Operations

5/28/2020 10:00 AM
By Maurice Uenuma, VP, Federal & Enterprise, Tripwire, former Special Ops Marine, and A.T. Smith, Former Deputy Director of the U.S. Secret Service
Commentary

How Elite Protectors Operationalize Security Protection

There is no silver bullet for cybersecurity. It takes the right people, with the right mindset, applying the right elements of good security from the data center to the SOC.

Second of a two-part series.

What do protecting heads of state, securing motorcades, defending forward operating bases, and conducting high-risk special operations raids have to do with information security? In Part 2 of this two-part series, the authors share four common principles of executive protection and military operations to help security teams prepare for a cyberattack.

Principle 1: Rehearse the Plan
Having laid the best plans and implemented all the security measures deemed necessary, elite protectors must still prepare for the worst. This means being ready to effectively respond to and mitigate the effects of a successful attack. In turn, this means training, training, and more training. Marines continually rehearse immediate action drills until the reaction is an automatic response. These drills cover common scenarios they are likely to face in combat.

The mind's ability to process information and make good decisions is degraded under stress. We don't become better thinkers when the moment comes — we become worse. For this reason, the Secret Service trains like no other agency to prepare for an assault on a principal. An agent's response — through regular training — becomes an automatic motor skill, something that happens naturally. This effect on a protector's mind can occur in any crisis situation, and applies to cybersecurity professionals as well. Immediate action drills and standard operating procedures are the default actions to take in the absence of any other guidance, and they must be rehearsed.

Principle 2: Watch the Target
The innermost ring of security is much more about watching than it is about managing access controls, barriers, barricades, and counterattack plans. A protective detail will always assign its most trusted agents to remain close to the principal. They are the last line of defense to address any threats that were not mitigated elsewhere. They do this by watching everything close to the principal — and the actual principal. Some threats are invisible, and sometimes things go wrong even without external threat actors. The only way to ensure security is to watch the person being guarded.

In cybersecurity, the equivalent principle is system integrity — monitoring protected systems for changes. This is important because, for any cyberattack to be successful, the attackers must make a change sooner or later: They must modify a setting, insert an executable, elevate privileges, or otherwise do something. If nothing happens, well … nothing happens.

Whether the principal is a human or a machine, changes that do take place are mostly routine, expected, necessary changes to perform the function the target is designed to perform. As a result, it's hard to detect those rare but significant anomalies. The level of fine-tuned anomaly detection needed to do this effectively can be achieved only when the protectors are able to sort through the expected and unexpected (or authorized and unauthorized) in real time.

In the Secret Service, the inner ring of a protective detail does not change often so that agents get to know the principal and are able to detect unusual activity. Similarly, in a cybersecurity environment, a well-tuned integrity management system can sift through the noise and alert on those significant changes when they do occur.
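The monitoring loop this principle describes, as an added example that is not the article's or Tripwire's own code: a minimal file-integrity check in Python that baselines a directory tree (content hash and permission bits), re-scans it, lists every change, and then splits those changes into ones that match an expected-change policy and ones that do not and should alert. The directory layout, the policy globs and the sample files it builds in a temporary directory are constructed for the demonstration.

```python
"""Added example (not from the article or Tripwire): a minimal integrity
monitor that baselines a tree, rescans it, and separates expected from
unexpected changes. Paths, policy rules and sample files are constructed."""
import fnmatch
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

Change = Tuple[str, str]  # (kind, path relative to the monitored root)


@dataclass(frozen=True)
class Entry:
    sha256: str
    mode: int  # permission bits only (stat.S_IMODE)


def snapshot(root: str) -> Dict[str, Entry]:
    """Record the content hash and permission bits of every regular file."""
    state: Dict[str, Entry] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are out of scope for this demo
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = Entry(digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return state


def diff(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> List[Change]:
    """List added, removed, modified and permission-changed files in path order."""
    changes: List[Change] = []
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before is None:
            changes.append(("added", path))
        elif after is None:
            changes.append(("removed", path))
        else:
            if before.sha256 != after.sha256:
                changes.append(("modified", path))
            if before.mode != after.mode:
                changes.append(("mode_changed", path))
    return changes


# Illustrative expected-change policy: (change kind, path glob). Anything the
# policy does not cover is treated as unauthorized and should raise an alert.
EXPECTED_POLICY: List[Tuple[str, str]] = [
    ("modified", "var/log/*"),  # logs are supposed to grow
    ("added", "var/log/*"),     # and to rotate
]


def classify(changes: List[Change], policy=EXPECTED_POLICY) -> Tuple[List[Change], List[Change]]:
    """Split changes into those matching the policy and those that do not."""
    expected: List[Change] = []
    unexpected: List[Change] = []
    for kind, path in changes:
        if any(kind == k and fnmatch.fnmatch(path, pat) for k, pat in policy):
            expected.append((kind, path))
        else:
            unexpected.append((kind, path))
    return expected, unexpected


def demo() -> Tuple[List[Change], List[Change]]:
    """Build a constructed tree, baseline it, change it, and classify the delta."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "var", "log"))
        os.makedirs(os.path.join(root, "usr", "bin"))
        log = os.path.join(root, "var", "log", "app.log")
        tool = os.path.join(root, "usr", "bin", "tool")
        with open(log, "w") as fh:
            fh.write("service started\n")
        with open(tool, "wb") as fh:
            fh.write(b"\x7fELF original build")
        os.chmod(tool, 0o755)
        baseline = snapshot(root)

        # Routine change: the log grows. Covered by policy, must not alert.
        with open(log, "a") as fh:
            fh.write("request served\n")
        # Significant changes: the binary's content is replaced, it becomes
        # world-writable, and an unknown file appears next to it.
        with open(tool, "wb") as fh:
            fh.write(b"\x7fELF replaced build")
        os.chmod(tool, 0o777)
        with open(os.path.join(root, "usr", "bin", "extra"), "w") as fh:
            fh.write("unknown\n")

        return classify(diff(baseline, snapshot(root)))


if __name__ == "__main__":
    routine, alerts = demo()
    print("expected:", routine)
    print("ALERT:", alerts)
```

The policy is deliberately an allowlist: the monitor reports everything that differs from the baseline, and only changes that a rule explicitly vouches for are filtered out, so a replaced binary, a flipped permission bit or a new file in a system path surfaces as an alert even though nothing about it was predicted in advance.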

Principle 3: Don't Rely on the Perimeter
There is always a tendency to assume that threats come from somewhere else, while familiar things inside are safe. It's a mentality more than a reality. Elite protectors must always assume compromise and prepare for it. Secret Service agents can't assume that the outer perimeter maintained by local law enforcement will keep assassins out, nor can they assume that physical barriers will be enough to stop threats. They must plan for a breach of the perimeter.

Similarly, cybersecurity professionals know that whatever perimeter they may have relied upon in the past is no longer viable as a defense. The expansion of mobile devices, the shifting of enterprise workloads to cloud-hosted environments, and the widespread use of software-as-a-service solutions mean that architecting a defensive posture predicated on an identifiable boundary between "inside" and "outside" is a recipe for failure. In short, nobody is assumed to be innocent by virtue of walking around inside the environment. For this reason, defense-in-depth and the zero-trust model are being adopted as more effective approaches to thwarting attackers.

Principle 4: The Right Mindset
One of the hardest things for elite protectors to do is to stay alert and ready when everything seems to be just another day on the job. Agents on a protective detail or Marines manning a defensive post must keep watch, day after day, whether there is an attacker nearby or not. Regardless of what the threat landscape may be, protectors must stand watch. Operating successfully requires a unique mindset. Elite protectors embrace observation as a way of life. Situational awareness, curiosity, and attention to detail are essential traits.

The same applies to cybersecurity professionals: To be successful, the ability to stay "in the orange" and maintain a high state of individual and collective awareness is essential. From consistently checking door locks and access badges to reviewing audit logs and ensuring timely patching, security is fundamentally a discipline in every sense of the word.

Principle 5: The Right People
People make all the difference. The key tenets of U.S. Special Operations Forces (SOF) are expressed in the "SOF Truths": humans are more important than hardware, and quality is better than quantity. It can be tempting for cybersecurity professionals to believe that new, better, or more technology investment will save the day. But humans remain central to all security disciplines. After all, it is humans who must accept risks to protect other humans, whether from bullets, bombs, or bits of malware.

The world's elite protectors know that there is no silver bullet to security. It takes the right people, with the right mindset, applying the right elements of good security. It's a discipline, a way of life. From the data center to the SOC, the principles of sound security apply—just as they still do in executive protection and special operations.

Back to Part 1: "What the World's Elite Protectors Teach Us About Cybersecurity"

Maurice Uenuma, Vice President, Federal & Enterprise, Tripwire
Maurice Uenuma is vice president, federal & enterprise at Tripwire. He was vice president at the Center for Internet Security (CIS), and Workforce Management co-chair of the National Initiative for Cybersecurity ...
 
