Castle versus Cannon: It’s time to rethink security

P1120249In case you’re confused about the modern state of security, let me give you a short lesson.

Your network is pictured to the left. When I first started working on networks in the USAF we were just starting to build well designed DMZs, sort of a gate system for the modern network. “Firewalls” (a term I’m coming to dislike immensely), guard routers, VPN concentrators, and other systems were designed to keep your network from being “penetrated.” Standing at the front gate you’ll find a few folks wearing armor and carrying swords, responsible for letting only the right people inside the walls — policies, and perhaps even an IDS or two.

The world lived with castles for a long time — thousands of years, to be precise. In fact, the pride of the Roman Legion really wasn’t the short sword and battle formation, it was their ability to work in concrete. Certainly they had swords, but they could also build roads and walls, as evidenced by the Roman style fortifications dotting the entire world.

But we don’t live inside concrete walls any longer. Instead, our armies today move on small and large vehicles, defending territory through measure and countermeasure. They gather intelligence, and they fake their opponents out (ever heard of razzle dazzle paint jobs, or Operation Mincemeat?). What’s the difference between the Romans armies and ours? The cannon.

Long before they were made popular in modern pirate movies, they made castles pretty unpopular. For some time, of course, there was a competition between the wall builder and the cannon maker. Build the wall high, and the cannon would be pointed skyward, lobbing missiles over the top (in the form of a mortar). Build your walls thick, and the cannon would be built to launch a heavier ball, and more accurate to hit the same spot regularly. Right now we’re in that phase between the two, when armies battle as set pieces moved around the field, arranged like the movable human walls of the First World War.

But, in the end, walls are no defense against cannons. So what do we need to do? The defensive forces of your network need to become more like a modern army.

First, you need to enlist the average user. I know this is hard, particularly when there are so many new attacks, and so many good social engineers out there. We live in condition white, and we need to live in condition yellow.

Second, we need to start thinking in terms of gathering information and reacting in near real time, rather than in terms of gateways and portals. And we need to go beyond packet traces. We need to think in terms of the OODA loop, to think about what we can measure, where we can measure it, what normal looks like, and what an attack looks like. For instance, DNS data is a really good source of incoming attacks or infected machines. There are now products out there that perform near real time analytics of database accesses to stop injection attacks, and warn an administrator of irregular accesses. We need to stop arguing against BYOD, and start arguing for real security that doesn’t depend on building a wall between the network and the world. We need to understand the real difference between cover and concealment, and stop saying things like “security by obscurity doesn’t work.” Concealment isn’t cover, but it’s also not useless.

And we need to start doing these things now.

Our walls have failed. It’s time to build new security systems that are nimble, go to where the problem is, and work they way our users work.