Cyber defense faces a growing disconnect between perception and reality.
There are two main camps in the information security world today, and their arguments can be compared to the recent football debate as to whether Tim Tebow can be successful as an NFL quarterback in the long term.
In one camp, we have salespeople, marketers, various security entrepreneurs and "experts" telling executive decision-makers that cybersecurity is straightforward, if you just do it their way. This is strikingly similar to sports pundits who insist that a quarterback with limited passing skills (i.e. Tebow) simply can't cut it against today's sophisticated NFL defenses.
In the other camp, we have self-described pragmatists who in practice often approach cyber like Eeyore the donkey, proclaiming that hackers with zero-day exploits not only can get into your systems, but in fact are already there, and will never leave. This group corresponds to Tebow's most ardent supporters. They've made their decision regarding Tebow, and their "he just wins and has a great attitude, so ignore the rest" argument seems to trump other measures of success.
I would argue that both camps, in cyber defense as in football, have blind spots--holes in their perception that limit their effectiveness.
Let's look at the Tebow argument a bit more and see what it can teach us about our cyber defense mission.
Team 1: "Cyber Defense is as Easy as Stopping Tim Tebow"
Overheard: "We offer better protection, more peace of mind, and a complete security solution for less money with our new managed 'xyz' product/service." This boilerplate marketing claim makes cyber defense appear as easy as buying a car. All you need to do is hand over the virtual keys to your new trusted security partner!
The more sophisticated members of Team 1 will readily acknowledge past mistakes and security industry product and service failures. In fact, mocking recent tactics by other companies and discussing new global threats facing the cyber defense business is an important part of their intriguing sales pitch.
Nevertheless, they insist that their new offering is somehow different. The pitch goes something like, "We know why their last product failed to live up to expectations, but we've incorporated a new rigor, a new secret sauce, a new approach into our patented solution that our competitors are missing. We've gone back to the basics to uncover the reasons why everyone else lacks what we have."
This group tends to be overconfident with bold victory predictions. "This is really very easy. There is no way that our product or service will fail. We've now figured cybersecurity out."
Why Tebow? Comparing Cyber Defense to NFL Defense
Before we go on, you may be wondering: Why compare corporate cyber defense with the NFL defenses trying to stop the Denver Broncos' quarterback?
It's simple: We more readily see our blind spots--and we all have blind spots--when they are put into another context that is not as threatening to our professional situation.
Since we're heading into the NFL playoffs and since everyone seems to have an opinion on Tim Tebow, this analogy could be helpful. (This comparison is meant to be taken in fun and not viewed literally. Of course, Tim Tebow is not a "bad guy" hacker.)
Tebow's Broncos are both popular and controversial because in mid-season they kept defying logic and winning in unconventional ways. In one game against the Kansas City Chiefs, Tebow completed exactly two forward passes. This is a stat you might expect to see in a college football box score from 1910 or so. And many of the Broncos' wins were accomplished through exciting last-quarter comebacks.
Some say Tebow is leading a high school-style offense that is easy to stop on Sundays. This group, called Tebow-haters by many on Team 2 (see below), insists that the Heisman Trophy winner from the University of Florida will never be a successful NFL quarterback. Even through Denver's winning streak, Team 1 remained defiant, saying that Tebow was lucky. Others said Tebow is statistically flawed and bound to eventually fail. Their slogan: "Tebow can't throw!" Chicago linebacker Brian Urlacher, even after losing to Denver, could only give Tebow a backhanded compliment by calling him "a good running back."
Denver's three end-of-the-season losses have strengthened this viewpoint.
Team 2: "Cyber Defense isn't Working. Look at the Results"
Moving on, we have Team 2 with their proud slogan "The Tebow train moves on." On the football front, this group points to Denver's amazing run as proof that the mockers are flat-out incorrect. Bold mid-season predictions that Denver will definitely lose the next game led to a series of experts eating crow. In fact, Tebow's consistent ability to exploit opposing defenses at the end of games to achieve amazing victories was enough to get Denver into the playoffs for the first time in six years.
In terms of security professionals, Team 2 is a mix of folks.
Some just believe that hackers are way out in front to stay and won't be stopped anytime soon. They immediately find flaws in whatever product or service is being offered by the security industry. Some in this group believe that the only way to stop hackers is to go on the cyber offensive and hit them first (analogous to beating Tebow by outscoring him, rather than actually stopping his offense).
