Recently, I spoke with a veteran who spent 25 years in bomb disposal activities. That’s a long time in a dangerous occupation. He was in the front row as the DoD evolved its approach to this dangerous mission.
It’s silly to refer to anything related to bomb disposal as “standard,” but what started out as a standard job of managing the detonation or disposal of ordnance evolved into sophisticated operations to track the patterns and activities of those trying to hide the devices.
To contextualize the evolution of their processes, he described a “boom timeline.” A boom timeline plots actions leading up to and after a detonation. Instead of narrowly focusing on remediation (disarming the bomb after it had been deployed), they expanded their focus to the who, what, where and when of the device placement. They learned that the further left of boom they could get, the better prepared they were for threats, either reducing placements or redirecting activity around them.
That description really put the hook in me. The parallel to the cybersecurity industry jumped into my head and I’ve not been able to shake it.
In the early days, simple .exe blocking and aggressive firewall port blocking were sufficient to secure the environment and address threats. Over the last 20-plus years of increasing attack volume and sophistication, IT has been forced to ramp up their countermeasures.
But despite this increase in threats, IT hasn’t evolved their approach to “left of boom.” They have remained focused on identification and remediation after the fact – after malicious code has reached their environment, after machines have been exploited, after data has been leaked from the organization. These actions are too little, too late; the costs have been incurred, and the damage done.
The cybersecurity industry is a multibillion-dollar-a-year punch/counter-punch industry. Teams try to stay current with patches and state-of-the-art solutions. Bad actors collaborate to find weaknesses in systems. When new exploits are discovered, patches, fixes or product upgrades are pushed out through the ecosystem to close the latest vulnerability. Vendors have conditioned buyers to deploy ‘next-generation’ technology on a continuous cycle. This has resulted in continuous revenue growth for the industry.
The reason for this is obvious. The web is built on open protocols that were never designed for today’s world. I’ve written about this before, how the web was designed for academia, without considering security or enterprise management control as part of its architecture. But the market embraced these open technologies, resulting in the always-connected – and highly vulnerable – world we live in.
IT operates right of boom because that’s where the browser lives. Every time a link is clicked, arbitrary code enters the network and executes on the local device. More and more technology is deployed to plug a fundamental hole in the architecture. The security world is built around this paradigm of after-the-fact analysis.
Playing the trends forward, the future doesn’t look great. IT needs to be right 100 percent of the time, the bad guys only once. And the bad guys are getting better at exploiting weakness. We only need to look at the devastating impact of WannaCry to prove the point.
Getting IT left of boom means preventing exploits from ever reaching the network. You can do that today pretty easily – just disconnect from the web. But that’s not a practical option. Whether for mission, operations or morale, the internet is a necessity and unless something is done to change the landscape, life will get more costly and more complicated for IT, without a meaningful reduction in risk.
A technique that’s gaining ground in IT circles is cloud-based isolation. These are solutions that execute web code on remote hosts, while providing users secure, interactive access through display-only interfaces. These solutions keep the web at arm’s length from the user, providing full access, but eliminating the exploit surface area. Instead of risking the local environment, remote hosts are built on demand and destroyed at the end of the session. Nothing enters the network, no resources are exposed. The approach is obvious in hindsight.
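To make the “display-only” boundary concrete, here is an added illustration (not code from the original post or from any isolation vendor) of the contract such a broker enforces: a remote host is created per session, only rendered frames cross inward and only input events cross outward, anything else (files, scripts) is dropped and logged, and once the session closes the host is gone and nothing more can be relayed. The broker, channel names and sample payloads are all constructed assumptions for the model.

```python
"""Model of a display-only isolation boundary.

Added example, not the post's or any product's code. Assumptions
(constructed): a broker sits between the client and an ephemeral remote
host; only rendered frames flow inward, only input events flow outward,
and everything else is rejected and written to an audit log.
"""
from dataclasses import dataclass
from enum import Enum
import uuid


class Channel(Enum):
    DISPLAY_FRAME = "display_frame"   # remote host -> client: pixels only
    INPUT_EVENT = "input_event"       # client -> remote host: clicks, keys
    FILE = "file"                     # web content; must never cross inward
    SCRIPT = "script"                 # active content; must never cross inward


@dataclass
class Message:
    session_id: str
    channel: Channel
    direction: str      # "inbound" (host -> client) or "outbound" (client -> host)
    payload: bytes


@dataclass
class RemoteHost:
    host_id: str
    alive: bool = True


class IsolationBroker:
    # The whole boundary policy: which channels may cross in which direction.
    ALLOWED = {
        "inbound": {Channel.DISPLAY_FRAME},
        "outbound": {Channel.INPUT_EVENT},
    }

    def __init__(self):
        self.sessions = {}   # session id -> RemoteHost built for that session
        self.audit = []      # (verdict, direction, channel) tuples for detection

    def open_session(self):
        """Build a fresh remote host on demand and return its session id."""
        sid = uuid.uuid4().hex
        self.sessions[sid] = RemoteHost(host_id=f"host-{sid[:8]}")
        return sid

    def relay(self, msg):
        """Pass a message across the boundary only if policy allows it."""
        host = self.sessions.get(msg.session_id)
        if host is None or not host.alive:
            self.audit.append(("rejected", "no-session", msg.channel.value))
            return False
        if msg.channel not in self.ALLOWED.get(msg.direction, set()):
            self.audit.append(("rejected", msg.direction, msg.channel.value))
            return False
        self.audit.append(("relayed", msg.direction, msg.channel.value))
        return True

    def close_session(self, sid):
        """Destroy the remote host; nothing from the session survives."""
        host = self.sessions.pop(sid, None)
        if host is not None:
            host.alive = False
        return host is not None


def run_demo():
    """Exercise the boundary with constructed messages; return the verdicts."""
    broker = IsolationBroker()
    sid = broker.open_session()
    results = {
        "frame_in": broker.relay(Message(sid, Channel.DISPLAY_FRAME, "inbound", b"\x89PNG...")),
        "click_out": broker.relay(Message(sid, Channel.INPUT_EVENT, "outbound", b"click 10,20")),
        "file_in": broker.relay(Message(sid, Channel.FILE, "inbound", b"MZ...")),
        "script_in": broker.relay(Message(sid, Channel.SCRIPT, "inbound", b"<script>")),
        "frame_out": broker.relay(Message(sid, Channel.DISPLAY_FRAME, "outbound", b"")),
    }
    broker.close_session(sid)
    # After teardown the session id is dead: even an allowed channel is refused.
    results["after_close"] = broker.relay(Message(sid, Channel.DISPLAY_FRAME, "inbound", b""))
    results["hosts_left"] = len(broker.sessions)
    results["rejections"] = sum(1 for v, _, _ in broker.audit if v == "rejected")
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The audit list is the detection hook: every rejected crossing (a file or script trying to come inward, or a message for a session that no longer exists) is recorded, which is the kind of signal a SOC would want from a real isolation service rather than silent drops.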
These solutions are gaining momentum, and they’re proving that it is practical for IT to move left of boom. They just need to re-think the paradigm.