Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Connect Directly
E-Mail vvv

The Detection Trap: Improving Cybersecurity by Learning from the Secret Service

Intruders often understand the networks they target better than their defenders do.

It's surprisingly easy to break into the White House grounds — in March, someone slipped over the fence and roamed the compound before being caught. Nevertheless, the White House is still the most secure public space in the world, because whether they get tackled on the lawn, arrested at the front door, or stopped at the stairs to the residence, intruders consistently get caught before they reach the president.

Contrast this with how we protect the high-value assets in our data centers. Despite a $75 billion-a-year cybersecurity industry, attackers are still able to not only break in but to hide for months or years inside without being discovered. This is called dwell time, and the current average is about 146 days. For comparison, the White House break-in lasted about 17 minutes.

Dwell time is the most critical measure of network security, because any intruder with time to explore a network will almost certainly find a high-value target and cause serious damage. It is also the most striking distinction between physical security — where dwell time is generally short — and computer security. The Secret Service can permit a porous border because their understanding and control of the White House lets them focus on catching intruders after only a few moments inside.

The march of recent breaches has been typified by the failure to detect intruders, or overworked security teams that missed alerts even when their detection worked. Security teams today are laser-focused on this problem and are doubling down on detection to solve it. This is the right problem to solve, but focusing on detection as the solution is a trap. The real problem is that intruders often understand the networks they target better than their defenders do, giving them a tremendous advantage.

The Defender's Advantage
Throughout history, defenders' greatest advantage has been their ability to choose and control their ground. The Secret Service knows every nook and cranny of any location where the president appears. This is why dwell time for intruders inside the White House is so short: they're on the defender's home turf, and every step could be their last.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

On the network, defenders have largely ceded this advantage, because most don't know what their environment looks like. If security teams don't know how their applications operate across their infrastructure, they don't have control. If they have an outdated picture of their infrastructure (your network six weeks ago isn't the same as your network today) or they don't know what is connected to their network, they don't have control. And if they're missing critical information, such as which infrastructure is running their most critical applications, they don't have control.

Why are defenders in this mess? Networks are much more complicated and dynamic than the physical world, but they're also far easier to monitor. It's a problem that screams out for artificial intelligence, machine learning, and a string of other cutting-edge buzzwords. But most of these efforts are still focused on detection: catching bad guys in the act, not understanding and controlling the environments in which they are acting.

The good news is that understanding our networked environments is doable. The problem is we've been pointing our human analysts at computer-scale problems and our computers at human problems. Again, we can learn a lesson from the Secret Service.

Secret Service agents have decades of training under their belts and are optimized to solve the hardest problems: they must decide in a split second whether someone in a crowd is reaching for a gun, a protest sign, or just a cellphone. They must distinguish between someone having a bad day and someone plotting an assassination. They must separate an exercise of free speech from a destructive plot.

But Secret Service agents are also the scarcest and most expensive resource the agency has — those decades of training don't come cheap. So the Secret Service doesn't use agents to solve all their problems. Much of the Secret Service's effort is focused on solving simpler problems before they reach their agents, so those agents can focus on the hardest ones. 

Think of your security team as your Secret Service agents. Expecting them to keep up with the constant dynamism of your network doesn't make sense. But on the network, every server, every virtual machine, every cloud instance, and every infrastructure device comes with a built-in sensor. If we could leverage this and keep up with changes in our environment, we could give our security teams the information they need to do what they are trained for: catch the bad guys.

To do this, we need automated systems, we need orchestration, and we need machine learning. But we need them pointed at the right things — the computer-scale problems that prevent us from understanding and controlling our environments. Understanding and control are how defenders have been successful for millennia, in all kinds of environments and circumstances. Our task isn't to throw out these lessons and start over; it's to learn from this experience and adjust our approach to account for our new environment.

Remember that fence jumper's 17 minutes inside the compound. He should never have gotten inside, nor should he have been able to spend so long before he was caught. But when he was stopped, there were still multiple layers of security between him and the president. This is because the Secret Service isn't caught by the detection trap. The Secret Service focuses on control first. Security based on control doesn't mean defenders won't make mistakes — there will always be mistakes. It means that defenders can make mistakes and still be secure.

Related Content:

As head of cybersecurity strategy, Nathaniel is responsible for thought leadership, public engagement, and overseeing Illumio's security technology strategy. Nathaniel is a regular speaker at leading industry events, and his writing has appeared in industry publications, the ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/13/2017 | 10:58:46 AM
Problem Solving
Because of the ever changing cyber threat landscape, and the pace at which our infrastructures are being attacked, using technology to assist our cyber defenders is an absolute requirement.  However, it's a very important distinction to remember that technology does not solve our problems.  PEOPLE solve problems.  Technology is just a tool.
Christian Bryant
Christian Bryant,
User Rank: Ninja
6/12/2017 | 11:28:03 AM
White House As Honeypot
I have always found it interesting the White House has had as many intrusions as seen on the news (and not), or even that some get as far as they do.  While it's easy to point to incompetence I rather like to see it as something else.  The White House acts as a honeypot.

You see, similar to how one might set up a sweet server that is begging to be compromised to see what flies are attracted the honey, I suspect the White House acts in a similar fashion.  For anyone who has stood outside the White House, there is an almost inviting accessibility to the grounds.  What better way to quickly assess who in the neighborhood has malicious plans than to present a honeypot like the White House?

Now, speaking of dwell time, those with budget could utilize this same concept to border their inner critical data with inviting honeypots that would attract both one-hit-wonders and dwellers.  The key is for those who would dwell, by sitting in the honeypot they are hurting themselves by providing extended time for InfoSec pros to find them and end their squatting reign.  Expense may come to mind, but I suspect the cost and maintenance of an ESX server with a host of VMs spun out to act as a honeypot shield would pay off more in the end for some companies than by just relying on automation.

Adding good automation to the mix would just seal the deal.  With honey.


7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
10 Notable Security Acquisitions of 2019 (So Far)
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-06-17
In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command.
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed o...
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has Telnet functionality enabled by default. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car ga...
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi password. This application is install...
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows it...