
Ranum Q&A: Security strategy with Richard Bejtlich

Keeping up to speed on new adversaries may require a change in tactics.

Richard Bejtlich, who began his digital security career as an Air Force intelligence officer, says many security people remind him of fighter pilots.

"They concentrate on their tools and how to use them in direct confrontation with an adversary," he says. "It's more work to step back and consider if fighting a tactical skirmish contributes to the campaign or winning the big picture."

As the chief security strategist at Milpitas, Calif.-based FireEye Inc., Bejtlich knows a bit about strategic security. The network security company has faced constant scrutiny since its $1 billion Mandiant acquisition in December 2013, including reports that its technology detected malicious activity during the Target breach. It has also been the subject of high-profile blog posts chronicling its public dispute over the methodology of NSS Labs' security researchers, who tested the effectiveness of the company's Malware Protection Systems.

Bejtlich, who needs no introduction among security professionals, joined FireEye by way of Mandiant -- the cybersecurity consultancy that investigated the intrusion at The New York Times and published the report exposing China's alleged cyber espionage against more than 140 organizations by the group it dubbed APT1. Prior to Mandiant, he was the director of incident response at General Electric and ran his own consultancy, TaoSecurity. Bejtlich is a graduate of Harvard University and the United States Air Force Academy, and recently started his doctorate in war studies at King's College London under Dr. Thomas Rid, professor of security studies.

A nonresident senior fellow at The Brookings Institution, Bejtlich wrote about the speed of technological change and its effects on cybersecurity strategy in a research paper for the institute, "Strategy, Not Speed: What Today's Digital Defenders Must Learn From Cybersecurity's Early Thinkers."

Marcus Ranum: Richard, I just finished reading the paper you wrote for The Brookings Institution. It's a really good summary of the theatrical arc of computer systems' intrusion detection.

I'd like to ask a few questions related to some points you raise in your research, mostly surrounding what you rightly call 'strategic security.' It's always seemed to me that security is a bit 'down in the weeds' when it comes to tactics -- chasing the new threat vector or the promising technology -- but we ignore the strategy far too often. Is it because the strategic problem points toward an unattractive endless struggle, or is it lack of expertise, or something else? I know your background is heavy on consultancy, so I sense a strong 'people, not tools' thread in your article. Is that correct?

Richard Bejtlich: It's natural for most security people to take a tactical focus, because the tactical level changes more often than the operational or strategic levels. Change is more exciting than consistency. Many security people remind me of Air Force fighter pilots. They concentrate on their tools and how to use them in direct confrontation with an adversary. It's more work to step back and consider if fighting a tactical skirmish contributes to the campaign or winning the big picture.

Ranum: I've done incident responses in the past, and I feel that it distorts a practitioner's view of security, because they tend to be catering to the bottom of the bell curve of expertise: You never walk into an incident that's being handled successfully.

Ranum: That's a huge piece of the history of computer security as well. We have a great deal of legendary incidents. Do you think that our tactical focus is partly driven by the way the media promotes incidents as being of watershed importance? I know I get a certain amount of media inquiry whenever there's another zillion credit cards leaked -- it must be even worse for you. How do you suggest we maintain a strategic security focus, when it seems as if it's the tactics that are always hitting us in the face?

Bejtlich: Your comment on news is insightful. 'News' implies something new. Tactically, new activities happen every few months or so. Think of Heartbleed, Shellshock, and the like. Much more rarely do we encounter changes in adversary campaign methods or strategic direction. When I encounter news stories, I ask myself: Does this fundamentally affect the strategy I recommend, and the implementation over weeks, months and years, while prosecuting a campaign? Most often the answer is no. The last time we had a significant shift that would affect the operational and strategic levels might be the early 2000s, when intruders incorporated client-side attacks into their campaigns. Prior to that, server-side attacks were a bigger problem.

Ranum: Reviewing your history of cybersecurity in the Brookings piece, I found myself thinking 'We told you so!' over and over again. At each point in the story arc of security, there have been people doing a pretty fair job of pointing to the dangers and offering strategic design advice. Yet, we wind up where we are today. Do you think things will improve eventually, or are we doomed to security being, as Nat Howard says, 'exactly as bad as it can possibly be without everything breaking'?

Bejtlich: I thought you said security would be 'exactly as bad as it can possibly be without everything breaking.' I give you credit for that.

Ranum: No, that was Nat. I repeated it in my homeland security book and everyone mistakes me for the smart guy.

Bejtlich: Anyway, I'm contemplating the effect of several government agencies on the security picture. The FTC, SEC and FCC all seem to see 'cyber' as a way to extend their authority and budgets. I believe we will continue to see these agencies exert pressure to introduce more compliance schemes. Whether that introduces change for the better remains to be seen.

Ranum: Strategic security seems to me to be what a CSO or CISO's job is -- keeping the rest of the business focused on the important parts of the process and out of the weeds. Yet, all too often, it seems that the CSOs are in the weeds, too. Are there any changes you suggest for keeping that from happening? Is this a corporate governance issue at the board level?

Bejtlich: In my five levels -- goal, strategy, operations/campaigns, tactics and tools -- I see CSOs as the bridge, usually working at the operational level, between the CXOs and board members and the security teams and vendors. I am not a fan of CSOs who 'speak the language of the business' or who calculate return on security investment or risk. I prefer to see CSOs speak policy and strategy to the CXOs and board members, and tactics and tools to the security teams and vendors, while running operations from the CSO office. This is a shift in mindset and approach, but I am seeing signs that it is welcome and effective.

Ranum: Yes! One place I think we fail miserably is cost/benefit analysis. I talk to execs who say, 'Whitelisting is too hard and takes too much time.' And then I ask them, 'What, exactly, is efficient about having to clean malware off of your machines?' What can we do to help improve management's ability to make strategic decisions when it seems as if the tactical decisions are always too distracting?

Bejtlich: I don't think you're suggesting that top-level executives worry about tactical issues like whitelisting applications. Decisions about tools and tactics should be made at the security team level, with CISO approval. However, the C-level executives should hold the CISO and team accountable via metrics. [See his article "Measure Like You Mean It" for more on that topic.] As part of the management team at a publicly traded company, I witness very detailed and complicated discussions based on financial metrics. C-level executives are very capable of metrics-driven discussions if they have real numbers to consider.

Ranum: I'm sure your feelings about compliance are as mixed as mine. It seems to me that compliance usually mandates 'stuff that anyone in their right mind is already doing.' That means we are bringing the industry up to a baseline of adequacy. In your work with malware reduction and incident response, I'm sure you've formed an opinion: Has compliance helped?

Bejtlich: Compliance is helpful up to a point. I'm not sure if we've met or exceeded the point of diminishing returns. For example, I just heard a report on the radio that a global bank commits one out of 10 employees -- something like 25,000 people, out of 250,000 in total -- to the financial compliance mission. That strikes me as excessive.

I don't think we are in the same league with digital security compliance programs. Anecdotal evidence suggests that compliance-focused security programs cannot stop intruders with mid- to high-level resources and motivation. I doubt they can stop intruders with lower levels of resources and motivation. This needs to be researched further, but I believe most, if not all, of the retailers breached in 2014 were PCI-DSS compliant. If true, that compliance regime does not seem to be making any difference.

Ranum: I've always been frustrated when security people talk about an active defense, by which they mean offense -- especially since the military idea of active defense is really maneuver warfare: husbanding one's forces and being prepared to respond nimbly to enemy attacks and be everywhere at once, in a Napoleonic style of fighting, rather than 'the best defense is a strong offense.' In keeping with that model, if you agree with it, what would you tell executives about how to defend actively?

Bejtlich: Active defense has different definitions, in my opinion. When I spend time talking to Department of Defense computer network defenders, they call any activity that goes beyond passive defense 'active defense.' A passive defense involves configuring defensive systems like firewalls or antivirus and expecting them to stop intruders.

The DoD uses the term active defense when they mean activities taken by defenders in response to intruder activity, or to identify intruder activity. Log analysis, 'hunting missions,' automated or human reconfiguration of defenses in response to intruder activity -- this is all active defense.

Those actions all occur on the defender's turf. When you talk to civilian network defenders, they assume that active defense means counter-force activities taking place on the intruder's turf. I call that offense.

I recommend organizations spend time using 'matching' and 'hunting' campaigns against intruders. Matching can be done by algorithms, but hunting is generally done by people. I talk more about these approaches in my newest book, The Practice of Network Security Monitoring (Chapter 9).
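The distinction Bejtlich draws between 'matching' (algorithmic comparison against known indicators) and 'hunting' (an analyst's hypothesis run against the data) is easy to show over a small proxy log. The following is an added illustration written for this page, not code from Bejtlich, FireEye or the book he cites. The log lines, host addresses, domain names and the single blocklist entry are all constructed for the example; the beaconing heuristic (regular inter-request intervals to a destination that few internal hosts talk to) is one common hunting hypothesis, chosen here as an assumption rather than anything the interview prescribes.

```python
"""Matching vs. hunting over a constructed proxy log (illustrative example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<utc timestamp> <src ip> <method> <host> <status>".
# Hosts, domains and addresses are hypothetical, not real telemetry.
PROXY_LOG = """\
2014-11-03T09:00:00Z 10.1.2.10 GET update.example-vendor.test 200
2014-11-03T09:00:05Z 10.1.2.11 GET www.example-news.test 200
2014-11-03T09:10:00Z 10.1.2.10 GET update.example-vendor.test 200
2014-11-03T09:15:00Z 10.1.2.12 POST cdn.badstuff.test 200
2014-11-03T09:20:00Z 10.1.2.10 GET update.example-vendor.test 200
2014-11-03T09:22:00Z 10.1.2.11 GET mail.example-corp.test 200
2014-11-03T09:30:00Z 10.1.2.10 GET update.example-vendor.test 200
2014-11-03T09:40:00Z 10.1.2.10 GET update.example-vendor.test 200
2014-11-03T09:41:00Z 10.1.2.13 GET www.example-news.test 200
2014-11-03T09:50:00Z 10.1.2.10 GET update.example-vendor.test 200
"""

# Hypothetical indicator list, e.g. from a threat-intel feed.
INDICATORS = {"cdn.badstuff.test"}


def parse_proxy_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, status = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "method": method,
            "host": host,
            "status": int(status),
        })
    return events


def match_indicators(events, indicators):
    """Matching: an algorithm compares every event against known-bad indicators.

    Cheap and exact, but it can only find what is already on the list."""
    return [e for e in events if e["host"] in indicators]


def hunt_beacons(events, min_hits=4, max_cv=0.2, max_sources=2):
    """Hunting lead: periodic outbound requests to a destination few hosts use.

    The analyst's hypothesis is that malware checks in on a fixed timer.  We
    flag (src, host) pairs with at least `min_hits` requests whose inter-arrival
    times have a low coefficient of variation, where the destination is
    contacted by at most `max_sources` internal hosts.  The output is a lead
    for a person to assess (a legitimate updater looks the same), not a verdict.
    """
    by_pair = defaultdict(list)
    sources_per_host = defaultdict(set)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e["ts"])
        sources_per_host[e["host"]].add(e["src"])

    leads = []
    for (src, host), times in by_pair.items():
        if len(times) < min_hits or len(sources_per_host[host]) > max_sources:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # 0.0 means perfectly regular intervals
        if cv <= max_cv:
            leads.append({"src": src, "host": host, "hits": len(times),
                          "period_s": avg, "cv": round(cv, 3)})
    return leads


if __name__ == "__main__":
    evts = parse_proxy_log(PROXY_LOG)
    print("matching hits:", [(e["src"], e["host"]) for e in match_indicators(evts, INDICATORS)])
    print("hunting leads:", hunt_beacons(evts))
```

In the constructed log the indicator match finds the one request to the blocklisted host and nothing else, while the hunt surfaces 10.1.2.10 polling update.example-vendor.test every 600 seconds, which no indicator would have caught. Whether that lead is an updater or a beacon is exactly the judgment Bejtlich leaves to people rather than algorithms.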

About the author:
Marcus J. Ranum, chief security officer of Tenable Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.

This was last published in December 2014
