
Bears, Hikers and Security Analogies

Having spent a considerable portion of time in the security industry, I’ve learned a thing or two along the way including that some of the lessons I took for granted earlier in my career are just wrong. Take, for example, the old analogy about the hikers and the bear. You’ve likely heard it, and odds are if you’re a security professional you’ve told it. I know I have.

The story goes like this: there are two hikers and a bear is chasing them. The first hiker is running for his life and looks back at the second hiker who is tying his shoe. The first hiker yells back “What are you doing, we have to outrun the bear!” The second shouts to him, “Not really, I just have to outrun you!” This is meant to illustrate that in the enterprise world, you don’t have to have perfect security, but security that is better than the next company. The understanding is that the bear (the threat) will give up on chasing you and will go for the easier target.

That analogy is partially right, but mostly terribly wrong. Let me explain.

First, this analogy is predicated on the assumption that there is only one type of threat. The bear represents a specific, singular threat actor or, more broadly, a single category. While this was possibly true 15 years ago, it is most certainly not true in today’s world. Today we have the full spectrum of attacker types, from generic and opportunistic all the way to persistent. While I believe the bear represents the most basic type of opportunistic threat, one that is prone to seeking out the easy prey, there is a good chance that bear will focus on you when it realizes you’re the one with the pocket full of bacon.

On the other end of the spectrum of threats you have the most specific type of threat – easily represented by a sniper. The sniper is focused on you, and whether you run or not is entirely immaterial. As one of my friends would say, “You can run, but you will only die tired.”

I write about this now because in recent conversations with savvy security executives, I’ve discovered that these misconceptions still persist.

As long as the “hikers and bear” analogy is told in boardrooms we will have difficulty communicating the value of a proportionate security model where we design security measures for different types of adversaries with different types of objectives. The most common perception here is that all adversaries can simply be made to give up and move on to the next target. Those of you who fight bad guys every day know that there are those that will move on if properly annoyed and frustrated. The rest will try again. And again. And again. And again until they’re successful at achieving their objective.

The reality is that while many things you see on your dashboards and alerting systems are opportunistic or moderately determined (let’s estimate 80 percent), the rest are the type that won’t give up. There isn’t anything you can do to make that adversary go away. They’re better armed, they’re better funded and they (typically) have the luxury of manpower that you don’t. Sometimes the enemy is an adversary, and sometimes it’s just malware. Knowing the difference is key to understanding how to design truly effective and proportional security.

So why does this matter? That’s a completely valid question. To me, gaining knowledge doesn’t matter if it doesn’t drive some sort of different behavior. So, suppose you now know that what you have isn’t really opportunistic malware but rather an adversary. So what? What new behaviors will that drive?

I believe there are three things that change when you come to that realization based on sound knowledge. First and foremost, the definitions of winning and losing change. To many CISOs in the game, having malware infect an endpoint or being successfully exploited means they’ve lost. I couldn’t possibly disagree with that more.

If you’re fighting an adversary your defensive operations and goals change slightly. Rather than preventing any kind of infiltration you will now focus on frustrating the enemy to keep them from achieving their objective.

Knowing that someone can beat you and get in makes you change how you play the game. Now organizations that have taken the time to identify their critical assets can understand what that particular adversary is after and stack their defenses around that target and make sure the adversary isn’t able to successfully take it. This shift in defensive mentality allows your team to set the goal of frustrating the adversary, wasting their resources, and keeping them working while preventing them from achieving their mission objectives.

Second, this knowledge forces us to stop thinking of each incident as a discrete event and start thinking of adversaries’ campaigns against us. Again, adversaries are persistent and will use the tactics and techniques that help them achieve their goals. Only when they are pressed will they change their modus operandi, if they can. So by knowing an adversary by name and profile you can better understand what tactics they will use against you – phishing attacks, for example. Knowing that, you can identify, track and remove them more effectively and efficiently.

Finally, this knowledge helps us determine the adequacy of our security programs. If you can successfully play against a single adversary and frustrate them you may have a sound security program…until another adversary shows up. Proper scaling is crucial, and that means processes, people, and appropriate technology. I’m willing to bet that more than once this type of analysis yielded a result that the program was perfectly adequate. It wasn’t necessarily world-class, but it kept the adversary from achieving an objective, and kept the damage from the skirmishes manageable. Call that a win.

So you see, the analogy of the two hikers running away from the bear doesn’t work anymore. Not only because there isn’t just one bear, but because sometimes the bear is hiding in the bushes and has you in the crosshairs because it wants what only you have. At that point you’d better hope that when the rounds start coming you’re able to block and tackle effectively enough so that they get frustrated, keep the damage manageable, and know when to declare a victory.

Rafal Los is an industry innovator, strategist, and personality. Currently Rafal is the Vice President of Security Strategy at Lightstream Managed Services where he is responsible for strategy and design of the security practice. His career spans 20+ years while working inside companies from the Fortune 10 to a firm of less than 10. Rafal's strengths include strategic leadership, developing and refining market strategies, business process optimization, and bringing people together to solve complex problems. Most recent achievements include assisting a company in its pivot from infrastructure provider to security-as-a-service by developing a pre-sales strategy and developing a professional services framework; implementing significant changes in business process that led to the company's ability to measure the impacts of various efforts on the sales cycle. Follow Rafal on Twitter: @Wh1t3rabbit.