Thursday, April 15, 2010

Response to Dan Geer Article on APT

A few people sent me a link to Dan Geer's article Advanced Persistent Threat. Dan is one of my Three Wise Men, along with Ross Anderson and Gene Spafford. I'll reproduce a few excerpts and respond.

Let us define the term for the purpose of this article as follows: A targeted effort to obtain or change information by means that are difficult to discover, difficult to remove, and difficult to attribute.

That describes APT's methodology, but APT is not an effort -- it's a proper noun, i.e., a specific party.

Given that the offense has the advantage of no legacy drag, the offense's ability to insert innovation into its product mix is unconstrained. By contrast, the CIO who does the least that can be gotten away with only increases the frequency of having to do something, not the net total work deficit pending.

In other words, the offense expends work whenever innovation is needed; the defense expends work each day and never catches up.

This "least expensive defense" is not insane, just ineffective because the offense is a sentient being with a strategic advantage.


I love the characterization of offense as having "no legacy drag," and "defense expends work each day and never catches up." That perfectly describes the advantage of offense over defense.

Even if you don't think the advanced persistent threat is all that advanced, realize that if this is so, it is only because it doesn't have to be when your defenses don't require it to be. Even more central, do not think that the supplier of defensive weapons will ever have weapons to thwart (the deployment of) offensive weapons that are sufficiently well targeted to hit only some people, some computers, some data.

Dan nicely counters the argument that some make, namely "APT doesn't sound so 'advanced.'"

The advanced persistent threat, which is to say the offense that enjoys a permanent advantage and is already funding its R&D out of revenue, will win as long as you try to block what he does. You have to change the rules. You have to block his success from even being possible, not exchange volleys of ever better tools designed in response to his. You have to concentrate on outcomes, you have to pre-empt, you have to be your own intelligence agency, you have to instrument your enterprise, you have to instrument your data.

In one paragraph Dan reminds us to change the plane, be field-assessed, not control-compliant (outcomes over inputs), and build intelligence and instrumentation.

With data, not networks or infrastructure, as the unit of surveillance and action, an adaptable approach to data security is possible. Not another shield for every arrow, but a comprehensive fortress of information control and risk management -- a unifying framework that can best be described as Enterprise Information Protection (EIP).

EIP unifies data-leak prevention, network access control, encryption policy and enforcement, audit and forensics, and all the other wayward data protection technologies from their present state of functional silos into an extensible platform supported by policy and operational practices.


Dan's conclusion seems too short, which is probably the result of the constraints imposed by writing for NetworkWorld. I don't think an enterprise that adopts his approach will beat APT. Stopping this threat requires direct and indirect pressure in a threat-centric approach, not a vulnerability-centric approach.

1 comment:

Keydet89 said...

...you have to be your own intelligence agency...

And who's really gonna do that? I mean...really?

As a responder, most (if not all) of the organizations I have responded to have been victims simply because they had power, computers, and people, and weren't really all that concerned with protecting data.

You're talking about taking steps that go beyond just having a defensive posture when most organizations aren't even doing that. Yes, as you say, those organizations that are doing that are still behind the power curve...but most aren't.

Instrumenting your data and becoming your own intel agency are further along the continuum than simply taking a defensive posture and attempting to protect your data. Most organizations aren't even doing that. Some are struggling with what to do about compliance regulations...others are simply ignoring them, banking on the cost of fines over the cost of paying for a breach of some kind.

Even if you don't think the advanced persistent threat is all that advanced, realize that if this is so, it is only because it doesn't have to be when your defenses don't require it to be.

Exactly! How sophisticated to you have to be when the remote access password is "password"? How 'l33t do you have to be when someone knows about a SQL injection hole and leaves it open?