
Hacking is Sexy, But Defending is the Grown-up Thing To Do

Defending is an Important Piece of the Security Puzzle Too Often Missing From the Broader Dialogue

I’m always amazed at how much press hacks, exploits, and vulnerabilities get.  I don’t mean to imply that understanding what makes systems vulnerable and how attackers might exploit those vulnerabilities isn’t extremely important -- of course it is.  The work that the research community does in this area is critical within the information security field.  Understanding the gaps and holes our organizations have and how attackers might take advantage of those gaps and holes is an important part of understanding the threat landscape.  In turn, as I and many others have discussed previously, understanding the threat landscape is a critical tool that can and should be used as part of a strategic effort to manage, mitigate, and minimize risk.

I’ve lost count of the number of conferences that exhibit, discuss, and celebrate hacking.  Of course, it is important for security researchers and others to have a forum in which to show their findings.  My point here isn’t to criticize these events or detract from them, but rather, to ask a simple question from a slightly different angle. Where are the conferences that exhibit, discuss, and celebrate the defender?  In other words, where are all the press and lauds for those that toil endlessly and dedicate themselves to protecting their organizations and the information those organizations are entrusted to safeguard and protect?

From my perspective, defending is an important piece of the security puzzle that is all too often missing from the broader dialogue.  To put it another way, what is the “so what” factor that comes from the hacking piece of the puzzle?  Hacking is great, but the knowledge we gain from those efforts needs to find its way into practical application and operations.  Essentially, we as a security community need to remember the defenders and allow them to apply and leverage knowledge gained through other efforts within the security space.  Hacking is sexy, but defending is the grown-up thing to do, even though you’ll never see someone who solved their alert fatigue issues and runs an efficient security operations program on the six o’clock news.

So what can we as a security community do to help bridge the gap between hackers/researchers and defenders?  Here are a few thoughts:

● Broaden the forum:  Everyone loves to see a great hack, a new vulnerability, or a clever exploit at a hacking or security conference.  The researchers that help us learn through their findings are certainly doing very important work.  But it seems to me that this is only half of the picture.  What about taking all of that important knowledge and applying it to solve operational problems in an effort to improve an organization’s security posture?  Why not open up the stage to defenders and others that have taken work from the research community and successfully applied its findings to their operational environments?  Unfortunately, I don’t see enough of this in the security world.

● Provide context and understanding:  Security is, in essence, a risk mitigation profession.  When boards, executives, and managers hear of the latest hack or vulnerability, they may press the security team for action.  But what’s often missing from this dialogue (or perhaps monologue) is a true understanding of what risk a new find introduces to the organization.  There is tremendous potential to provide critical context and understanding here.  Mapping the hack to the risk it introduces can help organizations understand, deliberate, and act in a strategic and logical manner.  But all too often, I see organizations make knee-jerk reactions and act in a haphazard and illogical manner.

● Shrink the attack surface:  Many people are interested in what attackers, adversaries, and hackers are busy with.  Understanding this is, not surprisingly, a great way to understand how the threat landscape organizations face is changing and evolving.  But there is another angle that is, unfortunately, seldom taken advantage of.  Knowledge of who and what might be targeting our organization, industry, or geographical region and why can help us identify and prioritize risks to the organization.  In turn, we can use this information to shrink the attack surface we’re trying to defend each and every day.  Less noise and a more defined problem generally mean greater overall visibility and awareness into what is happening within our organization.  The potential here is tremendous, but it requires bridges between the researcher and defender worlds that are few and far between.

● Improve efficiency:  I’m sure we’ve all seen people spend large amounts of time on activities and tasks whose value-add we question.  It’s easy to be a critic, but how can security leaders improve efficiency and focus valuable resources on the most value-added activities and tasks?  While there are many approaches, understanding what attackers are after and how they go about accomplishing their goals can help organizations invest precious and limited resources more wisely towards the goal of mitigating risk.  This, in turn, improves efficiency by reducing time and money wasted on activities and tasks that have little to no value-add when it comes to reducing overall risk to the organization.

● Learn and improve:  No organization is perfectly secure or bulletproof.  Understanding how attackers succeed in infiltrating our organizations is a tremendous opportunity to learn, reflect, and of course, take action to close gaps and fill holes.  As defenders, we should be sure to focus on what attackers are doing, as it can help us learn an awful lot about our organizations and improve our security postures.

Unfortunately, whether we like it or not, the security world is somewhat divided between hackers/researchers and defenders.  Each side is doing extremely important work but may not fully appreciate the work being done on the other side of the divide.  As a security community, if we work to build bridges between researchers and defenders, we can help apply important knowledge to real operational problems.  This, in turn, will greatly aid us as a community in improving the security postures of our organizations.

Joshua Goldfarb (Twitter: @ananalytical) is CTO – Emerging Technologies at FireEye and has over a decade of experience building, operating, and running Security Operations Centers (SOCs). Before joining nPulse Technologies, which was acquired by FireEye, as its Chief Security Officer (CSO), he worked as an independent consultant where he consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career Goldfarb served as the Chief of Analysis for US-CERT where he built from the ground up and subsequently ran the network, physical media and malware analysis/forensics capabilities. Goldfarb holds both a B.A. in Physics and an M.Eng. in Operations Research and Information Engineering from Cornell University.