Pre-Script - It should be noted that the outcome of this discussion - in the last paragraph - is one smart way you can approach the “We need to reduce your budget” discussion (if that discussion hasn’t come already).
I’ve often read people who say that we (security, risk management) need to “think like the attacker”. And when you read this sort of article, that usually alludes to trying to anticipate the tactics an attacker might use to mess with your C, I, or A. Smart stuff, that, and very useful when architecting security solutions. But as I was training some folks Monday, I was thinking in the back of my head about Threat Capability (TCap) in FAIR. As you might know, we like to estimate the capability of a threat to apply some level of “force” against our assets. This ability to apply force is a byproduct of the attacker’s skills and resources. And thinking of how an attacker applies skills and resources, I came across another way we might “think” like an attacker.
Traditionally, I’ve thought of “skills” as being a byproduct of the toolset an attacker has. This mindset probably stems from my time with Penetration Testing teams, where in the process of scoping the PenTest I would ask our clients to select the level of effort that they wanted us to throw at them. If a client chose “high” we’d throw every ‘spoit we had at them. If they chose “low” we’d limit ourselves to a more commonly available toolset.
But while the resources part of TCap is time & materials (money) - the skills are really more than just the toolset. Skills would include the ability of the attacker to be creative and innovative. As an example of that innovation from those PenTesting days - when we got a “high” effort request, we would always try to couple that with some “social engineering”-type of attack, or some unique means of delivering an existing exploit. Our creativity was not necessarily a byproduct of a unique exploit or tool we had, but the process by which we might deliver pre-existing or commonly available exploits. I remember when we first got ahold of a handful of 32mb thumb drives (hey, 32mb was huge back then) and “dropped” a few in the lobby of a client’s retail space. The keystroke loggers and phone-home script weren’t new, but using the thumb drive as delivery vehicle certainly was.
So I’ve started to really think about this concept of innovation, and how if “thinking like an attacker” means to be innovative, we ought to do the same. I’ve been thinking of two main categories of innovation this morning.
INNOVATION
The first I’ll call Technology Innovation. And by Technology Innovation, I mean some new, unique, “ahead of the curve” technology that an attacker can use against us. The obvious example of which is a zero-day. It’s that “high” tool set our PenTesters would use against the clients. For security departments, this might be the latest security product designed to enhance our ability to P, D, and/or R.
Alternately, we can be creative in the way we deliver (manage) existing technology. I think of this as Process Innovation. It’s doing more with what we already have, just like the PenTest team would be creative in the delivery of an existing exploit.
Unfortunately for us - attackers have traditionally had quite a leg up on us in terms of Process Innovation. It is much easier fro them to be creative, as they are free of political constraints and bureaucracy. In contrast, when the security industry tries Process Innovation, the results are checklists and “standards”. It’s committees and consensus. An extreme example of which might be something like SABSA - a great work if you want to understand some very smart people’s comprehensive understanding of organizational security - but the “adoption”of which will do very little to help you be innovative in P/D/R.
It’s worth noting that ultimately, this is one reason I don’t like regulatory compliance efforts - they simply serve to prove how mundane your security department is, wasting valuable resources that could be spent on creating ways to be more effective.
PROCESS INNOVATION AS A SUBSTITUTE FOR TECHNOLOGY INNOVATION
As we come to the close of 2009, some surveys suggest that security spending isn’t horribly impacted yet by the economy (the latest from E&Y points to only 5% of their respondents getting budget cuts). But if this is a protracted downturn, and because InfoSec is an operational expense, I would expect cash to become more and more difficult to keep. And regardless if technology spends do slow, I believe it makes sense to think about Process Innovation because I see Process Innovation as a means to increase effectiveness without significant capital expenditures (effectiveness increases because our ability to manage risk has a direct correlation to the amount of risk we have).
The bad news is, of course, that great innovation is hard. It is R & D. Failure is usually a pre-requisite to success.
The good news is, our current state is so bad that many of us don’t need to come up with a whizbang new way of reducing software defects in the SDLC as innovation. Simply inserting a risk analyst into the PMO’s processes might count as a big enough victory. Be cautioned, though, that if we’re substituting the risk reductions provided by technology acquisition - Process Innovation might actually be even more “expensive” as it requires us to expend political capital. But there are (forgive the term) innovative ways to spend this political capital.
For example, by taking a second now and figuring out the 3 things that the rest of the organization can do to make your life easier, when that “I need to reduce your budget” talk comes, you can be prepared to negotiate. Get a political capital “loan” or “investment” from the C-Suite reducing your budget. Something to the effect of: “I expected this, and am happy to give up my budget. But if our tolerance for risk hasn’t changed, what I’d like to do is get you to personally back my office on three projects I’ve identified that can reduce our risk without requiring significant capital expenditure.”
