Shifting The Cybersecurity Model: From Cops to Spies

By Jamison Utter

Some time ago, we shifted our cybersecurity culture to something akin to being cops. Yes, cops are important; take them away and you get bedlam. But cops, for the most part, investigate crimes that have already happened. Most cybersecurity teams are similar: they investigate breaches or violations after they happen. Why do incident response teams and companies charge so much? Why wouldn't we pay more for people to prevent the breach in the first place? Maybe there needs to be some sort of front-line cyber defense group watching your IP space, your users and your names. Wait, we do have some of those, don't we? Do they work?

Thinking about this differently, shift the cybersecurity model from being a cop to being a spy. Not only is it 'cooler', it is also more productive. Let machines do the cop part: enforce policy and limit user interaction. Humans need to make the hard calls, the fuzzy-logic stuff. Let's get to a culture where Philip K. Dick is our role model in security and products are 'Minority Reporting' rather than producing piles of reporting.

I think the way there is security automation, and that we demand (not ask) that security vendors stop selling us point solutions that each meet a specific need but are really only one part of a greater solution. Today you probably have 7, maybe even 10, point products to manage.

For the security products that can actually talk to each other, how do they meet up in the SIEM? And how is that working for you? Is it lots of swivel-chair administration? Seriously, why can't my IDS trigger a scan from my vulnerability scanner, which then triggers an endpoint remediation? STIX and TAXII promise some of this, but I fail to see how a generic exchange protocol can deliver specific solutions on its own. Ask a hacker how to compromise STIX and get back to me.

If security professionals continue to accept things as they are, we will be in worse shape in 5 years. Today, even the most secure networks operate as if they were compromised... continually. Why is that? Because we cannot even detect most compromises until long after they happen. How long is the average breach-to-detection? (It's 146 days, down from 205 days last year - PDF.) Seriously? How long is the average remediation? (At least 7 days, and up to 30 days or more - PDF.) Seriously?

So let's consider not waiting for the breach; stop playing cop. Let's dig into our data and know what is valuable in our network. Stop playing cop at the edge and remember that, as in The Matrix, 'there is no spoon' (or in this case, there is no edge); the user is the endpoint, not the device.

Let's build a culture of security, secure applications by design, build secure networks, and secure data. Stop thinking ‘encrypt it all’ and start thinking ‘why do we have this in the first place.’

Ask your application developers 'why do we need the social security number' or 'why do we store that data', not 'how are we encrypting it'. See where tokenization, or just plain anonymity for our users, is possible. A breach response is really different when you can report "we don't have any PII; we don't store it."
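To make the tokenization idea concrete, here is an added example (not code from the original post or its author) of the pattern in miniature: the application handles the SSN once at intake, hands it to a vault, and stores only an opaque token plus the last four digits it needs for display. The vault, its role check, the `tok_` token format and the sample customers are all assumptions of this example; in practice the vault would be a separate, tightly controlled service rather than an in-process class.

```python
import hmac
import hashlib
import re
import secrets
from dataclasses import dataclass
from typing import Dict

# Matches a U.S. SSN in NNN-NN-NNNN form; used both to validate input and,
# later, to sweep a dumped application database for anything SSN-shaped.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Hypothetical tokenization service (an assumption of this example).

    It is the only component that ever holds raw SSNs. A real deployment would
    run it as a separate, audited service with its own datastore and key
    management; it is in-process here only so the example runs offline.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._token_to_ssn: Dict[str, str] = {}
        # Keyed hash of the SSN -> token, so tokenizing the same SSN twice
        # returns the same token without keeping a plain-hash index that an
        # attacker could brute-force over the roughly 10^9 possible SSNs.
        self._index_to_token: Dict[str, str] = {}

    def _index(self, ssn: str) -> str:
        return hmac.new(self._index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, ssn: str) -> str:
        """Return an opaque token for the SSN, minting a random one if unseen."""
        if not SSN_RE.match(ssn):
            raise ValueError("expected an SSN in NNN-NN-NNNN form")
        idx = self._index(ssn)
        token = self._index_to_token.get(idx)
        if token is None:
            # A random token carries no information about the SSN, so there is
            # nothing to decrypt; the mapping exists only inside the vault.
            token = "tok_" + secrets.token_hex(16)
            self._token_to_ssn[token] = ssn
            self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Resolve a token back to the SSN; limited to roles that genuinely need it."""
        if caller_role not in {"payroll", "tax-reporting"}:  # assumed policy
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_ssn[token]


@dataclass
class CustomerRecord:
    """What the application database keeps: a token and the last four digits
    for display, never the SSN itself."""
    customer_id: int
    name: str
    ssn_token: str
    ssn_last4: str


def onboard_customer(vault: TokenVault, app_db: Dict[int, CustomerRecord],
                     customer_id: int, name: str, ssn: str) -> CustomerRecord:
    """Handle the SSN once, at intake, and store only what the app needs later."""
    record = CustomerRecord(customer_id, name, vault.tokenize(ssn), ssn[-4:])
    app_db[customer_id] = record
    return record


def breach_exposes_pii(app_db: Dict[int, CustomerRecord]) -> bool:
    """Simulate an attacker dumping the application database and grepping it for SSNs."""
    for rec in app_db.values():
        for value in (rec.name, rec.ssn_token, rec.ssn_last4):
            if SSN_RE.match(value):
                return True
    return False


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    app_db: Dict[int, CustomerRecord] = {}
    # Constructed sample data, not real people.
    onboard_customer(vault, app_db, 1, "Ada Lovelace", "123-45-6789")
    onboard_customer(vault, app_db, 2, "Alan Turing", "987-65-4321")
    print("app DB dump exposes SSNs:", breach_exposes_pii(app_db))
    print("payroll can resolve:", vault.detokenize(app_db[1].ssn_token, "payroll"))
```

The point of the split is the breach story: a dump of the application database yields names, tokens and last-four digits, and nothing SSN-shaped, while the one place that can reverse a token is small enough to audit and to lock down to the few roles that actually need the number. The HMAC index is there so repeat intakes stay idempotent without the vault keeping a cheaply brute-forceable hash of every SSN.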


About Jamison Utter

Natural curiosity has taken Jamison beyond the technical hack into the workings of the criminal industry: how and why malware is written, how people make money at it (and why they keep doing it), and what the motivations are.
