There are no participation trophies in security.
Given the loaded nature of the phrase “participation trophies,” I feel I should clarify that this is not meant to be a generational commentary — I am not implying that certain workers expect participation trophies, or that today’s tech workers are soft. What I mean is that simply working hard is not enough. We cannot “Riveter Rosie” our way into good security posture. Cybersecurity is, in general, a thankless and invisible task, and the punishment for mistakes is immediate and ruthless. A leak of any size, large or minuscule, will end up catastrophic when a spacecraft is exposed to that harsh vacuum.
The IT industry has dealt with this outlook for decades, and cybersecurity has its roots there, so this is not a new problem. When IT does their job correctly, it looks like nothing is happening, and when something goes wrong all eyes are on them to fix it. Most IT folks also consider themselves to be more security-conscious than the average bear, and for good reason: They have seen firsthand the consequences of underestimating the importance of a solid security posture.
We now treat IT and Security as two essentially different functions. This is because attackers have continued to develop their practice and innovate new methods of attack, and so the security industry has isolated this battle from the rest of IT in order to more fully concentrate on their adversary. The issue is that attackers will never consider their task complete. They do not have an ideological basis for committing attacks, or at least not one germane to the nature of that attack; they will simply continue to innovate and adapt. Wrestling in this way with an inexhaustible opponent can only end in one of three ways: defeat, indefinite struggle, or complete structural collapse.
There is another way, though, of conceptualizing the work of security: not a battle, but a process. The attacker is not an “enemy.” We build levees and dams not to defeat water, but in order to coexist with it. This outlook is what I am calling “security pessimism” for the simple reason that it requires us to give up the conceit that victory is possible. And it is a conceit. We already use the phrase “not if but when” to talk about security breaches. If such breaches are an inevitability, then much like in the case of natural forces, our struggle is not against the forces themselves, but against our own faults.
Security as an industry has gone through several stages of development. In the previous generation of security (’90s through ’00s), we can imagine the working model as a lock on a door: Your perimeter is the door, and your password and antivirus are the lock. The image of the mechanical lock still dominates search engine results for “cyber security” (including, for irony purposes, on this very post!). This is where the outdated concepts of password complexity and “security by obscurity” (which still rear their heads) come from. We can mark a shift away from this adolescent idea of security as of ~10 years ago, with modern security organizations such as CrowdStrike and eSentire heading the new vanguard.
The current psychological framework of cybersecurity is one of, essentially, battle: a conflict between two parties determined to overcome each other. We can see this in some of the most basic security terminology describing this conflict as the cyber defenders striving against the invading attackers. A major flaw in this viewpoint is that, at some point, a conflict is over. There is an end point, a conclusion where one side becomes the victor: a fundamentally political event expressed through violent means whereby their will is asserted on the loser. In security, however, there is no such victory for the defender. Just like in IT, if they do their job properly, the reward is simply that everything works.
The reality of security is that it is not a war, or a battle. Imagining that one can “win” cybersecurity is a fallacious outlook that only reinforces poor methodology and sloppy problem-solving. If you believe you have “won,” why continue the fight? More correctly, security can be defined as a process. It is the process of constantly re-evaluating the risk surface inherent in every organization and developing a strategy to mitigate it.
Why You Can’t Win
IT systems are unimaginably complex. Most IT professionals do not dive into semiconductor materials science, chip design, antenna theory, or machine code despite these being the foundations of the technology on which we make our livelihoods. However, these foundations still present an attack surface — in fact, new attacks are surfacing regularly. Meltdown and Spectre from 2018 exploit fundamental processor architecture and memory management vulnerabilities. Side-channel attacks are occurring on new and old hardware alike, exploiting power analysis to expose secure data in places that were designed to be physically inaccessible.
