What Black Hat and the NFL Have in Common: Strategy

Posted by Eric Cowperthwaite

This time of year is a merging of two of my favorite things: Hacker Summer Camp (BSidesLV, Black Hat and DefCon) and the beginning of the football season. On the surface these might not appear to have much in common. A deeper analysis, however, tells us that the strategies employed by your security team and your favorite football team revolve around many of the same principles in order to achieve success.

If we learned one thing at Black Hat 2015, it's that our current playbook is not working. Simply put, the bad guys are soundly beating us at our own game, and we've done a terrible job of responding to the threat. I realize that threats have become more sophisticated and targeted over time and that hacking has become a well-funded business with high stakes. However, the security industry hasn't exactly been sitting idle either. We have the know-how, technology and ability to be more effective; we simply haven't been doing a very good job of playing defense.

In football, success or failure on the field is often dictated well in advance of the first game, based on how a team approaches the construction of its roster. Too much emphasis on any one area leaves you deficient and vulnerable in another. You need a roster that complements itself well and is able to adapt to any type of game condition or opponent. The same can be said of security. While there isn't a salary cap like there is in the NFL, organizations do have budget constraints that dictate what they can spend on security solutions and personnel, so getting it right is of the utmost importance.

A football team needs to be a combination of speed, skill, intelligence and brute strength. A security team needs the correct balance of detection, prevention, analytics, and human resources that can accurately and quickly assess any given situation and react accordingly. From what we saw at Black Hat, few organizations have gotten it right to this point and are falling further and further behind the competition.

As a football fan, I am often dumbfounded when I watch my favorite team give up a play that everyone from the TV announcers to the popcorn vendor knew was coming. These guys watch film all week on upcoming opponents and know the formations inside and out, yet often seem powerless to stop what everyone knows is about to happen. Sound familiar? We know from the Verizon DBIR that 99 percent of all breaches involve a known vulnerability that is at least 12 months old when it's being exploited by a hacker. In other words, we are very well aware of the issue, or the play, and are doing a really poor job of playing defense and preventing the attack.

Assembling the right talent and resources is only half the battle. What truly differentiates a great team, whether football or security, is talent evaluation, coaching and leadership. Knowing how to identify the right people or solutions, and then where to deploy your resources, is often the deciding factor between a win and a loss.

We know that the majority of breaches begin with a client-based social engineering attack. Yet we still haven't found a strategy for defeating social engineering consistently. Even worse, the average organization has no idea whether it has identified, prioritized and patched its critical operating system, web and application vulnerabilities. In most breaches, we discover that the vulnerability and server exploited were something the organization was not even aware was a problem for it. Until there is a strategy to dramatically increase vulnerability management maturity and capabilities, this problem will continue.
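The two points above, that most exploited vulnerabilities have had a fix available for over a year and that many organizations cannot say which of their findings are identified, prioritized and patched, translate directly into a simple vulnerability-management report. The following is an added example, not code from the original post or from Core Security: it takes a constructed inventory of findings (the field names, asset names and EXAMPLE-nnnn identifiers are this example's own assumptions, not any scanner's schema or real identifiers), flags unpatched findings whose fix has been public for 12 months or more, orders the backlog so those "known plays" come first, and reports what fraction of the open backlog is in that stale category.

```python
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample inventory for this example (not real findings).
# "disclosed" is the date a fix/advisory became public; "patched" is the
# organization's own remediation status; "internet_facing" is exposure.
SAMPLE_FINDINGS = [
    {"asset": "web-01", "vuln_id": "EXAMPLE-0001", "severity": "high",
     "disclosed": date(2014, 2, 3), "patched": False, "internet_facing": True},
    {"asset": "db-02", "vuln_id": "EXAMPLE-0002", "severity": "critical",
     "disclosed": date(2015, 7, 20), "patched": False, "internet_facing": False},
    {"asset": "app-03", "vuln_id": "EXAMPLE-0003", "severity": "medium",
     "disclosed": date(2013, 11, 1), "patched": False, "internet_facing": True},
    {"asset": "web-01", "vuln_id": "EXAMPLE-0004", "severity": "critical",
     "disclosed": date(2014, 5, 15), "patched": True, "internet_facing": True},
    {"asset": "fs-04", "vuln_id": "EXAMPLE-0005", "severity": "low",
     "disclosed": date(2015, 8, 1), "patched": False, "internet_facing": False},
]

# Assumed reporting date so the example is reproducible offline.
REPORT_DATE = date(2015, 8, 20)
STALE_AFTER_DAYS = 365  # the "at least 12 months old" threshold from the DBIR point


def age_days(finding, today):
    """Days since the fix/advisory for this finding became public."""
    return (today - finding["disclosed"]).days


def is_stale(finding, today, stale_after_days=STALE_AFTER_DAYS):
    """True when the finding is still unpatched and its fix has been
    available for at least stale_after_days."""
    return (not finding["patched"]
            and age_days(finding, today) >= stale_after_days)


def prioritize(findings, today, stale_after_days=STALE_AFTER_DAYS):
    """Open findings, highest priority first.

    Sort key: stale findings before fresh ones (the 'everyone knew the play
    was coming' case), then by severity, then internet-facing assets before
    internal ones, then oldest fix first."""
    open_findings = [f for f in findings if not f["patched"]]
    return sorted(open_findings, key=lambda f: (
        not is_stale(f, today, stale_after_days),
        -SEVERITY_RANK[f["severity"]],
        not f["internet_facing"],
        -age_days(f, today),
    ))


def coverage_report(findings, today, stale_after_days=STALE_AFTER_DAYS):
    """How much of the open backlog consists of long-fixable vulnerabilities."""
    open_findings = [f for f in findings if not f["patched"]]
    stale = [f for f in open_findings if is_stale(f, today, stale_after_days)]
    fraction = len(stale) / len(open_findings) if open_findings else 0.0
    return {"open": len(open_findings), "stale": len(stale),
            "stale_fraction": fraction}


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, REPORT_DATE):
        flag = "STALE" if is_stale(f, REPORT_DATE) else "     "
        print(f"{flag} {f['asset']:8} {f['vuln_id']:13} {f['severity']:9}"
              f"{age_days(f, REPORT_DATE):5}d  exposed={f['internet_facing']}")
    print(coverage_report(SAMPLE_FINDINGS, REPORT_DATE))
```

Putting stale-first ahead of raw severity is a deliberate choice: a medium-severity flaw whose fix has sat unapplied for 21 months is exactly the play the opponent has on film, and the `stale_fraction` number gives a maturity metric that can be tracked from one reporting period to the next. Feeding real scanner output into this shape only requires mapping the scanner's own fields onto the assumed keys.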

It's only the preseason for the NFL right now, with plenty of practices and exhibitions still to come before the games count for real. However, it's game on for your security team, and there are no off days and no timeouts. Do you have the right playbook in place to secure the win?

Eric Cowperthwaite, Core Security Inc.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
