Keys to Working Smarter Not Harder in Cybersecurity Part 1 of 5

This is a 5-part series raises critical points regarding crucial modern strategies in cybersecurity.  This involves working smarter not harder and escaping older ways of thinking and doing.  The time has come to stop hitting a brick wall in cyber defense.  

I'll present you with some wisdom based on many years in the field, to help you be more effective in cybersecurity.  This starts with thinking about things in the right way.  It includes things such as the futility of "doubling efforts" and "spending more time" on things - despite what others might tell you and despite hundreds of checklist items that entice you to do so.  Less in more.

The old and out-dated approaches to cybersecurity might have worked for 1999 and maybe even 2009, but they absolutely no longer scale today.  Worse, they will not ever scale in the future, so things much change right now.  Let's first look at:

  • The fallacy of only working hard and how it can now get us into trouble
  • How cybersecurity presents "wicked problems" and must be approached differently
  • The fallacy of "prevention" and the nature of cyberspace today

Let's dive right in...  

Work smart or work hard?

The above scene from Star Wars – Episode 6 is where the General assures Darth Vader that after some failures, he and his team will “double their efforts” to ensure what happened before does not happen again.  The assumption is that “doubling efforts” will achieve a better result.

Darth Vader allows the General to have a second chance, barely.  But let’s think about this for a minute - is “doubling efforts” actually a wise approach that will lead to success?  In cybersecurity, it is not.  Although the lure "work harder" sounds right, in cybersecurity this doesn't scale.

The notion of doubling effort makes it seem as if working harder will cause the universe to reciprocate in kind, with better results.  However, working harder is not necessarily working smarter.  In fact, working harder can bog down resources, and can become detrimental rather than helpful.  

All of this applies to cybersecurity today, so let’s look at how working harder and doubling efforts no longer scales, as it may have in previous times, prior to our cyber world.

Perfectionism, thoroughness and the nature of cyberspace

Older thinking stems from a more static-oriented security approach confined to a box or checklist and thought to apply equally to all contexts.  

Many trained in the old-school ways of cybersecurity may not have transitioned from this highly static-minded and outdated all-or-nothing approach to security that uses one-to-one checklists and strategies.  This results in doing security like it’s 1999, or at best 2009.  

At the root of such thinking are the old-school views of traditional security such as:

  • Use point solutions to address each problem separately and additively
  • Each layer helps everything else, so the more layers the better
  • Work hard to achieve the best results, double efforts when necessary
  • Be as thorough as possible
  • Prevention works best
  • Do it right once and it will endure

Such notions are wrong and will drag down cybersecurity because cyber is different.  Using physical analogies in cyber have failed us.  This failure to understand how cyber is different means that major mistakes in strategy and operations are made.  

Old approaches to cybersecurity don't scale anymore

Cyber is an environment where things evolve rapidly and continuously.  The environment grows rapidly in complexity.  Every day more transactions, code, apps, devices, contexts and users grow exponentially.  

A one-to-one approach or any strategy that does not scale with such massive growth is a losing strategy in an ever-scaling cyber world.

Because things change quickly in cyber - “done right” is very fleeting.  For example, all preventions seem to have bypasses, or they’re discovered along the way.  Software is always buggy and has exploitable possibilities.  None of this has ever changed, nor is it likely to change.  

Prevention is no longer palatable because there's just too much to try to prevent, considering the explosion of malware numbers.  AV scanners must take shortcuts and adversaries know what these are and can slip by.  One-for-one preventions and patches don't scale well considering such growth.  

Cyber is different

The nature of cyber involves different rules from those of the physical world.  The variables and conditions are constantly in flight, and the relationships and inter-dependencies are very different.  

For example, protecting a physical asset might entail protecting against 10-20 types of attack vulnerabilities.  Protecting a cyber system entails millions of vulnerabilities, even if many systems are patched and configured.

As stated, one of the chief differences is in how ineffective prevention is anymore.  One needs to put 100 preventions in place on 1000 systems and all an attacker needs is one opening.  Well guess what, there always will be at least one opening.  

