Security is Dead — Long Live Resilience.
Security is a farce because “security” is neither the objective nor a value in itself. And in any case, it’s not a game you can “win.”
Any non-trivial organization has unknowns: unknown assets, unknown weaknesses, unknown adversaries, unknown changes. Beyond that, mistakes happen, and sometimes exploits happen long before patches. That’s life. Compromise is inevitable. So if you define any compromise as “losing,” then you’ve doomed yourself to loss by definition, you’re a bad defender, and you should find a different line of work.
The harsh reality is that s*%t happens, and sometimes the bad guy “wins.” That’s to be expected. But not-so-secretly, your compliance program has known this for a long time (that there will always be risk), which is why you don’t lose your accreditation when someone hacks you. Instead, you lose it because a pattern of mistakes or a mismanaged response leads to a readily preventable breach.
But when the hacks and breaches keep coming, and you know that you’ve got unknowns, it can feel overwhelmingly difficult to be optimistic about your security prognosis.
As a person responsible for a security program who also spent a career breaking into things, how do I ever sleep? Honestly, I usually sleep pretty well because I know that I’m not *secure*, but I think the things I care about are *resilient*.
Daniel Miessler once wrote that software is insecure because the benefits of keeping it so outweigh the costs. His statements have caused a stir, but I actually think he doesn’t go far enough. Systems, companies, and organizations are insecure because the benefits outweigh the costs. In fact, this is obvious when you think about it: shoplifting at grocery stores could be wildly reduced if we frisked everyone going in and out, but we let people in and out of the wide-open front door without molestation because it’s ultimately a better experience, and better for business. The benefit of running a business with some “insecurity” (i.e., shoplifting/theft) clearly outweighs the costs.
To extend this line of thinking, the grocery store isn’t “secure” in the binary sense that cyber-practitioners commonly apply: there are dozens of “obvious weaknesses.” But generally speaking, the grocery store is remarkably resilient. No doubt, shoplifting occurs regularly. But between a little pinch of loss-prevention and a skosh of moving costly merchandise away from the doors and to visible spots, losses are kept manageable and the business can keep booming.
Let’s be resiliency practitioners, not security practitioners
So why do so many CISOs and SOC analysts repeat the refrain that they have to win everywhere, all the time, to be secure? I’ve seldom encountered a business, or a business unit within one, that got *everything* it ever wanted or succeeded in 100% of its objectives. Everyone is always making tradeoffs and always deciding what to keep and what to give up. Loss, risk, and insecurity are part of everyday life, so why should “cyber” be somehow special?
The answer is obvious: Cyber isn’t special. We’re not fundamentally different, better or superior. We’re people with a job, trying to do our part to help our institutions endure. We shouldn’t even *be* cybersecurity practitioners; we should be cyber resiliency practitioners.
I gave a talk recently, and as an offhand remark, I opined that cyber isn’t a zero-sum game. I claimed that an adversary could derive value from me without causing me meaningful harm. And I went further to say that there are certainly tradeoffs that I’d make because I try to focus on the stuff that really matters most, even at the potential cost of less important things. In the specific example, I said that if someone hacks my marketing website and runs a crypto-miner, I don’t really care, whereas if someone is in my production database, that’s a five-alarm fire. Popping my database is meaningful harm, whereas someone making some bucks behind the scenes on a standalone website is hard for me to get too worked up about.
“Well, *I* care that someone is crypto-mining on my website, and I’d run that down immediately,” remarked an audience member.
While I’m certain they’d agree that the production database was *more* important, the remark stuck with me. It’s representative of a problem I’ve seen for a long time in cybersecurity: the belief that any insecurity is a critical issue. We cyber folk love to fight fires. We love to design and build and execute perfect security. But this behavior drives insanity, because we know that every issue isn’t equal, and we know that everything is at least a little bit insecure. Yet we proclaim defeat if we’re hacked anywhere and view the system as failed if it has weaknesses.
Being okay with secure enough
I think this boils down to a problem of language. The idea of a state of being free from danger or threat sure sounds nice, but it makes us think in binary terms: I’m secure, or I’m not. And language is exactly why I love the idea of resiliency: a system can have weaknesses but still have the capacity to recover quickly from difficulties. I’ve spent a lot of time yammering about “secure enough,” but we’ve never quite escaped the pull of “I’m either secure, or I’m not.”
When I think about “cybersecurity,” I think about resiliency. I think about how hard a hit we can take and still recover. I accept that compromise is inevitable, and I accept that I can’t and won’t know everything. I accept that there’s always more work to do than can be done. That all sounds scary, but it really reduces to blocking-and-tackling responses. I try hard to keep my most valuable resources behind layered defenses — so that it takes multiple individual failures to really do damage. I try my damnedest to prioritize smartly in making our investments, which means extra focus on valuable stuff, and knowing where we can afford to let it go if needed. I put a lot of monitoring around that extra valuable stuff, so I’m alerted if anything is amiss.
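The three moves in that paragraph (tier assets by value, expect damage to require several layered defenses to fail, and put the loudest monitoring on the most valuable assets) can be made concrete as an alert triage rule. The following is an added illustration written for this article, not the author’s code or any product’s logic; the asset inventory, the alerts, the tier weights, and the rule that each still-intact defensive layer halves an alert’s urgency are all constructed assumptions chosen to reproduce the marketing-site-versus-production-database contrast from the talk.

```python
"""Asset-tier-aware alert triage (added example, constructed data).

Scores an alert by (a) how valuable the affected asset is and (b) how many
of the layered defenses in front of it the alert shows to have been bypassed.
A crypto-miner on an expendable web host lands in the backlog; evidence that
most layers around the production database have failed is a five-alarm fire.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    tier: int          # 1 = crown jewel, 2 = important, 3 = expendable (assumed scale)
    layers: tuple      # defensive layers that must all fail before real damage occurs


@dataclass(frozen=True)
class Alert:
    asset: str
    signal: str
    layers_failed: tuple   # layers this alert evidences as bypassed


# Constructed inventory: which layers sit in front of each asset (assumption).
INVENTORY = {
    "prod-db": Asset("prod-db", 1, ("network-segmentation", "db-auth", "query-allowlist")),
    "www-marketing": Asset("www-marketing", 3, ("waf",)),
}

# Constructed weights: how much a full compromise of each tier matters (assumption).
TIER_WEIGHT = {1: 100, 2: 30, 3: 5}

# Constructed sample alerts, as a detection pipeline might emit them.
ALERTS = [
    Alert("www-marketing", "crypto-miner process observed on web host", ("waf",)),
    Alert("prod-db", "segment ACL bypassed; db-auth accepted unexpected principal",
          ("network-segmentation", "db-auth")),
    Alert("prod-db", "scanner reached db host from user VLAN", ("network-segmentation",)),
]


def score(alert, inventory):
    """Urgency = tier weight, halved once per defensive layer still intact (assumed rule)."""
    asset = inventory[alert.asset]
    intact = len(asset.layers) - len(set(alert.layers_failed) & set(asset.layers))
    return TIER_WEIGHT[asset.tier] / (2 ** intact)


def triage(alerts, inventory):
    """Return alerts ordered most-urgent first."""
    return sorted(alerts, key=lambda a: score(a, inventory), reverse=True)


def response_for(alert, inventory, fire_threshold=50, investigate_threshold=10):
    """Map a score onto a response lane (thresholds are constructed assumptions)."""
    s = score(alert, inventory)
    if s >= fire_threshold:
        return "five-alarm fire"
    if s >= investigate_threshold:
        return "investigate this shift"
    return "backlog"


if __name__ == "__main__":
    for a in triage(ALERTS, INVENTORY):
        print(f"{score(a, INVENTORY):6.1f}  {response_for(a, INVENTORY):22s}  {a.asset}: {a.signal}")
```

The point of the halving rule is that an alert on the crown jewel is not automatically a fire: a scanner merely reaching the database host, with authentication and the query allowlist still standing, ranks as something to investigate, while the same asset with two of three layers gone ranks above everything else. The expendable web host, even fully compromised, never climbs out of the backlog lane, which is exactly the tradeoff the talk described.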
You may be thinking this sounds a bit too simplistic — just know where all your valuable stuff is and put the most defenses around those areas? At any scale, but especially a large scale, it’s important to remember that this game isn’t all-or-nothing. Managing some of your important assets well is infinitely better than managing none of them well.