Taking the “P” Out of “PDR”

The House & the Cloud

Protection, Detection, Response – In my book, The House & the Cloud (Written in 2007), I proposed the idea that IT’s security model of Protection, Detection, Response, while technically correct, is flawed. Most organizations were putting too much stock in the “P” and not nearly enough in the DR – Detection/Response. I went on to say that “D” is actually the most important one – the response needs to be there, but the D must be nearly perfect or the entire model falls apart (For more detail on this, read the book).

Well here it is, 2013, and the Wall Street Journal writers agree – Prevention is Over: Assume Your Intellectual Capital is Under Attack (May 27, 2013). This is a sound bite…if you’ve taken my Making Money w/ Security Sales Workshop (note the next one coming up in July) – you’ve heard me talk a lot about great sound bites and how to use them – this is one. When the IT guy says, “We’ve got it covered” – no they don’t! But there’s no reason to argue the point. Simply quote The Journal – but do it in the direction of your asset owners (those with business level liability), not IT.

James Holley and Jeff Spivey, the writers of this WSJ article state, “Enterprises (and companies of all sizes) are being attacked because of who they are, what they do and the value of their intellectual property. But they are responding with security controls that are years out of date.” When they say, “Years out of date” I think of the older security models that assumed we could keep hackers out. Physical security did away with that notion back in the days of castles. It didn’t work then, and it doesn’t work now.

APT (Advanced Persistent Threats)

“The APT are groups of people – they are a “who”, not a “what””. This is important. Advanced Persistent Threat – has been a buzzword in the security industry for a while now. It refers to some very serious attacks – think of Stuxnet and other attacks we’ve seen on energy companies and perhaps cyberwar efforts or Anonymous attacks reported over the past two years. Holly and Spivey point out that you can’t just look for Malware, although malware (BOTS) are the major tool most often used to grab data. But APT is bigger than Malware. “They have very sophisticated attack tools and will conduct operations specifically to hide in your environment. These groups want one thing: your intellectual property. And they are not giving up and moving on to the next easy target. They’ll simply find another entry point—likely through one of your unsuspecting employees,” say Holly and Spivey.

Author Bruce Schneier points out, security is not a math problem, it’s a people problem. People are the entry point for these attacks. In fact, Kevin Mitnick, author of The Art of Deception goes into some great detail on how people are deceived and talked into offering up credentials for just about anything. About a year ago the Wall Street Journal reported on a white hacker, disguised as a 25 year-old woman using Facebook, who managed to talk 13% of the men in one financial organization out of their passwords. This is kind of attack will defeat almost any security architecture.

What’s the solution? Detection, Response, and lots of training – making sure your people really understand data handling in the same way tellers are trained to handle cash. You can’t really remove the “P”, but as I state in the House & the Cloud, the “P” should simply be viewed as the trip wire that sets off the alert – “D”, which then signals the proper timed response. If you don’t have a copy of The House & the Cloud, get it free in PDF format on the right hand sidebar of this blog.