Smoke Jumpers are an elite element of the U.S. Forest Service. They are the men and women trained to jump out of airplanes and into the heart of a forest fire. As a fire rages across rugged terrain inaccessible to conventional equipment, Smoke Jumpers act to stall the fire’s advance. Often they will use techniques that literally “fight fire with fire.” Controlled burns are executed in an inferno’s path to consume the fuel a forest fire needs to continue its destructive journey, creating breaks that temper a fire’s intensity and allow crews to focus their efforts on attacking by more conventional means.
The Forest Service established the Smoke Jumper corps in the 1930s because it knew that fires are inevitable, and that dealing with a large fire over mountainous and remote terrain was beyond the reach of traditional firefighting methods. Advances in the relatively new field of powered aircraft, and innovations such as skydiving, made possible a novel approach to forest management in the face of inevitable crises.
And yes, there is a lesson in that history for today’s enterprise.
The current cybersecurity strategy is to deploy more and more products to deal with attacks. It’s an inadequate defense for addressing the challenges of fighting attacks on a global scale or dealing with innovative means of attacking the enterprise. We now have more security products than we know what to do with, generating more alerts and noise, to be managed by security experts we don’t have, and can’t find.
And yet the breaches keep occurring…
New approaches are needed to complement the old ways and replace obsolete ones. We need to be more adaptive and proactive, smoking out which defenses are actually working, just as smoke jumpers do. We need to fight attacks by gaining the attacker’s perspective.
Most security organizations today are missing this “offensive” perspective. We need to take a hacker’s-eye view of our current security controls to make sure they are deployed and calibrated to stand up to attacks. Just like smoke jumpers, we should visualize the attack kill chain, whether through red teams or through the right technologies, such as breach and attack simulation. This allows us to back-burn and get between the adversary and their goals. More importantly, we need to do this continuously to reduce exposure time: changes in users, applications and threats can affect security just as changes in the weather affect a fire. In fact, in some cases, gaining the attacker’s perspective may result in fewer security controls, because the ones deployed are the right controls operating with the right ROI.
This approach has great applicability for enterprises working toward the May 2018 compliance deadline for the General Data Protection Regulation (GDPR). You see, the stakes are high and the price of failure steep—as much as four percent of an organization’s global revenue per incident. Under the old Data Protection rules, security teams were already required to have “appropriate technical and organizational measures” to protect personal data. Under the GDPR, however, they must now demonstrate that those measures are continuously reviewed and updated. In fact, the GDPR uses terms such as “appropriate” and “state of the art” to convey the requirement for continuous risk assessment.
If your focus is on meeting the letter of the law with a façade of response plans, legal agreements and investments in technologies designed to detect and prevent attacks, but you aren’t also testing your assumptions and putting into place “continuous validation,” you’re likely to fail.
You need a continuous view into the state of the security controls implemented for GDPR. Don’t just assume your firewalls, IPS, secure web gateway and email security gateway are working as expected to secure personal data. Simulating a breach, whether with your own automated scripts or with a breach simulation platform, is crucial for validating whether those simulated attacks can get past the controls to the personal data being stored. These innovative approaches may be crucial to winning your next fight and extinguishing the next fire. Just as forest managers monitor conditions on the ground to assess risk and take prescriptive action to mitigate it, today’s CISO must do the same.
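What such a continuous validation loop looks like in practice, as an added example that is not from the original post or from any breach-simulation product: a small Python harness (names such as `ControlTest`, `run_suite` and `exposure_windows` are my own) that runs a suite of benign control checks on a schedule, records whether each control held, and turns the run history into the exposure time the post refers to. The three checks shown are constructed stand-ins; in a real deployment each one would push a benign test case through the live control, for instance the EICAR test file through the email gateway, and inspect the verdict.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Set


@dataclass
class ControlTest:
    """One benign simulated attack and the control expected to stop it."""
    control: str                 # control under test, e.g. "email-gateway"
    description: str             # what is simulated, e.g. "EICAR attachment is quarantined"
    check: Callable[[], bool]    # returns True when the control blocked the simulation


@dataclass
class RunResult:
    when: datetime
    control: str
    blocked: bool


def run_suite(tests: List[ControlTest], when: datetime) -> List[RunResult]:
    """Execute every test once and record whether its control held."""
    results = []
    for t in tests:
        try:
            blocked = bool(t.check())
        except Exception:
            # A check that cannot complete counts as a failed control, not a pass:
            # a control we cannot verify is an exposure until proven otherwise.
            blocked = False
        results.append(RunResult(when, t.control, blocked))
    return results


def exposure_windows(history: List[RunResult], now: datetime) -> Dict[str, timedelta]:
    """Total time each control spent failing, with still-open windows closed at `now`.

    A window opens at the first run where the control failed to block the
    simulation and closes at the first later run where it blocked again.
    """
    exposure: Dict[str, timedelta] = {}
    open_since: Dict[str, datetime] = {}
    for r in sorted(history, key=lambda r: (r.control, r.when)):
        exposure.setdefault(r.control, timedelta(0))
        if not r.blocked and r.control not in open_since:
            open_since[r.control] = r.when
        elif r.blocked and r.control in open_since:
            exposure[r.control] += r.when - open_since.pop(r.control)
    for control, since in open_since.items():        # still failing at `now`
        exposure[control] += now - since
    return exposure


def currently_failing(history: List[RunResult]) -> Set[str]:
    """Controls whose most recent result was a failure."""
    latest: Dict[str, RunResult] = {}
    for r in history:
        if r.control not in latest or r.when > latest[r.control].when:
            latest[r.control] = r
    return {c for c, r in latest.items() if not r.blocked}


def _unreachable() -> bool:
    raise RuntimeError("proxy unreachable")   # constructed: a check that could not run


# Constructed stand-ins for real checks (each would normally exercise a live control).
SAMPLE_TESTS = [
    ControlTest("email-gateway", "EICAR test attachment is quarantined", lambda: True),
    ControlTest("firewall", "egress to a test sink on a denied port is blocked", lambda: False),
    ControlTest("web-gateway", "category-blocked test URL is denied", _unreachable),
]

# Constructed history: six validation runs, six hours apart, over two days.
RUN_TIMES = [datetime(2018, 2, 28, 0, 0) + timedelta(hours=6 * i) for i in range(6)]
OUTCOMES = {
    "email-gateway": [True, True, False, False, True, True],   # regressed, then fixed
    "firewall":      [True, True, True, True, True, False],    # failing right now
    "web-gateway":   [True] * 6,                               # held throughout
}
HISTORY = [RunResult(t, c, ok) for c, outcomes in OUTCOMES.items()
           for t, ok in zip(RUN_TIMES, outcomes)]
NOW = datetime(2018, 3, 1, 12, 0)


def report(history: List[RunResult] = HISTORY, now: datetime = NOW) -> Dict[str, float]:
    """Exposure in hours per control, the number a CISO would track over time."""
    return {c: d.total_seconds() / 3600 for c, d in exposure_windows(history, now).items()}


if __name__ == "__main__":
    for r in run_suite(SAMPLE_TESTS, NOW):
        print(f"{r.control:14} blocked={r.blocked}")
    print("exposure hours:", report())
    print("currently failing:", currently_failing(HISTORY))
```

The useful output is not the pass/fail of a single run but the exposure figure over the history: the email gateway was open for twelve hours before the regression was caught, and the firewall is failing now and will keep accumulating exposure until the next run shows it holding again.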
Complementing defensive security controls with a continuous, offensive approach may keep your enterprise from getting burned, whether by a fine resulting from a GDPR audit or by a breach.