No More Sucking Chest Wounds

Reading Time: 10 minutes

Category: Opinion

Author: John Kindervag


In the classic InfoSec primer “Secrets and Lies,” the legendary Bruce Schneier describes the current state of security tooling by looking at the differences between Firewalls and Intrusion Detection Systems. Marcus Ranum describes a firewall as the helmet and the flak jacket you wear into battle, and an IDS as the medic who looks over your bleeding body saying: ‘That looks like a sucking chest wound. I’d get that checked if I were you.’ [1]

Sadly, we are stuck in this time warp. Although Schneier’s book was published in 2000, the world of cybersecurity continues to have a battlefield littered with sucking chest wounds that go untreated. We are too passive. Too afraid of action. Too intimidated to do the right thing for our organization. There are a ton of excuses for this:

Technology isn’t mature enough to proactively stop attacks

This is only true if you are using really old stuff. For the last decade, I’ve worked on dozens of Zero Trust Environments that demonstrably stopped bad things from happening.

During the last big ransomware spree, I would get, on the regular, screenshots from organizations showing how their Zero Trust policies stopped ransomware or other attacks before anything was damaged. Cybersecurity technology, in all of its myriad forms, is getting better on the daily. If you have last century’s network you will get last century’s results.

I’m afraid of false positives

Let’s translate this into cyber analyst speak. It really means that “I’m poorly incentivized to properly protect my organization. I’m so afraid of getting in trouble for stopping good traffic that I’ll let lots of bad things through.”

I hear this all the time. And it’s wrong.

False positives were a real problem at the turn of the century. One of my early reports at Forrester Research was called “If You Don’t Have IPS, You Deserve To Be Hacked.” [2] This report was about the massive advancement that exists between IDS technology and IPS technology.

We made a major error by conflating these two separate technologies into IDS/IPS. IDS is unidirectional, and IPS is bidirectional. IDS is stateless, and IPS is stateful. IDS is signature-based, and IPS (at least the best ones) is packet- and content-based. I never saw an IDS vendor successfully add a second interface to their box and function as a proper IPS.

I’ve installed both IDS and IPS technology. IDS was illusory. It made you THINK you were making some cybersecurity headway when you weren’t. IPS was revolutionary. It stopped bad stuff on the wire with very few false positives.

IPS became the foundational technology that became Next-Generation Firewalls. With IPS technology we learned to fight attackers at Layer 7. That’s where we are still fighting them and we always will be. It’s okay to stop the occasional good packet. Yeah, somebody’s boss might get huffy, but it’s a lot better than that person getting fired as a result of a data breach. See Target, OPM, Equifax, etc. for context.

Listen up, executives. Change the incentives for your security teams so they are EMPOWERED to stop attacks before they become successful. Your job depends on it!

Security might break my network

So, we have this thing called the “CIA Triangle.” I don’t know where it came from but it’s considered sacrosanct. The idea is that security is an equilateral triangle where the three “pillars” of security – Confidentiality, Integrity, and Availability – are perfectly balanced.

But in reality, all organizations really care about is Availability, Five Nines, and all that. Therefore, we’ve ended up with a right-angle triangle with Availability as the hypotenuse and the other two “pillars” taking a back seat.

The “C” now stands for “Compromise.” This means that we have a ton of highly available, yet compromised networks. In the end, security won’t break your network, attackers will.

The new CIA Triangle

Which needle is the important one

DR used to stand for Disaster Recovery. Sometime in the recent past, marketeers bought some vowels and consonants and put an E or N or X in front of it. This became EDR (noisy anti-virus), NDR (noisy network alerts), and XDR (double the noise for double the price).

Of course, the DR was meant to stand for Detection and Response. Detection I get, but Response, hmmm? Response is too noisy as it’s done now. “Here’s a really big stack of needles. See, we give you lots and lots and lots of needles. Aren’t we cool? We’re a hot vendor according to so and so.” Response in its current form can’t be operationalized. The E/N/X DR vendors expect YOU to grab all those needles and sort through them on your own.

Often, in the wake of a big data breach, you hear how the security team of the breached organization had all the alerts sent to them but they didn’t actually “Respond.” Of course, they didn’t because they couldn’t.

We don’t have enough people

The problem with “Response” is that there are two responses, and neither works. First, the <Variable>DR vendor responds with a cacophony of alerts and logs and then satisfyingly wipes its hands. “We’ve done our job.”

Then the second response is the organization’s security team, and it’s overwhelming. I once asked a CISO of a large organization about the value of all these logs and alerts. He said something like “It’s a bit like looking at the leaves at the bottom of a teacup and trying to tell my future. I know they are supposed to mean something, but I just can’t figure it out.”

