It's surprisingly easy to break into the White House grounds — in March, someone slipped over the fence and roamed the compound before being caught. Nevertheless, the White House is still the most secure public space in the world, because whether they get tackled on the lawn, arrested at the front door, or stopped at the stairs to the residence, intruders consistently get caught before they reach the president.
Contrast this with how we protect the high-value assets in our data centers. Despite a $75 billion-a-year cybersecurity industry, attackers are still able to not only break in but to hide for months or years inside without being discovered. This is called dwell time, and the current average is about 146 days. For comparison, the White House break-in lasted about 17 minutes.
Dwell time is the most critical measure of network security, because any intruder with time to explore a network will almost certainly find a high-value target and cause serious damage. It is also the most striking distinction between physical security — where dwell time is generally short — and computer security. The Secret Service can permit a porous border because their understanding and control of the White House lets them focus on catching intruders after only a few moments inside.
The march of recent breaches has been typified by the failure to detect intruders, or overworked security teams that missed alerts even when their detection worked. Security teams today are laser-focused on this problem and are doubling down on detection to solve it. This is the right problem to solve, but focusing on detection as the solution is a trap. The real problem is that intruders often understand the networks they target better than their defenders do, giving them a tremendous advantage.
The Defender's Advantage
Throughout history, defenders' greatest advantage has been their ability to choose and control their ground. The Secret Service knows every nook and cranny of any location where the president appears. This is why dwell time for intruders inside the White House is so short: they're on the defender's home turf, and every step could be their last.
On the network, defenders have largely ceded this advantage, because most don't know what their environment looks like. If security teams don't know how their applications operate across their infrastructure, they don't have control. If they have an outdated picture of their infrastructure (your network six weeks ago isn't the same as your network today) or they don't know what is connected to their network, they don't have control. And if they're missing critical information, such as which infrastructure is running their most critical applications, they don't have control.
Why are defenders in this mess? Networks are much more complicated and dynamic than the physical world, but they're also far easier to monitor. It's a problem that screams out for artificial intelligence, machine learning, and a string of other cutting-edge buzzwords. But most of these efforts are still focused on detection: catching bad guys in the act, not understanding and controlling the environments in which they are acting.
The good news is that understanding our networked environments is doable. The problem is we've been pointing our human analysts at computer-scale problems and our computers at human problems. Again, we can learn a lesson from the Secret Service.
Secret Service agents have decades of training under their belts and are optimized to solve the hardest problems: they must decide in a split second whether someone in a crowd is reaching for a gun, a protest sign, or just a cellphone. They must distinguish between someone having a bad day and someone plotting an assassination. They must separate an exercise of free speech from a destructive plot.
But Secret Service agents are also the scarcest and most expensive resource the agency has — those decades of training don't come cheap. So the Secret Service doesn't use agents to solve all their problems. Much of the Secret Service's effort is focused on solving simpler problems before they reach their agents, so those agents can focus on the hardest ones.
Think of your security team as your Secret Service agents. Expecting them to keep up with the constant dynamism of your network doesn't make sense. But on the network, every server, every virtual machine, every cloud instance, and every infrastructure device comes with a built-in sensor. If we could leverage this and keep up with changes in our environment, we could give our security teams the information they need to do what they are trained for: catch the bad guys.
To do this, we need automated systems, we need orchestration, and we need machine learning. But we need them pointed at the right things — the computer-scale problems that prevent us from understanding and controlling our environments. Understanding and control are how defenders have been successful for millennia, in all kinds of environments and circumstances. Our task isn't to throw out these lessons and start over; it's to learn from this experience and adjust our approach to account for our new environment.
Remember that fence jumper's 17 minutes inside the compound. He should never have gotten inside, nor should he have been able to spend so long before he was caught. But when he was stopped, there were still multiple layers of security between him and the president. This is because the Secret Service isn't caught by the detection trap. The Secret Service focuses on control first. Security based on control doesn't mean defenders won't make mistakes — there will always be mistakes. It means that defenders can make mistakes and still be secure.