Cyber Security: The Doctor Will See You Now

Cyber security organizations can benefit from the rich historical lessons and gained insights of the medical industry.  The medical community has evolved to manage risks similar to those in the computer security world.  It is time we learn from the valuable experiences to identify opportunities and effective strategies in protecting systems and data, while avoiding painful hazards and ineffective approaches.

Computer security has many similarities to the healthcare and medical industry.  Both disciplines are driven to protect the well-being and quality-of-life of their relative participant communities.  Our bodies are complex and constantly changing ecosystems which challenge the medical profession, similar to how security must work to protect sophisticated and evolving computing environments.  We want our bodies to perform, achieve tasks, adapt to new challenges, and thrive over time.  The same is true with our devices and compute environments.  Both aspire to avoid catastrophic failures but also want to operate within an acceptable risk envelope.   Nobody wants to live in a bubble, just as users and organizations need to take risks in the pursuit of enjoyment, productivity, and gains.  Expectations for cyber security and healthcare are similar, as are the complex set of risks which continually challenge both industries.

Successful health management is about good planning to promote long term overall health.  In some cases tactical actions are required for immediate relief.  But it is preferable to be generally healthy and only periodically suffer from a minor illness or injury.  The overall objective is to establish and maintain a healthy and well balanced body.  Knowing minor issues will eventually arise, a good general condition makes such situations easier to handle and gives the best opportunity to return to a healthy state and promote longevity.  This is far more effective than living unhealthily and relying solely on tactical interventions at the point of crisis.

The value of strategic versus tactical planning continues to manifest great benefits and holds true in computer security as well.  It is important to establish and be executing to a long term plan of good security management instead of relying only on crisis response functions.  Maintaining a high level of general security posture and practices allows for efficient management of resources and a better position across the spectrum of potential threats.

Thinking strategically affords the ability to deal with incidents from a position of health, rather than suffering from a weak condition which lends itself to foster a continuous stream of problems and leads to living day-by-day in a tactical manner, putting out one fire only to move on to the next.

Tactical security solutions are well suited to resolving short term problems, that is, symptoms.  Have a spam problem, integrate a spam filter device.  Viruses running rampant on clients, invest in anti-malware software.  Insecure employee remote access giving you heartache, start with a VPN solution.  Problems with hiring unsavory workers, institute a background vetting process for applicants.  Terminated employees still accessing the network, implement a robust last-day-in-office program to eliminate accounts.  These are all good tactical responses to immediate problems.  Although they provide relief, they do not in and of themselves establish a good overall state of health.  It takes more.

The modern healthcare industry has evolved over time to predict, prevent, detect and respond to conditions.  Medical research is conducted to understand causes, identify future trends, and learn how to better deal with problems.  Robust preventative care reduces many issues before they can manifest.  Early detection mechanisms provide better chances of successful treatment before conditions become too serious.  Advances in emergency care allow for effective response to crises where immediate and timely response is critical.  This overall strategy represents a successful overlapping approach to medical care.

Cyber security can also reap great benefits in applying a similar defense-in-depth strategy.  Research into technology, threat agents, attack methods, vulnerabilities, and impacts allows for insights to predict likely events and better capabilities in dealing with them.  Such research can give the necessary insights to help understand where and how attacks will manifest.  This in turn creates opportunities to efficiently and effectively manage the risks of loss.  Prediction gives insights to where, when, and what types of attacks are most probable.  This can bolster avoidance, detection, and proper response. 

[Figure: Defense in Depth 2012]

Preventative controls are the lifeblood of computer security.  Exercise, eating well, and refraining from caustic activities such as chronic smoking, obesity, or overexposure to the sun and other carcinogens are important for preventing known health maladies.  Keeping computer systems updated, applications patched, running anti-malware software, and ensuring the user acts in a common-sense way are the best preventative controls to protect them.  More advanced organizations take a proactive look at likely threat agents, their motivation, and methods to align controls for maximum effect.

For attacks which undermine established controls, it is important to quickly detect the breach.  Only then can a proper response begin.  Visiting a primary care physician periodically for check-ups is part of a good health regimen.  The simple act of having a professional evaluate, consult, and apply finely honed skills to detect problems is invaluable.  To maintain effective cyber security, regular analysis is also needed.  For individuals, much of this can be accomplished with host intrusion detection and anti-malware software.  For enterprises, network and host surveillance structures are typical, sometimes supplemented with system audits, honeypots, or penetration systems for advanced reconnaissance.  They persistently look for telltale signs of unwanted acts, stealthy access, and system compromise.

These detective controls are very important in complex environments where prevention of all potential attacks is cost prohibitive or technically impossible.  Instead, such organizations rely on detecting those outliers and rapidly responding.  It affords a desirable trade-off for some situations, and can be a very cost effective solution for rare but potentially expensive events.

No security is perfect.  In finding the right balance, it must be accepted that critical situations will arise.  Cyber security requires the equivalent of emergency rooms for localized emergencies, and large enterprises maintain FEMA/CDC-style response capabilities.  The key is to respond in a rapid manner with the right actions for a given situation.  Intelligence and empowerment are the keys to success.  Even in the event of a critical failure, a rapid and effective response can minimize the impact to an acceptable level.  The medical community has embraced emergency care for centuries.  It is the last line of defense and should never be neglected regardless of how strong preventative care appears.

Thinking and acting strategically is the key.  Tactical thinking, although important, is inefficient and limited in overall effectiveness.  No drug, pill, or treatment will erase a lifetime of poor health and a destructive lifestyle.  Security, too, is not achieved in a day.  Investing in healthy long term policies, technologies, practices, and behaviors generates the best return.

Computer and information security requires a long term vision, and a plan must be in place to give direction and establish good operational foundations.  Security professionals should treat the systems under their care like patients.  Tactical response will play its crucial part, but should not lead the effort.  Awareness of the challenges and goals, an understanding of the factors which contribute to risk, and a commitment to invest in and execute the right combination of behaviors and controls will lead to the path of risk management longevity and sustainability.

The Cyber-Security doctor is in.  What questions will you have for your security team?

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.