At the beginning of WWI, battlefield tactics had not advanced much since the U.S. Civil War. The general goal was to continually advance on the enemy with waves of infantry attacks and eventually break through the lines by overwhelming enemy defenses.
It didn't take long until both sides realized that things had changed. With the invention of the water-cooled machine gun and the pillbox fortification, human waves were not only ineffective but also resulted in mass casualties. Both sides adapted to this new reality with trench warfare, long-range munitions, and a battlefield stalemate for much of the war.
There are countless examples like this in the history of warfare where technological advances forced tactical changes for both offense and defense. In theory, cybersecurity should behave in a similar way, where new threats lead to new defenses and tactics. Unfortunately, however, things don't always progress so quickly. Take Advanced Persistent Threats (APTs), for example. APTs have been in the mainstream since the Aurora attack was first exposed by Google in January 2010, but many organizations still haven't adapted their defenses or tactics accordingly. Why? Several reasons:
- Executives don't get it. CISOs who lobby executives for more money tend to be faced with a rather cynical question: Why do you need to invest in new security technologies when we've already invested millions? This is like a WWI general asking why the troops needed shovels to dig trenches when they were already trained to charge the enemy.
- Security staff wants a canned solution. In the past, each new type of threat (e.g., spam, spyware, DoS attacks) was addressed with a discrete threat management solution, but this no longer works. APTs exploit the gaps between security defenses with 0-day vulnerabilities, credential harvesting, dynamic DNS, and homegrown encryption algorithms and transport protocols. Rather than a one-size-fits-all APT solution, enterprises need defenses for each stage of an attack.
- If you can't see the enemy, you can't defeat the enemy. I'm sure Sun Tzu said something along these lines, and it is certainly true in cybersecurity. The situational awareness tools in use today typically capture and analyze only a fraction of the data needed. Many of these platforms also require custom coding and must be managed by highly skilled security analysts. As a result, security intelligence remains an exclusive and elitist club.
In WWI, the military adapted quickly for two main reasons. First, they faced a life-or-death situation, so there was a real sense of urgency. Second, armies are hierarchical organizations, so when generals mandate changes in training and tactics, everyone else falls into line.
Like the WWI weapons advances, we've reached a new era where our enemies are embracing new technologies and offensive tactics. We need to respond with appropriate changes in defenses, skills, and situational awareness.
Like it or not, we are engaged in a cybersecurity arms race, and our adversaries show no sign of fatigue. If your organization isn't willing to recognize this, understand the enemy, and adapt accordingly, you may as well disconnect from the Internet before an inevitable attack.
You can read Jon's other blog entries at Insecure About Security.