My Security Strategy: The "Third Way"

Over the last two weeks I listened to and watched all of the hearings related to the OPM breach. During the exchanges between the witnesses and legislators, I noticed several themes. One presented the situation facing OPM (and other Federal agencies) as confronting the following choice:

You can either 1) "secure your network," which is very difficult and going to "take years," due to "years of insufficient investment," or 2) suffer intrusions and breaches, which is what happened to OPM.

This struck me as an odd dichotomy. The reasoning appeared to be that because OPM did not make "sufficient investment" in security, a breach was the result.

In other words, if OPM had "sufficiently invested" in security, they would not have suffered a breach.

I do not see the situation in this way, for two main reasons.

First, there is a difference between an "intrusion" and a "breach." An intrusion is unauthorized access to a computing resource. A breach is the theft, alteration, or destruction of that computing resource, following an intrusion.

It therefore follows that one can suffer an intrusion, but not suffer a breach.

One can avoid a breach following an intrusion if the security team can stop the adversary before he accomplishes his mission.

Second, there is no point at which any network is "secure," i.e., intrusion-proof. It is more likely one could operate a breach-proof network, but that is not completely attainable, either.

Still, the most effective strategy is a combination of preventing as many intrusions as possible, complemented by an aggressive detection and response operation that improves the chances of avoiding a breach, or at least minimizes the impact of a breach.

This is why I call "detection and response" the "third way" strategy. The first way, "secure your network" by making it "intrusion-proof," is not possible. The second way, suffer intrusions and breaches, is not acceptable. Therefore, organizations should implement a third way strategy that stops as many intrusions as possible, but detects and responds to those intrusions that do occur, prior to their progression to breach status.

Comments

Sylvain Gil said…
I'm not sure the hearings had an audience that would have been receptive to the prevention vs. detection and response debate. "secure your network" is generic enough to include both types of solutions, as well as the relevant personnel.

In any case the part that has me cringing is the consolidation of intelligence agencies' records into an infrastructure that clearly was not designed or funded to keep them safe. There was apparently some push back against this initiative, someone just made the wrong decision.
3:45 PM
Ryan G. said…
I want to print this out and leave a copy on my CISO's desk.
11:48 AM
Perullo said…
I enjoyed your talk on Tuesday and read this blog entry while following up on some notes. You assert definitions for intrusion and breach here. Are those based on some external standard, just asserted for the sake of the article, or are you trying to sneakily fool us all into accepting them moving forward? If it is the latter, I am totally on board and will sign up right away. We could use some definitions of many of the terms we float around so loosely. "Breach" has been especially abused in British English where it is attached to the most insignificant event. "Yes I wanted to follow up about the spellcheck breach". I like your definitions and will happily sign up, but I just wanted to confirm they are yours.
If successful, I'll try your approach to creating a definition for "cyber" next.
1:59 PM
Richard Bejtlich said…
Thanks for your comment. I haven't checked my breach - intrusion definitions against anything already out there, yet.
10:36 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more