Go on… choose your own infosec adventure

By Rick McElroy, Carbon Black

I often reflect on how difficult choices in the IT industry can be. Do we invest more in prevention, detection or response? Do we automate or add more staff? Do we use a managed service or keep it in house?

These represent some of the strategic decisions defenders are faced with yearly. This does not even address the various tactical questions that come up each day. Do we approve the request or deny it? Do we block that IP or keep it open? Do we call HR or not?

For defenders, every day is a labyrinth of choices and decisions to be made. Most of the time, we don’t have the luxury of taking the time we need to gather all the data to reach a decision. Sometimes (arguably most times) we make the best decision we can with the best data we have at the moment. This myriad of choices got me thinking about a set of books I read as a kid: the ‘Choose Your Own Adventure’ series.

These books were like video games before everyone had a computer. They inspired lots of early game designs. In this series, you could decide the fate of the protagonist by making various choices throughout the book. Some led to victory. Some led to alternative endings and some led to death. Such is life in information security.

Each book had a complex map which showed all the possible choices and outcomes.

A really simple decision point, such as sleeping or not, could lead to the best or the worst possible outcome. You could read through the book 20 times and try all the possible combinations of decisions (the old brute force technique) to drive the outcome you wanted, or you could skip to the ending you wanted and work backwards through the decisions that led to it.

I read a few of the books brute force style but became obsessed with picking a new one up and doing one perfect run through. This was all a fun exercise. I had no idea that 30 years later I would think about the time spent reading them and how they have helped me avoid the pitfalls of security management.

These books helped me to understand that each choice made had a benefit or a consequence, and subsequent iterations through the book made it easier and easier to avoid the bad outcomes. This process also helped frame decisions in terms of “if” and “then.” SPOILER ALERT: If you join the caveman, the story continues. If you don’t, the story ends.

So what exactly does this have to do with information security?

In cyber security we are still making lots of the same mistakes we always have. We are brute forcing our way to the outcome instead of truly thinking about the outcome and what choices we need to make to achieve it. We need to make better choices and put more strategic thought behind them.

If we do even a quick mapping exercise of the worst possible outcomes, we gain the ability to make better decisions sooner upstream.

Considering all the points at which a program or a technology initiative could fail is imperative to success. Planning for failure will put a program miles ahead of anyone who doesn’t. This exercise does not need to be exhaustive or comprehensive. Yet knowing the big ones is always a good place to start.

A simple one would be: What if a security project is delayed due to resource constraints? Does that kill the project or lead to a regroup and restart?

This will help the team map dependencies and choices downstream to avoid the worst outcome (cancelling the project). Performing this exercise will also help you better understand your threats.

What’s a more likely scenario for any organisation? An insider accidentally releases confidential information? Or a nation-state actor wants our intellectual property? Each would present its own set of choices, but the first question that needs to be answered is: ‘where do we focus?’

  • How would the insider accidentally do that?
  • What’s missing that could help avoid the accident?

Instead of a decision that leads to restarting the adventure like in the ‘Cave of Time,’ the risk is a breach.

  • What led to this breach?
  • How long did it take you to respond?
  • What could your program have done differently now to avoid this scenario?

These are just a small representation of the thousands of decisions made by defenders every day. Each decision made by a cyber defender has certain benefits or consequences.

Have you taken the time to run through these scenarios with your team offline? Each day, you are able to choose your own infosec adventure. What paths are you considering and how do you go about avoiding pitfalls?