Black Hat Executive Summit | May 6, 2015

Rod Beckstrom

Richard Bejtlich, Chief Security Strategist at FireEye

This month, we spoke with Richard Bejtlich, Chief Security Strategist at FireEye and Black Hat Executive Summit Advisory Board Member, about the impact of threat metrics, adjusting security strategy mindset, and the role of the corporate board in helping set cybersecurity strategy.

One of the things we’re trying to change in the cybersecurity conversation is that metric about the number of attacks, and talk more about the root causes, the policy improvements, the technology improvements, but also better ways to characterize our impact on reducing risk and attacks. You talk about referring to “campaigns” instead. How could that change the mindset of companies in their defensive efforts?

Richard Bejtlich: I think we need metrics that match the level of the problem we’re dealing with. Security people think in terms of tools and tactics. How many systems do we have, what are their characteristics? There are other levels of thinking, like the operational level. That’s where campaigns occur; these are sustained activities over days, weeks, months, or sometimes even years. Above that level, you have strategic thinking: are we even doing the right thing to achieve whatever our goal is? The goal should drive everything. So, when I see numbers applied to attacks, I have two reactions: one is, if the number is anything above the thousands per year, I become suspicious. What is it you’re counting? We don’t have any good definitions around what is an attack. The attacks themselves aren’t even that interesting. Most of the adversaries we have to worry about are conducting campaigns against us – and the campaign is their way to implement their strategy, which supports their goal. We need to look at what’s happening to us, map it back to what the adversary’s campaign looks like, and then we need to have our own defensive campaign against their campaign. And we can even go further and step outside our own organizations and turn to law enforcement or the military or counterintelligence and have them launch offensive campaigns against the people who are coming after us. It really depends on what level of thinking you’re looking at as to what metrics you apply and what you’re trying to accomplish.

So in order to change this mindset, organizations need to look at their security strategy as an amalgamation of campaigns?

Richard Bejtlich: Yes, every organization that’s on the Internet is going to get some level of attention. If not from nation states, then probably some amount of interest from criminal actors or opportunistic attackers. People who may be operating on behalf of one of those groups, but your network or system might necessarily not be the target of their operations, you’re just part of the facilitation of an attack from a targeted system. When you’re trying to defend yourself against someone who is targeting you, you have to throw away the other approaches like “security for obscurity,” or “not being as weak as the next weakest.” When you’re the intended target, you have to treat this as: this is a problem that won’t go away until the other side decides to change its mind. When you have that kind of a mindset, it changes the landscape from one of thousands or millions of events that occur over the course of the year, to one of having perhaps 12 groups in the world who have made their mission to steal what we have, or disrupt what we do. That makes it a lot easier to defend yourself because now you can think in terms of concrete adversaries with goals and you can plan your defense accordingly and not worry about thousands or millions of attacks.

How serious a problem is it that so few boards are being briefed about security strategies?

Richard Bejtlich: I see it in a couple different ways: there’s a tendency when you start at the technical level where the security team is, they have pretty clear evidence of what happens. But as that info gets filtered farther up the chain, each layer is seeing itself as responsible for what’s happening, so there’s an inherent tendency to make it go from red to green. In other words, this isn’t that bad, so you may have a really red situation at the tactical level, but by the time it gets to the board and strategic and policy level, they see it all as green. Because the people responsible for that activity don’t want to make it look like they’re doing their jobs. So many boards aren’t hearing the bad news because, to do so, would be [problematic for the policy makers]. That’s one force we have to deal with. Another problem is most security teams and CISOs and maybe CIOs don’t know how to look at this in a strategic way. They think in terms of what defenses I have to put in place, inputs like a certain percentage of machines patched, and other technical matters. On the other hand, you may have people who are very compliant focused: focusing on my system is adhering to a standard or legal practice. Neither meets the requirements of the board that don’t think in those terms.