I was reading Ender's Game to my son several months ago…probably my fifth time through the book. I came across a passage that really resonated with me. Ender is at Command School and he just got the crap kicked out of him by Mazer Rackham for no reason that Ender could discern.
Ender was angry now, and made no attempt to control or conceal it. "I've had too many teachers, how was I supposed to know you'd turn out to be a--"

"An enemy, Ender Wiggin," whispered the old man. "I am your enemy, the first one you've ever had who was smarter than you. There is no teacher but the enemy. No one but the enemy will tell you what the enemy is going to do. No one but the enemy will ever teach you how to destroy and conquer. Only the enemy shows you where you are weak. Only the enemy tells you where he is strong. And the rules of the game are what you can do to him and what you can stop him from doing to you. I am your enemy from now on. From now on I am your teacher."[1]
This is threat analysis: understanding your assets and understanding your enemy, then predicting what they are going to go after and how they are going to do it. For intentional, malicious threats, the adversary chooses his target assets and the attack methods he will use to compromise each asset, and no one else does. He chooses the battles that the protectors of the infrastructure will fight. He chooses the attack methods and, ultimately, he chooses the defenses that must be implemented to protect the infrastructure. Which enemies will attack your systems? Which of your systems will each enemy attack? What compromise methods will each enemy employ?
Securing an organization's assets efficiently and effectively requires knowing the answers to these questions. Organizations that know the answers deploy the right controls to the right assets at the right time. They are flexible in their approach, changing their control structure to match the threat: adding new controls, enhancing existing controls, and scrapping controls that no longer provide value. Every control in the environment provides a good return on investment. The security controls for each asset match the risk specific to that asset. They are ready when threats act upon them. Ultimately, their security risk profile is correct, and the financial statements prove it.
Organizations that do not know the answers to these questions do not have the right controls deployed to the right assets at the right time. They are often in fire-drill mode, reacting to successful attacks against themselves or to attacks that are pervasive among their peers. Their datacenter racks are littered with the blinking lights of security appliances that aren't worth the power it takes to run them. They are not ready when threats act upon them. Ultimately, their security risk profile is not correct, and the financial statements prove it, whether through money wasted on unnecessary controls or through the costs of recovering from a compromise. Think TJ Maxx, Heartland Payment Systems, RBS WorldPay, and CardSystems Solutions.
Most of us operate somewhere between these two extremes. Regardless of where you sit on this continuum, you want to move toward correctly matching your controls to the threat to your environment and your assets. Knowing which enemies will attack your systems, which of your systems they will attack, and what compromise methods they will employ will get you to a more efficient and effective risk posture.
Defend against attacks that will occur. Don't defend against attacks that will never occur. Choose your battles wisely and fight them well.
[1] Orson Scott Card, Ender’s Game, pages 262-263, TOR Science Fiction