I focus on hardware- and firmware-level exploits here for the simple reason that hardware cannot be patched once deployed. Software and OS vulnerabilities are fixable, assuming the affected devices are capable of over-the-air updates. Once a hardware vulnerability is discovered, the only recourse is decommission or mitigation. These vulnerabilities are only going to keep coming. Modern hardware hackers can already gain root access to most consumer-grade routing devices with 30 minutes and $50 in equipment.
Hardware aside, even though software can be patched, the struggle to secure software can be just as expensive and time-consuming. Security experts in development deal with the hydra of not only maintaining and validating their own code, but also their supply chain. The SolarWinds breach occurred because a library they included in their code was compromised, layers up their supply chain. Even open-source software has been implicated in vulnerabilities (see Lodash or http-proxy).
The user is a key fixture in all of this. Any support technician will confirm that users are able to come up with the most incredibly creative ways to break computers. Security is the same way, and has the additional challenge of users simply not caring as much. MFA is an extra obstacle to logging in for work. Antivirus is the thing that prevents them from opening important documents. We do have measures to counteract this (awareness training and zero-trust architecture come to mind), but a user who is determined to simply plug in a USB drive they found on the street will always find a way to do so.
This all means that as security professionals, we must assume that our data — the ever-touted “most crucial asset” — is captured by platforms that are:
On vulnerable hardware,
Running vulnerable software,
Serving vulnerable users.
And that none of these things has a patch or CVE. So, what do we do?
Towards Security Pessimism
One of the driving reasons behind writing this piece for me was that security folks can become incredibly focused on minutiae. The day-to-day process of a security analyst is full of trawling through logs, responding to incidents, and analyzing software – all of this, of course, in an attempt to keep data from getting somewhere it shouldn’t. At ground level, security looks like continuously patching cracks and painting tar in the hull of a ship that’s taking on water. If we extend our metaphor, I think the more important questions are, where are the cracks coming from? Can we avoid them altogether or are they simply part of the ship?
The only way to fully incorporate all of these vulnerabilities into our security plan is to accept them. When we acknowledge that our platforms are imperfect from top to bottom, only then will we have an accurate scope of the problem that is in front of us. In a world where nation-states regularly participate in security breaches, there is always a bigger fish, an attacker that has access to tools we can’t even imagine. I will maintain this idea in the face of piles of evidence to the contrary, simply because, while we can cover the vulnerabilities we know, it would be hubris to imagine these ships as unsinkable.
When we view security as the sum of all of the tiny battles that take place between “attackers” and cyber “defenders,” we lose context and long-term perspective. Instead, when we take several steps — long steps — back, we start to see the motion of history. The contradictions between cyber defense and offense sharpen over time, and observing those contradictions is the only way to achieve insight into how to improve our process. We see that breaches are a natural consequence of the complex systems we have erected, and over time, cyber attacks erode the foundations we have built. We need to shore those foundations up through better processes, new technology, and critical observation of their failings so we don’t repeat our mistakes. That is the only way to “win” the battle of security.
There Is No Alternative
I think that, as an industry, we are moving towards a more holistic view of security — overall a very good thing. Security as point solutions is a thing of the past, and it deserves to stay there. XDR, SIEM/SOAR, and the various types of security integration are all good news. What’s missing to me is the underpinning philosophy I’ve outlined above. Customers and service providers are still viewing security as a reactive area: we only move forward or innovate when forced by our material circumstances. Even though I believe the practice of cyber-insurance has set us back years by funneling billions of dollars to ransomware groups, I will begrudgingly admit that it has also advanced security posture by placing a monetary incentive on top of better practices.
Ultimately, I believe we will have no other option than to accept these premises as part of our security plans. Remember, though, that since security is a process, we do not have to do this all at once. We can sneak up on it by slowly integrating more and more of our hardware stack, supply chain, and user base into our security policy with each iteration. If you’re unsure of where to start, the security professionals at your company or your MSSP will almost certainly have some strong opinions. The best time to make your security policy better was before your breach. The next best time is right now. We have a lot to do — let’s get to work.