Yesterday, we ran the first part of an interview with Nathaniel Gleicher, former Director of Cybersecurity Policy for the Obama White House and ex-senior counsel for the US Department of Justice's computer crimes division, now head of cybersecurity strategy for Illumio. Today, it's the rest of the interview, where we went into detail on what it takes to turn knowledge into security.
In yesterday's interview, Gleicher had just talked about the Secret Service model of security, represented by a pyramid with four words -- understand, control, detect, respond -- written on slices from bottom to top, representing the sequence and amount of effort and planning put into each one.
As before, what follows is an edited version of our conversation.
Curt Franklin: It sounds like [the Secret Service model] presents a sort of a road map toward security that companies and organizations can follow.
Nathaniel Gleicher: When I think about this I tend to call it the inverted pyramid. If you go next to it on that sheet of paper and you draw an upside-down pyramid, put four horizontal slices on it and write those same words in the same order again: respond at the top, detect below it, control below that and understand below that. When you look at the focus of the cybersecurity community and a lot of security teams, the way we invest looks a lot more like this.
We have a huge emphasis on detection and response. There's a huge focus on behavioral analytics, on anomaly detection, on how do we find the bad guys once they're inside, catch them and stop them. We invest far less in controlling the environment and we invest very little in understanding. If you look at the lesson from physical security, if you don't have a strong base, if you don't have understanding and control, your detection and response effectiveness is just capped in a very limited way.
A lot of it from my perspective comes back to this inverted pyramid. We don't understand our environments and we don't have control over them. And ironically, if an intruder is inside our empire we should have an advantage -- they're inside our house. We built the house, we know what was there. In theory we have a huge advantage, but we don't today. And so when I think about security it's not about artificially forcing our environments back to a simpler way of life, it's about building tools that will enable our organizations to actually understand the environments that exist today and to exert control over them. That is what enables us to actually be effective in response.
CF: I would love to hear some more thoughts on that because it seems to me this is a key piece of the entire puzzle. A lot of organizations will give lip service to understanding things; it's doing things with that understanding that so many organizations fall down on.
NG: I completely agree. And so there are two pieces to it. One is technical and one I would actually argue is organizational.
Everyone talks about how security is a technology problem and in some ways it is. But actually I think a lot is organizational. So you're talking about not just understanding an environment -- although to be honest that's hard enough -- but also being able to take action based on [that understanding].
Rob Joyce is the former head of NSA's tailored access operations unit (TAO). He's one of the best hackers in the world. He gave a talk at Enigma about a year and a half ago now. The basic premise of his talk was, "Hi, I'm from the NSA, we're really good at breaking into your system. Here's what you would need to do to make our life hard." And it's a fascinating perspective.
He says two things. The first thing he says is, intruders win because we know your network better than you do. This is the "understanding." You know how the network was supposed to work when you set it up; we know how it actually works today. But then he goes on and he lays out five things you could do to make life hard for the NSA and for other sophisticated attackers.
I love that these are not rocket science. He talked about encrypted communications, using strong passwords, limiting user access, patching vulnerabilities and segmenting your environment. These are all things that we've known about for years, that everyone agreed are the best practices, but that when you get inside a lot of environments they're still not done.
It drives home this message that security is actually not impossible. So it's really an organizational challenge. How do you make the organization work?
CF: One of the things that you talked about was limiting user access and I think that we can agree that in most cases that means making sure that users have access to everything they legitimately need but only what they legitimately need. There is so much emphasis on the application design side today in improving the user experience and minimizing transactional friction. So is there a necessary tension between the security side and the user experience side?
NG: Security is essentially the practice of trying to impose differentiated friction. That is, you want to impose as much friction as possible on illegitimate actors and as little pressure as possible on legitimate actors. And one reason why I think we actually do a really bad job right now is because we don't understand our environments.
If you knew and understood what an individual needed to do in order to get their work done you could impose limits that wouldn't actually limit the user but would constrain an intruder trying to manipulate those credentials. The problem is we generally don't know what those needs and dependencies are.
The needs of a user, like the needs of a system, aren't static. They change constantly and they're not something that you can expect humans to track manually and keep up to date with static rules. It just doesn't work.
Part of the problem is in a lot of our environments we're writing security rules at a very low level. Today, we don't write most software in assembler; we write it in higher-level languages and we have machines that do the translation. We need more things like that in security, where we can express security policy at a high level and then have an intelligent system that does the translation, so that we can make high-level decisions and then make sure that they are carried out in the right way.
I've found that the average organization utilizes about 3% of the open connections that they enable within their data center; actually in many cases it's much smaller than 3%. So there's this huge scope of open, frictionless communication that a legitimate organization isn't using that you can close. This would radically constrain an intruder but would do very little to constrain the legitimate business.