The constant back and forth tactical battle between malicious attackers and defenders is often referred to as a cyber security race. The Merriam-Webster dictionary defines a race as “a set course or duration of time; a contest of speed”. I really do not agree with this analogy, as a race to me implies that at some point there will be a finish and a winner.
The definition implies a set course or duration of time as well. I have been in cyber security for over sixteen years and have yet to identify a set course. If there is anything I have learned in those sixteen years, it is that while things do tend to stay the same, as soon as you become complacent, bad things can and will happen. Cyber security is constantly evolving and changing; we have to change with it and understand that it can be somewhat unpredictable at times. I am also unaware of any set duration of time for cyber security; actually, the duration of time might be answered with forever.
I have begun to view cyber security less like a race and more like a game I used to play when I was a child in grade school, Leapfrog. The rules of Leapfrog are actually fairly simple and straightforward:
- The first person kneels down on the ground, bending at the knees with their head down and back parallel to the ground in a sturdy stance.
- The second person runs and “leaps” over the first person by using their hands planted on the first person’s back for leverage.
- The first person then stands up and the second person assumes the knelt position.
- The first person then runs and “leaps” over the second person using the same technique.
These 4 simple steps continue until we run out of room or someone gets tired. Notice there is no winner and the duration is as long as it takes for someone to get tired and give up. Doesn’t Leapfrog sound a lot like cyber security now?
Why the constant back and forth between attackers and defenders?
The answer, in my opinion, is actually rather simple: innovation. The Wikipedia description of innovation is right on point, stating: “Innovation is the application of better solutions that meet new requirements, in-articulated needs, or existing market needs”. It then goes on to state: “This is accomplished through more effective products, processes, services, technologies, or ideas that are readily available to markets, governments and society”.
Is that not one of the best descriptions of the constant tactical battles we find ourselves in every day in cyber security? As defenders, we are constantly identifying and implementing new solutions to better defend our organization’s technology environment through more effective products, processes, services, technologies, and ideas. At the same time, attackers are identifying and implementing new solutions to attack our organization’s technology environment, circumventing the innovative products, processes, services, technologies and ideas we implemented.
How can understanding all this help us as defenders?
Going back to Leapfrog, we know that speed and strength will play only a small factor in the game, and the core factor is endurance. Endurance is “the ability to withstand hardship or adversity; especially the ability to sustain a prolonged stressful effort or activity” according to the Merriam-Webster online dictionary.
Training for endurance as an athlete is very different from training for strength or speed, so shouldn’t it be different in cyber security? Endurance in cyber security must be a major factor in selecting the most efficient and innovative methodologies, products, processes, services, technologies, and ideas for defending our organization’s technology environments.