
Operations | Commentary
5/28/2020 10:00 AM
By Maurice Uenuma, VP, Federal & Enterprise, Tripwire, former Special Ops Marine, and A.T. Smith, Former Deputy Director of the U.S. Secret Service

How Elite Protectors Operationalize Security Protection

There is no silver bullet for cybersecurity. It takes the right people, with the right mindset, applying the right elements of good security from the data center to the SOC.

Second of a two-part series.

What do protecting heads of state, securing motorcades, defending forward operating bases, and conducting high-risk special operations raids have to do with information security? In Part 2 of this two-part series, the authors share four common principles of executive protection and military operations to help security teams prepare for a cyberattack.

Principle 1: Rehearse the Plan
Having laid the best plans and implemented all the security measures deemed necessary, elite protectors must still prepare for the worst. This means being ready to effectively respond to and mitigate the effects of a successful attack. In turn, this means training, training, and more training. Marines continually rehearse immediate action drills until the reaction is an automatic response. These drills cover common scenarios they are likely to face in combat.

The mind's ability to process information and make good decisions is degraded under stress. We don't become better thinkers when the moment comes — we become worse. For this reason, the Secret Service trains like no other agency to prepare for an assault on a principal. An agent's response — through regular training — becomes an automatic motor skill, something that happens naturally. This effect on a protector's mind can occur in any crisis situation, and applies to cybersecurity professionals as well. Immediate action drills and standard operating procedures are the default actions to take in the absence of any other guidance, and they must be rehearsed.

Principle 2: Watch the Target
The innermost ring of security is much more about watching than it is about managing access controls, barriers, barricades, and counterattack plans. A protective detail will always assign its most trusted agents to remain close to the principal. They are the last line of defense to address any threats that were not mitigated elsewhere. They do this by watching everything close to the principal — and the actual principal. Some threats are invisible, and sometimes things go wrong even without external threat actors. The only way to ensure security is to watch the person being guarded.

In cybersecurity, the equivalent principle is system integrity — monitoring protected systems for changes. This is important because, for any cyberattack to be successful, the attackers must make a change sooner or later: They must modify a setting, insert an executable, elevate privileges, or otherwise do something. If nothing happens, well … nothing happens.

Whether the principal is a human or a machine, changes that do take place are mostly routine, expected, necessary changes to perform the function the target is designed to perform. As a result, it's hard to detect those rare but significant anomalies. The level of fine-tuned anomaly detection needed to do this effectively can be achieved only when the protectors are able to sort through the expected and unexpected (or authorized and unauthorized) in real time.

In the Secret Service, the inner ring of a protective detail does not change often so that agents get to know the principal and are able to detect unusual activity. Similarly, in a cybersecurity environment, a well-tuned integrity management system can sift through the noise and alert on those significant changes when they do occur.
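Principle 2 describes integrity monitoring in prose: take a baseline of the protected system, watch for changes, and sort the ones that occur into expected (authorized) and unexpected (unauthorized). The following Python is an added illustration of that loop, not code from the authors or from any Tripwire product. It hashes a small, constructed set of files, diffs the current state against the baseline, and then checks each change against an approved-change ledger; the file paths, ticket numbers and contents are sample data invented for the example. One detail worth noting in the classifier: a path that has an approved change record but ends up with content other than what the record approved is still reported, because "a change was expected here" is not the same as "this change was expected".

```python
"""Added illustration of integrity monitoring: baseline, diff, then sort
changes into authorized (matching an approved change record) and unauthorized.
All paths, tickets and file contents below are constructed sample data."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def digest(content: bytes) -> str:
    """Content hash used as the integrity fingerprint of one file."""
    return hashlib.sha256(content).hexdigest()


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline or current state: path -> sha256 of content."""
    return {path: digest(content) for path, content in files.items()}


@dataclass(frozen=True)
class Change:
    path: str
    kind: str              # "added", "modified" or "removed"
    old: Optional[str]     # hash in the baseline, None if the file was added
    new: Optional[str]     # hash now, None if the file was removed


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> List[Change]:
    """Every path whose fingerprint differs between the two snapshots."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue  # routine: nothing changed, nothing to look at
        kind = "added" if old is None else "removed" if new is None else "modified"
        changes.append(Change(path, kind, old, new))
    return changes


# Approved change records: path -> (ticket, expected hash after the change,
# or None when the approved change is a removal).
Approvals = Dict[str, Tuple[str, Optional[str]]]


def classify(changes: List[Change], approvals: Approvals) -> Dict[str, List[Tuple[str, str]]]:
    """Sort changes into authorized and unauthorized.

    A change is authorized only if a record exists for the path AND the content
    that actually landed matches what the record approved; an approved path that
    ends up with different content is still an alert."""
    result: Dict[str, List[Tuple[str, str]]] = {"authorized": [], "unauthorized": []}
    for change in changes:
        record = approvals.get(change.path)
        if record is None:
            result["unauthorized"].append((change.path, f"{change.kind}, no approved change"))
        elif record[1] != change.new:
            result["unauthorized"].append(
                (change.path, f"{change.kind}, content differs from what {record[0]} approved"))
        else:
            result["authorized"].append((change.path, record[0]))
    return result


# Constructed sample data: the baseline taken yesterday and the state seen now.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/sbin/sshd": b"\x7fELF-sshd-binary-v1",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n",
    "/usr/sbin/sshd": b"\x7fELF-sshd-binary-v1-altered",          # not the approved v2 build
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",  # unchanged
    "/etc/cron.d/hourly_job": b"0 * * * * root /opt/unknown/job.sh\n",  # no ticket at all
}
APPROVALS: Approvals = {
    "/etc/ssh/sshd_config": ("CHG-1042", digest(CURRENT_FILES["/etc/ssh/sshd_config"])),
    "/usr/sbin/sshd": ("CHG-1050", digest(b"\x7fELF-sshd-binary-v2")),
}


def run_check() -> Dict[str, List[Tuple[str, str]]]:
    """One monitoring cycle over the sample data."""
    return classify(diff(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES)), APPROVALS)


if __name__ == "__main__":
    report = run_check()
    for path, ticket in report["authorized"]:
        print(f"OK     {path} (approved under {ticket})")
    for path, reason in report["unauthorized"]:
        print(f"ALERT  {path}: {reason}")
```

Run as a script it prints one OK line for the approved sshd_config edit and two ALERT lines: the new cron entry with no ticket, and the sshd binary whose landed content does not match the build that CHG-1050 approved. In a real deployment the snapshot function would walk the filesystem and the approvals ledger would come from the change-management system; the classification logic is the part the principle is about.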

Principle 3: Don't Rely on the Perimeter
There is always a tendency to assume that threats come from somewhere else, while familiar things inside are safe. It's a mentality more than a reality. Elite protectors must always assume compromise and prepare for it. Secret Service agents can't assume that the outer perimeter maintained by local law enforcement will keep assassins out, nor can they assume that physical barriers will be enough to stop threats. They must plan for a breach of the perimeter.

Similarly, cybersecurity professionals know that whatever perimeter they may have relied upon in the past is no longer viable as a defense. The expansion of mobile devices, shifting of enterprise workloads to cloud-hosted environments, and the widespread use of software-as-a-service solutions means that architecting a defensive posture predicated on an identifiable boundary between "inside" and "outside" is a recipe for failure. In short, nobody is assumed to be innocent by virtue of walking around inside the environment. For this reason, defense-in-depth and the zero-trust model are being adopted as more effective approaches to thwarting attackers.

Principle 4: The Right Mindset
One of the hardest things for elite protectors to do is to stay alert and ready when everything seems to be just another day on the job. Agents on a protective detail or Marines manning a defensive post must keep watch, day after day, whether there is an attacker nearby or not. Regardless of what the threat landscape may be, protectors must stand watch. Operating successfully requires a unique mindset. Elite protectors embrace observation as a way of life. Situational awareness, curiosity, and attention to detail are essential traits.

The same applies to cybersecurity professionals: To be successful, being able to stay "in the orange" and maintain a high state of individual and collective awareness are essential. From consistently checking door locks and access badges to reviewing audit logs and ensuring timely patching, security is fundamentally a discipline in every sense of the word.

Principle 5: The Right People
People make all the difference. The key tenets of U.S. Special Operations Forces (SOF) are expressed in the "SOF Truths" that humans are more important than hardware and quality is better than quantity. It can be tempting for cybersecurity professionals to believe that new, better, or more technology investment will save the day. But humans remain central to all security disciplines. After all, it is humans who must accept risks to protect other humans, whether from bullets, bombs, or bits of malware.

The world's elite protectors know that there is no silver bullet to security. It takes the right people, with the right mindset, applying the right elements of good security. It's a discipline, a way of life. From the data center to the SOC, the principles of sound security apply—just as they still do in executive protection and special operations.

Back to Part 1: "What the World's Elite Protectors Teach Us About Cybersecurity"


Maurice Uenuma is vice president, federal & enterprise at Tripwire. He was vice president at the Center for Internet Security (CIS), and Workforce Management co-chair of the National Initiative for Cybersecurity ...