Firewalls and Football

Now that we are well into the fall football season, this is a good time to observe some of the things we can learn from football to develop a sound protection strategy for our enterprise networks. Consider for a moment what would happen if the defensive line of a football team were to place the same players in the same line-up play-after-play, game-after-game. You don’t need to know the intricacies of football strategy to realize what would happen.

First, the offense would quickly adapt their plays to exploit the weakest aspects of their opponent’s defense, and then they would proceed to score relentlessly against them. Common sense suggests that an effective defensive strategy has to be dynamic. The defense needs to understand the strengths of their opponents, develop a game plan that can weaken those strengths, and force plays in a particular direction that can slow or stop the offensive gain.

Now let’s consider a network defensive strategy. What if we tried to use the same firewall port filters, the same IDS signatures, the same email spam scrubbing, and the same response strategy over and over? The opposition will naturally adapt their techniques. They will learn your defenses and find a way around them. Here’s an interesting look at how technology defense can learn from Sun Tzu’s Art of War.

Don’t think you have any opponents? Think again. If your business has money, intellectual property, and/or computing resources, then there are others that would like to gain from your losses. They are your opponents, and you need to defend your business against them.  There is no such thing as a nice quiet neighborhood on the Internet. When you connect to the Internet, you are joining in with billions of other Internet users in the entire world. Along with this come some great opportunities to expand business and also all of the malicious and competitive attacks against you.

So what do we do? Let’s look back to football. The defensive strategy starts well before game day. The defensive coordinators will study their opposition. They will observe the strength of their players, observe the plays they have used, observe the sequences of running and passing, consider what other defensive strategies have been successful. They will use this information to help identify and build a defensive strategy for their own team.

For example, they may focus on the rush to shut-down a star quarterback’s passing play. They will strengthen the primary to stop a running play.  They will match the skills of their secondary against the offensive receivers.

Likewise, the planning does not stop when the game starts. If the planned strategy is not working, the defensive coordinators will adjust the strategy, change the line-up, and make adjustments. Tactical changes are as necessary as the overall strategy.

So both strategy and tactics need to be dynamic. How do we build that kind of dynamics into a network defensive strategy? This is the basis behind the Security Event and Threat Analysis (SETA) service offered by AT&T, and perhaps there are aspects of this in other Managed Security Services. Inherent in such a service is the Security Operations Center (SOC), but it is more than that. An effective SOC needs five elements:

1. Insight – It needs insight into the many offensive strategies used by many attackers. It is not sufficient to be looking at one enterprise and gain the level of understanding that is needed to see new attacks in development and to see how those strategies evolve in time. You want coordinators that know the landscape.

2. Strategery – Strategery wasn’t a word until coined by George W. Bush some years ago and kept alive by Will Ferrell in numerous episodes of Saturday Night Live.  But I find it fitting here. The SOC needs to partner with customers to become a defensive coordinator for a network. Their role is to learn about the threats, observe trends, and prepare plans for preventing the opponents from executing successful plays/attacks against an enterprise.

3. Creativity – Attackers are creative and continually evolving. That means the protective strategies also need to be continually evolving in an innovative manner. It is not enough to have a set of tier 1 analysts that simply respond to events with a scripted response plan. There needs to be a tie into a research and development community that can help provide innovative and new detection and protection strategies for customers.

4. Depth – Similarly, as new types of events are discovered in the community and as new types of situations occur with customers, there needs to be a full repertoire of escalation paths that help to adapt the service to counter the changing offensive strategies of attackers.

5. Teamery – Okay, teamery isn’t a word any more than Strategery, but it fits. The SOC is a coordinating component for preventing and mitigating security threats. The SOC generally does not design or control the network. It generally does not design or operate the systems connected to the network either. The SOC needs to be in a position to build team relationships with the IT partners in an enterprise and establish all of the necessary plans for managing scenarios that are expected to take place. As the legendary football coach Paul “Bear” Bryant, from Alabama, said, “You must learn how to hold a team together. You must lift some men up, calm others down, until finally they’ve got one heartbeat. Then you’ve got yourself a team.”

The next time you watch a game of football, consider how the dynamics of your protection strategy can help protect your business.  Make sure candidates for your service are able to provide good answers to your questions about the 5 elements needed in a Security Operations Center.

How about you?  How do you see security adapting and changing in light of new threats?  What do enterprise-level security professionals need to watch for today? What steps have you implemented that work?  We’d love to hear from you and get your opinion.
Brian Rexroad, Executive Director of Threat Analytics, AT&T