RSS

Schrodingers Security

Here is a scenario, completely hypothetical. A new start-up in the area of AI, that is revolutionizing not just their field, but the impact of AI on the everyman, has exploded in size and popularity overnight. As they rapidly expand their technological footprint to meet demand, they stop and think. “Oh you know what, we should maybe look into that security stuff.”

So they do some head hunting, looking for who best to lead their security team. At this point, they have tens of thousands of assets, an extensive and rapidly developed API, and one of the largest user bases in existence. They obviously want the best. Doing some looking around from a non-security professional perspective, they find nearly unlimited articles on aligning to business objectives, how to effectively communicate, and compliance with regulatory requirements. And go figure a number of elevated members of the community who have spoken far and wide about these topics.

The choose , lauded as a thought leader in the space, and someone they felt they could easily understand, they didn’t get into the weeds with the details of the cyber security stuff but instead talked about ISO standards, fedramp and data protection strategies. A few months have passed, and this fledgling company finally gets someone hired. Now, in those few months, they have been experiencing thousands of cyber attacks. All with varying degrees of success, but they just don’t know it; they don’t have detection capabilties in place to know, or really do much about it. Hint: Rate limiting, though helpful, is not a primary security control.

Now, this new CISO acts just as advertised. “People are the weakest link, have to focus on the human.” And the very first thing they do is get a 3rd party to come in and perform phishing trials on the company’s staff, and begin a company-wide security awareness program. This, afterall is a massive, and well-understood compliance checkbox for many frameworks. And, a few more months pass. As well as a few more thousand cyber-attacks going unnoticed. The more advanced of which come from advanced foreign actors. It is easy for them to realize that the IP contained within this company’s systems, along with the opportunity to spy on millions of user’s requests, potentially influencing the answers, is too great to pass up. Leveraging a weakness in one of the rapidly released API updates, they exploit one of the nodes, gain remote access., and then lay and wait. Clearly unaffected by the increased level of security culture that the new CISO has ushered in.

At this point, this world class CISO is getting down to business, it is finally time for them to implement their “Risk managment at a global scale” talking points from their 2019 RSAC main stager. Time to bring in their classmate from their alma mater who started up a Strategic level tabletop exercise consultancy, all the rage right now. After another few months of planning, and aligning C suite schedules the entire group gets tother in a room to answer deep cyber security conundrums like what if a hurricane hits the east coast cloud service provider, while a recently fired employee threatens to release stolen source code and media has picked up the story. The outcomes ended up being things like….“call legal”, and “let’s get our PR firm on the line”. After a couple more hours, they dig into real serious risk issues like, what if everyone is on the same flight and the plane goes down in the Bermuda triangle! I guess they shouldn’t fly together all the time….thanks old classmate. And, with those life mysteries solved. A whole room of C suite salary is burned. And, a couple thousand more cyber attacks go unnoticed. A criminal organization leverages a few month old vulnerability that went unpatched, and with no protective or detective capabilities in place, gains access to internal cloud resources.

A few weeks later, they have a ransomware incident, and are being threatened with the release of all their data.

CISO calls a premiere incident response team to help clean it up for an insane sum. After a thorough investigation, they make a statement that sounds something like " There is no indication the threat actors had access to any customer data, they exploited a zero day vulnerability in a exposed confluence server, it has been fully mitigated", And a few months pass.

Guess what? Those foriegn national APTs still have access, and have been leveraging the R&D fueled by billions of dollars of investment to build their own services. Significantly degrading the unique advantage of the company. Much worse, other groups are still maintaining access, to leverage the massive amounts of data collected for even more dangerous purposes.

All the while, the CISO builds a world-class security culture, answrs questions about ISO compliance, builds the security team to deal with abuse, and goes on to speak about his massive contribution to novel AI security set problems.

I won’t belabor the point anymore, but this is a bit all too real, right? The easily understood false successes in our industry lead to a self-supporting tidal wave of initiatives, and affirmation for leaders, processes, and technologies that DO NOT approach the actual problem. The actual problem is hard, it is technical, and it is not well understood by laymen. But the solutions and thought leadership that saturate the industry don’t move the needle. We have to focus on implementing defenses. Detections and protections that can be shown to actively mitigate the success of attackers. Threat hunting by extremely technical practitioners to look for the advanced persistent threats that we know are there, but just don’t have a mature enough security organization to detect. The next headline on every neon light-filled mainstage needs to be “cyber security, actually do it, don’t just talk about it.” Your security operations center, is the actual technical center of excellence that protects your organization. The document that accurately reflects all of the processors of data for your compliance does not. Make sure you invest in the right places.