Threats versus capabilities

One of the first things you learn as a defense analyst (my first real job) is the difference between assessments based on threats and capabilities. For example, Britain has the capability to launch a nuclear strike against the United States, but there is no real threat of this actually happening. As another example, the greatest threat presented to the US by other states’ WMD capabilities is due to the possibility of the weapons falling into the hands of terrorists. The attributable use of WMD by states themselves can be deterred quite effectively through US capabilities: the Cold War is a case in point.

In the case of cybersecurity, deterrence is hard: there’s not a lot that you can do to reciprocally threaten your adversaries, even if you’re a government. And most of the threats facing governments (and the overwhelming majority of threats facing everyone else) at present are based on network infiltration and data exfiltration, versus other, more spectacular forms of exploitation. Infiltration and exfiltration aren’t really spectacular enough to warrant an escalated response even if attribution is possible, and frankly NSA ought to be doing that sort of stuff to other states anyway, so there’s not much deterrent value for the US there. Making mildly embarrassing comments about other governments doesn’t really amount to much in the wider scheme of things.

On the other end of the threat spectrum, taking down sensitive government networks or SCADAs is not very likely anytime soon precisely because those are spectacular acts, and the organizations that might have those capabilities don’t want or need to do that sort of thing now. Most states have little incentive and a lot to fear (deterrence again!) in case of attribution of such acts, so outside of a shooting war or the willingness to enter one, don’t expect this sort of thing. Organized crime similarly would have a lot to fear from taking down SCADAs (there are better ways for them to make money) and no good reason to attack most government networks. And terrorists generally have more effective ways of attracting attention and spreading fear.

In general, DoD offers a weak form of extended deterrence to US and even international network operators: for example, it’s not impossible to imagine the US positioning some forces in the Russian near abroad on behalf of NATO in response to a more dramatic reprise of the 2004 Estonian cyberattacks. If a state didn’t keep its citizens or proxies from waging large-scale cyberattacks on another state, that tacit or explicit sanction might be enough to justify conflict escalation. And the states who might provide that sanction are usually also states that have authoritarian governments capable of shutting down private access to networks in order to avoid conflict escalation. The actions of the Iranian government in June 2009 clearly illustrate this point.

In short, the realistic threats that face organizations are infiltration and exfiltration, along with denial of service. More spectacular attacks are likely to be confined to government organizations or critical infrastructure only as adjuncts or precursors to a broader campaign including physical attacks, or at least inviting physical retribution.

Another thing to keep in mind is that in cybersecurity threats and capabilities are strongly correlated: insiders and sophisticated criminals or states can do a lot of highly targeted damage, though most organizations’ significant exposure is limited to the first one or two of these. Because predictable economic considerations typically determine the behavior of these actors, security infrastructures can and should take this into account. Measures like access controls, configuration management, backups and encryption can be a much more effective use of limited resources for a lot of organizations than network monitoring or intrusion detection appliances, and managed hosting can avoid a lot of worries about DoS.

But try to find an IPS vendor who will admit that rigorous configuration management can be more effective than their product for any organization with a constrained budget and a “fail-open” policy (which means just about everyone). I doubt you’ll find one. IPS is mainly useful for easily detectable attacks that patching should generally take care of, but the vendors will talk about defense-in-depth and hope you either don’t practice good configuration management or are willing to spend money on mostly redundant efforts.

The advantage of a network monitoring system compared to an IPS or even an IDS is that network monitoring can always fill a real gap in defense-in-depth strategies for large or especially vulnerable organizations facing significant threats and willing to spend the time and effort to mitigate the progress and effects of successful attacks. An IPS should be mostly redundant if you patch well, and an IDS will only give you a picture of what it thinks are attacks, while including a lot of time-consuming false alarms, missing the attacks it fails to recognize (false negatives), and omitting a lot of other useful information about network traffic.

This is why we decided to build a network monitoring platform that is based on giving you broad visibility into your network traffic. Think of our platform as like a security camera. If you had a safe that someone tried to break into, the first thing you’d want to do is check the tape, even if the theft was unsuccessful or the alarm went off. You’d want to see clues that were left or determine if anything else might be missing. That’s not to say that a clever person might not be able to bypass or fool the camera, but it still provides a distinct layer of defense beyond locks and dumb sensors that also helps to deter anyone worried about getting caught.

The bottom line in security is always that if a bad actor really wants to do something and has the capability to do it, they will. Penetration testers can scare almost any organization into spending more on security because by their nature they tend to represent capabilities more than likely threats. But most organizations don’t really face significant threats that aren’t better handled with simpler, cheaper and more obvious tools than an IPS.

Often people get caught up in the hype and cyberpanic that is generated from new exploits or viruses or the like, and that rewards a culture of security vendors and professionals that already has an incentive to manufacture threats in order to drive sales or recognition or budgets. This is ultimately counterproductive for security consumers. Focusing on actual threats instead of crying wolf about theoretical capabilities is better for real security and for the bottom line.

2 Responses to “Threats versus capabilities”

  1. Cyberterror: menace or myth? « Equilibrium Networks Says:

    [...] some people who do or might–such as myself) agree. I’ve talked about similar themes here and here and here, among other entries on this [...]

  2. The chimera of cyberdeterrence « Equilibrium Networks Says:

    [...] security—not just information security. Professionals mitigate risk and concern themselves with threats, not vulnerabilities. Attacks will inevitably happen. Some will be more successful than others. The point is to work to [...]