Finding The Hidden InfoSec Story

Tower Defence



Enterprise defence today is hard. Anyone reading the news regularly will have noticed a never-ending stream of attacks, breaches, and data lost to cyber criminals who attack either for financial gain or to cause a company harm.

The companies taking this threat seriously appoint someone to coordinate enterprise defence, and that someone usually receives a job title resembling Chief Information Security Officer, Information Security Director, or Manager. These very people then work to maximize the limited budgets companies have for security. And these very CISOs are also often the ones to take the blame when and if something happens. It is a tough position to be in, and one that warrants a new approach.

One such approach is to consider the job of the CISO analogous to playing tower defence games.

What is a tower defence game? Well, first off we have a map and a mission of protection. The attacks come along a predictable path that can be planned for, much as in threat modelling and threat intelligence. When attacks come, in waves or over time, we have to choose among a number of different defences to counter or shoot down these attacks.

Defences have attributes in common with cyber security. Each defence has a cost, so we’ll have to start with cost effective defences. Each defence has a likelihood of success or failure, so we’ll have to stack defences to ensure success. And as the attack progresses, some defences are successful for some tactics and ineffective for others. Careful planning, then, is needed to create an effective deployment of defences along the path the attacks take.

As an example, suppose we start with the most cost-effective defence, such as a laser tower. The laser tower will shoot down attackers, and as more and more attackers come, we’ll deploy more laser towers in strategic locations on the map. This resembles the CISO building an enterprise defence. However, the attackers will then evolve and start using flying attacks which your ground-facing laser tower cannot counter, at which point you’ll have to add to your laser towers or replace them with anti-aircraft missile batteries. This is the CISO deploying new processes, people and tools to counter new attack vectors that were getting through in unacceptable numbers. And so it goes, with each round escalating the attacks and defences.

In the tower defence game, you actually earn money by beating the earlier stage attacks, potentially giving you enough budget to build new defences for the later stage attacks. For the CISO, this is analogous to using past successes and proper planning to build the business case for investing in the security programme. The messaging becomes one of sustainably developing controls along established attack paths, understanding that programmes must be maintained and developed to keep pace with crime.

In sum, let’s make real life a bit more like tower defence games. Let’s understand the path the criminals take, understand that no one defence is completely effective, and that no defensive strategy survives beyond a couple of rounds. We promise not to build an expense-in-depth defence (thanks again, again for this phrase, Rick Holland). Instead, playing tower defence is a way to build a capacity for defence proactively – and justify the security budget.

This analogy was co-authored by J. Wolfgang Goerlich and Claus Houmann.

Author: Claus Houmann
