Second of a two-part series.
What do protecting heads of state, securing motorcades, defending forward operating bases, and conducting high-risk special operations raids have to do with information security? In Part 2 of this two-part series, the authors share five common principles of executive protection and military operations to help security teams prepare for a cyberattack.
Principle 1: Rehearse the Plan
Having laid the best plans and implemented all the security measures deemed necessary, elite protectors must still prepare for the worst. This means being ready to effectively respond to and mitigate the effects of a successful attack. In turn, this means training, training, and more training. Marines continually rehearse immediate action drills until the reaction is an automatic response. These drills cover common scenarios they are likely to face in combat.
The mind's ability to process information and make good decisions is degraded under stress. We don't become better thinkers when the moment comes; we become worse. For this reason, the Secret Service trains like no other agency to prepare for an assault on a principal. Through regular training, an agent's response becomes an automatic motor skill, something that happens naturally. Stress degrades judgment in any crisis, and that applies to cybersecurity professionals as well. Immediate action drills and standard operating procedures are the default actions to take in the absence of any other guidance, and they are only useful if they have been rehearsed before the incident, not read for the first time during it.
Principle 2: Watch the Target
The innermost ring of security is much more about watching than it is about managing access controls, barriers, barricades, and counterattack plans. A protective detail will always assign its most trusted agents to remain close to the principal. They are the last line of defense to address any threats that were not mitigated elsewhere. They do this by watching everything close to the principal — and the actual principal. Some threats are invisible, and sometimes things go wrong even without external threat actors. The only way to ensure security is to watch the person being guarded.
In cybersecurity, the equivalent principle is system integrity: monitoring protected systems for changes. This is important because, for any cyberattack to be successful, the attackers must make a change sooner or later. They must modify a setting, insert an executable, elevate privileges, or otherwise do something. If nothing happens, well … nothing happens.
Whether the principal is a human or a machine, most changes that take place are routine, expected, necessary changes the target makes to perform the function it is designed to perform. As a result, the rare but significant anomalies are hard to pick out. The fine-tuned anomaly detection needed to do this effectively is possible only when protectors can reconcile each observed change against what was expected and authorized, close to real time: a change that matches an approved change record is noise, and one that does not is a signal worth investigating.
In the Secret Service, the inner ring of a protective detail does not change often so that agents get to know the principal and are able to detect unusual activity. Similarly, in a cybersecurity environment, a well-tuned integrity management system can sift through the noise and alert on those significant changes when they do occur.
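As an added illustration of the integrity-management idea above (example code written for this page, not a product or the authors' own tooling), the following Python script baselines SHA-256 hashes of monitored files, diffs a later snapshot against the baseline, discards known noise (rotating logs), and then reconciles each remaining change against a list of approved change tickets. The files, their contents, and the ticket `CHG-1042` are all constructed for the example; the snapshot functions take an in-memory path-to-bytes mapping so it runs offline, but the same hashing applies to real files. One design point worth noticing: a ticket that pins the exact approved content (`expected_sha256`) catches an attacker who edits the same file during the approved change window, whereas a ticket that merely permits "someone may touch this path" does not.

```python
"""Integrity check: baseline, diff, and reconcile changes against approved change tickets.

Example code for this article; paths, contents and ticket IDs below are constructed.
"""
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict) -> dict:
    """Baseline: map each monitored path to the SHA-256 of its content."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass(frozen=True)
class Change:
    path: str
    kind: str                  # "added", "modified" or "removed"
    new_hash: Optional[str]    # hash after the change; None when removed


def diff(baseline: dict, current: dict, ignore_globs=()) -> list:
    """Compare two snapshots. Paths matching ignore_globs (known noise) are skipped."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if any(fnmatch(path, g) for g in ignore_globs):
            continue
        if path not in baseline:
            changes.append(Change(path, "added", current[path]))
        elif path not in current:
            changes.append(Change(path, "removed", None))
        elif baseline[path] != current[path]:
            changes.append(Change(path, "modified", current[path]))
    return changes


@dataclass(frozen=True)
class ChangeTicket:
    """An approved change: which paths it may touch, how, and ideally the exact approved content."""
    ticket_id: str
    path_glob: str
    kinds: frozenset
    expected_sha256: Optional[str] = None   # None = any content accepted (weaker)


def authorizes(ticket: ChangeTicket, change: Change) -> bool:
    if not fnmatch(change.path, ticket.path_glob) or change.kind not in ticket.kinds:
        return False
    if ticket.expected_sha256 is None or change.kind == "removed":
        return True
    # Pinned ticket: the file must end up with exactly the approved content.
    return change.new_hash == ticket.expected_sha256


def classify(changes: list, tickets: list):
    """Split changes into expected [(change, ticket_id)] and unexpected [change]."""
    expected, unexpected = [], []
    for change in changes:
        ticket = next((t for t in tickets if authorizes(t, change)), None)
        if ticket is None:
            unexpected.append(change)
        else:
            expected.append((change, ticket.ticket_id))
    return expected, unexpected


# --- Constructed sample data (not real system contents) -------------------------------
APPROVED_SSHD_CONFIG = b"PermitRootLogin no\nPasswordAuthentication no\n"

BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication yes\n",
    "/usr/sbin/sshd": b"\x7fELF...sshd-build-1",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
    "/var/log/syslog": b"Jan 1 00:00:00 host boot\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": APPROVED_SSHD_CONFIG,                 # matches CHG-1042
    "/usr/sbin/sshd": b"\x7fELF...sshd-build-1-modified",         # no ticket covers this
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
    "/etc/cron.d/.persist": b"* * * * * root /tmp/.x\n",          # added, no ticket
    "/var/log/syslog": b"Jan 1 00:00:00 host boot\nJan 1 00:01:00 host cron\n",  # noise
}
TICKETS = [
    ChangeTicket("CHG-1042", "/etc/ssh/sshd_config", frozenset({"modified"}),
                 expected_sha256=sha256_hex(APPROVED_SSHD_CONFIG)),
]
IGNORE = ("/var/log/*",)


def run_check(current_files: dict = CURRENT_FILES):
    changes = diff(snapshot(BASELINE_FILES), snapshot(current_files), ignore_globs=IGNORE)
    return classify(changes, TICKETS)


if __name__ == "__main__":
    expected, unexpected = run_check()
    for change, ticket_id in expected:
        print(f"expected   {change.kind:8} {change.path}  (authorized by {ticket_id})")
    for change in unexpected:
        print(f"UNEXPECTED {change.kind:8} {change.path}")
```

Running it reports the sshd_config edit as expected (it matches the pinned hash on CHG-1042) and flags the modified sshd binary and the new cron entry as unexpected. If the ticket were instead written as `/etc/ssh/*` with no `expected_sha256`, any content dropped into that file during the change window would be waved through, which is exactly the kind of gap a "trusted inner ring" that knows what the principal normally looks like is meant to close.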
Principle 3: Don't Rely on the Perimeter
There is always a tendency to assume that threats come from somewhere else, while familiar things inside are safe. It's a mentality more than a reality. Elite protectors must always assume compromise and prepare for it. Secret Service agents can't assume that the outer perimeter maintained by local law enforcement will keep assassins out, nor can they assume that physical barriers will be enough to stop threats. They must plan for a breach of the perimeter.
Similarly, cybersecurity professionals know that whatever perimeter they may have relied upon in the past can no longer be relied upon as the primary defense. The expansion of mobile devices, the shifting of enterprise workloads to cloud-hosted environments, and the widespread use of software-as-a-service solutions mean that architecting a defensive posture predicated on an identifiable boundary between "inside" and "outside" is a recipe for failure. In short, nobody is assumed to be innocent by virtue of walking around inside the environment: every request is authenticated and authorized on its own merits, and a compromised internal host is treated as exactly that. For this reason, defense-in-depth and the zero-trust model are being adopted as more effective approaches to thwarting attackers.
Principle 4: The Right Mindset
One of the hardest things for elite protectors to do is to stay alert and ready when everything seems to be just another day on the job. Agents on a protective detail or Marines manning a defensive post must keep watch, day after day, whether there is an attacker nearby or not. Regardless of what the threat landscape may be, protectors must stand watch. Operating successfully requires a unique mindset. Elite protectors embrace observation as a way of life. Situational awareness, curiosity, and attention to detail are essential traits.
The same applies to cybersecurity professionals: To be successful, staying "in the orange" and maintaining a high state of individual and collective awareness is essential. From consistently checking door locks and access badges to reviewing audit logs and ensuring timely patching, security is fundamentally a discipline in every sense of the word.
Principle 5: The Right People
People make all the difference. The key tenets of U.S. Special Operations Forces (SOF) are expressed in the "SOF Truths" that humans are more important than hardware and quality is better than quantity. It can be tempting for cybersecurity professionals to believe that new, better, or more technology investment will save the day. But humans remain central to all security disciplines. After all, it is humans that must accept risks to protect other humans, whether from bullets, bombs, or bits of malware.
The world's elite protectors know that there is no silver bullet to security. It takes the right people, with the right mindset, applying the right elements of good security. It's a discipline, a way of life. From the data center to the SOC, the principles of sound security apply—just as they still do in executive protection and special operations.
Back to Part 1: "What the World's Elite Protectors Teach Us About Cybersecurity"