This was originally posed on The Analogies Project and co-written by Claus Houmann. Please visit The Analogies Project for more IT security analogies and ideas.
Enterprise defense today is hard. Anyone reading the news regularly will have noticed a never-ending stream of attacks, breaches, and data lost to cyber criminals that either attack for financial gain or to cause a company harm.
The companies taking this threat seriously appoint someone to coordinate enterprise defense, and that someone usually receives a job title resembling Chief Information Security Officer, Information Security Director, or Manager. These very people then work to maximize the limited budgets companies have for security. And these very CISOs are also often the ones to take the blame when and if something happens. It is a tough position to be in, and one that warrants a new approach.
One such approach is to consider the job of the CISO analogous to playing tower defense games.
What is a tower defense game? Well, first off we have a map and a mission of protection. The attacks come in a predictable path that can be planned for, similarly to threat modelling and threat intelligence. When attacks come, in waves or over time, we have to choose among a number of different defenses to counter/shoot down these attacks.
Defenses have attributes in common with cyber security. Each defense has a cost, so we’ll have to start with cost effective defenses. Each defense has a likelihood of success or failure, so we’ll have to stack defenses to ensure success. And as the attack progresses, some defenses are successful for some tactics and ineffective for others. Careful planning, then, is needed to create an effective deployment of defenses along the path the attacks take.
As an example, suppose we start with the most cost-effective defense such as a laser tower. The laser tower will shoot down attackers, and as more and more attackers come, we’ll deploy more laser towers in strategic locations on the map. This resembles the CISO building an enterprise defense. However, the attackers will then evolve and start using flying attacks which your ground-facing laser tower cannot counter, at which point you’ll have to add to your laser towers or replace with anti-aircraft missile batteries. This is the CISO deploying new processes, people and tools to counter new attack vectors that were getting through in unacceptable numbers. And so it goes, with each round escalating the attacks and defenses.
In the tower defense game, you actually earn money by beating the earlier stage attacks, potentially giving you enough budget to build new defenses for the later stage attacks. For the CISO, this is analogous to using past successes and proper planning to build the business case for investing in the security program. The messaging becomes one of sustainably developing controls along established attack paths, understanding that programs must be maintained and developed to keep pace with crime.
In sum, let’s make real life a bit more like tower defense games. Let’s understand the path the criminals take, understand that no one defense is completely effective, and that no defensive strategy survives beyond a couple of rounds. We promise not to build an expense-in-depth defense (thanks again, again for this phrase, Rick Holland). Instead, playing tower defense is a way to build a capacity for defense proactively – and justify the security budget.
Posted by