As security professionals, we pride ourselves on our ability to evaluate and manage risk. But there is one problem that we all know but never quite want to admit: measuring risk is really hard to do. Risks are ideally calculated from multiple data points of stable historical evidence (think actuarial tables). In information security, the historical data is far from stable: cyber attacks are perpetrated by motivated human beings who shift tactics over time.
In his book Antifragile: Things That Gain from Disorder, Nassim Nicholas Taleb describes a novel way of thinking about risk. He argues that risks are much too hard to predict. Instead, he introduces fragility as the better measure of an organization's ability to prevail against threats. The goal is to be "antifragile" against any event, predicted or not, that could affect the organization, instead of building defenses against specific threat scenarios. Further, a good way to become antifragile is to experience "shocks" that may cause some harm but do not cause irreparable damage. This creates resiliency.
Resiliency is the big buzzword of today. Many organizations don’t seem to realize that they are fragile even though the evidence is staring them in the face. They go through periodic red team or penetration tests that uncover critical issues. During the tests they may not even detect any signs of hostile activity. What’s the answer? “Well, those pen testers always get in.” But aren’t you building and buying defenses and training people to always keep them out? Don’t you take care to have defense in depth?
It’s not just a matter of fixing the gaps that were found, such as some poor account passwords or bad configuration settings. If testers get in, your defenses are fragile. You need more “shocks” (i.e., testing) to make them antifragile.
The military has a saying, “we train the way we fight.” Unfortunately, our security teams rarely train even though they are defending against adversaries who constantly create, modify, and test attacks. Worse yet, some companies’ “training” consists of once-a-year “tabletop” exercises in a conference room.
Fortunately, there are more ways to build resilience cost-effectively in our security staff, processes, and controls against simulated threats on a regular, continuing basis. Many security organizations have a lot of tools but have no idea how effective those tools truly are. Is your security program antifragile? If you are relying mainly on Indicators of Compromise (IOCs) instead of adversarial behavior models (e.g., MITRE ATT&CK), your security program is not very resilient.
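To make the IOC-versus-behavior point concrete, here is an added example (not code from this post or from Bobcat Cyber) that runs an exact-match IOC rule and an ATT&CK-style behavior rule over three constructed process-creation events; the second event is the same technique after the attacker rotated the file hash and destination address, which is exactly the "shock" an IOC-only program fails. Field names, indicator values, and command lines are all assumptions made up for the example.

```python
import re

# Constructed process-creation events (not real telemetry). Event 1 repeats the
# behaviour of event 0 with a fresh hash and C2 address; event 2 is benign admin use.
EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJD",
     "sha256": "aaaa1111", "dest_ip": "203.0.113.10"},
    {"parent": "WINWORD.EXE", "image": "pwsh.exe",
     "cmdline": "pwsh.exe -NoProfile -WindowStyle Hidden -EncodedCommand QUJD",
     "sha256": "bbbb2222", "dest_ip": "198.51.100.7"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1",
     "sha256": "cccc3333", "dest_ip": "10.0.0.5"},
]

# IOC rule: exact match on atomic indicators recorded from a previous incident
# (constructed values). It can only ever recognise what it has already seen.
KNOWN_IOCS = {"sha256": {"aaaa1111"}, "dest_ip": {"203.0.113.10"}}

def ioc_match(event):
    return any(event[field] in values for field, values in KNOWN_IOCS.items())

# Behaviour rule: an Office application spawning a hidden shell that runs an
# encoded command. This describes the technique, not a particular sample.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
ENCODED = re.compile(r"-e(nc|ncodedcommand)?\s+\S+", re.I)

def behavior_match(event):
    return (event["parent"] in OFFICE_PARENTS
            and HIDDEN.search(event["cmdline"]) is not None
            and ENCODED.search(event["cmdline"]) is not None)

def evaluate(events, rule):
    """Return the indices of the events a rule flags."""
    return [i for i, e in enumerate(events) if rule(e)]

if __name__ == "__main__":
    print("IOC rule hits:      ", evaluate(EVENTS, ioc_match))       # [0]
    print("Behaviour rule hits:", evaluate(EVENTS, behavior_match))  # [0, 1]
```

The IOC rule goes silent as soon as the indicators change, while the behavior rule keeps firing on the rotated variant and stays quiet on the benign event; the behavior rule is the one worth exercising with regular simulated attacks.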
It’s time to change our mindset from just buying tools to optimizing the tools we have. At Bobcat Cyber we help organizations safely simulate real-world attacks in their environments so they can improve their resiliency. Drop us a line at firstname.lastname@example.org if you’d like more information.