The Detection Trap: Improving Cybersecurity by Learning from the Secret Service

Intruders often understand the networks they target better than their defenders do.

Nathaniel Gleicher, Head of Cybersecurity Strategy, Illumio

June 12, 2017

5 Min Read

It's surprisingly easy to break into the White House grounds — in March, someone slipped over the fence and roamed the compound before being caught. Nevertheless, the White House is still the most secure public space in the world, because whether they get tackled on the lawn, arrested at the front door, or stopped at the stairs to the residence, intruders consistently get caught before they reach the president.

Contrast this with how we protect the high-value assets in our data centers. Despite a $75 billion-a-year cybersecurity industry, attackers are still able to not only break in but to hide for months or years inside without being discovered. This is called dwell time, and the current average is about 146 days. For comparison, the White House break-in lasted about 17 minutes.

Dwell time is the most critical measure of network security, because any intruder with time to explore a network will almost certainly find a high-value target and cause serious damage. It is also the most striking distinction between physical security — where dwell time is generally short — and computer security. The Secret Service can permit a porous border because their understanding and control of the White House lets them focus on catching intruders after only a few moments inside.

The march of recent breaches has been typified by the failure to detect intruders, or overworked security teams that missed alerts even when their detection worked. Security teams today are laser-focused on this problem and are doubling down on detection to solve it. This is the right problem to solve, but focusing on detection as the solution is a trap. The real problem is that intruders often understand the networks they target better than their defenders do, giving them a tremendous advantage.

The Defender's Advantage
Throughout history, defenders' greatest advantage has been their ability to choose and control their ground. The Secret Service knows every nook and cranny of any location where the president appears. This is why dwell time for intruders inside the White House is so short: they're on the defender's home turf, and every step could be their last.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register

On the network, defenders have largely ceded this advantage, because most don't know what their environment looks like. If security teams don't know how their applications operate across their infrastructure, they don't have control. If they have an outdated picture of their infrastructure (your network six weeks ago isn't the same as your network today) or they don't know what is connected to their network, they don't have control. And if they're missing critical information, such as which infrastructure is running their most critical applications, they don't have control.

Why are defenders in this mess? Networks are much more complicated and dynamic than the physical world, but they're also far easier to monitor. It's a problem that screams out for artificial intelligence, machine learning, and a string of other cutting-edge buzzwords. But most of these efforts are still focused on detection: catching bad guys in the act, not understanding and controlling the environments in which they are acting.

The good news is that understanding our networked environments is doable. The problem is we've been pointing our human analysts at computer-scale problems and our computers at human problems. Again, we can learn a lesson from the Secret Service.

Secret Service agents have decades of training under their belts and are optimized to solve the hardest problems: they must decide in a split second whether someone in a crowd is reaching for a gun, a protest sign, or just a cellphone. They must distinguish between someone having a bad day and someone plotting an assassination. They must separate an exercise of free speech from a destructive plot.

But Secret Service agents are also the scarcest and most expensive resource the agency has — those decades of training don't come cheap. So the Secret Service doesn't use agents to solve all their problems. Much of the Secret Service's effort is focused on solving simpler problems before they reach their agents, so those agents can focus on the hardest ones. 

Think of your security team as your Secret Service agents. Expecting them to keep up with the constant dynamism of your network doesn't make sense. But on the network, every server, every virtual machine, every cloud instance, and every infrastructure device comes with a built-in sensor. If we could leverage this and keep up with changes in our environment, we could give our security teams the information they need to do what they are trained for: catch the bad guys.

To do this, we need automated systems, we need orchestration, and we need machine learning. But we need them pointed at the right things — the computer-scale problems that prevent us from understanding and controlling our environments. Understanding and control are how defenders have been successful for millennia, in all kinds of environments and circumstances. Our task isn't to throw out these lessons and start over; it's to learn from this experience and adjust our approach to account for our new environment.

Remember that fence jumper's 17 minutes inside the compound. He should never have gotten inside, nor should he have been able to spend so long before he was caught. But when he was stopped, there were still multiple layers of security between him and the president. This is because the Secret Service isn't caught by the detection trap. The Secret Service focuses on control first. Security based on control doesn't mean defenders won't make mistakes — there will always be mistakes. It means that defenders can make mistakes and still be secure.

Related Content:

About the Author(s)

Nathaniel Gleicher

Head of Cybersecurity Strategy, Illumio

As head of cybersecurity strategy, Nathaniel is responsible for thought leadership, public engagement, and overseeing Illumio's security technology strategy. Nathaniel is a regular speaker at leading industry events, and his writing has appeared in industry publications, the popular press, and academic journals.

Prior to Illumio, Nathaniel investigated and prosecuted domestic and international cybercrime at the U.S. Department of Justice, advised the South Korean government on technology policy, and served as director for cybersecurity policy on the National Security Council at the White House. Nathaniel received a B.S. in computer science from the University of Chicago and a J.D. from Yale Law School. He has served as a Peace Corps volunteer on the island of Saint Vincent and as a Luce Scholar based in Seoul, South Korea.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights