Despite hard work, long hours, smart people and great individual hacking tactics, what online trends are overwhelming security teams?
How can cyberpros who are constantly upgrading OWASP skills and working nights and weekends already, do more with less?
What other professionals' disciplines can we learn from, and what analogies and examples can help teach us lessons to improve security effectiveness?
Recently I met Nick Drage online. Nick is the principal consultant at Path Dependence Limited in the U.K. He is a security thought-leader, practitioner, global cybersecurity consultant, and he presents on security issues at conferences worldwide.
I was very intrigued by Nick’s recent presentation in Belgium which packs so many helpful examples, practical lessons, fun stories and more about what’s going on in our security industry.
In addition, even though we come from very different backgrounds, Nick and I both believe, write and talk about how security teams and leaders can learn a lot from American football. But he takes his analogies and lessons even further than most.
I strongly urge you to watch this passionate, clear, ground-breaking presentation. I'll go further, this video is in my "must watch" category for all cybersecurity and technology leaders as well as frontline cyberpros. Note, this was given at an OWASP event in Europe. Caution: You’ll need 45 minutes, but it is well worth your time.
NFL / Global Cybersecurity Similarities
At a summary level, what is Nick's case? As the NFL playoffs rolled into divisional round games this weekend, more and more cybersecurity experts are seeing similarities between football strategies and cyberdefense strategies. Indeed, the lessons learned go much deeper than executive level analogies and fun tips.
After all the effort we put into improving our technology, why does everything seem so awful in cybersecurity? Here are some of Nick’s main points in the video presentation:
- In any battle, we have: Grand strategy (the ultimate goal), strategy (the big idea), tactics (the things you use) and operations (the way you use them).
- You, working long hours, becoming the best (hacker) you can be — by improving your skills with passion. But team play is lacking.
- Whatever we build, including infrastructure, applications, code, we make it as good as we can. But the sum of the parts seem to lack coordination.
- Meanwhile data breaches are way up — along with global risks and cyberthreats moving forward.
- Getting better at cybersecurity may feel like we’re playing golf — trying to improve — but we’re not.
- We need to look to other disciplines to learn from others. We can save decades, and we are at a strategic inflection point now.
- Need to work smarter — a different way of thinking.
Why? Both NFL Football and Cybersecurity:
- Utterly incomprehensible from the outside
- Complex
- Team games
- Highly specialized
- By situation
- Attack or defend
- Offensive and defensive playbooks
- Fight over territory
Nick Drage (ND): My audience were all the attendees at OWASP BeNeLux, a daylong conference in Mechelen, Belgium, organized by the OWASP organizations from the Netherlands, Belgium, and Luxembourg. They were a variety of cybersecurity focused developers or engineers or managers, or other functions associated with cybersecurity in some way.
As for the session title, "Lessons From The Legion" kind of means "What lessons can the cybersecurity industry learn from the play of the NFL's Seattle Seahawks defense between 2011 and 2017, commonly known as 'The Legion of Boom era,' " and kind of means "To me, as someone who's always had an interest in conflict in warfare, or sports, or video games, the way we handle cybersecurity has always felt wrong, and this is the start of my exploration into why".
DL: What is the main session point that you are making for security teams engaged in cyberdefense?
ND: That there are lessons we can learn from organizations who operate in a similar environment to our own. In particular, the ways those organizations have succeeded or failed can illustrate what we should emphasis or ignore. Trying to make sense of how to win our complex conflicts is a very difficult task, especially as the Internet is such a counter-intuitive environment; looking at football, a less complex area of conflict with much simpler "victory conditions," we can pick out strategies we might have otherwise dismissed.
While the more notable and noisy parts of my thinking relate to football, I think the industry has a lot to learn from war fighters as well, most starkly the importance of logistics and morale — but those lessons are less entertaining and the video clips are less immediate.
DL: Why do you find NFL football analogies helpful?
ND: I've followed the game, on and off, for about three decades — I fell away from it due to the lack of in-depth coverage, especially in the UK. But then in the last few years, my interest was rekindled when Andy Ellis, currently the CSO of Akamai, mentioned the Football Outsiders website on Twitter. From reading that website and following from there I discovered other resources that meant I could begin to finally appreciate the complexity of the game and the tactics and strategies that work or don't.
