The (Dis)Illusion of Control

[Editor's note: This post from Michael Tanji of Kyrus-Tech first appeared at the highly respected national security blog Haft of the Spear. Follow Tanji online at  -bg]

Conventional wisdom is telling us that “assumption of breach” is the new normal. Some well-respected names in computer security would have you believe that the appropriate response to such conditions is to increase the cost to the attackers. If you’re too expensive to breach – so the logic goes – the bad guys will go looking for someone else. Maybe someday, when everyone makes hacking too expensive, it will stop.

Maybe I will play power forward for the Celtics.

There are two major problems with “drive up attacker cost” logic. The first is that you have almost no control over how expensive it is to hack your organization. You have no meaningful, granular control over:

  • The hardware you use
  • The operating system you use
  • The applications you use
  • The protocols used by all of the above
  • …and the communications infrastructure all of the above uses to exchange bytes with customers, vendors, etc.

Any one of the aforementioned items, or more than one of them interacting with each other, is rife with vulnerabilities that will be exploited for fun and profit. For those who are in it for the profit, this is their job. They are good at it to the tune of billions of dollars a year worldwide.

The second problem is that “driving up attacker cost” is a misnomer. What advocates of this particular approach are really saying is: “spend more money” on the same things that failed to keep you secure in the first place.

2012 is not the year corporate (or governmental) enterprises wake up and start to take security seriously. Most corporate victims of cyber crime recently surveyed couldn’t be bothered to do simple things that would have prevented an attack (even more this year than last year). Are they suddenly going to go from willful ignorance to becoming highly astute about cyber threats, now that we’re going to stop pretending there is anyone out there who isn’t or hasn’t been owned? More likely such thinking will have the opposite effect: why fight when I can punt?

Neither are enterprises going to change the way they do business, or otherwise introduce new complexities for the sake of improving security. There is a reason why so many businesses keep feeding and sheltering a cash cow, even when it’s becoming increasingly clear that milk production is dropping rapidly: security is an expense that does not directly translate into profitability.

There is only one thing you do control, and that is how quickly and effectively you respond to breaches of security. If you’re going to spend time and money on security, stop spending it on things that don’t work (well) and start focusing on things that could actually make a difference:

  • Improve your awareness of what happens on your hosts: that’s where the bad stuff happens.
  • Improve your ability to capture the minimum-meaningful network traffic: for every additional needle full-packet capture provides, it also supplies a thousand pieces of hay.
  • Reduce your attack surface by exposing as little of yourself to external "research" as possible: they can’t eat your fruit if you’ve trimmed all the low-hanging branches.
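To put the "minimum-meaningful network traffic" point in concrete terms, here is an added example (not part of the original post) that collapses individual packets into per-flow summaries and then picks out the flows an analyst should actually look at. The packet records and addresses are constructed for illustration; the "known ports" list is an assumed site policy, not a real-world baseline.

```python
from collections import defaultdict

KNOWN_PORTS = (80, 443, 53)  # assumed: ports this site expects to see outbound


def build_sample():
    """Constructed packets: (timestamp, src, dst, dst_port, proto, bytes)."""
    pkts = []
    # Hay: three workstations fetching pages from two web hosts over HTTPS.
    for i in range(600):
        src = f"10.0.0.{5 + i % 3}"
        dst = "198.51.100.10" if i % 2 else "198.51.100.20"
        pkts.append((i, src, dst, 443, "tcp", 1000 + (i % 7) * 100))
    # Needle: one host talking to an outside address on a port nothing else uses.
    for i in range(3):
        pkts.append((100 + i * 200, "10.0.0.6", "203.0.113.77", 4444, "tcp", 300))
    return pkts


def summarize_flows(packets):
    """Collapse packets into flow records keyed by (src, dst, dst_port, proto).

    Each record keeps only what response needs: packet/byte counts and the
    first/last time the flow was seen. The payloads are not retained.
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, src, dst, port, proto, nbytes in packets:
        rec = flows[(src, dst, port, proto)]
        rec["packets"] += 1
        rec["bytes"] += nbytes
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(flows)


def flag_suspicious(flows, known_ports=KNOWN_PORTS):
    """Return the flow keys worth an analyst's time: unexpected destination ports."""
    return sorted(key for key in flows if key[2] not in known_ports)


def reduction(packets, flows):
    """How many raw records were replaced by how many flow records."""
    return len(packets), len(flows)


if __name__ == "__main__":
    sample = build_sample()
    flows = summarize_flows(sample)
    print("records kept:", reduction(sample, flows))     # 603 packets -> 7 flows
    for key in flag_suspicious(flows):
        print("review:", key, flows[key])
```

The hay shrinks from hundreds of packets to a handful of flow records, and the single odd-port conversation is still there to be found.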

The goal here is not to make it expensive to get hacked, it’s to make it so cheap to respond that you don’t particularly care if you get hacked. That’s basically the position most businesses have today, so why not align your approach to security accordingly?