Author: Alex Reid
Date: March 13, 2023

You Can’t Win: Learning to Live with Security Pessimism

There are no participation trophies in security.

Given the loaded nature of the phrase “participation trophies,” I feel I should clarify that this is not meant to be a generational commentary — I am not implying that certain workers expect participation trophies, or that today’s tech workers are soft. What I mean is that simply working hard is not enough. We cannot “Riveter Rosie” our way into good security posture. Cybersecurity is, in general, a thankless and invisible task, and the punishment for mistakes is immediate and ruthless. A leak of any size, large or minuscule, will end up catastrophic when a spacecraft is exposed to that harsh vacuum.

The IT industry has dealt with this outlook for decades, and cybersecurity has its roots there, so this is not a new problem. When IT does their job correctly, it looks like nothing is happening, and when something goes wrong all eyes are on them to fix it. Most IT folks also consider themselves to be more security-conscious than the average bear, and for good reason: They have seen firsthand the consequences of underestimating the importance of a solid security posture.

We now treat IT and Security as two essentially different functions. This is because attackers have continued to develop their practice and innovate new methods of attack, and so the security industry has isolated this battle from the rest of IT in order to more fully concentrate on their adversary. The issue is that attackers will never consider their task complete. They do not have an ideological basis for committing attacks, or at least not one germane to the nature of that attack; they will simply continue to innovate and adapt. Wrestling in this way with an inexhaustible opponent can only end in one of three ways: defeat, indefinite struggle, or complete structural collapse.

There is another way, though, of conceptualizing the work of security: not a battle, but a process. The attacker is not an “enemy.” We build levees and dams not to defeat water, but in order to coexist with it. This outlook is what I am calling “security pessimism” for the simple reason that it requires us to give up the conceit that victory is possible. And it is a conceit. We already use the phrase “not if but when” to talk about security breaches. If such breaches are an inevitability, then much like in the case of natural forces, our struggle is not against the forces themselves, but against our own faults.

Psycho-Security

Security as an industry has gone through several stages of development. In the previous generation of security (’90s through ’00s), we can imagine the working model as a lock on a door: Your perimeter is the door, and your password and antivirus are the lock. The image of the mechanical lock still dominates search engine results for “cyber security” (including, for irony purposes, on this very post!). This is where the outdated concepts of password complexity and “security by obscurity” (which still rear their heads) come from. We can mark a shift away from this adolescent idea of security as of ~10 years ago, with modern security organizations such as CrowdStrike and eSentire heading the new vanguard.

The current psychological framework of cybersecurity is one of, essentially, battle: a conflict between two parties determined to overcome each other. We can see this in some of the most basic security terminology describing this conflict as the cyber defenders striving against the invading attackers. A major flaw in this viewpoint is that, at some point, a conflict is over. There is an end point, a conclusion where one side becomes the victor: a fundamentally political event expressed through violent means whereby their will is asserted on the loser. In security, however, there is no such victory for the defender. Just like in IT, if they do their job properly, the reward is simply that everything works.

The reality of security is that it is not a war, or a battle. Imagining that one can “win” cybersecurity is a fallacious outlook that only reinforces poor methodology and sloppy problem-solving. If you believe you have “won,” why continue the fight? More correctly, security can be defined as a process. It is the process of constantly re-evaluating the risk surface inherent in every organization and developing a strategy to mitigate it.

Why You Can’t Win

IT systems are unimaginably complex. Most IT professionals do not dive into semiconductor materials science, chip design, antenna theory, or machine code despite these being the foundations of the technology on which we make our livelihoods. However, these foundations still present an attack surface — in fact, new attacks are surfacing regularly. Meltdown and Spectre from 2018 exploit fundamental processor architecture and memory management vulnerabilities. Side-channel attacks are occurring on new and old hardware alike, exploiting power analysis to expose secure data in places that were designed to be physically inaccessible.

I focus on hardware- and firmware-level exploits here for the simple reason that hardware cannot be patched once deployed. Software and OS vulnerabilities are fixable, assuming the affected devices are capable of over-the-air updates. Once a hardware vulnerability is discovered, the only recourse is decommission or mitigation. These vulnerabilities are only going to keep coming. Modern hardware hackers can already gain root access to most consumer-grade routing devices with 30 minutes and $50 in equipment.

