I recently attended Robotex 18 in Tallinn, Estonia, and watched a very interesting talk given by Koen Maris, CTO of Cyber Security at Atos. His talk seemed mildly inspired by Donald Rumsfeld’s quote, “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don't know we don't know.” Of course, it’s towards the end of that quote where the concern lies, so how do we defend against the unknown unknowns?
Mr. Maris spoke of the good, the bad, and the unknown, and how our goal should be to reduce the unknown by learning as much as we can about the good and the bad. We can defend ourselves far better against what we know. He explained how classic cyber security defenses are perimeter-based, focusing on preventing attackers from getting in while paying less attention to detecting and mitigating attacks already under way. A perfect example of why this matters surfaced just last week (Nov ’18) in the Marriott Hotel data breach, in which attackers were present in the systems of Starwood Hotels and Resorts (bought by Marriott in 2016) for four years before being detected, exposing 500M customers’ details.

No doubt there was investment in stopping attackers getting in, and some effort was made to encrypt credit card information, but one must assume there was little focus on detecting attackers already in the system. The latest thinking appears to be Zero Trust security/architecture. The idea is to assume your databases have already been breached and there are attackers on your network. If you assume this, you should be spending some time and money finding anomalies and identifying the intruders.
Zero trust reminds me of something I came across when working in Oil and Gas operations. I was told by a client I should have “chronic unease”, which, to me, seemed a lot like anxiety, but anxiety with a purpose. We were told we should all have chronic unease; the feeling that we might kill someone at any minute due to a mistake we’ve made on the oil rig. Zero trust – the feeling that someone is already inside the house, and by not looking for them, we’re at fault.
Maris suggests, as does NIST for the most part, that cyber security investment should be split almost equally between prevention, detection, and remediation, which fits well with Zero Trust. Another idea to consider is that data is “radioactive”; it should be treated with extreme care, only by those suitably trained to handle it, and you should keep as little of it around as you can. This point appears contradictory to another school of thought that sees data as the “new oil”. Ten years ago, five of the top ten largest companies were Oil and Gas, with just one being digital tech (MS). Now, there isn’t an Oil and Gas company in the top ten, and the list contains seven tech giants.

Assuming capitalism is alive and well, data, like oil, will be drilled as much as possible. That’s unavoidable for now. But we should still see it as “radioactive”: once leaked, it is impossible to clean up. The relevant steps should be taken to make things difficult for attackers already on the system, for example using strong two-factor authentication that keeps the keys off the system, so that lateral movement within the network is constrained.

There are many kinds of technologies that can limit the damage done by someone already in the system, but as Bruce Schneier said, “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology”. Technology is just one piece. The right tech can help protect our data, but without the right attitude towards that data and how we actually secure it, we’re going to struggle.