Jon Watson's Death by Tech Newsletter

When You Don't Need Security Is When You Need Security

I worked at a number of jobs when I was younger before I finally ended up in my technology career. I think most people go through a bunch of similar jobs growing up, such as working in the hospitality industry. While I did have a burgeoning career in cooking, I left that at one point and got into physical security. I joined the army reserves (AKA “the militia”, but not to be confused with the American-style prepper gun nut militias) as a part-time job, and for my full-time job, I worked as a security guard. I’m not in the physical security field anymore, but there’s a lesson I learned during that time that has stuck with me for my entire career and still serves me well today in the information security field; it’s the topic of this post.

When I was toiling away in the middle of the night as a security guard at hospitals and truck companies, my supervisor would stop in a few times a night. He’d always want to see my rounds report and he would always tell me to put more detail into it. I’d say “but there’s nothing to say, nothing happened”. He’d reply “Nothing happened because there’s a security guard roaming around randomly looking for trouble. We need to make sure the client knows that.”

Eventually, I got out of my security guard mindset and started thinking like a manager. I don’t know who hired our company to provide security at these companies, but someone did. And that person has to justify that cost to someone periodically. I started to realize that the measure of success for that person’s decision is that NOTHING HAPPENS. But you know what’s really hard to justify at budget meetings? Spending money on something when NOTHING HAPPENS. I started putting more detail into my reports at that point because I started envisioning that person defending my wage. I started recording when I noticed a padlock unlocked, or a car I hadn’t seen before driving by the compound, or an office door open that is usually closed. I wanted to give that person a good idea of what they are paying for and give them the tools to continue paying me. I envisioned the finance people at the meeting denying the security budget request because “we don’t need that, nothing happens anyhow.”

Infectious Disease

This problem isn’t just a security problem, it exists in many areas. Anti-vaxxers are an example. In recent memory, anti-vaxxers decided that inoculating the population against measles was no longer necessary because nobody has measles anymore. Well, guess what happens when you remove the thing that is making NOTHING HAPPEN? You get a measles outbreak in one of the most medically advanced countries in the world. (CDC)

The majority of cases were among people who were not vaccinated against measles

Nothing was happening because something very important was happening - vaccinations.

Infosec

It’s hard to put a value on security. That is true in the physical security world and it is true in the infosec world. When security works, nothing happens, and it’s hard to predict what could have happened if the security was not in place and the value of the damage that this thing-that-did-not-happen could have caused.

Infosec prevents things from happening by employing the “kill chain”. Yes, the “Cyber Kill-Chain” (or Intrusion Kill Chain) is a model, just like its roots in the military kill chain. It has problems, but so does the OSI model, and we use that all the time. Infosec is effective because it severs the kill chain at the earliest possible opportunity, which renders the attacker unable to complete their mission. (Sucuri)

Infosec “security guards” identify reconnaissance activity and mitigate it; NOTHING HAPPENS because the attacker cannot get enough intel to proceed to step two and weaponize an attack effectively. At my work, we sometimes see customers decide to let their Web Application Firewall (WAF) subscription lapse; some of them actually cite cost as the factor. A measurable chunk of them come back a month later with an infected website. The WAF broke the kill chain for them, and when they removed it, the attackers were able to advance their attack successfully. But because the WAF was working, the perception is that NOTHING HAPPENED, so there was no monetary value in maintaining the subscription.

Reporting

These are but a few examples to show that reporting matters. A lack of incidents doesn’t get noticed; we need to find a way to report the unnoticeable things that are preventing noticeable things from happening. The CDC graph and narrative do a good job of this: they show that there is a correlation between measles outbreaks and a drop in vaccinations. It is much harder to do this with infosec because it’s more difficult to determine what is deliberate recon and what is just weird traffic. And, even more importantly, if you are reporting an incident further along the kill chain than reconnaissance, you’re effectively reporting that something DID happen despite the measures in place, but was still mitigated at later steps.

It’s no secret that I use the Sucuri WAF to protect my sites and we go out of our way to provide reporting to our customers so they know there’s a reason that NOTHING IS HAPPENING to their site.

Sum up!

Infosec workers and managers need to provide some level of reporting to stakeholders. It can be tough to do because many times when something trips an IDS, infosec workers investigate, determine that it was just a harmless port scan, and close the alert. But that port scan should be recorded somewhere; not because it may escalate later (although it may), but because stakeholders need to know that they were port scanned, they were targeted, and the defence measures in place mitigated the attack right at the first link of the kill chain. That is what stakeholders are paying for, so they need to know they’re getting something for their money.
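As an added example (not code from this post, from Jon Watson, or from Sucuri), the script below turns the kind of alerts described in the Infosec and Sum up! sections into the report the post argues for: it reads a few constructed alert records, maps each alert signature to a stage of the Intrusion Kill Chain, and tallies what was blocked and how early, so a stakeholder can see what the "nothing" consisted of. The JSON-lines alert format, the signature names and the signature-to-stage mapping are assumptions made for illustration; the IP addresses are from the RFC 5737 documentation ranges.

```python
"""Summarize blocked alerts by kill-chain stage for a stakeholder report.

Added example for this post, not code from the author or from Sucuri. The alert
format, signature names and stage mapping are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
import json

# Stages of the Intrusion Kill Chain, earliest first.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Hypothetical mapping from alert signature to the stage it indicates.
SIGNATURE_STAGE = {
    "port_scan": "reconnaissance",
    "directory_bruteforce": "reconnaissance",
    "vuln_scanner_ua": "reconnaissance",
    "sqli_attempt": "exploitation",
    "webshell_upload": "installation",
    "c2_beacon": "command_and_control",
}

# Constructed sample alerts in a JSON-lines format (not real product output).
SAMPLE_LOG = """\
{"ts": "2024-05-01T02:13:44Z", "src": "203.0.113.7", "sig": "port_scan", "action": "blocked"}
{"ts": "2024-05-01T02:15:02Z", "src": "203.0.113.7", "sig": "directory_bruteforce", "action": "blocked"}
{"ts": "2024-05-01T03:40:19Z", "src": "198.51.100.23", "sig": "vuln_scanner_ua", "action": "blocked"}
{"ts": "2024-05-01T04:02:51Z", "src": "198.51.100.23", "sig": "sqli_attempt", "action": "blocked"}
{"ts": "2024-05-01T05:11:08Z", "src": "192.0.2.44", "sig": "port_scan", "action": "blocked"}
{"ts": "2024-05-01T06:27:33Z", "src": "192.0.2.44", "sig": "unknown_sig", "action": "allowed"}
"""


@dataclass
class Alert:
    ts: str
    src: str
    sig: str
    action: str  # "blocked" or "allowed"


def parse_log(text: str) -> list[Alert]:
    """Parse JSON-lines alert records, skipping blank lines."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d = json.loads(line)
        alerts.append(Alert(d["ts"], d["src"], d["sig"], d["action"]))
    return alerts


def summarize(alerts: list[Alert]) -> dict:
    """Tally blocked and allowed alerts per kill-chain stage.

    Blocks at the reconnaissance stage are the "nothing happened" evidence:
    activity stopped before the attacker could pick a weapon. Anything seen
    past reconnaissance, blocked or not, means an earlier control did not
    hold and deserves its own line in the report.
    """
    blocked, allowed = Counter(), Counter()
    sources = set()
    for a in alerts:
        stage = SIGNATURE_STAGE.get(a.sig, "unmapped")
        sources.add(a.src)
        (blocked if a.action == "blocked" else allowed)[stage] += 1
    seen = [s for s in KILL_CHAIN if blocked[s] or allowed[s]]
    return {
        "blocked_by_stage": {s: blocked[s] for s in KILL_CHAIN if blocked[s]},
        "allowed_by_stage": {s: allowed[s] for s in KILL_CHAIN if allowed[s]},
        "unmapped": blocked["unmapped"] + allowed["unmapped"],
        "unique_sources": len(sources),
        "deepest_stage_observed": seen[-1] if seen else None,
        "events_past_recon": sum(blocked[s] + allowed[s] for s in KILL_CHAIN[1:]),
    }


def render(summary: dict) -> str:
    """Plain-text report aimed at a non-technical stakeholder."""
    lines = [f"Distinct sources probing the site: {summary['unique_sources']}"]
    for stage, n in summary["blocked_by_stage"].items():
        lines.append(f"Blocked at {stage}: {n}")
    for stage, n in summary["allowed_by_stage"].items():
        lines.append(f"NOT blocked at {stage}: {n}  <- review")
    if summary["unmapped"]:
        lines.append(f"Alerts with no stage mapping: {summary['unmapped']}  <- triage")
    lines.append(f"Deepest stage reached: {summary['deepest_stage_observed']}")
    lines.append(f"Events past reconnaissance: {summary['events_past_recon']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(parse_log(SAMPLE_LOG))))
```

The recon-stage counts are the line that justifies the budget: four probes stopped before the attacker learned anything useful. The single exploitation attempt is reported separately, because, as the Reporting section notes, an event that far along the chain means something did get past the first control even though it was stopped later. Unmapped signatures are surfaced rather than dropped, so the "just weird traffic" problem is visible in the report instead of silently shrinking the numbers.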
