SecurityWeek

Management & Strategy

Bears, Hikers and Security Analogies

Having spent a considerable portion of time in the security industry, I’ve learned a thing or two along the way including that some of the lessons I took for granted earlier in my career are just wrong. Take, for example, the old analogy about the hikers and the bear. You’ve likely heard it, and odds are if you’re a security professional you’ve told it. I know I have.

The story goes like this: there are two hikers and a bear is chasing them. The first hiker is running for his life and looks back at the second hiker who is tying his shoe. The first hiker yells back “What are you doing, we have to outrun the bear!” The second shouts to him, “Not really, I just have to outrun you!” This is meant to illustrate that in the enterprise world, you don’t have to have perfect security, but security that is better than the next company. The understanding is that the bear (the threat) will give up on chasing you and will go for the easier target.

That analogy is partially right, but mostly terribly wrong. Let me explain.

First, this analogy is predicated on the fact that there is only one type of threat. The bear represents a specific, singular threat actor or, more broadly, a category. While this was possibly true 15 years ago, it is most certainly not true in today’s world. Today we have the full spectrum of attacker types from generic and opportunistic all the way to persistent. While I believe the bear represents the most basic type of opportunistic threat that is prone to seeking out the easy prey, there is a good chance that bear will focus on you when it realizes you’re the one with the pocket-full of bacon.

On the other end of the spectrum of threats you have the most specific type of threat – easily represented by a sniper. The sniper is focused on you, and whether you run or not is entirely immaterial. As one of my friends would say, “You can run, but you will only die tired.”

I write about this now because in recent conversations with savvy security executives, I’ve discovered that these misconceptions still persist.

As long as the “hikers and bear” analogy is told in boardrooms we will have difficulty communicating the value of a proportionate security model where we design security measures for different types of adversaries with different types of objectives. The most common perception here is that all adversaries can simply be made to give up and move on to the next target. Those of you who fight bad guys every day know that there are those that will move on if properly annoyed and frustrated. The rest will try again. And again. And again. And again until they’re successful at achieving their objective.

The reality is that while many things you see on your dashboards and alerting systems are opportunistic or moderately determined (let’s estimate 80 percent), the rest are the type that won’t give up. There isn’t anything you can do to make that adversary go away. They’re better armed, they’re better funded and they (typically) have the luxury of manpower that you don’t. Sometimes the enemy is an adversary, and sometimes it’s just malware. Knowing the difference is key to understanding how to design truly effective and proportional security.

So why does this matter? That’s a completely valid question. To me, acquiring knowledge doesn’t matter if it doesn’t drive some sort of different behavior. So, with this newfound knowledge that what you have isn’t really opportunistic malware but rather an adversary, so what? What new behaviors will that drive?


I believe there are three things that change when you come to that realization based on sound knowledge. First and foremost, the definitions of win and lose change. To many CISOs in the game, having malware infect an endpoint or being successfully exploited means they’ve lost. I couldn’t possibly disagree with that more.

If you’re fighting an adversary your defensive operations and goals change slightly. Rather than preventing any kind of infiltration you will now focus on frustrating the enemy to keep them from achieving their objective.

Knowing that someone can beat you and get in makes you change how you play the game. Now organizations that have taken the time to identify their critical assets can understand what that particular adversary is after and stack their defenses around that target and make sure the adversary isn’t able to successfully take it. This shift in defensive mentality allows your team to set the goal of frustrating the adversary, wasting their resources, and keeping them working while preventing them from achieving their mission objectives.

Second, this knowledge forces us to stop thinking of each incident as a discrete event and start thinking of adversaries’ campaigns against us. Again, adversaries are persistent and will use the tactics and techniques that help them achieve their goals. Only when they are pressed will they change their modus operandi, if they can. So, knowing an adversary by name and profile, you can better understand what tactics they will use against you – phishing attacks, for example. By knowing that, you can identify, track and remove them more effectively and efficiently.

Finally, this knowledge helps us determine the adequacy of our security programs. If you can successfully play against a single adversary and frustrate them you may have a sound security program…until another adversary shows up. Proper scaling is crucial, and that means processes, people, and appropriate technology. I’m willing to bet that more than once this type of analysis yielded a result that the program was perfectly adequate. It wasn’t necessarily world-class, but it kept the adversary from achieving an objective, and kept the damage from the skirmishes manageable. Call that a win.
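To show what the three behaviors above look like when written down as triage logic, here is an added example (it is not the author’s or SecurityWeek’s code). It takes a handful of constructed alert records, groups them into campaigns by a shared tradecraft fingerprint instead of treating each alert as a discrete event, labels a campaign persistent when the adversary keeps trying after being blocked, and scores a campaign as a loss only when an objective is reached on a critical asset, not merely because an endpoint was touched. The fingerprint scheme, the asset names and every alert are assumptions made for the example.

```python
"""Campaign-level triage of constructed security alerts.

Added example, not the column author's code. Every alert below is
constructed sample data; the critical-asset list and the tradecraft
fingerprint (tactic + attacker infrastructure) are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed "crown jewels": losing one of these is what the adversary wants.
CRITICAL_ASSETS = {"finance-db", "source-repo"}


@dataclass(frozen=True)
class Alert:
    when: datetime
    tactic: str              # e.g. "phishing", "credential-stuffing"
    infra: str               # attacker infrastructure label (constructed)
    target: str              # asset touched by this step
    blocked: bool            # did a control stop this step?
    objective_reached: bool  # did the step exfiltrate / encrypt / tamper?


# Constructed alerts: four distinct adversaries, some of them retrying.
SAMPLE_ALERTS = [
    Alert(datetime(2024, 3, 1), "phishing", "mailer-17", "workstation-22", True, False),
    Alert(datetime(2024, 3, 3), "phishing", "mailer-17", "workstation-22", True, False),
    Alert(datetime(2024, 3, 5), "phishing", "mailer-17", "workstation-22", False, False),
    Alert(datetime(2024, 3, 9), "phishing", "mailer-17", "finance-db", True, False),
    Alert(datetime(2024, 3, 2), "credential-stuffing", "proxy-net-3", "vpn-gw", True, False),
    # Commodity malware ran on a workstation but never reached a critical asset.
    Alert(datetime(2024, 3, 4), "malspam", "botnet-9", "workstation-40", False, True),
    Alert(datetime(2024, 3, 6), "supply-chain", "vendor-x", "build-server", True, False),
    Alert(datetime(2024, 3, 8), "supply-chain", "vendor-x", "source-repo", False, True),
]


def fingerprint(alert: Alert) -> str:
    """Tradecraft fingerprint used to tie alerts to one adversary campaign."""
    return f"{alert.tactic}|{alert.infra}"


def build_campaigns(alerts):
    """Group alerts by fingerprint, each campaign ordered by time."""
    campaigns = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a.when):
        campaigns[fingerprint(alert)].append(alert)
    return dict(campaigns)


def classify(campaign):
    """Persistent if any step follows a blocked step; otherwise opportunistic."""
    seen_block = False
    for alert in campaign:
        if seen_block:
            return "persistent"
        if alert.blocked:
            seen_block = True
    return "opportunistic"


def outcome(campaign):
    """A loss only when an objective is reached on a critical asset."""
    for alert in campaign:
        if alert.objective_reached and alert.target in CRITICAL_ASSETS:
            return "loss"
    return "win"


def summarize(alerts):
    """Per-campaign view: attempts, adversary kind, win/loss, assets touched."""
    report = {}
    for key, steps in build_campaigns(alerts).items():
        report[key] = {
            "attempts": len(steps),
            "kind": classify(steps),
            "outcome": outcome(steps),
            "targets": sorted({a.target for a in steps}),
        }
    return report


def persistent_share(alerts):
    """Fraction of campaigns that kept trying after being blocked."""
    report = summarize(alerts)
    return sum(1 for c in report.values() if c["kind"] == "persistent") / len(report)


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_ALERTS).items():
        print(f"{name:35} {info['kind']:13} {info['outcome']:5} "
              f"attempts={info['attempts']} targets={info['targets']}")
    print(f"persistent share: {persistent_share(SAMPLE_ALERTS):.2f}")
```

Run as a script it prints one line per campaign. The phishing campaign retried four times and was blocked at the critical asset, so it counts as a win despite one alert getting through; the commodity malware infection is also a win because no critical asset was affected; only the supply-chain campaign, which reached the source repository after being blocked once, is scored as a loss. Swapping the fingerprint for real adversary profiles and the asset list for your own critical-asset inventory is what makes this reflect your environment.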

So you see, the analogy of the two hikers running away from the bear doesn’t work anymore. Not only because there isn’t just one bear, but because sometimes the bear is hiding in the bushes and has you in the crosshairs because it wants what only you have. At that point you’d better hope that when the rounds start coming you’re able to block and tackle effectively enough so that they get frustrated, keep the damage manageable, and know when to declare a victory.
