Saturday, February 22, 2014

The Limits of Tool- and Tactics-Centric Thinking

Earlier today I read a post by Dave Aitel to his mailing list titled Drinking the Cool-aid. Because it includes a chart you should review, I included a screenshot of it in this blog, below. Basically Dave lists several gross categories of defensive digital security technology and tools, then lists what he perceives as deficiencies and benefits of each. Embedded in these pluses and minuses are several tactical elements as well. Please take a look at the original or my screenshot.

I had three reactions to this post.

First, I recognized that it's written by someone who is not responsible for defending any network of scale or significance. Network defense is more than tools and tactics. It's more often about people and processes. My initial response is unsatisfying and simplistic, however, even though I agree broadly with his critiques of anti-virus, firewalls, WAFs, and some traditional security technology.

Second, staying within the realm of tools and tactics, Dave is just wrong on several counts:
  • He emphasizes the role of encryption to defeat many defensive tools, but ignores that security and information technology architects regularly make deployment decisions to provide visibility in the presence of encryption.
  • He ignores or is ignorant of technology to defeat obfuscation and encryption used by intruders.
  • He says "archiving large amounts of traffic is insanely expensive and requires massive analytics to process," which is wrong on both counts. On a shoestring budget my team deployed hundreds of open source NSM sensors across my previous employer to capture data on gateways of up to multi-Gbps bandwidth. Had we used commercial packet capture platforms we would have needed a much bigger budget, but open source software like Security Onion has put NSM in everyone's hands, cheaply. Regarding "massive analytics," it's easier all the time to get what you need for solid log technology. You can even buy awesome commercial technology to get the job done in ways you never imagined.
I could make other arguments regarding tactics and tools, but you get the idea from the three I listed.

Third, and this is really my biggest issue with Dave's post, is that he demonstrates the all-too-common tendency for security professionals to constrain their thinking to the levels of tactics and tools. What do I mean? Consider this diagram from my O'Reilly Webinar on my newest book:

A strategic security program doesn't start with tools and tactics. Instead, it starts with one or more overall program goals. The strategy-minded CISO gets executive buy-in to those goals; this works at a level understood by technicians and non-technicians alike. Next the CISO develops strategies to implement those goals, organizes and runs campaigns and operations to support the strategies, helps his team use tactics to realize the campaigns and operations, and procures tools and technology to equip his team.

Here is an example of one strategic security approach to minimize loss due to intrusions, using a strategy of rapid detection, response, and containment, and NSM-inspired operations/campaigns, tactics, and tools.

Now I don't want to seem too harsh, because tool- and tactics-centric thinking is not just endemic to the digital security world. I read how it played out during the planning and execution of the air campaign during the first Gulf War.

I read the wonderful John Warden and the Renaissance of American Air Power and learned how the US Air Force at the time suffered the same problems. The Air Force was very tactics- and technology-focused. They cared about how to defeat other aircraft in aerial combat and sought to keep the Army happy by making close air support their main contribution to the "joint" fight. The Air Force managed to quickly deploy planes to Saudi Arabia but had little idea how to use those forces in a campaign, let alone to achieve strategic or policy goals. It took visionaries like John Warden and David Deptula to make the air campaign a reality, and forever change the nature of air warfare.

I was a cadet when this all happened and remember my instructors exhibiting the contemporary obsession with tactics and tech we've seen in the security world for decades. Only later in my Air Force career did I see the strategic viewpoint gain acceptance.

Expect to hear more from me about the need for strategic thinking in digital security. I intend to apply to a PhD program this spring and begin research in the fall. I want to apply strategic thinking to private sector digital defense, because that is where a lot of the action is and where the need is greatest.

For now, I talked about the need for strategy in my O'Reilly Webinar.


Joe Gatt @gattjoe said...

I do not think Dave was constraining his thinking to tools and tactics alone. I think the broader point of his post was to comment on the security community's tendency to purchase point solutions to solve all security problems without first considering their limitations. Additionally, I think he made this observation in the context of RSA, which is full of vendor$ trying to sell you their latest warez as a panacea.

dre said...

Agree with Joe Gatt (Hey Joe!) on the main point.

On the subtle points, NSM is back in style -- but for reasons that some of you may not yet be aware of. No, I'm not giving any hints other than to say that network capture assessments may prove to be a stronger technique than consistent sensor deployment.

For the other Cool-Aids, they basically amount to crap. Surprised that Aitel didn't mention what actual security looks like. Ya know, appsec assurance, security principles, security patterns, fraud detection, risk modeling, cyber insurance, yadda yadda. I won't bore you with the real-deal details because you're not even reading this comment anyways.

Brett Watson said...

Agree with Joe, I have followed Dave, and as well as Richard, for years, and I surely don't think Dave is ignoring strategy, but the focus of his post was certainly strategic, which is also important.

Brett Watson said...

Agree with Joe. I've followed both Dave and Richard for years, and respect them both. I don't think Dave is *ignoring* strategy, which is obviously as important as tactical, but rather just focused on that in that particular post.