Teaching Your CEO about Cybersecurity: An Anatomical Analogy

In the past year or so, I’ve been looking at all sorts of technology related to cybersecurity. Compared to most domains of IT, cybersecurity is a jungle of overlapping offerings. It is not easy to understand each product or how many products one might need.

To help sort things out in my mind, I’ve developed an analogy based on human anatomy to describe the capabilities that are offered by the various cybersecurity products. So far, this analogy has proved helpful in explaining cybersecurity products to C-level and line-of-business executives.

The Anatomy of Cybersecurity

Cybersecurity used to be all about locks. The idea was that a firewall would stop those you didn’t like from getting access to stuff they shouldn’t be able to see. Other systems for intrusion detection arose that would alert you when someone was poking around.

Anti-virus software running on your PC was basically like a lock powered by data. The AV software looks for signatures of known threats and doesn’t allow that content onto a computer. The quality of AV software depends heavily on constantly getting better data, that is, better collections of signatures.

Locks and Alarms for those Ham-Handed Vandals

The locks and alarm approach first developed when security was fundamentally about stopping ham-handed vandals from trashing your computing infrastructure. These attacks didn’t do much to conceal themselves. They were all about looking for someone who left their digital car unlocked with the keys inside. Those were simple days for security.

Nowadays, the attackers are not vandals but spies, thieves, extortionists, and other people with extremely sophisticated skills. They are looking to conceal themselves and to get into an environment and stay there so that they can take as much as possible. Their attacks are called Advanced Persistent Threats (APTs) and they usually are designed to play out in stages. First, the threat gets a foothold, then looks around, perhaps installs more software, and eventually ships out valuable information.

To catch APTs before they get in, and to improve the way that anti-virus software works, cybersecurity companies like FireEye and others use a behavioral approach. Content and software are put in a petri dish environment inside a waiting room. If it then tries to do something that indicates an attack, it is not allowed in. While this approach works, it will never catch everything.

Cybersecurity Systems Won’t Work All the Time

But you know what? Cybersecurity systems won’t work all the time. Remember, a huge percentage of the computing infrastructure we have was not built to be safe in a networked environment. Also, employees have bad habits and the makers of APTs are good at exploiting them. In addition, the most advanced APTs are created to get a specific individual to do something stupid by clicking on a link. Threats are sent in an email you are likely to open; for example, think about a threat lurking in a message about your kid’s soccer team.

The offense, the bad guys, have the advantage. They just have to get through once to achieve a victory. The defense, the good guys, have to stop every attack, and there are just too many ways to stop everything.

So, advanced cybersecurity systems must also look for attacks that have succeeded. This happens by looking for abnormal behavior that indicates the presence of an APT attempting to cause some trouble. Here’s where the anatomy comes to the surface.

The Anatomy Emerges

I use eyes as a way to refer to technology that looks for problems. Anti-virus software scans hard disks of personal computers, but a whole collection of similar technology has been created to scan all the assets of a data center for problems.

Ears refer to technology that gathers data. Data centers are awash in machine data such as logs that indicate is what is happening in servers, routers, applications, firewalls, and so forth. But the raw flow of network traffic is also a rich source of data, as is the data available through hypervisors. There are many different types of ears coming available that can be a huge help for security operations teams.

Now eyes and ears are helpful, but raw data doesn’t mean much unless you have some way of determining what is normal. So most eyes and ears technology has something of a brain either to help determine what’s normal or to help describe a sophisticated picture of normal behavior.

Cybersecurity systems also need a coordinating brain to listen to all of the information coming at it from the eyes and ears and then figure out what to do. Sometimes, automatic responses will be in order. Other times sending a description of the problem to the inbox of the security operations team will be the right thing. The brain must also be able to find new higher level patterns that combine evidence from many different sources.

If a brain knows what needs to happen, it needs arms and hands to take action. Often, security appliances such as firewalls allow holes in the network to be closed. Routers and load balancers can shift traffic elsewhere. In most data centers, every piece of equipment has an API that allows control of some kind. All of these capabilities together constitute the arms and hands of a cybersecurity system.

Computing Is Everywhere

The last thing needed is legs. In the modern world, computing now takes place everywhere. When devices leave the confines of a corporate network that is protected by a fixed firewall, they start working on wireless networks. The right way to solve this problem is to move the firewall or other protective services to the cloud. This is what I mean by legs, the ability for cybersecurity functionality to follow end-users wherever they go.

As it turns out, most products offer more than one of the capabilities just mentioned. But by using these categories, it is possible to put many different overlapping technologies on the same yardstick.

If you have ideas for improving this analogy, please comment below.