In The Art of War, the general-philosopher Sun Tzu famously wrote that “if you know the enemy and know yourself, you need not fear the result of a hundred battles.” Those are rather good odds – the sort that beleaguered cybersecurity warriors would gladly welcome.
Yet most cybersecurity strategies still focus almost exclusively on external cyber threats to the business, without knowing themselves – and the cyber threats that could compromise them from within.
That puts even the most technically sophisticated organisations at risk. In our latest whitepaper, we cited research that suggests more than 1 in every 2 major organisations worldwide fell victim to insider attacks between 2017 and 2018 – and that’s only confirmed attacks. Most arise from too many users having excessive access credentials or improperly administered rights – what one might call a digital identity crisis.
IT leaders can’t afford to externalise all their cybersecurity woes any longer. If they want to secure their systems and data, they need to “know themselves” better with a robust approach to internal cybersecurity hygiene that goes beyond the standard rhetoric.
The “Dao” of Defence in Depth
At the heart of Sun Tzu’s teachings on warfare is the principle of the “dao” (道) or “way”: a principle or set of principles that align leaders and their people on a single course of action. In the case of network security, that “dao” is simple: human beings are fallible.
Despite the best efforts of your people to adopt secure procedures and processes, they will perpetrate errors, overlook incongruities, or simply be unable to keep up with the latest threats. The result: vulnerabilities that malicious actors will do their best to hijack to force a breach.
Once everyone aligns with that principle, it quickly becomes clear that security strategies need to work despite our inherent human fallibilities. “Defence in depth”, for example, becomes an obvious replacement for traditional perimeter defences: establishing multiple layers of security – each covering a different level of data and systems sensitivity – gives network admins far more options to wall off their most critical assets should an internal breach occur.
In some cases, IT leaders will want to extend their network segmentation efforts to physical air-gapping of sensitive production and development environments. Much like airlocks in a laboratory (or a spaceship), virtual and physical segmentation naturally contains any internal breach to a certain sector, reducing risk and allowing for far easier resolution.
The “dao” of network security guides more than just overarching cybersecurity design. At a granular level, it may mean, for example, employing whitelists for devices (like smartphones or USB drives) and websites rather than blacklists – treating any behaviour as “guilty unless proven innocent” instead of giving users an often-fatal benefit of the doubt.
It also means paying far closer attention to access and administrative rights controls, ideally by centralising or consolidating them for greater visibility over the network. Coupled with segmentation, strong access rights management controls ensure any individual can only access what they’re meant to, when they’re meant to. Ultimately, the only way to know your organisation’s self is to see what’s going on within.
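As an added illustration (not code from the article or from SolarWinds), the following Python sketch shows what the two points above look like in practice: allowlists for devices and websites that deny anything not explicitly listed, and access rights scoped to a network segment and a time window, with every decision recorded so user behaviour can be analysed later. All serials, hostnames, users and segments are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from fnmatch import fnmatch


@dataclass
class Policy:
    """Default-deny policy: anything absent from an allowlist is refused."""
    allowed_devices: set = field(default_factory=set)  # permitted device serials
    allowed_sites: set = field(default_factory=set)    # permitted hostname patterns
    grants: dict = field(default_factory=dict)         # user -> [(segment, start, end)]
    events: list = field(default_factory=list)         # audit trail for later analytics

    def _decide(self, allowed, **detail):
        # Every decision, allowed or denied, is logged for behavioural analysis.
        self.events.append({"decision": "allow" if allowed else "deny", **detail})
        return allowed

    def device_allowed(self, serial):
        return self._decide(serial in self.allowed_devices, kind="device", serial=serial)

    def site_allowed(self, host):
        ok = any(fnmatch(host.lower(), p) for p in self.allowed_sites)
        return self._decide(ok, kind="site", host=host)

    def access_allowed(self, user, segment, when):
        # Least privilege with a time dimension: a grant for this exact segment
        # must exist and the request must fall inside that grant's window.
        ok = any(seg == segment and start <= when.time() <= end
                 for seg, start, end in self.grants.get(user, []))
        return self._decide(ok, kind="access", user=user, segment=segment)

    def denied_events(self):
        return [e for e in self.events if e["decision"] == "deny"]


# Constructed sample policy; serials, hostnames and names are invented.
POLICY = Policy(
    allowed_devices={"USB-0001", "PHONE-4412"},
    allowed_sites={"*.example-corp.internal", "vendor.example.com"},
    grants={"alice": [("prod-db", time(9, 0), time(17, 0))]},
)


def sample_decisions():
    """Evaluate a few constructed requests against POLICY and count the denials."""
    return {
        "usb_known": POLICY.device_allowed("USB-0001"),
        "usb_unknown": POLICY.device_allowed("USB-9999"),
        "site_internal": POLICY.site_allowed("db.example-corp.internal"),
        "site_external": POLICY.site_allowed("evil.example.org"),
        "alice_in_hours": POLICY.access_allowed("alice", "prod-db", datetime(2024, 1, 15, 10, 0)),
        "alice_at_night": POLICY.access_allowed("alice", "prod-db", datetime(2024, 1, 15, 22, 0)),
        "alice_wrong_segment": POLICY.access_allowed("alice", "dev", datetime(2024, 1, 15, 10, 0)),
        "denied_count": len(POLICY.denied_events()),
    }
```

The denied events are the interesting ones for the analytics discussed later in the piece: an unknown USB serial or an out-of-hours request to a production segment is exactly the kind of signal worth feeding into a central event pipeline.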
Rights and responsibilities: a balancing act
All this sounds well and good – except for the fact that people don’t like being controlled or even inconvenienced in the name of security. Any network defence that slows down work or creates friction in the everyday user experience won’t last long – inspiring the foot soldiers in the organisation to work against the very systems designed to protect them. Is there a way to overcome the natural contradiction between security and efficiency?
I think there is – and once again, it’s to be found in ancient philosophy. In The Art of War, Sun Tzu states two basic conditions for the “dao” to hold strong: unity and adaptability. Unity means ensuring everyone understands and aligns with the same principles. In the case of network security, that means getting the right positioning and messages around cybersecurity measures through to different teams. Nothing particularly new there.
The other condition is adaptability – something not commonly associated with stronger network security. Yet unless security platforms can adapt to how users act and what they want, they’ll eventually prove incapable of identifying and neutralising internal vulnerabilities.
Part of that involves gaining a deep understanding of user behaviours, something that automated ingestion and analysis of events can make possible. The other part involves using that understanding to constantly reassess where the greatest potential risks reside within the organisation – and providing greater freedom wherever and whenever possible.
“Know thyself” should be the central tenet of any cybersecurity strategy. But starting with internal threats also means acknowledging that what’s within the organisation is constantly changing to keep up with business demands, people movements, and even shifts in culture. Network security strategies and the platforms they employ need to be both robust and flexible enough to flow with those changes in organisational character. Do that, and the battle is yours.
Thomas LaRock is head geek at SolarWinds