How We Look at Cybersecurity Determines the Kind of Cybersecurity We Have
Oren J. Falkowitz — Area 1 Security — Co-Founder and CEO
At the 1968 Olympic Games in Mexico City, a slight civil engineer from Oregon State University set the high jumping world on its ear. Or more accurately, on its back. Richard Douglas Fosbury cleared 7 feet 4 ¼ inches for a new world record and the gold medal with an unorthodox approach that would come to be known as the “Fosbury Flop.” Fosbury’s backwards approach to the high jump was born of necessity: he wasn’t very good at the conventional high jumping methods then in fashion. But all those techniques, the Western Roll, the Eastern cut-off, even the popular scissors jump required jumpers to land on their feet, usually in a sandpit or on low piles of matting. Substituting a four-foot-tall foam mattress, however, practically invites jumpers to land on their back, which is how Dick Fosbury landed, much to everyone’s amazement. Since 1980, no Olympic high jumper has ever used any other method and won.
Solving seemingly insurmountable problems in new ways often begins by refusing to accept the de facto solution or even the standard, accepted definition of the problem. And this “aha moment” thinking begins by looking at the problem differently. The reason this works so well is that by changing our angle of view, we also open ourselves up to opportunities to create solutions we never could have conceived of any other way. Some of the world’s greatest inventions came about in precisely this way.
For example, the engineers and tinkerers in Thomas Edison’s laboratory were laboring mightily over a commercially viable, long-lasting filament material for the light bulb, and they were badly in need of reframing the problem in a way that would lead them to a solution they knew was possible but which they hadn’t been able to grasp as yet. They had tried over 200 different compounds with only minimal success when one of them built a model using tungsten as the filament material. It worked, of course, and still does. “It’s a good thing he wasn’t a metallurgist,” Edison later remarked of his brilliant assistant, “because if he had been, he would have known that tungsten never would have worked.”
Reframing the problem to allow for a new creative solution to present itself even caused the downfall of a country. In the years between the World Wars, France invested heavily in a state-of-the-art fortification along its border with Switzerland, Luxembourg and Germany called the Maginot Line. It was intended to protect them from an invasion from the east, but unfortunately, it was an innovation designed for the last war, not the one to come. When Germany decided to invade, they never bothered to throw themselves against the Ligne Maginot, agreeing with the French that it was indeed impervious, but rather conducted an end run around the Line through the Ardennes Forest in Belgium, cutting French and British forces off from each other, causing the evacuation of hundreds of thousands of troops from Dunkirk, and accomplishing the fall of Paris in about six weeks. Voilà.
The industry’s approach to cybersecurity seems to be stuck in the same kind of “last generation” thinking. CISOs are presented with the same old approaches from cybersecurity companies and experts, and yet we get the same sort of results. Worse still, no matter how many times businesses and government are faced with having to apologize for embarrassing headlines, massive losses of valuable IP and offering free credit monitoring to those who’ve lost their entire digital lives, they don’t seem to realize that they don’t have to settle for what didn’t work in the past, but rather should be searching for, even demanding, breakthroughs and new, innovative technologies and methods.
The cybersecurity equivalent of cutting the Gordian Knot, if you will.
Obviously, what we’re doing isn’t working. Rather than doing the same things over and over and expecting different results, we need to fundamentally change our approach. For instance, instead of throwing up our hands because we think hackers are just too smart for us, what if we took the approach of using their perceived strengths against them? Such an approach might begin by looking at the reality of how hackers really behave rather than how we think of them. What we know about them already reveals a lot of information we can use to construct a more aggressive and certainly more effective response.
For instance, hackers are very patient, and they’re not fancy. In a recent speech at the Enigma Conference in San Francisco, Rob Joyce, the NSA’s chief of Tailored Access Operations (my alma mater), told the assembled security engineers and systems administrators that hackers use the same tried-and-true methods widely familiar to the entire industry. They’re not using esoteric James Bondian wizardry. They’re just very persistent and keep poking around until they find an opportunity.
They know who they’re dealing with. Attackers know our networks better than we know our networks. And if there is an opening, however small, they’ll find it. They know those openings are going to be there because they also know we are creating them, with inconsistently applied security practices, inaccurate or outdated IT data, and the inevitable lapses in good digital hygiene.
The point is, knowing how attackers work can make it easier for us to strengthen our defenses. Like aggressively plugging our security holes. Enforcing better hygiene. Noticing when we’re being poked and prodded. Instead of diving deeper and deeper into the “big data” we’ve harvested, and drowning in it, maybe we can start looking at small patterns instead. And most importantly, we can start by changing our angle of view about security from a one-and-done event to an every day, every way, long-term endeavor.
Let’s abandon the helplessness of our current defensive posture and start being preemptive, actually catching and disarming threats while they’re still only threats. If we can embrace the idea that our attackers put their packets on the Internet the same way we all do (one at a time), and understand that even the most sophisticated attacks start in simple ways, we can identify how and where they start and build a profile of that activity. Once we have that, we can also begin to anticipate and identify the next attack before it starts.
That’s why it’s important for us to begin looking at cybersecurity differently. We’re not getting the kind of cybersecurity we want because we’re looking at it in the same way, over and over again, and as a result, we’re not changing our approach. And of course, we keep getting the same disappointing outcomes. But worse than that, we’re also not seizing the opportunity to protect ourselves in new and better ways.