People who know me know that I love to ask questions. In fact, people sometimes ask me: “Why do you always answer a question with a question?” To this I reply: “Why not?”
In all seriousness, asking the right questions is one of the most important and fundamental aspects of a successful security program. Time and time again over the course of my career, I’ve seen that the inability to ask the right questions is one of the biggest challenges any organization will face in improving its security posture. Why is this? Allow me to explain.
There are two oft-used phrases that come to mind and help me to illustrate my point. I’m sure we’ve all heard the phrases “garbage in, garbage out” and “ask a stupid question, get a stupid answer”. These couldn’t be truer in the realm of information security.
Questions empower us to move from the problem to the solution. First and foremost, when our goal is to solve a problem, we must first understand the problem – to its core.
Fully grasping the problem is the conception of its solution. From there, we must ask: “What information, technology, knowledge, or otherwise is missing that prevents us from solving this problem?” Understanding the answer to this question subsequently enables us to ask additional, more-detailed questions designed to tease out what we need in order to succeed. As you can see, by asking questions and answering those questions with additional questions, we are working towards solving big problems by breaking them down into smaller, less intractable problems.
If you’ve read my previous pieces, you may notice a theme here. Whether I’ve written on enumerating risks, setting goals and priorities, identifying operational requirements, developing alerting content and logic, analyzing root cause, performing incident response, or any of the other activities that are part of a successful security program, there is a unifying theme. Yes, the topics I have written on are all part of a successful security operations and incident response program. But beyond that, there is a deeper thread that runs through them. They all involve asking the right questions. In my experience, in information security, the question is more important than the answer.
Asking the right questions allows us to approach information security analytically and logically. We need to be able to formulate precise, targeted, incisive queries to hone in on the most relevant data while minimizing time spent with data that are irrelevant. That is the only way to progress towards addressing some of today’s biggest security challenges.
Let’s illustrate this through an example. Say we run a Security Operations Center (SOC) or incident response function that consistently misses intrusions and is almost always notified by a third party. Obviously, at the top of the priority list for this organization is improved detection. But unfortunately, a desire for improved detection alone will not get us to where we need to go. We need to ask the right questions.
The obvious initial question to ask is: “Why are my detection rates so poor?” In order to answer this question, we need to get to the core of the issue. Is it because my signal-to-noise ratio is far too low? Or, is it because I do not have the proper visibility into my network and endpoints? Or, could it be that I do not have the proper expertise to vet, qualify, and investigate alerts? Could it be that I do not have sufficiently intelligent alert logic (spear alerting)? Or, could it be that I do not receive sufficient information and intelligence to assist me with detection? Perhaps it is a combination of some or all of the above factors?
As you can see, each of these questions pokes at drastically different root causes. Only though understanding which question or questions addresses the root cause of our poor detection can we begin to address the issue. Once we are able to ask the right questions, we can begin to progress down the path towards a solution. Without this critical step, we are simply wandering, which does not bring us closer to solving our problem.
Let’s look at a second example as well. Recently, I was fortunate enough to have the opportunity to speak at Suits and Spooks Singapore. I joined the panel discussion on “Nation State Challenges in Securing Critical Infrastructure from Digital Attacks.” For those that know me, it will come as no surprise that I took a question-based approach to the discussion. The angle I took was as follows: “Before we can apply the state-of-the-art in both prevention and detection/response to the challenge of securing critical infrastructure, we need to ask a series of questions.”
This is another great example of where asking the right questions is of the utmost importance to addressing the challenge. Consider these points:
1. Definition. What do we consider critical infrastructure? What do we intend to secure? Casting too narrow a net leaves nation states exposed to unforeseen and unmitigated risks. Casting too wide a net leaves nation states with a never-ending list of assets to secure, many of which may be irrelevant.
2. Inventory. Where are our critical infrastructure assets located? This question is obviously predicated by the answer to the previous question. But beyond that, do we even know where the assets we want to secure are located? In many countries, the answer to this question is, unfortunately, no.
3. Strategic plan. How will we go about securing the assets we enumerate? What mix of policy, legislation, regulation, guidance, and other assistance is the right mix?
4. Implementation. When will we address which issues with what resources (budgetary, technology, expertise, and otherwise)?
As you can see, it is one thing to talk about the need to secure critical infrastructure. It is another thing entirely to try and do something about it.
In some circles, it may be considered gauche to answer a question with a question. In information security, I would argue that it’s actually quite necessary.
The next time someone asks you “What is the state of your security program?” or “What are you doing to improve your security posture?” Will you answer them straight up, or will you ask the question “What questions do I need to ask to properly answer that question?”
