Security = Fundamentals + Innovation

Every security professional knows that the adversary has the advantage. Security professionals have to find every vulnerability (good luck with that) and remediate it, and the enemy only needs to find one vulnerability and exploit it. This asymmetry underlies their economic advantage: finding one vulnerability gives access to a huge number of systems. In addition, for those willing to forego their conscience and risk jail, it is possible to make large sums of money in a short time, even with a minimum of technical expertise.

Most successful intrusions involve exploitation of well-known vulnerabilities, typically documented as “CVEs”. Even so, bad actors are constantly innovating, using the best technology for the worst purposes, such as leveraging cloud resources (their own or others’) to amplify attacks or mine bitcoins or abusing e-mail to promulgate spam and phishing attacks.

To fight known attacks requires scrupulous attention to the “boring” fundamentals of security: patching and software updates, policy enforcement, identity management, password policies, proper inventory, and other seemingly mundane practices.

To stress the importance of the fundamentals, consider the famous speech by Admiral McRaven at the University of Texas graduation ceremony in 2014 ( McRaven, a former SEAL, emphasizes that SEALS have to make their bed every morning, and are subject to inspection of the task. Why such a seemingly trivial requirement for those carrying spectacularly dangerous and intricate operations?  McRaven’s reply:  because if a SEAL fails on the little things, they will surely fail on the big things.

Cybersecurity is no different. If systems are unpatched, or the IDs of former employees are still valid, it makes no sense to implement a high-end behavioral analysis system based using the latest artificial intelligence techniques. If log collection, storage, and correlation are deficient, high-end machine-learning systems will provide little value:  “garbage in, garbage out” still applies.

Still, it is essential to keep pace with the enemy, who innovate constantly. Defenders must also innovate, or deploy innovative technology, but only if they can rest on, or amplify, a sound security posture. Keep a close eye on new technology and the benefits it can provide, but make sure you are not attempting to compensate for simple weaknesses with complex solutions.