Those who know me well know that American football is my favorite sport and that I often use football terminology to explain the world of cybersecurity. Here are a few of my tips to help you gain an idea of where your security program stands maturity-wise (or even a little more information for when you’re watching next week’s matchups).
On the defensive side
Cover 0, Cover 1, Cover 2, Cover 3, Cover 4 are all football zone coverage schemes. The number indicates how many defensive backs (DBs) are dropping back into coverage, with the remaining defensive backs performing other tasks such as blitzing or playing man-to-man coverage. These zone coverage schemes remind me of enterprise segmentation. Enterprise segmentation is the act of dividing a network into zones to provide additional security through impeding, controlling and monitoring unauthorized traffic between zones. This prevents intruders from easily moving laterally throughout the network and stealing or destroying valuable data, much like zone coverage helps the defense cover the entire field to prevent a successful catch.
A prevent defense features at least five DBs all dropping back into coverage. This scheme, often deployed by teams that are up big—maybe by three touchdowns in the final minutes of a game—is used to prevent deep passes but allows for shorter gains that keep the clock running. In the cyber world, layers of defense are necessary. Slower and more complex attacks are defended against via greater defense in depth and more diligent separation of valuable assets and activities. Today’s attacks will not be stopped via a single safeguard, but rather through a collection of them. If we keep letting the attackers make short gains, or in other words, move laterally (east to west) through a network in search of valuable assets and data, trouble will follow.
The route tree is a way to boil down the basic passing routes into a one-through-nine numbering scheme. These numbers often are used when calling a play. For example, a “1” route is a flat route, a quick-hitting pattern in which the receiver takes three steps and breaks out toward the sideline. Every security organization needs plays to run when it comes to Incident Response Plans (IRP). Developing and institutionalizing rules and procedures for making and monitoring decisions on strategic concerns, specifically internal and external threats to the business, are also key elements of executive commitment to incident response.
Reviewing Cybersecurity Game Tape
A healthy organization (team) should be able to implement six basic foundational principles for incident response, according to NIST SP 800-61, Computer Security Incident Handling Guide: preparation, identification, containment, eradication, recovery and follow-up. One key way to practice those plays is through tabletop exercises. These are discussion-based exercises in which your staff meets in a classroom-style setting or in breakout groups to discuss their roles during an incident and their responses to a particular cyber incident situation.
A leader (coach) presents a scenario and asks the participants questions related to the scenario, initiating discussion among the participants about roles, responsibilities, coordination and decision-making. These tabletop exercises are discussion-based only and do not involve deploying equipment or other resources.
Creating a strong o-line
Having played offensive line (many decades ago), I can tell you the Pancake Block—when a blocker knocks a defender “flat as a pancake”—was my favorite. In cybersecurity, the Intrusion Prevention System, or IPS, offers this protection. The IPS often sits directly behind the firewall and provides an additional layer of analysis that looks for dangerous content. Think of your IPS as an offensive lineman who can prevent attackers from entering your network. When a known event is detected, the packet is rejected, leaving that malicious traffic flat as a pancake.
The Weak Side
The weak side of a formation in football is whichever side the tight end does not line up on, or the side of the formation with fewer offensive players. In enterprise cybersecurity, people are our weak side. Consistent security training is crucial for organizations to reduce risk and ensure the security of data within the organization.
As I have said for more than 20 years now, security-awareness training is the cheapest risk-reducing measure that an organization can take. Unfortunately, my mantra has not seemed to stick, because organizations rarely enforce this type of training. A consistent training strategy helps organizations cover their weak side and enforce a strong security posture across all areas of the business.
The Blind Side
No, not the movie; it is a term for the side of the offensive line that the quarterback is facing away from while in the pocket. For right-handed quarterbacks, the left tackle protects the blind side. This is similar to the back door we discuss in cyber. Back doors subvert an organization’s attempt to restrict access to systems by effectively removing the fence and allowing entry by simply walking past the locked gate. Back doors are a shortcut to the system.
The solution to shutting the back door lies in system log files, but it is not easy. Processes are necessary, but as we have seen, they can be subverted if we do not orchestrate all security resources properly. People, technology and processes have to work cohesively to fight the bad guys. Once you have those cohesively working, you are well on your way to security transformation.
Playing as a Team
Just like football, cybersecurity is a team sport and requires unity of people, process and technology to reach maximum maturity in your security transformation journey. Customers are finding it difficult to both manage and reduce risks to their organizations. They need the ability to communicate the business value of security solutions to executive leadership and champion a security-centric corporate culture across the enterprise.
We help customers mature the major components of an enterprise security posture: endpoint protection, security architecture, enterprise segmentation, identity and access management, and next-generation firewall platforms. We have decades of experience across all solution areas, as well as deep understanding of the security landscape through a legacy of experts representing multiple industries. We also have today’s leading and emerging security OEMs represented in our Advanced Technology Center for integrated solution demonstrations, sandbox environments, proofs of concept and lab as a service engagements.
To see where your team is at or for help building your lineup, request one of our security workshops.