Hardware aside, even though software can be patched, the struggle to secure software can be just as expensive and time-consuming. Security experts in development deal with the hydra of maintaining and validating not only their own code, but also their supply chain. The SolarWinds breach occurred because a library they included in their code was compromised, layers up their supply chain. Even open-source software has been implicated in vulnerabilities (see Lodash or HTTP-proxy).

The user is a key fixture in all of this. Any support technician will confirm that users are able to come up with the most incredibly creative ways to break computers. Security is the same way, and has the additional challenge of users simply not caring as much. MFA is an extra obstacle to logging in for work. Antivirus is the thing that prevents them from opening important documents. We do have measures to counteract this (awareness training and zero-trust architecture come to mind), but a user who is determined to simply plug in a USB drive they found on the street will always find a way to do so.

This all means that as security professionals, we must assume that our data — the ever-touted “most crucial asset” — is captured by platforms that are:

  • On vulnerable hardware,

  • Running vulnerable software,

  • Serving vulnerable users.

And, that none of these things has a patch or CVE. So, what do we do?

Towards Security Pessimism

One of the driving reasons behind writing this piece for me was that security folks can become incredibly focused on minutiae. The day-to-day process of a security analyst is full of trawling through logs, responding to incidents, and analyzing software – all of this, of course, in an attempt to keep data from getting somewhere it shouldn’t. At ground level, security looks like continuously patching cracks and painting tar in the hull of a ship that’s taking on water. If we extend our metaphor, I think the more important questions are, where are the cracks coming from? Can we avoid them altogether or are they simply part of the ship?

The only way to fully encircle all of these vulnerabilities into our security plan is to accept them. When we acknowledge that our platforms are imperfect from top to bottom, only then will we have an accurate scope of the problem that is in front of us. In a world where nation-states regularly participate in security breaches, there is always a bigger fish, an attacker that has access to tools we can’t even imagine. I will maintain this idea in the face of piles of evidence to the contrary, simply because of the fact that while we can cover the vulnerabilities we know, it would be hubris to imagine these ships as un-sinkable.

When we view security as the sum of all of the tiny battles that take place between “attackers” and cyber “defenders,” we lose context and long-term perspective. Instead, when we take several steps — long steps — back, we start to see the motion of history. The contradictions between cyber defense and offense sharpen over time, and observing those contradictions is the only way to achieve insight into how to improve our process. We see that breaches are a natural consequence of the complex systems we have erected, and over time, cyber attacks erode the foundations we have built. We need to shore those foundations up through better processes, new technology, and critical observation of their failings so we don’t repeat our mistakes. That is the only way to “win” the battle of security.

There Is No Alternative

I think that, as an industry, we are moving towards a more holistic view of security — overall a very good thing. Security as point solutions is a thing of the past, and it deserves to stay there. XDR, SIEM/SOAR, and the various types of security integration are all good news. What’s missing to me is the underpinning philosophy I’ve outlined above. Customers and Service Providers are still viewing security as a reactionary area: we only move forward or innovate when forced by our material circumstances. Even though I believe the practice of cyber-insurance has set us back years by funneling billions of dollars to ransomware groups, I will begrudgingly admit that it has also advanced security posture by placing a monetary incentive on top of better practices.

Ultimately, I believe we will have no other option than to accept these premises as part of our security plans. Remember, though, that since security is a process, we do not have to do this all at once. We can sneak up on it by slowly integrating more and more of our hardware stack, supply chain, and user base into our security policy with each iteration. If you’re unsure of where to start, the security professionals at your company or your MSSP will almost certainly have some strong opinions. The best time to make your security policy better was before your breach. The next best time is right now. We have a lot to do — let’s get to work.

Categories: Ransomware, Security

Alex Reid is a Product Architect with 11:11 Systems. He's a lifelong technologist, hardware enthusiast, and security paranoiac. For the past decade, he's been working officially in IT, picking up additional background in virtualization platforms and experience in a variety of technical cloud roles at Cirrity, Green Cloud Defense, and now on the product innovation team at 11:11. Alex holds a degree in Computer Engineering.
