Every so often we hear proclamations that certain security technologies, like antivirus, are failing so badly that they should be regarded as bygone defenses of simpler times. These types of arguments arise with great regularity; anyone remember the supposed demise of IDS? While it's true that organizations are still spending a large percentage of their security budget on the "FAI" triad (Firewalls, Antivirus, IDS), there is no question as to whether these foundational defenses should be deployed (imagine a day without antivirus? No thank you!).
The bigger issue lurking behind our own reaction to the latest dismal AV catch-rate statistics or painful breach analysis is one that we aren't talking about enough. This is an issue that I call security monoculture.
The term monoculture found its origin in the agriculture industry. To drive greater yields, farmers began producing genetically similar species of crops. The benefits of this approach included standardized production cycles, fertilization methods, and pest control techniques which could be scaled at less expense. The net impact of these innovations is extremely impressive (if you've ever driven across any of the states in the Great Plains, the results of this approach are quite hard to miss); however, all choices have consequences on both sides of the ledger. Just as every plant in a genetically similar monoculture shares common defenses against threats, all members of the monoculture share common weaknesses. For this reason, diseases or pests that successfully establish themselves in these environments are capable of causing extreme damage.
You might ask what agriculture has to do with information security. The truth is that there are trends in information security that invariably push us toward our own security monocultures. More specifically, there are a large number of organizations that have adopted security architectures whose defenses, processes, and methods are so similar that their risks are magnified substantially.
As a quick case in point, let's take our much beloved defense-in-depth strategy. Defense-in-depth (DID for short) is part of the heart and soul of every information security practitioner, right up there with the CIA triad and Shon Harris books. The concept behind defense-in-depth is extremely logical: to defend the things we care about, we build our defenses in a manner where the failure of one control/defense can be compensated by the operation of another. It is quite easy and correct to visualize defense-in-depth architectures as a series of concentric circles: valuables inside, controls/defenses in between, and evil outside the gates. A full discussion of contemporary challenges for the DID model is a topic unto itself. The key issue with defense-in-depth is not whether it is logical; rather, it is whether our approach to DID incorporates enough defensive diversity.
When we take a look at many organizations, we unfortunately often find the same security solutions mixed in with the same security deficits. This lack of defensive diversity is a godsend to an adversary who wishes us harm. From the perspective of a hostile actor intent on exfiltrating data, the fact that our defensive controls are so similar means that she needs to modify very few of her methods to successfully evade detection and accomplish her mission.
Avoiding security monoculture requires a few things from us that start with our mindset and end in our practices:
- Willingness To Lead - As security professionals we have to be accountable for our decisions and our performance. With security, however, there can be great pressure to be in lockstep with our peers. If we are defending like everyone else and get hit, then it can honestly feel reassuring to be able to state: "Everyone else is doing it this way." Don't fall into this trap. It is one thing to selectively adopt good practices, but we must realize that all environments present unique challenges. Be decisive, address these challenges based on your research, your experience and your best judgement, and take accountability for your decisions.
- Compliance ≠ Security - If we are only concerned with making sure that all the checkboxes are filled, then we've embraced an approach that leads very quickly to security monoculture. Compliance should be treated as a risk to be managed and not an end goal. Any static defensive position becomes an almost immediate advantage to an adversary. Don't just reach compliance requirements and stop; we have to keep going and develop our defenses in a manner that makes the most sense for our organizations.
- Do The Basics Extremely Well - Often with security architecture we can build great walls around some really shoddy buildings. While it is great fun to explore the latest exploit or new technology, we have to focus our efforts first and foremost on basic foundational practices like patch management, IAM, and change management review. By formalizing and consistently executing these practices, we gain a great deal of differentiation from a large number of other organizations.
- Active Defenses - This term seems to be somewhat en vogue, though it is often misunderstood. Active defense isn't equivalent to "hacking back". A significant idea behind active defense is the implementation of non-passive controls which offer denial and deception capabilities. The utility of an active defense approach can be immense, and more organizations need to begin to develop defensive stratagems that include these measures.
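The deception capability described under Active Defenses above can be made concrete with a small detector. The following is an added example, not code from the original post: it plants decoy ("honeytoken") account names that no legitimate process ever uses, then scans authentication log lines for any attempt, successful or not, to use one of them. The log format, the decoy account names and the sample log lines are all constructed for this example; in practice the parser would be adapted to the real log source, and the alert would be routed to the SOC. Because the decoys are unique to this environment, an adversary's assumptions carried over from other victims do not tell her which accounts are traps, which is the defensive diversity the post argues for.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Decoy accounts that exist only to be tripped over. Constructed names for this
# example; in a real deployment they should look plausible in the local environment
# and be excluded from every legitimate automation.
HONEYTOKEN_USERS: Set[str] = {"svc_backup_legacy", "admin_dr"}

# Constructed log format: "<timestamp> auth: <ACCEPT|REJECT> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<outcome>ACCEPT|REJECT) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    outcome: str  # ACCEPT is worse (the decoy password leaked), but REJECT still matters


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one auth log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_honeytoken_use(lines: Iterable[str]) -> List[Alert]:
    """Alert on every authentication attempt against a decoy account.

    Any touch of a honeytoken is high-signal: there is no legitimate reason for it,
    so both ACCEPT and REJECT outcomes are reported rather than thresholded.
    """
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production version would count these
        if rec["user"] in HONEYTOKEN_USERS:
            alerts.append(Alert(rec["ts"], rec["user"], rec["src"], rec["outcome"]))
    return alerts


def suspicious_sources(lines: Iterable[str]) -> Set[str]:
    """Source addresses that touched any decoy, for containment or further hunting."""
    return {a.src for a in find_honeytoken_use(lines)}


# Constructed sample log: normal activity plus one source probing two decoys.
SAMPLE_LOG = [
    "2024-01-01T08:00:01Z auth: ACCEPT user=alice src=10.0.0.15",
    "2024-01-01T08:00:07Z auth: REJECT user=bob src=10.0.0.22",
    "2024-01-01T08:00:09Z auth: ACCEPT user=bob src=10.0.0.22",
    "2024-01-01T08:01:30Z auth: REJECT user=admin_dr src=10.0.0.99",
    "2024-01-01T08:01:31Z auth: ACCEPT user=svc_backup_legacy src=10.0.0.99",
    "this line is not an auth record and is skipped",
]

if __name__ == "__main__":
    for alert in find_honeytoken_use(SAMPLE_LOG):
        print(f"HONEYTOKEN {alert.outcome} {alert.user} from {alert.src} at {alert.ts}")
    print("sources to investigate:", sorted(suspicious_sources(SAMPLE_LOG)))
```

Run against the constructed sample, the detector reports two alerts, both from 10.0.0.99, and ignores the ordinary user logons and the malformed line. The important design choice is that no tuning or baseline is needed: a decoy account is a control whose false-positive rate is zero by construction, which is what makes it different from the signature-based tools discussed at the top of the post.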
The challenges of security monoculture are significant, but organizations that understand this reality can, ironically, turn this situation to their advantage. Defensive strategies which cultivate and exploit adversaries' own empirical assumptions can be extremely powerful.