Infosec As a Form of Asymmetric Warfare

July 11, 2009 by ADMIN
By Steven Fox, Founder of SecureLexicon

Amit Yoran

I recently had the privilege of discussing the applicability of Sun Tzu’s The Art of War to information security with Amit Yoran, Chairman and CEO of NetWitness.

Mr. Yoran’s experience in the military, government, and private information security domains provided useful insights into the value of this military treatise. Below are highlights from the podcast.

The Art of War

Sun Tzu’s influence is felt across disciplines – business, politics, and sports.

According to Mr. Yoran, “There are an amazing number of parallels between The Art of War and the information security business.  In its very basic form – knowing your enemy – knowing how cyber vandals, miscreants, criminals, and even nation-state actors use cyber attack and cyber exploitation for their various objectives.”

In a cyber landscape, we face adversaries that, in some cases, employ advanced techniques in their attacks.

“Cyber security is an asymmetric form of warfare,” says Yoran.  The issue of attribution compounds the difficulties associated with cyber security.

According to Mr. Yoran, attackers rely on anti-forensic attack techniques to cover their tracks.

In response, NetWitness’s network monitoring technologies apply “forensic rigor” to the examination of network traffic. This allows the attack target to gather intelligence on the attacker.

Mr. Yoran states that this focus on forensic analysis enables strategic and tactical agility.

Sun Tzu stresses the importance of understanding yourself as well as the enemy. It is important to recognize how your existing assets can be positioned to compete successfully.

Mr. Yoran agrees.  “There’s no way for you to flip a switch and have people change their perception, processes, or mode of operation.  Nor should they abandon the security infrastructure they’ve invested in.  These are necessary.  They are also insufficient when dealing with advanced threats.”

However, this awareness allows organizations to invest strategically to enhance their defenses.

The Cyberspace Review

In the July installment of my Art of War column, I detailed Sun Tzu’s perspective on the Obama Administration’s Cyberspace Review document.  That column outlines three scenarios in which government oversight can hamper the effectiveness of security leaders.

When asked about his perspective, Mr. Yoran conceded that parts of the plan relate to government agencies and are not applicable to the private sector.

He stressed, however, that cyber defense is an all-inclusive responsibility, given that the vast majority of these resources are developed, owned, and operated by the private sector.

He feels it is appropriate for the government to set the rules of engagement on the battlefield.  “It is illegal – criminal – to use offensive methods in your defensive strategy,” said Yoran.

By doing so, we would be no better than those attacking us.

The Conditions for Victory

Sun Tzu said that “the winning army realizes the conditions for victory before fighting.”

When asked about these conditions, Mr. Yoran replied that the conditions for victory in the cyber battlefield do not align with those of conventional warfare.

“We must accept that, in this venue, the advantage goes to the aggressor,” said Yoran.  “Any medium to large scale enterprise is compromised already or significantly vulnerable to compromise.”

Given the recent cyber attack on government web sites, this statement is particularly salient.

“If we are going to win in cyber,” said Yoran, “we must be prepared for our systems to be compromised.  We need to be able to operate our businesses, and conduct our government and public services, in a state where we know or we can reasonably assume that parts of our IT infrastructure are compromised.”

This aligns with Sun Tzu’s advice to assume that the enemy will attack and act accordingly.

Cyber Espionage

Sun Tzu offered that foreknowledge of the enemy’s plans is critical to success. The Art of War dedicates a chapter to the different types of spies one can employ for intelligence gathering.

When asked about cyber espionage, Mr. Yoran discussed the magnitude of this threat.

“FBI has estimated that over 100 nations have offensive cyber capability and organizations that have offensive mission around the world,” said Yoran.

He cited a National Research Council policy framework that states that the capabilities of these nations are at least as sophisticated as what we see from cyber criminals.

“Our own national infrastructure is perhaps more vulnerable than most given its size, its age, and the fact that we are adding interoperability technologies and communications on top of an existing platform,” Yoran continued.

Mr. Yoran cited increased coordination between government and private sector practitioners as a positive step in dealing with those vulnerabilities.

Leadership in the Modern Enterprise

Sun Tzu highlights the importance of balanced leadership composed of the following attributes: intelligence, trustworthiness, humaneness, courage, and sternness.

I asked Mr. Yoran to comment on which of these attributes are needed to tackle the current business risks.

“Trustworthiness is always at the core,” said Yoran.  “By that I mean trustworthiness in government, in the private sector, and in the relationship between government and the private sector.”

Mr. Yoran also emphasized that trust must be developed between the cyber warriors/defenders and leadership.

This mutual trust has been hampered by the fact that these groups speak different languages.  We need to focus on how we can improve those communications with an eye on engendering trust between these communities.

Mr. Yoran cited intelligence as a critical attribute a leader must develop.

“The better we understand our own vulnerabilities, our own exposure, and our own reliance on technology – the better [able] we are to address the business risk and modify our behavior so we are mitigating the risk.”

Steven Fox is an independent information security consultant. He holds a Masters in Business Information Technology from Walsh College, an NSA-recognized Center of Excellence. He serves on the board of the Detroit ISSA chapter and is a columnist for the ISSA Journal. He is also the founder of SecureLexicon, a security advisory firm addressing the unique security concerns of nonprofit organizations.

He can be contacted at sfox@securelexicon.com
Follow him on Twitter: @SecureLexicon

*   *   *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
