If You Can't Beat The Breachers? Emulate Them.

06/09/2011 | Chris Silva

I'm getting to the point where I feel I should be adding a daily recurring calendar item: "sit down, get coffee, research the high-profile breach of the day." It's appropriate given the seeming torrent of news of late, with the victim du jour, Citi, disclosing today that the accounts of somewhere around 200,000 customers have been compromised. 

Is it fair to call Citi a victim, though? Isn't it more accurate to say that any company which experiences a breach has, at some level, itself to blame? True and not true at the same time. Firms like Lockheed Martin and General Dynamics clearly have the apparatus in place to respond to threats, batten down the hatches and ensure nothing is exfiltrated. Many, many more organizations, the ones that don't spend their workdays surrounded by folks who prefer a black helicopter as their primary mode of transportation, are neither as well equipped nor as vigilant in their monitoring of and response to these threats. 

It's not hard to see why, as coverage of these breaches brings forth many well-informed, and some less well-informed, discussions of the reasons behind and implications of these situations. I've seen few pieces dealing with the "now what" aspect of them, focused on how companies can respond. 

The best defense is to modernize policies, strategy and overall thinking around security as it pertains to monitoring and protecting your assets. The new way of thinking about security, preparedness and response is to model behaviors around personas. Understanding the persona of your likely attacker (and it's different for every business) and the personas you can create through training and tools inside the organization will provide a real-time view of what your risk is and what your ability is to manage that risk. It's a nascent approach, but we're beginning to see organizations favor persona-based emulation over traditional, passive protection in response to breaches. How so? It takes shape in a couple of ways:

  • Create strategies around people, not technology: Training and empowering employees to correlate events will always be more useful than relying on the "intelligence" built into a tool, even though people alone don't scale. Teaching employees which sources of information yield insight rather than simply generating data (critical-system access logs versus all access logs, anyone?) is a small first step on the road to allowing your organization to predict, not just respond to, a threat. 
  • Think like your adversary: The old saw around the APT campfire these days - debate aside around the merits of the term itself - centers on "this attacker isn't your neighbor's script-kiddie teenager." While tiresome, it's true that the adversaries causing the most damage today are well trained, well funded and, bottom line, do this full time with distinct gains in mind. They won't quit until they get what they want. Are your users or systems the weakest link? Test it and find out. Phishing some executives of your firm will yield some interesting results on "readiness" and training, guaranteed.
  • Change: The result of this new thinking should be the creation of new roles within the organization that are charged with identifying the threat profile facing it. Understanding the elements inside the organization that raise or lower that risk means constantly reinventing what it means to be aware, and what it means to be prepared. 
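To make the "critical-system access logs versus all access logs" point concrete, here is a small added example (not code from the original post or its author) of the kind of triage an analyst would do: discard access events from non-critical hosts first, then correlate the remaining events for a burst of failed logins followed by a success from the same source. The hostnames, the allow-list of critical systems, the log format, the sample log lines and the thresholds are all constructed for illustration.

```python
"""Added example: triage access logs down to critical systems, then
correlate failed-then-successful logins. Hosts, log format, sample
lines and thresholds are constructed assumptions, not from the post."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a short allow-list of systems whose access logs deserve
# human eyes. Everything else is background noise for this exercise.
CRITICAL_SYSTEMS = {"payments-db01", "ad-dc01"}

# Constructed sample log, one event per line:
#   <ISO timestamp> <host> <OK|FAIL> user=<name> src=<ip>
SAMPLE_LOG = """\
2011-06-09T08:00:01 web-cache03 FAIL user=bob src=10.1.1.5
2011-06-09T08:00:05 payments-db01 FAIL user=svc_pay src=203.0.113.7
2011-06-09T08:00:09 payments-db01 FAIL user=svc_pay src=203.0.113.7
2011-06-09T08:00:14 payments-db01 FAIL user=svc_pay src=203.0.113.7
2011-06-09T08:00:20 payments-db01 OK user=svc_pay src=203.0.113.7
2011-06-09T08:01:00 web-cache03 OK user=bob src=10.1.1.5
2011-06-09T09:30:00 ad-dc01 OK user=alice src=10.1.1.9
"""


def parse(line):
    """Turn one constructed log line into a dict of its fields."""
    ts, host, result, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "result": result,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def critical_events(lines):
    """Keep only events from hosts on the critical-system allow-list."""
    return [e for e in map(parse, lines) if e["host"] in CRITICAL_SYSTEMS]


def correlate(events, fails=3, window=timedelta(minutes=5)):
    """Alert when at least `fails` failures for one (host, user, src)
    are followed by a success within `window`: the classic
    guess-until-it-works pattern that a raw log line never shows."""
    history = defaultdict(list)  # (host, user, src) -> failure timestamps
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["host"], e["user"], e["src"])
        if e["result"] == "FAIL":
            history[key].append(e["ts"])
            continue
        recent = [t for t in history[key] if e["ts"] - t <= window]
        if len(recent) >= fails:
            alerts.append({
                "host": e["host"],
                "user": e["user"],
                "src": e["src"],
                "failures": len(recent),
                "success_at": e["ts"].isoformat(),
            })
        history[key].clear()  # a success resets the streak either way
    return alerts


def triage(log_text):
    """Summarize how much of the log survived filtering and what fired."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    events = critical_events(lines)
    return {
        "total": len(lines),
        "critical": len(events),
        "alerts": correlate(events),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run on the constructed sample, the seven raw lines shrink to five critical-system events and produce a single alert: three failed attempts against payments-db01 for svc_pay from 203.0.113.7 followed by a success twenty seconds later. The noisy web-cache03 activity never reaches the correlation step, which is the point of choosing log sources by the insight they yield rather than the volume they produce.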

Take a look at the report released today (client registration required), where we discuss, in much more depth, the way in which using personas to identify your threats as well as your resources to prepare and defend against those threats can change information security for the better. I'm interested in your thoughts, comments and experiences here. If you'd like to learn more about what we're doing in this area, and want to get a copy of the report, please contact us.