And from there, just from the discussions about the keys to team success — playing as a team, findings players to fit your strategy while modifying your strategy to fit your players, the emphasis on preparing for opponents, the importance of analytics in removing human bias from decision-making, and so many more ... I was struck by how those ideas weren't being followed in my industry, that seems to have much more of an emphasis on personal talent and technological superiority.
So those analogies help me conceive of the issues the industry faces, but in a simpler way than trying to comprehend an entire industry.
DL: You take your football examples to a level I have never seen, and offer great lessons that are helpful. What are those key lessons (summarized)?
ND: I think my key lessons would be:
One — The importance of practice. I think this is something people appreciate but rarely implement. Practice can mean you simply become more adept at the fundamentals required for your profession, which is what most industry training focuses on, but more realistic practice helps you become better in the vagaries of a real world situation, and means you and your colleagues become more familiar with each other’s strengths and weaknesses as individuals and as a team, meaning that you perform better in a real world situations; also practice helps remove issues with your processes or plans when mistakes don't really matter. And especially if you've practiced, at some point, an actual Red Team — that all means when it comes to a real world situation, such as a breach, you've already been through a similar situation so many times before you're in the best condition to respond when it counts.
Two — What I describe as "eliminate the big play", essentially that the most important cyber security issue for many organizations isn't to avoid being compromised at all, but avoid being compromised in a significant way. In the same way that an NFL Defense can give up yards as long as it doesn't give up points, cybersecurity defenders can withstand insignificant compromises of their systems while using those attacks to learn more about their opponent, rather than trying to somehow stop all attacks everywhere they protect.
Three - my final point is "out hit your opponent". In cyber security there's almost no "attacker cost", which gives our adversaries no discouragement from trying different attacks, especially with so many opportunities for automation. By making each attack represent a risk to the attacker not only is the entire conflict more balanced, but you can gain valuable time by slowing down your opponents’ decision making process.
DL: Why is a focus on tactics and tools without a wider cyber strategy such as dangerous thing?
ND: It's dangerous because we do have a wider cyber strategy, it's just not overt and explicit, which means we've not considered issues with our implied strategy overall, or whether there are better ways to face our challenges overall that aren't apparent from a tactical viewpoint. The tactics and tools organizations adopt, for example an emphasis on technological solutions and individual aptitude, or an emphasis over perimeter firewalls rather than micro-segmentation or endpoint security, are emergent properties of the tactics that feel right as point solutions, but possibly don't scale efficiently as part of a complex system.
DL: Do we need a paradigm shift at how we look at attack / defend in cyberspace? Where is this heading next?
ND: Do we need a paradigm shift? I can very confidently reply with a definite "probably." It might be that our current ways of working are the best we can do in a vendor-led and technology focused industry, but it does feel to me as though we've sleep-walked into that situation, rather than intentionally entered it; and that we can achieve more with the talent and resources we have.
And as to where this is heading next? I don't know, I think the Zero Trust Networking / Beyondcorp ideas look promising, but I recall from reading up on the theory behind it a couple of years ago that some of the concepts, such as the all-seeing all-knowing Data Acquisition Network, seemed unworkable. I think the DoD's "Defend Forward" idea is interesting as a way forward, but it seems to be coming in just when the defenders - due to the increasingly virtual nature of infrastructure - finally have home field advantage. I'd love to give you a confident prediction, but I have more questions than answers right now.
DL: Anything else you want to add?
ND: Just two points...
We need to think "why are we doing it this way?" more in the industry. The usual answers of "because that's how we've always done it" or "because it's obvious" or "because that's how everyone else does it" don't hold up to scrutiny.
And that all feedback is welcome, good or bad, as long as it's constructive. I think that we're at a key moment in the evolution of cyber security, where we're enumerating some of the central assumptions and concepts that we all operate under, and determining whether they're valid or not through reason and/or analysis could provide us all, individually and collectively, with substantial benefits.
DL: How can people get in touch with you (or follow) you?
ND: I can be contacted on nickd [at] pathdependence.co.uk, or follow me on Twitter on @SonOfSunTzu.
Final Thoughts
I want to thank Nick Drage for taking time to answer my questions.
Again, this presentation from Nick Drage is not just for NFL fans but for your cybersecurity operations teams and as well as everyone who is involved in OWASP work and improving the security of software and infrastructure. Share these perspectives with others. Discuss his presentation – whether you agree with it or not.
I really like the quote that Nick uses as he ends his presentation.
SunTzu said: “Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.”
We can watch and learn more about both cybersecurity strategy and tactics to improve effectiveness.