Security is a fickle business.
We argue about semantics.
We argue over the definitions of terms.
We argue over methods - and each side has their own version of supporting data, mind you.
My recent post, "Defending against the threat, not the adversary," stirred up some of that debate. Specifically, one conversation came down to what I meant by tactics and whether this was a dirty word in the security world.
Let me reassure you, I neither believe "tactics" is a bad thing nor do I seek to disparage the term.
In fact, if you're going to talk 'defense' and you're not talking about tactics, you're missing the boat.
Josh Corman reminded me of a fantastic Sun Tzu quote. (Yes, I know we're all tired of those by now, but this one is very applicable...)
"Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat." -Sun Tzu
I would take one small issue with that quote in today's world, which is that if you're just playing strategy, you won't win.
I like analogies so here's one that's relatively close...
If you're going on a road trip, you set your destination as the point you want to get to and map out with relative certainty the way you're going to go. You map out the highways, the rest stops and food stops. This is strategy.
Along the way you encounter traffic jams, road closures and "daddy we want to go see that dinosaur!" detours, so you're still headed to your destination, only making small (or sometimes large) adjustments to get to your ultimate destination. This is tactics.
One way I explain this all to security professionals and CISOs is that strategic security is the program you put in place once you've defined what you're going to secure, why and how much. Additionally, there is currently heavy dispute over whether the who (your adversaries) should be included in the strategy of security organizations. It may be interesting to note that my original enterprise-view didn’t initially include the who in strategy planning discussions. After a few long conversations, and one recent short one, I believe that today this thinking must evolve given the current threat landscape. It may not be possible to determine exactly who your adversaries will be; however, corporate CISOs don’t need black magic or a crystal ball to look around their respective industries to understand the threats posed to their colleagues across their specific industry vertical. There are other ways of understanding who is going to come after you and how. As an example, if you’re a CISO of a large US banking organization you’ll likely include specific threat actors in your strategic planning. This prevents you both from spending your organization’s resources fruitlessly defending assets of no value and from completely ignoring things that weren’t important to you but are to your adversaries (once you’ve understood them).
Once you’ve clearly understood and articulated your strategic point of view, you can move on. You can then make some broad-stroke statements about your general approach, industry accepted practices, technologies you'll use, etc. Once you start putting your plan into place you will notice that your adversaries may quickly adapt to your defenses, and adjust their attack patterns. You then utilize tactical security measures to counter-adjust and disrupt the adversary's ability to attack. This is standard adapt and defend thinking if you've got a military background.
Intelligence, strategy, tactics, lions, tigers and bears...
This discussion of strategy and tactics isn't an either/or discussion. It's an AND discussion, full stop. It's ridiculous to develop a strategy and then blindly follow it in the face of adaptive adversaries, changing market conditions, and social and geo-political situations. Any security program worth its implementation accounts for the active feedback loop from the many readily available intelligence feeds out there. You need active intelligence to feed back into your program to adjust course and sometimes even re-write your strategy based on the current climate, whether you're:
- gathering information internally through a research team
- buying feeds and information from firms specializing in such operations
- utilizing built-in capabilities of your security products (one example is network defenses; see TippingPoint as an example)
There are so many OSINT (Open-Source Intelligence) sources out there that it's enough to keep a large team busy gathering, analyzing and implementing intelligence. But not every organization can do this for itself. There are also several organizations which actively perform adversary intelligence information gathering and will happily sell it to you so you can defend your organization more... well, intelligently. Tactical implementation of threat intelligence can be costly depending on how it's packaged. On one end of the spectrum you have the 'box' which will simply implement things for you, and on the other you have the manual effort that requires human resources of a rare capability level.
Speaking of capabilities - this speaks to the heart of the maturity of organizations that can effectively consume intelligence and implement tactics. Without getting too far off on an intelligence tangent, I think it's important to at least understand target audiences here.
I don't believe that the size of an organization matters, nor do the budgetary capabilities, as much as the CMMI maturity level. The less mature an organization is (the more ad-hoc security is), the less likely they are to be able to effectively consume intelligence into tactics. I've said it before and I'll say it again: if your organization doesn't adequately understand what they're defending and why, the how is almost immaterial. Your defenses will fail. You'll end up in permanent "block & tackle" mode, meaning you'll never take a defensible posture, so you'll always be flailing about, following what your vendors and the media scare you into believing. And worst of all, you’ll be spending, spending, spending on things that don't make you safer.
A mature security organization understands how its business changes and can consume an intelligence report and adjust instantly based on their adversary’s actions. This also means that they understand who their adversaries are and why they're adversaries in the first place. Organizations in the financial and government sectors are perhaps currently the best at understanding and adapting to their adversaries. The big banks have become the target of overseas attackers who DDoS, hack, and perform acts of misdirection based on what they want to accomplish. If these banks stuck to their laid-out strategy and never adjusted to new threats we'd likely all be wondering why our bank accounts are empty and bank Web sites are unreachable.
Sanity must prevail
In order to have a rational, sane conversation on this topic we must first get on the same page about what all these words mean. These are the general definitions I go by but yours may vary based on your involvement in security.
Strategy is the big-picture, long-term 'goal' of a security program, with an understanding of who you're defending against.
Tactics are the adjustments, big or small, that are made to the security program to account for changing conditions and evolving threats.
Strategy without accompanying tactics is a lost cause.
Tactics without a solid footing in strategy is an expensive lost cause.
The maturity of an organization's security team is directly proportional to their ability to have a foundational strategy and be able to implement tactical measures and feedback to adjust to changing conditions in order to defend adequately.
Good luck out there.
Thanks to Josh Corman, John Pirc and Will Gragido for some spirited, intellectually challenging and educational discussions - some of their thoughts are included above.