Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

// // //

Security in Knowing: An Interview With Nathaniel Gleicher, Part 2

Ignorance is indeed bliss - for those who would attack our organizations' IT systems. This is part 2 of a conversation with Nathaniel Gleicher, head of cybersecurity strategy for Illumio.

Yesterday, we ran the first part of an interview with Nathaniel Gleicher, former Director of Cybersecurity Policy for the Obama White House and ex-senior counsel for the US Department of Justice's computer crimes division, now head of cybersecurity strategy for Illumio. Today, it's the rest of the interview, where we went into detail on what it takes to turn knowledge into security.

In yesterday's interview, Gleicher had just talked about the Secret Service model of security, represented by a pyramid with four words -- understand, control, detect, respond -- written on slices from bottom to top, representing the sequence and amount of effort and planning put into each one.

As before, what follows is an edited version of our conversation.

Curt Franklin: It sounds like [the Secret Service model] presents a sort of a road map toward security that that companies and organizations can follow.

Nathaniel Gleicher: When I think about this I tend to call it the inverted pyramid. If you go next to it on that sheet of paper and you draw an upside down pyramid and you put it four horizontal slices on it and write those same words in the same order again respond at the top, detect below it, control below that and understand below that. When you look at the focus of the cybersecurity community and a lot of security teams, the way we invest looks a lot more like this.

We have a huge emphasis in detections and response. There's a huge focus on behavioral analytics, on anomaly detection, on how do we find the bad guys once they're inside, catch them and stop them. We invest far less in controlling the environment and we invest very little in understanding. If you look at the lesson from physical security, if you don't have a strong base, if you don't have understanding and control, your detection and response effectiveness is just capped in a very limited way.

A lot of it from my perspective comes back to this inverted pyramid. We don't understand our environments and we don't have control over them. And ironically if an intruder is inside our empire we should have an advantage -- they're inside our house. We built the house, we know what was there. In theory we have a huge advantage, but we don't today. And so when I think about security it's not about artificially forcing our environments back to a simpler way of life, it's about building tools that will enable our organizations to actually understand the environment that exist today to exert control over them. That is what enables us to actually be effective in response.

CF: I would love to hear some some more thoughts on that because it seems to me this is a key piece of the entire puzzle. A lot of organizations will give lip service to understanding things; it's doing things with that understanding that so many organizations fall down on.

NG: I completely agree. And so there's two pieces to it. One is technical and one I would actually argue is organizational.

You're invited to attend Light Reading's 11th annual Future of Cable Business Services event. Join us in New York on November 30 for the premier independent conference focusing on the cable industry's continuing efforts in the commercial services market -- all cable operators and other communications service providers get in free.

Everyone talks about how security is a technology problem and in some ways it is. But actually I think a lot is organizational. So you're talking about not just understanding an environment -- although to be honest that's hard enough -- but also being able to take action based on [that understanding].

Rob Joyce is the former head of NSA's tailored access operations unit (TAO). He's one of the best hackers in the world. He gave a talk at Enigma about a year and a half ago now. The basic premise of his talk was, "Hi, I'm from the NSA, we're really good at breaking into your system. Here's what you would need to do to make our life hard." And it's a fascinating perspective.

He says two things. The first thing he says is, intruders win because we know your network better than you do. This is the "understanding." You know how the network was supposed to work when you set it up; we know how it actually works today. But then he goes on and he lays out five things you could do to make life hard for the NSA and for other sophisticated attackers.

I love that these are not rocket science. He talked about encrypted communications, using strong passwords, limiting user access, patching vulnerabilities and segmenting your environment. These are all things that we've known about for years, that everyone agreed are the best practices, but that when you get inside a lot of environments they're still not done.

It drives home this message that security is actually not impossible. So it's really an organizational challenge. How do you make the organization work?

CF: One of the things that you talked about was limiting user access and I think that we can agree that in most cases that means making sure that users have access to everything they legitimately need but only what they legitimately need. There is so much emphasis on the application design side today in improving the user experience and minimizing transactional friction. So is there a necessary tension between the security side and the user experience side?

NG: Security is essentially the practice of trying to impose differentiated friction. That is, you want to impose as much friction as possible on illegitimate actors and as little pressure as possible on legitimate actors. And one reason why I think we actually do a really bad job is that right now is because we don't understand our environments.

If you knew and understood what an individual needed to do in order to get their work done you could impose limits that wouldn't actually limit the user but would constrain an intruder trying to manipulate those credentials. The problem is we generally don't know what those needs and dependencies are.

The needs of a user, like the needs of a system, aren't static. They change constantly and they're not something that you can expect humans to track manually and keep up to date with static rules. It just doesn't work.

Part of the problem is in a lot of our environments we're writing security rules at a very low level. Today, we don't write most software in assembler, we write it in higher-level languages and we have machines that do the translation. We need more things like that in security where we can express security policy at a high level and then have an intelligent system that does the translation so that we can make high level decisions and then make sure that they are carried out in the right way.

I've found that the average organization utilizes about 3% of the open connections that they enable within their data center; actually in many cases it's much smaller than 3%. So there's this huge scope of open, frictionless communication that a legitimate organization isn't using that you can close. This would radically constrain an intruder but would do very little to constrain the legitimate business.

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file