Saturday, June 21, 2014

Information Security as Counterinsurgency

In Information Security, rapidly escalating and innovating threat actors, coupled with an ever-changing business technology architecture, have changed the security game forever. Preventative controls are increasingly less effective in mitigating threats, and they are too cumbersome to keep up with the pace of technology change. This necessitates shifting the balance from a focus on preventative controls to rapid security intelligence and response.

A friend of mine, who is a world-class security intelligence engineer, pointed me to a paper, Twenty-Eight Articles: Fundamentals of Company-level Counterinsurgency, by David Kilcullen. Mr. Kilcullen also wrote a book, "Counterinsurgency", that I read. My friend's point in directing me to this article was that Information Security is, in many ways, a counterinsurgency operation. As Mr. Kilcullen states:

"...counter insurgency is at heart an adaptation battle: a struggle to rapidly develop and learn new techniques and apply them in a fast-moving, high-threat environment, bringing them to bear before the enemy can evolve in response, and rapidly changing them as the environment shifts." (Counterinsurgency page 2).

The Twenty-Eight Articles was written by Mr. Kilcullen at the U.S. State Department and DoD and is based on his extensive experience as a senior advisor on the ground in the Iraq and Afghanistan wars. His Articles are what he observed to be essential to successful counterinsurgency. Here is what I took away. All quotes are from the book, which also contains the 28 Articles.

Article 1: Know your turf.

"Your task is to become the world expert on your district. If you don't know precisely where you will be operating, study the general area. Read the map like a book: study it every night before sleep and redraw it from memory every morning, until you understand its patterns intuitively." (Counterinsurgency page 30).

In Information Security, this is knowing your network and your systems and your applications. What they are, what they store, how they communicate, what their accessibility is, who is accessing them, and so forth. It is Nmap coupled with net flow data coupled with the asset risk catalog coupled with vuln scan information coupled with firewall logs and security event logs and fraud activity.
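One way to start drawing that map, as an added example that is not part of the original post: reconcile the asset risk catalog with scan results, vulnerability findings and net flow to surface hosts nobody has catalogued, catalogued assets that are never observed, and vulnerable services that outside addresses actually reach. All data, names and the `10.0.0.0/8` internal range are constructed assumptions; firewall, event and fraud logs are left out to keep it short.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the original post).
CATALOG = {  # asset risk catalog: ip -> (owner, criticality 1-5)
    "10.0.1.10": ("payments", 5),
    "10.0.1.20": ("intranet", 2),
    "10.0.1.30": ("hr", 3),
}
SCAN = {  # port-scan results: ip -> open TCP ports
    "10.0.1.10": {22, 443},
    "10.0.1.20": {80},
    "10.0.1.99": {3389},
}
VULNS = {("10.0.1.10", 443), ("10.0.1.20", 80)}  # (ip, port) with open findings
FLOWS = [  # net flow records: (src, dst, dst_port)
    ("203.0.113.7", "10.0.1.10", 443),
    ("10.0.1.20", "10.0.1.10", 22),
    ("10.0.1.99", "198.51.100.4", 443),
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def turf_map(catalog, scan, vulns, flows):
    """Reconcile the four sources into one view of the environment."""
    inbound_external = defaultdict(set)  # dst ip -> ports reached from outside
    seen = set(scan)
    for src, dst, port in flows:
        seen.update(ip for ip in (src, dst) if is_internal(ip))
        if is_internal(dst) and not is_internal(src):
            inbound_external[dst].add(port)
    # Vulnerable services that outside hosts actually talk to, most critical first.
    exposed = sorted(
        ((ip, port, catalog.get(ip, ("unknown", 0))[1])
         for ip, port in vulns if port in inbound_external[ip]),
        key=lambda r: -r[2])
    return {
        "unknown": sorted(seen - set(catalog)),  # on the wire, not in the catalog
        "silent": sorted(set(catalog) - seen),   # in the catalog, never observed
        "exposed": exposed,
    }

if __name__ == "__main__":
    for key, value in turf_map(CATALOG, SCAN, VULNS, FLOWS).items():
        print(key, value)
```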

Article 2: Diagnose the problem

"Who are the insurgents? What drives them?....This means you need to know your real enemy." (Counterinsurgency page 31)

This is threat analysis based on real data and reliable intelligence. It isn't a hypothetical, assume-a-vacuum physics-class scenario. It is real, and the decisions are made in the real world. It is the root of good security decisions. It is the process of determining the likelihood of harmful things occurring to your assets: who will do what to the systems. This information, coupled with the value of each of your systems, forms the basis for making sound security decisions.

Article 3: Organize for intelligence

"Your operations will be intelligence driven, but intelligence will come mostly from your own operations, not as a product prepared and served up by higher headquarters. So you must organize for intelligence."

In a post earlier this year, I wrote that your environment has all the data you need to answer your security questions.

Mixed together properly, the DNS logs, web logs, firewall logs, endpoint events, malware events, AD data, and net flow hold rich treasures for finding your weaknesses and ferreting out your enemy.

Article 4: Organize for interagency operations

"Almost everything in counterinsurgency is interagency." David continues, "Train the company in interagency operations -- get a briefing from the State Department, aid agency, and the local police or fire brigade. Train point-men in each squad to deal with the interagency." (Counterinsurgency page 32)

In InfoSec, the interagency is the business and your IT associates, working together to support the business objectives. It is being able to work effectively across organizational boundaries to secure and collect data from networking infrastructure and systems, working with the development team to write secure code, and integrating security test cases in the QA cycle. It is working with all of these organizations and Public Relations to effectively respond to events.

It is working with product teams to understand their objectives and to quickly develop security solutions to enable them to move quickly. It is being solution-ready for emerging technologies that will enable the company to more efficiently and effectively serve the customer.

Article 5: Travel light and harden your Combat Service Support

"Unless you ruthlessly lighten your load and enforce a culture of speed and mobility, the insurgents will consistently outrun and outmaneuver you." (Counterinsurgency page 33)

This is about having an adaptable security architecture that can be quickly adjusted to address threats. These are inherently intelligence-centric systems that can learn by themselves and learn from the engineer operating them.

Article 6: Find a political/cultural adviser

Be "able to speak the language and navigate the intricacies of local politics." (Counterinsurgency page 33)
Information Security serves the organization that employs it. This is about being connected to the business and enabling the business strategy. It is about bringing the Executive team to the proper level of understanding of threats and risks to their organization in their language.

Article 7: Train squad leaders, then trust them

"Ruthlessly replace leaders who do not make the grade." (Counterinsurgency page 34)

Article 8: Rank is nothing: talent is everything

"Rank matters far less than talent - a few good men under a smart junior NCO can succeed in counterinsurgency, where hundreds of well-armed soldiers under a mediocre senior officer will fail." (Counterinsurgency page 34)

This applies to vendors as much as it does to people. I've seen talented small teams dramatically cut costs because the commercial software solutions were really just a poor patch for lack of talent. This video illustrates it well....

Article 10: Be there

"If you are not present when an incident happens, there is usually little you can do about it. So your first order of business is to establish presence." (Counterinsurgency page 35)

This is security intelligence and event monitoring so that you can minimize the gap between the time of the initial incident and the response. Wait too long, and the data or the money is gone. Sadly, Mandiant reported that, for incidents they were involved in handling, the threat groups were present on the systems a median of 229 days.

This is also about being integrated into the business's plan, build, operate cycle so that you can influence direction early in the process rather than complaining and scrambling after the products are built.

Article 16: Practice deterrent patrolling

"Establish patrolling methods that deter the enemy from attacking you." (Counterinsurgency page 39)

I've seen it done so well that banking trojan campaigns and associated fraud have fallen off for weeks because the best proactively lure and take down the miscreants. This is also about advanced threat intelligence so that you are resilient to even the newest attack campaigns. This means being in the enemy camp gathering intel and being trusted professionals with your business competitors such that you can share information quickly and without friction of legal qualifications.

Article 17: Be prepared for setbacks

Compromises happen. Projects fail. Managers make mistakes. It happens. It is human. Diagnose. Learn. And move forward.

Article 20: Take stock regularly

"Use metrics intelligently to form an overall impression of progress - not in a mechanistic "traffic light" fashion." (Counterinsurgency page 41)

Metrics that matter. The metrics that matter here are those that inform you about the enemy, your capability in resisting them, and where controls are worth it and where they are not. They also measure how well you are serving the business. I'll do a post on this in the near future.