A question I am asked most every day now is, “Will [insert tool, process, or person here] stop the next SolarWinds?” We all know the answer to that question: It’s truly nothing new — that tool, or process, or headcount may help reduce risk, but you can never confidently say you are 100% protected from the next breach.
That said, this constant question has helped me dig deeper into how to best communicate what it means to build a security program with a post-breach mindset.
One of the most valuable lessons I learned in college was in a class that wasn’t at all related to computer engineering. It was in a “history of war” class, where I learned about attrition warfare. Attrition warfare is a military strategy in which one side constantly grinds away at its enemy to the point of collapse and defeat; World War I is a well-known example of attrition warfare.
Directly mirroring this, cyberattackers (and especially cybercriminals) use attrition warfare to constantly chip away at defenses and individuals through automation and the sheer number of attacks they can collectively execute until one finally breaks through and causes a breach. On the other side of this, defenders are often manually investigating and responding to the threats that get past prevention, putting them at a disadvantage as they struggle with a constant horde of threats.
To quote US Marine Captain G. I. Wilson on attrition warfare, “The victory goes to the side that has the resilience to replace and repair its losses, or do without. It goes to the side that can use the enemy’s equipment against him and that knows where to strike to destroy the enemy’s will.”
When it comes to attrition warfare in cybersecurity, the attackers are winning right now because we do not have the resilience to go without our poor burnt-out analysts and CISOs — and because attackers are able to use our equipment against us to make this problem worse. We need to change this, and a core part of that is, you guessed it, resilience — the theme of this year’s RSA Conference.
In Developing Cyber Resilient Systems: A Systems Security Engineering Approach, the National Institute of Standards and Technology (NIST) defines cyber resiliency as, “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
This framing is core to how I think about and research security operations. Security analysts are consistently overwhelmed, stressed, and understaffed, leaving the majority pretty much unable to anticipate, recover from, or adapt to new attacks (without reaching burnout, which is common). To build resilience into this process, we need to continue to address the preparation, detection and analysis, containment, eradication, and recovery phases of the incident response lifecycle (which we place a premium on) but also place more emphasis on the actionable steps we can take as part of post-incident activity (which often is overlooked). This is about not only learning what we can do better but also incorporating and executing on opportunities (MITRE Shield) and resilience recommendations in line with the rest of the incident response lifecycle.
There are a few talks at this year’s RSA Conference that relate to resilience — especially future resilience — that I highly recommend every practitioner watch. These include:
- Cybersecurity As A National Imperative — Anne Neuberger
- AI-Powered! Or Is It Just Hype? — Anne Townsend, Dr. Michael Hadjimichael
- Building Trust In Supply Chains — Asahiko Yamada, Shingo Hane
- Cloud Threat Modeling — From Architecture Design To Application Development — Jon-Michael C. Brook, Randall Brooks
- Cybersecurity For Future Extreme Computing — Dr. Anne Fitzpatrick
- Hot Topics In Cybersecurity Law 2021 — Michael Aisenberg, Stephen Wu, Lucy Thomson, Catherine Barrett
And a fun one: UAV Security Research Series — Episode 5, MAVLink Security — Matthew Gaffney
I’ll be writing more about this topic in the coming months, but hopefully this served as a helpful primer on how security operations teams should be thinking about that fourth step of the incident response lifecycle.
Oh, and if you are looking for some great talks to watch (or rewatch!) post-RSAC, check out a few that my colleagues and I gave this year:
- Adapt To The New, Unstable Normal: How To Secure The Roaring Twenties — Laura Koetzle
- End The Battle Between Security And Productivity — Andrew Hewitt, David Holmes
- A “Great Equalizer,” Until It Isn’t: Regional Security In A Global Pandemic — Allie Mellen, Kerissa Varma
- Culture Matters — Put People At The Heart Of Security — Jinan Budge
And two that are not available on demand, so hopefully you caught them the day of:
- SolarWinds: What Really Happened? — Laura Koetzle
- Privacy Metrics: Measuring Privacy Programs — Enza Iannopollo, Naomi Lefkovitz, Robert Waitman, Anna Zeiter, Dave Cohen
As I talked about in my video for RSAC on what resilience means to me, this past year has been incredibly challenging for all of us. We’ve had to show resilience not just in one moment, or two, or even three … but constantly. Let’s incorporate these lessons of resilience — adaptability in the face of adversity, dynamism, and strength — into our security strategies moving forward. Drop me a note via email, Twitter, or LinkedIn if you have any thoughts or questions on this.