Tuesday, June 30, 2015

My Security Strategy: The "Third Way"

Over the last two weeks I listened to and watched all of the hearings related to the OPM breach. During the exchanges between the witnesses and legislators, I noticed several themes. One presented the situation facing OPM (and other Federal agencies) as confronting the following choice:

You can either 1) "secure your network," which is very difficult and going to "take years," due to "years of insufficient investment," or 2) suffer intrusions and breaches, which is what happened to OPM.

This struck me as an odd dichotomy. The reasoning appeared to be that because OPM did not make "sufficient investment" in security, a breach was the result.

In other words, if OPM had "sufficiently invested" in security, they would not have suffered a breach.

I do not see the situation in this way, for two main reasons.

First, there is a difference between an "intrusion" and a "breach." An intrusion is unauthorized access to a computing resource. A breach is the theft, alteration, or destruction of that computing resource, following an intrusion.

It therefore follows that one can suffer an intrusion, but not suffer a breach.

One can avoid a breach following an intrusion if the security team can stop the adversary before he accomplishes his mission.

Second, there is no point at which any network is "secure," i.e., intrusion-proof. It is more likely one could operate a breach-proof network, but that is not completely attainable, either.

Still, the most effective strategy is a combination of preventing as many intrusions as possible, complemented by an aggressive detection and response operation that improves the chances of avoiding a breach, or at least minimizes the impact of a breach.

This is why I call "detection and response" the "third way" strategy. The first way, "secure your network" by making it "intrusion-proof," is not possible. The second way, suffer intrusions and breaches, is not acceptable. Therefore, organizations should implement a third way strategy that stops as many intrusions as possible, but detects and responds to those intrusions that do occur, prior to their progression to breach status.


Sylvain Gil said...

I'm not sure the hearings had an audience that would have been receptive to the prevention vs. detection and response debate. "secure your network" is generic enough to include both types of solutions, as well as the relevant personnel.

In any case, the part that has me cringing is the consolidation of intelligence agencies' records into an infrastructure that clearly was not designed or funded to keep them safe. There was apparently some pushback against this initiative; someone just made the wrong decision.

Austin Bharadwaja said...

I agree with this approach to network security. We should not only focus on preventing intrusions, but identifying them as well so that we may avoid the "breaches".

Ryan G. said...

I want to print this out and leave a copy on my CISO's desk.

Perullo said...

I enjoyed your talk on Tuesday and read this blog entry while following up on some notes. You assert definitions for intrusion and breach here. Are those based on some external standard, just asserted for the sake of the article, or are you trying to sneakily fool us all into accepting them moving forward? If it is the latter, I am totally on board and will sign up right away. We could use some definitions of many of the terms we float around so loosely. "Breach" has been especially abused in British English where it is attached to the most insignificant event. "Yes I wanted to follow up about the spellcheck breach". I like your definitions and will happily sign up, but I just wanted to confirm they are yours.
If successful, I'll try your approach to creating a definition for "cyber" next.

Richard Bejtlich said...

Thanks for your comment. I haven't checked my breach/intrusion definitions against anything already out there, yet.