Also, unknown and undocumented things can have unknown vulnerabilities that span decades of being exploited by an attacker without being detected.  There are many examples of this, whether they are supply-chain oriented or backwards-compatibility related weaknesses.

It is dangerous to not see how things differ in cyber, because unlike the physical world.  Cyber is highly interconnected in a way where one thing can affect too many things, rather than an isolated few.  The supply chain alone means one issue can affect thousands of companies. Think SolarWinds, Kaseya, and Log4Shell for example.

This is a key difference and I will talk about it more later in another article regarding “how a threat to one can easily become a threat to all in cyberspace” so stay tuned for that.  Next we will look more at the nature of cyberspace to understand cybersecurity and possible solutions.

Stay tuned for Part 2 of Keys to Working Smarter Not Harder in Cybersecurity

#Cybersecurity #LessIsMore #Infosec #WickedProblems - CYBER Y'ALL! - @CyberYall

Comments

Post a Comment

Popular posts from this blog

Slay the Log4Shell Dragon TEAM 2 - Hunt and Detect Attacks Playbook

Image
Slay the Log4Shell Dragon Playbook TEAM 2 – Hunt and Respond Playbook Struggling with how to tackle the Log4J / Log4Shell Dragon and low on resources? First, as I've said before, start with my “ RAPID LOG4SHELL RESPONSE 1-PAGE CHECKLIST ” to begin immediate actions to tackle this issue.  In that 1-pager, I provide concise guidance to get started quickly.   However, for medium and larger sized companies, this approach might not be enough , although it is a great and immediate start.   Simply patching alone will likely not meet the expectations in the case of the Log4J / Log4Shell vulnerabilities, if there is a breach.  A more comprehensive approach is required to reduce risk.  I’ve therefore put this playbook together to help go above and beyond just a patching-based approach and hope it proves useful.   My goal was to provide something that would help ensure a high enough level of due diligence for risk reduction of this issue.   In this article I’ll provide a TEAM 2 PLAYBOOK o
Read more

Slay the Log4Shell Dragon TEAM 1 - Protect and Detect Vulns Playbook

Image
Slay the Log4Shell Dragon Part 2A - TEAM 1 -  Immediate Protection and Detection Struggling with how to tackle the Log4J / Log4Shell Dragon and low on resources? First, start with my “ RAPID LOG4SHELL RESPONSE 1-PAGER - 8 STEP CHECKLIST ” to begin immediate actions to tackle this issue.  In that 1-pager, I provide concise guidance to get started quickly.  However, for medium and larger sized companies, this approach might not be enough, although it is a great and immediate start.   Simply patching alone will likely not meet the expectations in the case of the Log4J / Log4Shell vulnerabilities, if there is a breach.  A more comprehensive approach is required to reduce risk.  I’ve therefore put this playbook together to help go above and beyond just a patching-based approach and hope it proves useful.   My goal was to provide something that would help ensure a high enough level of due diligence for risk reduction of this issue.   In this article I’ll provide a TEAM 1 PLAYBOOK of recomm
Read more

Keys to Working Smarter Not Harder in Cybersecurity Part 5 of 5

Image
Welcome to the last in the series - part 5 of a  discussion about working smarter not harder in cybersecurity.   We'll look at: How to tackle the huge tasks with bite-sized chunks and baby steps  What to do instead of trying to defend everything despite competing priorities Baby Steps and less is more  It’s been said that a long journey begins with a single step.  It’s also been said that to eat a large steak, you have to do it one bite at a time.  Remember the movie “What About Bob?”  Baby steps folks.  Small incremental progress in important things like low-hanging fruit is key.   A “Less is More” philosophy should be a basis of a better approach in cybersecurity.  Also, “try softer” rather than “try harder” is another important strategy.  Trying too hard usually ends up backfiring and causes too much friction.  All of these things are behavioral patterns on the human and process side of things.   For example, why try to implement 30 items in a  STIG checklist  when the attack to
Read more