You can feel the enthusiasm this time of year as football playoffs and bowl games capture massive attention. Us vs. them. You vs. me. Offense vs. defense. In the sporting world, this is how it works. There is no collaboration or uniting of opposable forces. Someone wins, and someone loses.
Historically, we’ve had similar tactics in the security world. Attackers vs. defenders. Red teams vs. blue teams. Even attackers vs. employees – oftentimes this is like an NFL team vs. high school football.
“Let’s see how bad it will be.” This was a management statement many years ago suggesting the attack should just commence without any defensive awareness, education, and training for developers, administrators, analysts, and incident responders.
Attacking without knowledge? Sure, this is an option, but is it a good one anymore? After all, it’s easier and likely less expensive to just attack – no warning, nothing. Wouldn’t it be better all-around if defense had some preparation? Isn’t this what teams do in the sporting world? Don’t they prepare for their opponent? Sure they do. They watch films and study tactics so that when it’s game time they aren’t going at it blindly.
Can’t we do the same in security? We can, and we should.
Colleagues of mine who regularly conduct penetration tests have countless examples of engagements done year after year with the same findings. In other words, a company hires out the penetration test, the report is delivered, and then it is not acted upon. What kind of improvements are we making in this scenario? It doesn’t appear to be many.
In an industry where information sharing is supposed to be helpful, why not collaborate?
Nearly 10 years ago I sat down next to a penetration tester, and together we watched my defenses being attacked. There was instant value in seeing the attack and being able to identify and respond in the moment. There’s another side benefit to this: the attacker gets a firsthand look at the defensive attack surface and the tactics used. Some may question this because the attacker is not supposed to need any more insight. But this isn’t true. There’s a reciprocal benefit to each team learning more, even with the primary objective of making the defensive posture that much stronger in the end.
When the attack starts, can defense even detect it? If not, that’s a great place to start!
More are starting to adopt collaboration as opposed to the shock and awe approach. Just think about it in the area of application security. Developers have an immense sense of pride in their work. They want (and will try really hard) to develop great software. Yet, after their code is in production, security comes through, breaks it, and then tells them the ‘X’ number of things they need to fix. And as previously mentioned, that’s a lot of what has been happening in operations after a penetration test. The engagement is completed, the report delivered, and there is a whole bunch of stuff to fix! Oh, and it is to be done somewhere in between the other umpteen projects already going on. It’s no wonder improvements haven’t been made through the years.
Working together allows for:
- Insight into tactics, both offensive and defensive;
- Improvements in incident response;
- Opportunity to harden and fix and retest to validate;
- Improvements to build security into the operation and avoid silos;
- Baseline opportunity to show progress and improvement;
- Measurements which can be tied to business goals (i.e. software delivered on time and more secure);
- Overt, not covert.
There’s value in working in tandem towards the old cliché of TEAM (together each accomplishes more). This does, can, and should cover operations and development, and, done properly, employees as well. It’s about adjusting the approach and priorities to change the behavior of red and blue towards each other. The good news is that this approach is being adopted, and it is headed in the right direction for those who choose to collaborate rather than segregate.