The Advanced Persistent Threat Means We Need a Third Bucket

Gartner has always taken a simplistic approach to dividing their analysts in the consulting practice:  keep the bad guys out (defense) and let the good guys in (access).  I have no quarrel with these two buckets and they have made sense for some time, but I respectfully believe it is time the industry accepts a broader reality and adds a third bucket that addresses when the adversary has thwarted the first two buckets, which is happening with alarming frequency.

I was at the Capital Connection Show last week and had the pleasure to attend a luncheon roundtable discussion that included Gary Gagnon of MITRE and Debora Plunkett, NSA’s Information Assurance Director.  I found it interesting that the call to arms was not for better shields but for a better understanding of how to detect and eradicate adversaries that have made it through the defenses.  It was clearly a pragmatic view that offense is always ahead of defense, and that a continued emphasis on chasing the perfect shield was no longer viable.  Regardless of whether you like the term, the Advanced Persistent Threat is a reality, and the advanced persistent adversary is now organized, competent, and highly motivated.

Unfortunately, the IT security industry formed in a simpler time when the two buckets of defense and access were enough.  The entrenched thinking and alignment of products into these buckets have seemingly left no room for a third bucket.  When we brief the analysts or the press it is clear that while they understand what Triumfant does and the value our solution represents, there is a struggle to process the information because we do not neatly fit into a bucket or one of the sub-classifications in those buckets. I fear that it actually puts Triumfant at a disadvantage even though we effectively fill critical gaps in endpoint security and configuration management.

There is an interesting corollary when one looks at the evolution of the defense of the United States over the past 30 years.  When I entered the professional workforce in 1981 at what was then Martin Marietta, the U.S. Armed Forces focused on fighting a broad, land-based conflict in Eastern Europe against the Soviet Bloc.  For those too young to remember, military vehicles and uniforms were not desert khaki, but green.

Ten years later, America was fighting the first Gulf War and the military was scrambling to find khaki and brown paint – literally.  Military vehicles would pass on the highways and you could see they were hastily painted from forest green to desert brown.  Many of the vehicles and weapons built for the woods of Eastern Europe were not so effective in this new theatre.  The adversary was also different in nearly every aspect.  So we quickly found that our strategies and techniques had to be completely reset.  In spite of these challenges, the public was served multiple images of the sophistication of our weapons, creating a sense of confidence that our military superiority would shield our home soil from aggression.

Ten more years later on September 11, 2001, I stood at a window on the 27th floor of a high-rise office building in mid-town Manhattan as my brain struggled to process the data from my eyes as I watched the first of the Twin Towers of the World Trade Center shudder and fall.  The enemy was no longer in some faraway land most of us would never see; the enemy was among us.  The enemy had in fact lived among us, and we had trained them to have the skills to perform their acts of aggression.  Iconic buildings on our own soil had been attacked, and non-combatants were killed.

I did watch both towers fall, and I can assure you I do not invoke 9/11 lightly or use it as a casual metaphor.  That day the United States understood that defense was no longer about keeping the bad guys out, because they were already in.  The nation was forced to completely rethink security, come to grips with finding and removing embedded adversaries, and admit to the hard truth that there was no way to completely secure the perimeter.  The myth of the shield fell in the flames of the WTC and the Pentagon.

We are at that place with IT security and have been for some time.  The pragmatic know this and are well on their way to addressing the problem.  But the industry itself and many within organizations and government agencies are stuck on the concept of perfecting shields rather than dealing with the cold harsh reality of an adversary that has long since found ways to penetrate those shields in a targeted and systematic way at a rate that increases daily.

The larger, incumbent security software companies that started with shields predictably hold onto the premise and respond to problems by introducing new shields that the bad guys soon evade.  Organizations buy into the story because it simply feels better to think about keeping the bad guys out than admitting they have long since found their way in.  They rest on reports from AV software that show increasing detection statistics, which create a false sense of security because there are no statistics on what is getting through.  Yet outside statistics prove conclusively that things are getting through.

Folks, the world has changed and there is no denying it nor can we turn back the clock.  There has to be a third bucket that addresses what we do when the bad guys get past our defenses and infiltrate our systems.  My problem – I don’t have a good name for the bucket, so I am open to suggestions.  Regardless of what we call it, it is time to face the uncomfortable truth and adjust our thinking accordingly.

About Jim Ivers
Jim Ivers is the Chief Security Strategist at Triumfant
