Two weeks ago, the world rejoiced during the Game of Thrones “Battle of the Bastards” episode as multiple villains in the show received their just due. It was one of the best episodes in the season, but what resonated the most with me was the scene when Sansa Stark tells her half-brother Jon Snow not to underestimate Ramsay Bolton, in the battle for her childhood home Winterfell.
“You’ve known him for the space of a single conversation, you and your trusted advisors. And you sit around making your plans on how to defeat a man you don’t know.
I lived with him…
I know the way his mind works, I know how he likes to hurt people.
If you think he’s going to fall into your trap, you won’t. He’s the one who lays traps.
He plays with people, he’s far better at it, he’s been doing it all his life...”
These are important lessons about understanding your opponent and really putting yourself in their shoes. It also reminded me of the asymmetric battle we fight every day. Attackers only need to find one hole—one exploit, one open port, one careless credential—to succeed, while we as defenders need to be right all the time. The level of effort and innovation being invested by the hacker community will continue to increase. The market for new and cleverer ways to defeat enterprise security is lucrative and driven by the spirit of the free market. The techniques that are—and will be—used by attackers are targeted, sophisticated and even collaborative. They’re far better at it, they’ve been doing it for a long time, they’re the ones who lay traps.
The only way to close the gap between the current state of IT security and the capabilities of the enemy is to outflank them; to beat them at their own game; to rip a page from the hacker’s playbook and out-innovate them. If we can better “predict attacks” and prioritize the right things to do, we can stay a step ahead.
Gartner, in their report “Designing An Adaptive Security Architecture for Protection from Advanced Attacks” by Neil MacDonald and Peter Firstbrook, published in Feb 2014 and refreshed in January 2016, states the following – “Enterprises are overly dependent on blocking and prevention mechanisms that are decreasingly effective against advanced attacks.... Comprehensive protection requires an adaptive protection process integrating predictive, preventive, detective and response capabilities”.
In other words, yes, you should have firewalls and IPS and all the other good prevention and detection security technologies. But those alone will not be enough without the missing layer of predictive security. It’s important to consider additional areas of security coverage. Take a look at the Gartner adaptive security architecture chart in Figure 1. The top left column, “Predict,” is an important emerging category: proactively anticipating new attacks against the current state of systems and information. The goal is that by predicting how attacks may occur, enterprises can adjust their security protection strategies to prioritize and address exposure.
Source: Adaptive Security Architecture – Gartner, 2016
“Predict” is an important and critical part of any security framework. If we can better anticipate and predict our opponent’s moves, just like Sansa Stark, we can adjust our defenses. The biggest issue with security today is not that we lack innovative security solutions; it’s whether we are using them in the right way, prioritizing the right things to do every day with our limited resources, and are able to react quickly and mitigate as many breach scenarios as possible before a breach happens.
Traditionally, security teams have used ethical hackers and red team consultants to unearth issues before a breach happens. But these are expensive, point-in-time engagements that are entirely dependent on the skillsets of the team members (and their favorite hacking tricks).
A better way to predict attacks is via breach or adversary simulation platforms. When you simulate hacker breach methods, you see how your infrastructure and systems look as a target, so you can make the right decisions to reduce your attack surface and exposure. Imagine the benefit of having the time to actually understand what the weaknesses in your security are and to remediate them before they are “exploited”.
You can use “predictive breach simulations” for the following:
There are several architecture considerations when you evaluate “predictive breach simulation” technologies:
If you’re not spending some of your security innovation budget on predictive security such as breach simulations, you should. The best kind of security is to understand what your opponent will think tomorrow, not find out what he/she thought yesterday. Don’t be stuck in this endless prevention/detection loop, playing catch up with your opponents.
Let’s take some lessons from Game of Thrones. It’s not enough to have warriors (and a giant) on your side in a battle; you need a security strategy that predicts what may happen, so you can stay one step ahead.