He went on to say that at the end of the day all of this “Response” wasn’t very useful. I then asked him if he regretted buying the technology, given its obvious lack of efficacy. He replied, “Of course not, I’d buy it again because if I didn’t have it, I would not look like a mature organization.”

It is true that we don’t have enough good people. The lack of people resources is the biggest problem facing Cybersecurity. And the <Variable>DR trend assumes that you, the customer, have an unlimited number of trained individuals swirling little bits of tea at the bottom of an infinite line of porcelain cups looking to divine the future. I have often said that all cybersecurity analysts become colorblind – they are overwhelmed with so many red alerts that they all turn green on the screen.

Your Next Steps

So how do we move beyond the excuses so that we can focus on our Cybersecurity mission? Here are three suggestions that might help.

1. Work on designing a Zero Trust Environment for all of your sensitive data and assets

I’ve written extensively on this over the years of course, starting with the report that launched it all in 2010, “No More Chewy Centers: The Zero Trust Model Of Information Security.” [3] More recently, President Biden issued an Executive Order mandating that all Federal agencies “advance toward Zero Trust Architecture.” [4]

Then, last fall, I had the honor of serving on the NSTAC subcommittee for Zero Trust. The report that we wrote was a synthesis of ideas from agencies such as CISA, NIST, DISA, DoD, the NSA, and industry leaders, including myself. I consider the report we wrote to be the authoritative document on Zero Trust. [5]

Zero Trust isn’t hard, but it may require some rewiring of both your network and your thinking.

2. Upgrade to modern security technology

Too many folks have too much legacy and rather useless technology because they are psychologically locked into using legacy vendors who don’t offer the best technology. Don’t be a <insert vendor> shop, be a <insert name of your organization> shop. You don’t owe any vendor a living. They need to earn your business daily. The old saying “penny wise and pound foolish” plays well here.

For decades, we’ve underspent on cybersecurity because it was seen as a cost center, not a business enabler. Guess what? If your IT systems – cloud, on-premise, mobile, you name it – are down then you are losing money.

I have a theory, anecdotally validated by several lawyer friends, that every single data breach or significant cyber event could be mitigated for less than the cost of the initial legal fees.

I recently had a client who called up. They had just gotten a new CFO – a role that I used to call CFNO – and that individual was horrified by the lack of security spend, especially given their business sector and potential exposure.

3. Leverage managed services

Yes, Zero Trust can be confusing, but it’s not difficult at all for those of us with experience. I joined ON2IT in 2021 because I saw the lack of people resources as the biggest hurdle to overcoming pushback against Zero Trust adoption.

Yes, we take in <Variable>DR alerts, but we automate and operationalize them so that they are abstracted from our customers. We also create Zero Trust policies for the client technologies that we manage that are proactive and preventative by design.

In this way, we can begin to deliver Zero Trust as a Service. This is the next evolution of Zero Trust, it is the next step in my personal Zero Trust Journey, and it’s why I joined this amazing organization.

Times have changed

For the last two decades, organizations have been lying on the battlefield with sucking chest wounds while the security vendor industry calmly strode past saying “that’s a nasty wound, you’d better take a look at that.” But times have changed.

Our ability to prevent cyber-attacks from being successful has skyrocketed in those 20 years, but we’ve not yet widely adopted these new strategies, tools, and methodologies.

Let this be cybersecurity’s new mantra: “No More Sucking Chest Wounds!”


  1. Bruce Schneier, Secrets & Lies: Digital Security in a Networked World. John Wiley & Sons, Inc., 605 Third Ave., New York, NY, United States, August 2000. ISBN 978-0-471-25311-2, pages 194-195.
  2. If You Don’t Have IPS, You Deserve To Be Hacked – April 8th, 2009. https://www.forrester.com/report/if-you-don-t-have-ips-you-deserve-to-be-hacked/RES46812?ref_search=0_1654118987603
  3. No More Chewy Centers: The Zero Trust Model Of Information Security – March 23rd, 2016. https://www.forrester.com/report/no-more-chewy-centers-the-zero-trust-model-of-information-security/RES56682?ref_search=0_1654118987603 – The original report was published in September 2010. The current version is my last update in 2016.
  4. Executive Order on Improving the Nation’s Cybersecurity – May 12, 2021. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
  5. Draft Report to the President – Zero Trust and Trusted Identity Management. https://www.cisa.gov/sites/default/files/publications/Final%20Draft%20NSTAC%20Report%20to%20the%20President%20on%20Zero%20Trust%20and%20Trusted%20Identity%20Management.pdf
