Reducing the Cost of Cyber Defense
In an age of “assumption of breach” the conventional wisdom is that you should focus on “raising the cost of attacks.” The only problem with that mindset is that you don’t know how expensive it may be to hack your enterprise. You have no in-depth knowledge of:
- The hardware you use
- The operating systems you use
- The applications you use
- The protocols used by all of the above
…and the communications infrastructure all of the above uses to exchange bytes with customers, vendors, etc.
Any one of the aforementioned items, or more than one of them interacting with each other, is rife with vulnerabilities that are being exploited for fun and profit. For those who are in it for the profit, this is their job. They are good at it to the tune of billions of dollars a year worldwide. If you are an SMB that doesn’t have the latest defenses, or a large enterprise that isn’t doing basic cybersecurity blocking and tackling, a successful hack might not cost the attacker much at all, but your losses are going to be significant.
What most proponents of “driving up attacker cost” are really saying is “buy this new thing and ignore that the thing I sold you last year didn’t live up to the hype.” Did you buy so-called threat intelligence this year from the guy who sold you next-generation something-something two years ago? Then you know what I mean.
Shift Your Mindset
You cannot exercise a great deal of control over how much it costs to hack you, but you can do a variety of things to reduce the cost of defending yourself. Put another way: you need to recognize that as a defender you are in a much better position than conventional wisdom would have you believe.
Start by recognizing that the cliché of attackers only having to be successful once is nonsense. A successful compromise is the result of a series of wins, not all of which may be trivial to execute, and many of which may be noisy enough to attract the attention of a detection mechanism or an attentive defender. You cannot avoid being attacked, but you can reduce the likelihood of being surprised.
You should also acknowledge that while a defender may not have in-depth knowledge of any discrete technology, they should have superior knowledge of the operational environment. To an attacker every new enterprise they attack is opaque to some degree. That is why, in the immortal words of Dr. RAID:
“The first step to owning a target is recon.”
It takes time for a stranger to figure out what’s what and what’s where, whereas you should know it by heart and be able to position yourself and your resources accordingly.
A good defensive team that builds strong relationships with corporate IT and enterprise business units can also influence what data flows through an enterprise, how data flows through an enterprise, how well-protected flowing data is, and who has access to it all. Flat networks and not using tech like 2FA make administration and pwnage equally easy: a bit of complexity, structure and compartmentalization comes with some overhead, but it also makes making off with your precious considerably more difficult.
Fail Often, Fail Fast
The goal of reducing the cost of defense is to get to a point where you are not overly concerned about a successful hack. That sounds ridiculous, but if you are able to detect and respond at combat speed, you can mitigate a great deal of the negative effects. The benefit of finding out you’ve been owned in 2 minutes versus 200 days is self-evident. You never ‘don’t care’, but if you can reach a point where breach response is an expense that can be captured in your annual budget, and not a seven-figure unexpected expenditure, you’ve accomplished far more than any single defensive technology ever has.
Is reducing the cost of defense versus raising attacker costs merely a distinction without a difference? What I recommend is not cost-free, but it is also not perpetuating stereotypes or supporting questionable acquisition practices. A solid defense is as much about outlook or frame of reference as it is about any given technology or skill set. To pile on my friend Ben Johnson, attitude can be a powerful tool.