In a recent conversation with a colleague responsible for national cyber defense, the question of how to get the best equipment and tools into the hands of his investigators and security personnel came up and led to a fascinating conversation. Most of what we do in our industry is identify an ideal reference architecture and then look for the best-of-breed products (or services) to fill every slot. This isn’t what we’d do with a war fighter in the old kinetic theatre, because the speed, performance and behavior of the whole person matter more than the point equipment in isolation. You wouldn’t start with a soldier and give them “the best” machine gun (at 40 lbs), helmet (at 5 lbs), boots (at 5 lbs), explosives (at 10 lbs), armor (at 40 lbs) and so on. Weighing in at over 200 lbs of equipment, all-in, you would in fact have made them slower and less effective as a war fighter, and they would be more of a target than anything else!
And yet that’s what we do in security. As another colleague of mine put it, “we are in a replacement industry,” by which he meant the best mouse trap will get adopted and deployed if it can prove its superiority in a particular situation. The problem of actually reducing the likelihood of an incident and stopping enemies has become so bad that security departments have a lot of trial gear sitting around that has been converted to production, and a stack of tools and techniques, but the actual end user is far less effective than they could be if we instead built from the ground up and sought speed and leverage from each tool and practice. Is all that kit really used, or even usable, if people spend 90+% of their time in Wireshark?
In the case of my theoretical war fighter, every addition of a new system, no matter how amazing it might be in a given mission scenario (like heavy support or demolition), needs to be balanced to make the person wearing it most effective. And the same holds true for all things cyber.
Today, Arbor is announcing Arbor Networks Spectrum: a network-based platform that is designed from the ground up to make investigators and security personnel faster and more effective. It is a force multiplier for getting ahead of the bad guys. As a CISO, I get tired of hearing “breaches are inevitable” and “there’s those that have been breached and those that don’t know it.” I’ve said it before, and I’ll say it again: infrastructure breach is inevitable because the opponents have asymmetry to their advantage. They can pick the time, place and tool that suits them best to get into the environment. However, information breach is evitable. It can be avoided because at that moment the defender enjoys the advantage of asymmetry, provided they can effectively find and respond to incidents before the clock runs out. I am dedicated, and we are dedicated at Arbor, to making that true for all. We believe that it’s our responsibility to enable security departments to win these fights.
Hollywood has done us a tremendous disservice by showing hackers as people (usually with an exotic accent) who sit at the keyboard while talking excitedly and then pound the enter key and say “done.” That’s not what this is about. It takes time to infiltrate, expand and own an environment. It’s a cat-and-mouse game that can be won with the right tools applied in the right places and equipping the right people to take advantage of the asymmetry that defenders can and should enjoy.
Our modern world is all about context: facts are cheap and are actually overwhelming. You see it in the news all the time: facts wash over us. What we are starved for is context. We don’t want to know the fact that a plane has had an accident, or that a particular nation has cut diplomatic relations with another, or that new technology is available. We crave what these things mean and to whom.
The problem with SIEM systems is that the event is the atomic unit at the center of everything. It’s largely an academic exercise with theoretical measures of criticality. Each event is understood only in isolation. It’s ingested as rapidly as possible, and the long haul to tie it to other events is painful and grueling to reconstruct. Context is elusive in a SIEM world, and asking a question of a SIEM system is non-trivial. That makes finding attack campaigns hard. Even with end-point instrumentation, the notion of context stretches only as far as a given host being instrumented.
This leads us to the network.
The network is the place to instrument for enterprise-wide context. It is queryable, flexible and available for security folk to ask questions without having to think about how to ask them. In other words, done right, it lets investigators work at the speed of thought without hindrance. At the end of the day, we have to put people in a position to enjoy asymmetry if we’re going to start beating attackers on our networks.
I’ll draw on another analogy to wrap up here: the Battle of Britain. I realize this is an oversimplification of so complex a conflict, but a colleague of mine at Arbor (Jerry Skurla) made this parallel two weeks ago, and I think it’s a good one. In the summer and autumn of 1940, a fierce battle raged over England for control of the skies. The Brits brought three things to bear for effect. First, they fully leveraged radar for unmatched visibility. Operational and tactical linking of radar with air command was essential for picking and choosing fights. Second, the new Spitfire airplane was an amazing platform, able to put a stunning amount of metal on target in a short period of time thanks to eight forward-firing machine guns (which required a whole different wing design). Finally, the pilots themselves were often young and relatively green. This combination of radar, platform and pilot, and a clear strategy of what to shoot at (the bombers, not the fighters protecting them), made the Battle of Britain a decisive victory against overwhelming odds and represented a turning point for Hitler. This was not a quick battle but a fight for survival and, as Churchill would later put it, “never in the field of human conflict was so much owed by so many to so few.”
I’d very much like to think that we are at a time when a combination of (1) the right global visibility and perspective (ATLAS and ASERT) with (2) the right tools (Arbor Spectrum) and (3) the right people could have an effect in the long, drawn-out fights we see in enterprise networks. It won’t come from burdening ourselves with a massive set of tools that are over-engineered and over-architected for all sorts of functions and features. It will come from placing the security incident responders at the center and equipping them with what they need to be most effective and to take advantage of the natural asymmetry that can exist when you can finally home in on the real threats, validate and prove them, and enable faster enterprise response…and then keep getting faster, better and more accurate.