CSO, Timothy Paul Coderre
September 13, 2016

Finding Balance Between Meeting Mission Imperatives and Acceptable Risk

As a former military commander, I will be the first to say that any pursuit has inherent risk, and leaders must routinely accept risk in order to move their operation forward. Perfect and complete information is rarely available to make decisions, so a balance must be struck between meeting mission imperatives and acceptable risk. Finding this balance is dynamic and requires a constant re-evaluation of the situation. This skill set is established by training and conditioned through practice over years throughout a military career, and indeed is a leadership requirement not exclusive to the military.

Much has been written and spoken about on the topic of cyber threat, and yet within government and industry today the prevailing leadership habit is one of risk acceptance without understanding or even appreciating the risk that is being accepted. Tragically, this risk acceptance is often perceived be these leaders as ‘not taking unnecessary risk’ and characterized by inaction in the face of significant actual risk. They simply do not appreciate their organization’s exposure to cyber threat or the impact to their operations it could have.

So it begs the question: why?

At its fundamental level cyber defense is a contest between humans, with each party attempting to gain advantage by imposing their will upon the other. The attacker looks to exploit vulnerability while the defender arrays himself to both raise the level of difficulty for the attacker and position himself to respond when his defenses are overcome. This reality shines a light on the need to look beyond pure technology solutions and calls for adopting an approach to cyber defense that considers the human element as a critical factor.

Recognizing and then accepting that all defenses can and eventually will be overcome is vital to forming an effective cyber defense strategy.

So why does the prevailing position remain one of inaction?

I believe that the reticence to take decisive cyber defense action that characterizes the leadership of most organizations today stems from a lack of understanding of the environment and a lack of awareness of actual threat activity.

This is a highly technical and rapidly evolving domain. Networks were created for openness and sharing and we weren’t designing networks or computers with security in mind until very recently. Formal education quickly becomes overtaken by technological advances and if knowledge is not reinforced by experience and continually developed, skill fade has a very real impact on the ability to competently describe the situation and often shakes the confidence of advisors to the point where they are reluctant to advise. Because of the technical complexity and the historically poor ability of technical staffs to effectively translate technical impact into operational implications, the leadership echelons in public and private institutions typically have not been presented with decision-quality information.

Awareness of actual cyber threat activity is overwhelmingly kept sequestered behind closed doors and classified beyond usefulness by governments and is therefore not shared with the public. Those responsible for security within organizations are often embarrassed by what they fear will be perceived as a failure to do their job, and so are less likely to proactively expose breaches or intrusions to their leadership for fear of the consequences and being seen as failing.

There are two distinct but compounding challenges: education and awareness. Often the one is confused for the other, and when highly educated and intelligent people are presented with cyber threat information they were not aware of they dismiss it as untrue or exaggerated fear mongering.

As a result, we’ve grown a leadership culture that assumes away risk without understanding, and a public that is not empowered to make wise choices for themselves or their organizations because they quite simply don’t know they need to – a very dangerous reality. I believe that leaders want and the public deserve to know what is happening on their networks so that they can understand the actual risks of both their actions and their decision not to act. We must empower technical staffs with the education, training and the tools that make it possible for them to support decision-making and effectively defend their networks.

So why do I wish I had a Counter-Advanced Persistent Threat (APT) Hunt capability when I was directing cyber operations in the military?

A Hunt capability pairs sophisticated detection and response technology with expert operators to actively seek out APT presence within a supported network.

With the fidelity that telemetry from a host-based covert agent provides, I can detect those APTs that my traditional defensive technologies miss; I can know with precision where a threat on my network is; and I can take immediate action remotely through the agent to render that threat ineffective across my network with no impact to ongoing operations. This means I gain time and save costs directly by not having to deploy teams physically to remote locations to address cyber security breaches – often with significant impact to operations.

With expert human operators and analysts manning this over watch capability and synthesizing adversary activity information for me, I can now quickly and confidently present to my leadership: my considered subjective judgement on what risks they should accept or reject; a detailed understanding of the costs of both the threat and the cure; and I can relay it to them in terms of their ongoing operation.

In short: I can regain the initiative and preserve my freedom of action because I now know exactly what is happening on every host and can respond surgically to threats within minutes.

I’ll say it again: recognizing and then accepting that all defenses can and eventually will be overcome is vital to forming an effective cyber defense strategy. Proper usage policies, architectures, configuration and monitoring are each important and should be designed, established and maintained for best effect. That said, without a dedicated manned capability positioned to monitor and then rapidly respond when defenses are overcome, your resilience to cyber attack is limited to patching schedules and update priorities that are beyond your control and simply too slow to keep pace with advanced cyber attackers’ tools and methods.

In this volatile and complex environment, a Counter-APT Hunt capability gives leaders the ability to assure the integrity of their networks at the speed of attack. Freedom of action within your own network is a pre-condition for all operations and business activities, and this freedom starts with quality situational information and an understanding of the actual risk you face.

A tale about the NSS Labs 2018 Endpoint Detection and…

When actively monitoring endpoints to detect signs of cyber attacks,…

Following a webinar hosted by my colleague Justin Seitz two…

As ISO, CIO, CSO, CTO, we need to secure our…

We live in the business world where more and more…

In addition to its main use of extending Java programs…