
Management & Strategy

Skill: The Most Important Layer of Defense in Depth

In Network Security We are Always in a Battle of Wits Against the Attackers…

This week marks the official start of a new school year and all that comes with it. Personally, I was always in that strange group of kids that looked forward to the beginning of school.


Of course a new year always presented an opportunity for a fresh start, but more than that, the beginning of school brought that unique blend of excitement and apprehension that comes when you are forced to learn something completely new. It may not always be fun, but we all recognize as a culture that education is critical to our success, and as individuals we emerged more prepared and capable of handling new challenges.

This is why I think it is particularly ironic that education and training have gotten short shrift in many IT security organizations. Needless to say, information technology is one of the most rapidly evolving disciplines on the planet, where new devices, applications, networks and technologies seemingly spring up overnight. IT security has the Sisyphean task of making sure all that new technology actually works, without putting the enterprise at risk. It seems pretty clear that the professionals responsible for security are continually learning and have some of the greatest need for ongoing education and training, and yet in many cases it’s an area that simply doesn’t get the attention it deserves.

It’s easy to understand how this happens. For more than a decade, IT security teams have been constantly tasked to “do more with less”, which has led to reductions in security staff and a reliance on automated processes. Obviously, being efficient is a good thing, and many of the gains in this area are very real. Yet at the same time, without the human skill and intelligence, those automated systems can simply generate massive amounts of data in lieu of actual understanding.

This is a good time to note that last year’s Verizon Data Breach Report found that 86% of breaches showed evidence of the attack in the security logs, yet only 5% of breaches were detected this way. Data and intelligence are obviously different things and it takes well-trained security professionals to understand and get the real value out of security solutions. Those professionals also need to understand the underlying technologies so that they can make informed product decisions and keep security vendors honest.

It’s also important to remember just how the threat landscape has changed in the past few years. While security teams have learned to run lean and automate, attackers have become well-funded, targeted, and patient. Targeted attacks have become somewhat mainstream, affecting organizations from all industries. Trade secrets, intellectual property or even customer or partner data have all been targeted by attackers. What these attacks all share in common is that they are driven by focused attackers, who go to great lengths to avoid detection. And this is the crux of the problem. On the attacker side, you have flesh and blood human intelligence focused on avoiding detection, and on the IT security side you have fewer humans who are typically overworked and undertrained. This is an asymmetric conflict where the bad guys hold the advantage.

Ultimately, enterprises can only stem this tide by once again incorporating training and ongoing education into their defense in depth model. Most organizations invest heavily in defense in depth with multiple layers of security controls that each provide additive and complementary value. However, human intelligence and skill is still the thing that makes those layers greater than the sum of the parts, and arguably the most important aspect of defense in depth.

It’s also important to remember that investing in people doesn’t just mean getting a certification. It also means that we need to ensure security professionals have the time to actually put those hard-earned skills to use. They need to investigate, dig into anomalies, and piece together multiple sources of data in order to see the big picture. Simply knowing how to play chess doesn’t help if you aren’t afforded the time to play the game, and the same is true for security.


Organizations will never have enough people to do all the things that they would want in an ideal world, and operating efficiency will always be at a premium. However, we have to remember that in network security we are always in a battle of wits against the attackers, and today the best counter-measure for an intelligent attacker is still an intelligent defender. All in all, focusing on the human layer of defense in depth requires CIOs and CISOs to find the right balance.
