POSTED: March 26, 2021
Article originally published in the ISSA Journal (March 2021 issue).
Information security practitioners have much to learn from the mature sciences of physical security and fire protection.
Whether it’s defense against a fire or defense against a physical attacker, these mature defensive systems are all built to (1) detect unwanted/hostile activity quickly and reliably; (2) alert the cavalry; and (3) maintain some level of defensibility until the cavalry arrives. We’ve all seen the depressing statistics: IBM, Verizon, and CrowdStrike all report that we grant an adversary days, weeks, or months to operate within our networks before detection. The “dwell time” is decreasing (due in part to the increase of self-detecting events like ransomware) but remains entirely too high and too unpredictable to create a reliable defense.
No Defense is Impervious
Walk into your favorite big-box hardware store and you’ll see that physical safes describe their defensive capabilities in terms of a specific hazard and a time frame. “Waterproof for 24 hours in 8 inches of water” and “Fireproof for 1 hour at 1700°F.” The unsaid epilogue is “you have 1 hour for the fire department to get there and put out the fire or all bets are off!” What “proof” actually means is also carefully described; if you’re storing gold, the internal temperature of the safe during the aforementioned 1700°F isn’t much of a concern; however, specialized physical safes are required for temperature-sensitive items like electronics and celluloid film. The beautiful city of Chicago where I reside has a particular sensitivity to fire and as such has highly developed fire building codes particularly for our large downtown buildings. Like physical safes, Chicago fire building codes are described in terms of time (distance to the nearest fire station with appropriate equipment) and the structure’s defensibility in the meantime. A large residential building next door to the fire station has fewer defensibility requirements (sprinklers, protected stairwells, two-way communication systems, etc.) than the same building 10 miles from the nearest fire station. As the cavalry may be a few minutes away, the building (and the occupants) must be more defensible in the meantime.
Understand the Adversary
Defending against chemical reactions is one thing, but what about defending against human actors? The General Services Administration (GSA) is the US government agency that manages the requirements for containers that store classified material. A “GSA Class 5 Container” is defined to provide protection for 30 person-minutes against covert entry, 20 person-hours against surreptitious entry, and 10 person-minutes against forced entry.
Reliable, Scientific Detection
Fire and physical protection are mature sciences that have evolved over hundreds of years. Information security is in its infancy. In IT environments, most “detections” rely in some part on luck: the right person picked up the right log at the right time and had the right instinct. The vast majority of IT security events are detected by some externality: a partner, a heads-up from law enforcement, or sadly, a ransom note.
Testing and Validation
One advantage of specific security requirements is that they can be tested. Throw the safe in a 1700°F oven and take out your stopwatch. Use an offensive “red team” test to verify the resistance to surreptitious entry of your GSA Container. Time how long it takes for the fire department to get to the building. These validation tests reveal an evolving threat landscape, resistance to the latest attacker tools and techniques, and even whether assumptions about response time (a change in road traffic patterns for example) are still valid. We must also test and validate IT detection and response capabilities through red team exercises. Take out your stopwatch and measure detection and response timelines. Are they compatible with the firm’s risk posture and the current threat environment?
Evolution of IT Risk Management
Like fire and physical security, IT Risk Management must evolve to a detect, defend, and respond mindset. The purpose of your defenses (controls together with detection and response capability) is to reliably detect unwanted events, alert the cavalry to take appropriate defensive actions, and buy time through defensibility measures to limit the damage until the cavalry arrives!
Protect your business against an evolving threat landscape and become a smarter cyber risk-taker.