If you can't beat them...

I keep reading defeatist talk. The latest is from a chap called James Lewis, a cybersecurity expert at the Washington DC-based Center for Strategic and International Studies, who has been claiming that businesses should “stop worrying about preventing intruders getting into their computer networks, and concentrate instead on minimising the damage they cause when they do”.

It would be a very black day for cyber security if businesses stopped worrying about intrusions. Let’s face it, the reason we have so many is that we don’t try hard enough to stop them. The attackers are fast, smart and agile, and our defences are sloppy, dumb and slow to react. The DC man is right to point this out, but the answer is to beef them up, not let the security managers off the hook.

Valuable intellectual property can be safeguarded by not storing it on networks. We don’t do enough of this. Intruders can be stopped or quickly detected by state-of-the-art defences, though these are rarely deployed effectively even in large enterprises. Admittedly, some intelligence services have the capability to by-pass any defence, but such attacks are selectively mounted and should not be a reason for a wholesale abandonment of confidence in preventative measures.

The “dwell time” of a sophisticated APT intrusion is the serious new metric, though there is no mention of it in the international standard on this subject, ISO 27004, which is perhaps where it all goes wrong. The modern CISO is bogged down in hundreds of pages of paper nonsense which stops them applying common sense and judgement. The target should be to reduce the dwell time from several years to less than a day.
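To make the metric concrete, here is an added example (not code from the post or its author) that computes per-incident dwell time from constructed first-compromise and detection timestamps and reports how many incidents meet the sub-one-day target the post argues for:

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample incidents (not taken from the post): the earliest
# evidence of compromise and the time the intrusion was finally detected.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "compromised": "2013-01-10T08:00:00", "detected": "2015-03-02T17:30:00"},
    {"id": "INC-2", "compromised": "2015-06-01T09:15:00", "detected": "2015-06-01T20:05:00"},
    {"id": "INC-3", "compromised": "2015-07-14T02:00:00", "detected": "2015-09-30T11:00:00"},
    {"id": "INC-4", "compromised": "2015-08-20T23:50:00", "detected": "2015-08-21T00:40:00"},
]

TARGET = timedelta(days=1)  # the post's target: dwell time under a day


def dwell_time(incident):
    """Return detection time minus first-compromise time as a timedelta."""
    start = datetime.fromisoformat(incident["compromised"])
    end = datetime.fromisoformat(incident["detected"])
    if end < start:
        # A detection stamped before the compromise means the record is wrong,
        # not that dwell time was negative; refuse rather than skew the stats.
        raise ValueError(f"{incident['id']}: detected before compromised")
    return end - start


def dwell_report(incidents, target=TARGET):
    """Summarise dwell times: median and worst case in days, and the
    incidents (and share of incidents) detected within the target."""
    dwells = [dwell_time(i) for i in incidents]
    days = [d.total_seconds() / 86400 for d in dwells]
    within = [i["id"] for i, d in zip(incidents, dwells) if d < target]
    return {
        "median_days": round(median(days), 2),
        "max_days": round(max(days), 2),
        "within_target": within,
        "share_within_target": round(len(within) / len(incidents), 2),
    }


if __name__ == "__main__":
    for key, value in dwell_report(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the median is a few weeks and the worst case over two years, with only half the incidents found inside a day, which is the gap the post wants closed.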

Zero days should be the target. But then that would be bordering on prevention…