creating acquisition efficiencies to speed up your defense, you need to effectively prioritize when and where to make your next security investment. To do this, you need to completely understand how the cyber attackers view your organization, and what THEY view as your organization’s weaknesses. In essence, you must build a copy of their playbook.
Here are three initial steps you can take to catch up to cyber attackers’ offense and quickly fill in new security gaps as they occur:
Information about zero-day attacks, attack trends, and overall cyber-attack alerts is at your fingertips. Take full advantage of this information. Leverage the experts’ knowledge, which is posted daily on social media, along with the numerous industry quarterly and monthly reports. Reports and feeds from Mandiant, Fireeye, McAfee and even Venafi’s Threat Center cover the latest on all threats, from evolving Advanced Persistent Threats (APTs) to the alarming growth of attacks on certificates and keys.
Invite vendors to your site on a quarterly basis and ask them to educate you on the latest threats they see across their customer base. We at Venafi do this for our customers whenever they need us, and it’s very powerful. Collect and correlate all of this knowledge and maintain a comprehensive threat landscape (ThreatScape) model for your organization. Ask yourself, if my company is attacked today by one of these emerging threats, can I detect it? Can I respond and remediate? If the answer to any of these questions is no, you have a new gap.
Prepare to add brand new categories to your ThreatScape. Complex new attack methodologies, as we witnessed in 2011 with Stuxnet and Flame, provided the blueprint for the next-generation cyber attacks on trust we are seeing today. Now only two years later, it’s commonplace for APTs to forge, steal, and misuse certificates and keys as a general practice.
Earlier this year, Scott Charney, Microsoft Corporate Vice President of Trustworthy Computing, emphasized this in his popular keynote presentation at RSA Conference 2013 (Fast forward to 19:30 for his comments on Public Key Infrastructure [PKI] under attack).
There are many examples of trust being attacked and manipulated. These attacks range from insider methods, such as how Edward Snowden used unprotected and unsecured Secure Shell (SSH) keys to gradually elevate his privileges at the National Security Agency (NSA), to the evolution of known attacks, such as malicious browser extensions. These attacks now typically involve the silent installation of a rogue root CA certificate, allowing man-in-the-middle attacks to be more successful, while completely circumventing other security technologies designed to detect and prevent attacks.
Attacks on trust work well for cyber attackers and improve their success rate when combined with other known attack strategies. Unless securing and protecting certificates and keys are part of your evolving ThreatScape, according to Forrester, you’re a sitting duck.
Again, you should never purchase a solution without solid due diligence, but the fact remains that today’s purchasing processes include a fair amount of excess. Challenge your own purchasing process every step of the way.
For example, do you really need to complete a proof-of-concept for a product that is mature and is used in production by hundreds or thousands of other companies? Proof-of-concepts are time consuming, and although many people think they are “free,” they’re actually costly because they keep internal resources from completing other responsibilities.
Instead, if a technology is already “proven” because you know it works for many other companies, why not insist the vendor simply provide references and agree to a contract that allows you to walk away if you are not satisfied?
This easy exercise makes it very clear where you should make your next security investments. This is your security solution priority roadmap. It’s a simple quadrant analysis to maintain, and it should be updated at least once a month based upon your understanding of your ThreatScape (see #1).
Take the fast-evolving threats against certificates and keys as an example. Certificates and keys are pervasive throughout the enterprise, from servers to laptops, tablets to phones. Pretty much the entire infrastructure relies upon certificates and keys for trust. Ponemon Institute’s research from earlier this year found that the average Global 2000 organization has more than 17,000 certificates and keys, yet 51% of the 2,300 respondents were unable to confirm how many they really have. Cyber-criminals know thatSecure Sockets Layer (SSL) is vulnerable, and they know full well that a majority of organizations do not yet secure and protect certificates and keys. In other words: No visibility, no ability to respond. This is exactly what cyber attackers seek, and thus, Certificate and Key Protection would rank low in the ThreatScape coverage quadrant.
Now, if you were a cyber attacker, where would you attack?
With end-of-year, “use-or-lose” funds possibly available, you can employ this type of analysis right now to quickly understand which solution(s) address your highest priority (areas of low visibility and low ability to respond).
Bad actors around the world already perform this analysis on your organization. They actively seek to find the perfect attack formula for any target, and once they find it, they call an audible and get ready to throw the winning pass, while you stand with a defense that is blinded and unable to respond to the play. The good news here is that by gaining and continually updating your ThreatScape intelligence and by implementing a smarter acquisition and purchasing process, you may just be able to draw up a copy of the cyber attackers’ playbook from across the field and call your own audible in time to intercept that pass.