Others in this group have moved over from Team 1. They have reluctantly admitted that their security systems aren't measuring up to expectations. Various security products seemed to work and gained traction initially, but eventually their hopes were dashed by some problem that emerged as a significant weakness. Just as Tebow was often stopped for three quarters by a supposedly impregnable defense, only to exploit holes at game's end, these cyber pros have seen initial successes turn into security lapses.
Team 2 sees itself as the industry's pragmatists. They tend to say, "Really? Are you sure these attacks are so simple to stop? Hold on a minute, you can't possibly mitigate these cyber attacks this way in the long run." They deftly point out the flaws in previous security offerings. Their proof is that the hackers (like Tebow) somehow stay in the headlines, for good or bad.
What is their pitch? Perhaps you've suffered breaches or been burned trying to implement various products that turned out to be fool's gold. You no longer have enough qualified staff to get the job done, since the new product eliminated positions. Now the risks seem much worse than originally anticipated. Were vendor claims exaggerated?
As pressure builds to move more solutions into the cloud, buy more managed services or even outsource core security functions, vendor sales staff pound hard until executives hand over the car keys. Team 2 security professionals are worried that enterprises are buying snake oil. They worry about vendor bait-and-switch tactics. They ask tough questions like: Have we really thought this through? How can we get out of this cloud contract if it doesn't work? Can we really trust that offshore vendor?
So Who's Right?
While it may seem as if I am advocating for Team 2, I actually believe that both professional groups have blind spots that need to be corrected.
Clearly, those on Team 1 need a large helping of humble pie. One would think that previous lapses in security protections and/or deficiencies in product offerings would keep the overconfident crowd fairly small--but this is not the case. Everyone knows that pride comes before a fall, and yet we repeatedly underestimate the challenges before us (as individual companies and as the security industry).
Keep in mind that the bad guys are always getting better and refining their offense. Take away one threat vector, and they'll often find another way to exploit your cyber defense. Effective solutions must address people, process and technology challenges during implementation and ongoing operations and maintenance phases.
So here's a critical message to security marketers: Simplistic marketing that highlights how "easy" it is to implement cybersecurity widens the gap between these two security groups.
Another message to the vendor sales staff: get the chip off your shoulder and respect the pragmatic questions.
Meanwhile, Team 2 has different blind spots. While stopping hackers, disabling the bad guys, providing effective security solutions and enabling new secure enterprise protections is not easy, the goal is achievable. Team 2 needs to give Team 1 more credit for trying to solve difficult cyber problems. The bad guys can be stopped with defense-in-depth and a more resilient, consistent, yet flexible approach.
Who Wins? Team 3
Implied in this analysis is a third approach. Team 3 recognizes that an effective cyber defense is achievable--but hard work.
Successful defense requires good products, humility, perseverance and staff discipline. This team's football slogan might be: "Tebow is an NFL quarterback--and stopping him is difficult." This is the kind of respectful approach that the New England Patriots, Buffalo Bills and even Kansas City Chiefs displayed (after having lost to Denver the first time around) when they beat Tebow's Broncos late in the season. They didn't mock him like so many others, but rather acknowledged his ability and the challenges they faced. They built successful game plans based on their teams' strengths.
Pragmatic security professionals know that we need to work together. They go out of their way to build partnerships with vendor teams and industry coalitions to find a middle way through the difficult conversation. Efforts like TechAmerica Foundation's Cloud Commission seek to answer the tough questions that need to be answered without demonizing the people asking the questions. They offer case studies highlighting workable security solutions.
Another way to uncover and correct blind spots is to participate in organizations like the National Association of State CIOs (NASCIO) working groups, which address peer-group cyber issues within state governments. Those in the private sector can address sector-specific security challenges via Information Sharing and Analysis Centers (ISACs) or other professional organizations offering cybersecurity dialogue.
Back to sports and the final question: Can Tebow succeed long-term as an NFL quarterback? Can he learn to be more accurate throwing the football? Can Denver adapt and succeed in the playoffs? Just as in cyber defense, I suspect that we'll be asking these questions well beyond 2012. And we'll find out more this weekend...
Dan Lohrmann is CSO of the State of Michigan.