Football and Security: Defense is Not a Strategy
(Note: I grew up in a European colonized country. Football to me is European football, soccer to most Americans. I love American football too, but Europeans were calling it football long before we were.)
You would never man a football team with just a goaltender and backs. But in security that’s exactly what we do: deploy defensive technology such as firewalls, IPSes, and endpoint security. As the bad guys attack us, the best we can hope for is a draw.
Football and information security differ in offensive tactics. Our opponents’ (the bad guys) objectives, whether stealing intellectual property, conducting cyber espionage or cyber war, destroying manufacturing capability by controlling our SCADA systems, or just vandalizing our data, starts with invading our side of the field; whereas, our goal as information security professionals is simply to conduct business on our own side of the field.
Or perhaps a more apt metaphor is that our game of football is conducted on a field occupied by our business and our competitors, and the threats are from the stands. Whereas in real life football, we endure the taunts and jeers of the crowd, and occasionally an overzealous fan racing through the field naked, we’re being attacked with gunfire and bombs in the cyber arena.
Ethically we can’t fire back: that’s the job of law enforcement. But we can’t turn turtle either. Our best strategy is to identify the bad guys as they enter the stadium, or arrest them in their flats.
In fact, Scotland Yard did just that with the 24 men who had planned to take down a number of airplanes with liquid explosives. Through old fashioned intelligence gathering, they correlated suspicious purchases to a potential terrorist plot and stopped the men before they even got to the airport.
When it comes to information security, it’s unlikely that any of us has the resources or jurisdiction to conduct covert operations on the open internet. However, every one of our information infrastructures contains a wealth of data that, if mined and analyzed, equates to information security intelligence. The defense-in-depth technology we invested in years ago, and even operational technology that may not be employed in a security context—web, email, and database services, operating system audit logs, switches, and even printers—shed light into all corners of our information infrastructure and paint a complete security intelligence picture. There’s an opportunity to take advantage of our technology infrastructure toward an offensive end.
One benefit of an offensive play is gaining an advantage through early detection. If we can catch an exploit in the discovery and footprinting phase, we can defend ourselves from the imminent compromise. Or we can detect anomalous user behavior that precedes data theft. But that’s only part of the benefit. Security intelligence also provides advance context about our own environments—what are the assets and are they vulnerable? how is my infrastructure segmented and defended? what kind of information normally flows across my network?—and is critical in prioritizing defense and response efforts, as well as determining the potential consequences of attacks and the impact of a compromise.
For the more civic-minded, there are forums to share information between organizations and gain a wider view of the threat landscape, going beyond the borders of our individual perimeters. Those organizations include ISSA, ISACA, and InfraGard. Joining and sharing gets closer to changing the game and creating an offensive strategy.
We cannot continue to do what we’re currently doing: if the entire game is played on our side of the field, the opposition will quickly discover the weaknesses in our defenses and exploit them. Our strategy needs to shift to repelling attackers before they rush our goal en-masse.