Reaching into the history books to find just the right quote to encapsulate why the process of proactive security assessment makes far more sense than simply throwing up new IT defenses or creating additional choke points aimed at stopping individual classes of threats often leads me back to one of my favorite historical figures, and one often quoted in the many worlds of battle, including cybercrime, that being, the great Chinese warrior strategist Sun Tzu.
Everyone who has read the world famous “Art of War” likely has a quote or two from the tome that sticks in their head based on its relevance to their own personal philosophy, and for me the words that I most often return to are Tzu’s: “If you know the enemy and know yourself you need not fear the results of a hundred battles.”
Despite the fact that the great military strategist was actually speaking within the context of a world that could never imagine the technological tools at our fingertips today, to me that quote applies more accurately to the current state of IT security than do the musings and predictions of many CISOs and industry experts.
Simply put, Tzu is advocating for other leaders to understand their own vulnerabilities before being exploited by adversaries. Even though the world has seen countless battles fought since the time Tzu made his observations, the words could not ring truer today.
All of the defensive mechanisms in the world can’t protect us from today’s attacks, or from the new cyber-threats sure to appear tomorrow, because we don’t understand the gaps that exist between these solutions, in some cases because they can’t cover every potential vulnerability, and in many other cases because they weren’t designed to effectively interface with each other.
Layering various types of security controls on top of each other certainly makes it more difficult for the average attacker to compromise out IT environments, but the fact remains that there will always be cracks and fissures through which the smartest cybercriminals shall be able to pass; to deny this is simply sheer folly.
Only by actively assessing our own weaknesses on a frequent and comprehensive basis will we ever know exactly where the biggest gaps in our organizations’ defenses exist, and allow us to respond before we get exploited by our adversaries.
When we turn our own swords on ourselves, and use the same techniques utilized by attackers in the wild to test our resiliency, we can truly be prepared for the inevitable when it happens because we’ve already been scoping all the worst-case scenarios.
Another famous stratagem espoused by Sun Tzu readily applies to the cyber-environment, such as: “To win 100 victories in 100 battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.”
In most cases, our adversaries do not want to disrupt our service through DDOS attacks. The threats that are most pernicious in today’s environment relate to the covert colonization of our infrastructure and “low and slow” data theft. Steeling ourselves for the fight before it ever shows up on our doorstep, or more specifically at the firewall, is the only way to avoid hand-to-hand combat, or even worse after-the-fact soul searching and reactionary scrambling.
Steeling ourselves for the fight before it ever shows up on our doorstep, or more specifically at our firewall, is the only way to avoid hand-to-hand combat, or even worse, after-the-fact soul searching and reactionary scrambling.
Coping with today’s cyber-reality can only be achieved through greater cyber-situational awareness. Organizations must embrace the paradigm of advanced vulnerability management and automated security testing and measurement to understand where their critical exposures are today and eliminate potential points of ingress, and egress, to prevent attackers from retaining the upper hand.
Reading the thoughts of a great warrior and strategist who lived centuries ago may not sound like the best method for dealing with an ever-evolving array of threats as technically advanced and sophisticated as anything that we have ever seen before in world history. But…Everyone knows if we fail to observe history, then we will be doomed to make the same mistakes over and over again.
– Tom Kellermann, Vice President of Security Awareness