Security Superstition

Why doesn’t Everyone have Security Intelligence? One of the Reasons is Superstition.

“Step on a crack, break your mother’s back.” Not just lyrics by Devo, but an actual superstition. While it’s mostly just practiced by kids who don’t yet know they’re nascent Parkour enthusiasts, you can observe adults today taking that extra half step occasionally to avoid lines in the sidewalk. You may even catch yourself doing it subconsciously.

Bowlers are said to wear lucky shirts during tournaments. Some people start sweating when they break a mirror in anticipation of the imminent seven years of bad luck. At least walking under a ladder invites only one instance of bad luck, although the myth isn’t quite clear on the timing and duration.

Some superstitions are based on empirical evidence and not just old wives’ tales or the occult. In the late 1990s, the Denver Broncos redesigned their uniforms and went on to win every game they played in their new outfits, 21 games in total. The only losses suffered were when they wore their white shirts in road games. As they entered Super Bowl XXXIII, playing in Miami where they had previously been defeated wearing their white jerseys, there was much talk of how their uniforms might affect the outcome of the game. Ultimately the Broncos ended up victorious, a blow for superstition—or perhaps statistics?

It turns out that, as humans, we tend toward superstitious habits to try to influence the outcome of some pursuit; a trait, incidentally, also observed in animals. There may be some link between superstitious habits and results in the form of self-fulfilling prophecy, or SFP. The ability to exert this type of influence is more manifest in activities we have a fair measure of control over, such as sports. It’s probably not as useful in preventing lumbar spine injuries in our moms.

Another area where superstitious habits don’t effectively influence outcomes through SFP is information security. And yet we continue to spend a good part of our security technology budget on the latest iteration of firewall technology--application firewalls, UTM gateways, data diodes--and on anti-virus, the perennial favorite, even though conservative figures estimate that A/V protects endpoints from less than 50% of current malware. Granted, much of this spend is aimed at preventing data leakage, which is a positive shift from the perimeter defense strategy, designed primarily to keep out external threats.

Yet we’re surprised by the number of successful compromises over the last couple of years. 2010 will go down as the year that marked the turning point from targets of opportunity to targets of choice, and drove home the point that a determined--persistent--attacker will eventually find a way to access your systems.

The perpetrators no longer stop at a strong firewall. Like any determined attacker, they’ll rattle the door knob and move on. Maybe they’ll social engineer their way in and install a rogue wireless access point or pocket some backup media. The smartest firewall is no match for the human condition: people will click on email attachments that look like they come from someone they trust or succumb to curiosity about the latest celebrity scandal, which is why phishing is effective, particularly now that social networking sites provide an abundance of background information to use as pretext.

In one case, the target company had such a strong security program in place that the attacker was forced to go off the ranch. They compromised the provider of a software utility and Trojaned the software to activate only when used by the target, whose strong security posture included immediate and thorough application of patches, which was spectacularly effective in ensuring the Trojaned software was distributed to all systems. The attack was planned over six months in advance.

The days are gone when disenfranchised 14 year olds wrote viruses for bragging rights over how many machines they infected, touting the news sound bites like Boy Scout badges. Botnets gave rise to organized internet crime, but the bot army was largely recruited through random targeting. Now the enemy landscape has morphed yet again to attackers who have resources and money on their side, and an axe to grind: cyber warfare and espionage, corporate intellectual property theft, hacktivism, and electronic extortion.

Warfare is an ongoing struggle between two factions with changing tactics, weapons, and intelligence gathering techniques. All of us in information security are combatants engaged in cyber warfare. The adversaries may not be the Soviets and the US, but they’re your enterprise and your competitor, a cyber Mafia, or just someone you really irritated. You need to setup your security program like a military operation; you’re in it for the long haul.

Look, I get it: we’re all overburdened and have a to-do list that covers two walls of white boards. We want to put a solution in place and move on to the next problem, but that’s no longer possible. No more erecting a wall and walking away only to check it once every so often. No more relying on door locks and motion sensors. I’m speaking figuratively, of course. The point is, a winning security program has to incorporate people, process, and technology--and they all need to be planned to interoperate. People need to be trained in security, how to use the tools, and how to follow the process in dynamic and time-critical situations. The processes have to be clear and directive, but allow for some flexibility to accommodate unusual circumstances. The tools need to not only support the processes and be easy to use, but cross-feed information to gain the power of the combined total and not operate independently.

If the defensive tools are the soldiers of the cyber army, the humans are the field officers marshalling them, and the processes are the battle plans, then the espionage and communications interception (SIGINT and HUMINT, and to some extent, special reconnaissance) are provided by Security Intelligence, the cornerstone of which is SIEM.
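The principle in the two paragraphs above, that tools must cross-feed information rather than alert in isolation, is what a SIEM correlation rule does in practice. The following is an added example written for this page, not Q1 Labs or QRadar code. The log formats, field names and the three sample event streams (mail gateway, endpoint agent, firewall) are constructed; the 10-minute correlation window and the set of mail-client process names are assumptions. Each stream on its own is routine noise: an attachment delivered, a process started, an allowed HTTPS connection. Joined by user, host and time, they describe the phishing sequence the article warns about.

```python
"""Toy SIEM correlation: three tools that each see only a low-value event
produce one high-confidence alert when their events are joined by user,
host and time.  Added illustration, not vendor code; all logs are constructed."""
from datetime import datetime, timedelta

# Constructed sample events from three independent tools (not real logs).
MAIL_LOG = [
    "2010-11-03T09:12:04 mailgw deliver to=jdoe@corp.example attachment=invoice.pdf.exe src=ext-relay.example.net",
    "2010-11-03T09:15:30 mailgw deliver to=asmith@corp.example attachment=q3-report.pdf src=partner.example.org",
]
ENDPOINT_LOG = [
    "2010-11-03T09:13:10 edr host=ws-jdoe user=jdoe parent=outlook.exe child=invoice.pdf.exe",
    "2010-11-03T09:40:00 edr host=ws-asmith user=asmith parent=explorer.exe child=excel.exe",
]
FIREWALL_LOG = [
    "2010-11-03T09:13:42 fw allow src=ws-jdoe dst=203.0.113.77 dport=443",
    "2010-11-03T09:41:12 fw allow src=ws-asmith dst=198.51.100.20 dport=443",
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumption: processes that read mail
WINDOW = timedelta(minutes=10)                        # assumption: how far apart stages may be


def parse_kv(line):
    """Normalise one 'timestamp source key=value ...' line into a dict.

    Tokens without '=' (e.g. 'deliver', 'allow') are action words and are
    kept under the 'action' key so rules can filter on them.
    """
    ts, source, *rest = line.split()
    fields = {"ts": datetime.strptime(ts, TS_FORMAT), "source": source}
    for tok in rest:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields["action"] = tok
    return fields


def within(later, earlier, window):
    """True when `later` follows `earlier` by no more than `window`."""
    return timedelta(0) <= later - earlier <= window


def correlate(mail_log, endpoint_log, firewall_log, window=WINDOW):
    """Return one alert per (mail -> process -> outbound connection) chain.

    Stage 1: a mail client spawned a child process on some host.
    Stage 2: that child's name was delivered as an attachment to the same
             user shortly before.
    Stage 3: the same host opened an outbound connection shortly after.
    Any single stage is ordinary activity; all three together are not.
    """
    mail = [parse_kv(line) for line in mail_log]
    procs = [parse_kv(line) for line in endpoint_log]
    conns = [parse_kv(line) for line in firewall_log]
    alerts = []
    for proc in procs:
        if proc.get("parent", "").lower() not in MAIL_CLIENTS:
            continue
        delivered = [
            m for m in mail
            if m.get("action") == "deliver"
            and m["to"].split("@")[0] == proc["user"]
            and m["attachment"].lower() == proc["child"].lower()
            and within(proc["ts"], m["ts"], window)
        ]
        if not delivered:
            continue
        outbound = [
            c for c in conns
            if c.get("action") == "allow"
            and c["src"] == proc["host"]
            and within(c["ts"], proc["ts"], window)
        ]
        if not outbound:
            continue
        alerts.append({
            "severity": "high",
            "host": proc["host"],
            "user": proc["user"],
            "attachment": proc["child"],
            "mail_src": delivered[0]["src"],
            "dst": outbound[0]["dst"],
            "first_seen": delivered[0]["ts"].strftime(TS_FORMAT),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(MAIL_LOG, ENDPOINT_LOG, FIREWALL_LOG):
        print(alert)
```

Run on the constructed streams, the rule fires once, for ws-jdoe, and stays silent for asmith, whose PDF attachment was never executed and whose Excel session and outbound connection are unrelated. Dropping any one of the three feeds from the call makes the alert disappear, which is the point: the firewall, the endpoint agent and the mail gateway each hold one piece, and only the system that receives all three can tell the difference between a busy morning and an intrusion.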

So why doesn’t everyone have Security Intelligence? One of the reasons is superstition: SIEM has gotten a bad rap as difficult to deploy and maintain. Like most old wives’ tales, there is some truth at the root. Implementing early SIEMs and gaining value from them was as painful as home dentistry; however, all technology evolves, and today’s SIEMs have been designed to be easier to deploy and maintain than those of your ancestors, those same people who had to pump water out of the ground into a bucket and crank-start their Model T in their Sunday-go-to-meeting duds.

Einstein said the definition of insanity is doing the same thing over and over again and expecting different results. So doing more of the same and adding yet more defense-in-depth technology--firewalls, IPS, anti-virus, and endpoint protection--without Security Intelligence, and expecting to stave off the next attack and the next is insane. Or maybe it’s just superstition. Let me consult my Magic 8 Ball.

Related Reading: Security Intelligence - A Spy Story

Chris Poulin brings a balance of management experience and technical skills encompassing his 25 years in IT, information security, and software development to his role as Chief Security Officer at Q1 Labs. Prior to joining Q1 Labs in July 2009, Poulin spent eight years in the U.S. Air Force managing global intelligence networks and developing software. He left the Department of Defense to leverage his leadership and technical skills to found and build FireTower, Inc., an information security consulting practice.