The focus on security has shifted from network security to enterprise information protection, where the main point is simple: data is the focus for both the offense and the defense, and the cost of defense grows more quickly than the cost of offense.
This imbalance is not going away, and as a planning input it dominates regardless of which side you are on. As the cyber world is a world of interconnections, a defensive failure outside of your view or scope may propagate to you. The most skilled opponents rely on such propagation, and they are persistent, their technology is advanced and the result is threatening.
That adds up to an advanced persistent threat (APT). While appropriate, the APT term -- which has its root in the military sector -- is messy because in the fall and winter of 2009 APT in one form or another began to show up in various marketing efforts, which watered it down. Let us define the term for the purpose of this article as follows: A targeted effort to obtain or change information by means that are difficult to discover, difficult to remove, and difficult to attribute.
Note that we use the word "and" in that definition. If the so-called APT is to be sufficiently different to be a separate species of cybercrime, it has to have the collection of all three difficulties. APT is to typical cybercrime as an elephant gun is to an ordinary rifle -- a matter of degree, but an important matter of degree. Not everyone who is a possible target is worth the expenditure of work by the attacker or the implicit exposure of closely held attack tools.
An aspect of sane risk management is to not invest more in protection than an asset is worth. This goes for car insurance, door locks and access control. It goes for many things, and its counterpoint for the offensive side is to not bother using arbitrarily powerful tools when the data can be gotten with simple throwaway tools.
In that sense, offense and defense calibrate each other, and if an APT is in play inside some enterprise, it is because the value of the data there warrants the risk and investment by the offense. The defense has to calibrate its defensive effort by the data's value as well, but the strategic asymmetry enjoyed by the offense means that as data value rises, a greater share of the total effort has to be expended by the defensive side.
It is natural for CIOs and other leaders to know something about this threat, but to have every incentive to provide the least expensive fix to the most present danger -- least expensive measured not only in coin, but also in process.
Given that the offense has the advantage of no legacy drag, the offense's ability to insert innovation into its product mix is unconstrained. By contrast, the CIO who does the least that can be gotten away with only increases the frequency of having to do something, not the net total work deficit pending.
In other words, the offense expends work whenever innovation is needed; the defense expends work each day and never catches up. Put differently, killing the most dangerous animal on the front porch each morning has no effect on the supply of dangerous animals waiting in the yard.
This "least expensive defense" is not insane, just ineffective because the offense is a sentient being with a strategic advantage. Solving an unbounded, amorphous problem does not generate much CIO enthusiasm, even when money is lying on the table unused; this is understandable.
The "least expensive defense" is also very difficult to calibrate. What does it mean if you add another defense to your infrastructure and then another offense promptly appears? Was that a win? Do you have any new information about how many more defenses it is going to take to win?
No, you did not win and you have no information beyond observing the latest defensive increment getting circumvented. Only getting in front of the threat can ever work; reacting to threat-after-loss has no effect on the future at all.
The most important part of an advanced persistent threat is the ability of its operator to mutate as needed. We see this so much already that we can almost say that the classic versions of defense are no longer of much relevance at all.
Antivirus has been rendered all but impotent by automated self-modification in ever more sentient offensive technology. Firewalls have been rendered all but irrelevant by tools that opportunistically hang their traffic on traffic that defense cannot afford to inspect, much less block. Auto-update has been rendered all but dilatory as the reverse engineering of patches into attack tools completes far faster than software updating does.
Even if you don't think the advanced persistent threat is all that advanced, realize that if this is so, it is only because it doesn't have to be when your defenses don't require it to be. Even more central, do not think that the supplier of defensive weapons will ever have weapons to thwart (the deployment of) offensive weapons that are sufficiently well targeted to hit only some people, some computers, some data. Antivirus vendors, firewall engineers, and/or auto-update operators simply cannot afford to deal with attacks that don't have high prevalence -- it is just not economical for them to try.
Trust is the lubricant of business. Competitiveness sometimes requires cooperation and cooperation always requires some trust. Your data is your wealth, but when you cooperate you share not only your good will but also your data, which is to say you share your wealth.
Your counterparty may not care about your wealth as much as you do, and so the sentient opponent -- the one behind this advanced persistent threat -- will decide to get at your data (wealth) by applying his tools to your data while it is on your counterparty's premises. Said another way: The one who will suffer the loss and the one who must prevent the loss may not be the same entity. This can work both ways: your firm may hold data for others, too.
Getting out in front does not happen by having the defense run faster. The offense has a strategic advantage and it can always run faster than the defense. Einstein called this one right when he said that doing the same thing over and over again while expecting a different result is the very definition of insanity. Making your signature updates, perimeter configuration, software update, or anything of the sort run faster will cost something, but deliver less. As the Harvard National Security Journal said on Feb. 22, 2010: "Analysts who measure the cost-effectiveness of defensive measures in cyberspace relative to the accelerating growth of new cyber attack methods suggest that the defending side in cyberspace is already at a severe disadvantage and that the offensive-defensive gap is widening."
In medicine, there is the concept of "no therapeutic difference," which occurs when further precision in diagnosis can make no further improvement in what can be prescribed. In the world of advanced persistent threats, a sufficiently targeted attack is indistinguishable from a corrupt insider. Distinguishing whether it is an APT or a corrupt insider has no therapeutic difference.
As has been written everywhere and at once, the corrupt insider may be exceedingly rare, but if he does exist his damage potential more than makes up for his rarity. More to the point, if this APT is really advanced and persistent, you should assume that "they" have been in your systems before. You should assume that they have social engineering skills that will turn trusted employees into corrupt insiders with an alibi.
When you are losing a game that you cannot afford to lose, change the rules. The central rule today has been to have a shield for every arrow. But you can't carry enough shields and you can run faster with fewer anyhow.
The advanced persistent threat, which is to say the offense that enjoys a permanent advantage and is already funding its R&D out of revenue, will win as long as you try to block what he does. You have to change the rules. You have to block his success from even being possible, not exchange volleys of ever better tools designed in response to his. You have to concentrate on outcomes, you have to pre-empt, you have to be your own intelligence agency, you have to instrument your enterprise, you have to instrument your data.
With data, not networks or infrastructure, as the unit of surveillance and action, an adaptable approach to data security is possible. Not another shield for every arrow, but a comprehensive fortress of information control and risk management -- a unifying framework that can best be described as Enterprise Information Protection (EIP).
EIP unifies data-leak prevention, network access control, encryption policy and enforcement, audit and forensics, and all the other wayward data protection technologies from their present state of functional silos into an extensible platform supported by policy and operational practices.
This unified, enterprise-wide, platform-centric ideal is a state change in thinking for many CIOs, yet those who manage the network and see daily the advantage the offense enjoys know all too well the deficiencies in our arsenal. This is not to cry "the sky is falling," but rather to be clear that the more advanced and persistent the threat, the more getting out in front of it is the only option other than surrender.
Geer is chief scientist emeritus at Verdasys, a provider of solutions to secure proprietary and sensitive data for Global 2000 companies. Geer is also CISO at In-Q-Tel and the author of several books on risk management and information security.