Keys to Working Smarter Not Harder in Cybersecurity Part 3 of 5
Welcome to Part 3 in this series about keys to working smarter not harder in cybersecurity.
In this article we'll look at unrealistic tendencies, how MITRE ATT&CK can help if used correctly, and how the nature of cyberspace has evolved from a prevention-centric approach.
Unrealistic tendencies
Older ways of thinking about cybersecurity and the nature of cyber fail to understand how interconnected threats and attack chains work. Prevention items are often looked at in isolation rather than as links in an attack chain.
As it has been said, defenders often think in lists, and attackers think in graphs. Defenders like to believe doing all things on a checklist will achieve success. But everything on the checklist has a potential bypass.
All it takes is the weakest link in the chain - and there are many - for an attacker to achieve success. This is where defense in depth – the right way – must be achieved. There are some errors of judgment that can be made in this area as well, so one must be careful.
Enter MITRE ATT&CK
Only in the last few years have defenders truly started to gain a better understanding of the nature of cyber defense. This is thanks to models such as the intrusion kill chain, and even more so from frameworks such as MITRE ATT&CK.
Even such insight can cause friction, if one tries to implement all detections of MITRE ATT&CK equally, for example. Not only is that unrealistic, but there should be a more focused approach. This must be based on relevant cyber threat intelligence regarding what’s most likely to occur.
Avoid older ways of "all-or-nothing" thinking and advice that says:
- Apply all security baseline items
- Fully implement app whitelisting
- Fully implement the framework (CIS 20, NIST CSF, MITRE ATT&CK, etc.)
- MFA everything (though as much as possible is advised in this one)
- Patch everything
- Be thorough in all you do
There is a much better way to implement these things in a way that causes less friction. This should never be an all-or-nothing approach, where all = success and none or some = failure. Instead, a more precise focus in necessary. Be selective and precise.
Fallacy of static rather than dynamic view of the nature of cyber defense
Not understanding the nature of cyber is a root issue and challenge that must be overcome. Older thinking assumes the more thorough, the better. Such conventional thinking still believes “prevention is best” because that’s how things work in many other environments, in the kinetic world.
Older environments were much simpler with less issues to address. This is no longer the case, and unlike the kinetic world, cyber interdependencies are much more complex.
The Nature of cyberspace and cybersecurity
Here are some things that seem to characterize the world of cyberspace, as I see it:
- One-to-many complex relationships and interactions that grow daily
- A highly interconnected and interdependent environment beyond measure & growing
- Built on an inherently insecure foundation (insecure languages and coding practices)
- Insecure defaults, protocols, devices and credentials constantly used, found and exposed
- Constant change and ever-expanding dynamics on a massive and exponential scale
- Constant drive for usability and speedy deliverability rather than security
- Old analogies cloud our understanding of the cyber environment (cause, effect, etc.)
- Prevention doesn’t work in most cases - so detection and response are a must
- Single point solutions don’t scale and won’t last (IOCs vs IOAs for example, AV sigs, etc.)
- No framework or solution is a panacea, and may be better in theory than in practice
- Working smarter is a must because scalability is critical and working harder doesn’t scale
- Nothing endures, things can change on a dime, massively and suddenly - game changers rule
- Attackers are highly creative – and – need only one path in, meaning defenses will fail
- Security is always behind considering the scope and scale of growth and attack capabilities
- Elements of surprise and speed favor attackers - and are critical elements of attack success
A failure to understand these things means failure and resource waste regarding cyber priorities.
Prevention-based security and diminishing returns
Diminished returns from too much prevention comes quicker than expected, for various reasons, in cyber. Advice that’s great today can change tomorrow.
This also means that if one requires an entire year of effort to lock things down, and then the OS changes or there are bypasses, a large part of this effort can go to waste. There’s no time for that, resources are scarce enough as it is.
Making the right decisions for what to pursue versus what not pursue in cyber defense is critical. It’s about “doing the right things” not just “doing things right”. Think of architecture vs engineering for example. One seeks to do things right, the other seeks to do the right things. Combining both correctly is key.
Understanding the nature of cyber defense also helps us make the right decisions and consider the trade-offs and risk involved. Also, there may be diminishing returns on investments, so one must actively discover what's no longer worthwhile. In such cases, it’s best to move on, because any extras may require more effort that they're worth.
Stay tuned for Part 4 where we conclude the Keys to Working Smarter Not Harder in Cybersecurity series.
#Cybersecurity #LessIsMore #Infosec #WickedProblems - CYBER Y'ALL! - @CyberYall
Comments
Post a Comment