Security has always claimed that “Defense in Depth” is the dominant strategy. As we enter the world of automated workloads at internet-scale, it has become clear that it is in fact “Defense in Diversity” that wins over depth. When dealing with large-scale automated attacks, iteration over the same defense a million times is cheap. However, attacking a million defenses that are slightly different is costly for the threat actor.
It then comes down to this: How can you raise the cost to your adversary’s observations and actions without raising your cost equally as the defender?
As human beings, we have a cognitive limit on things like recollection, working memory, dimensional space, etc. Operating outside of any one of these parameters can be viewed as beyond our peripheral cognition. Machines, however, have no problem operating outside these boundaries, being able to compute, analyze, and respond on a vastly greater scale. That being said, machines also need proper input and interaction from the human element in order to maximize efficiency and help determine things like known good and bad behavior on a network.
The first step to achieving “Defense in Diversity” is learning to identify what elements of your approach to security are human-scale problems and which are machine-scale problems.
Diversity is the countermeasure to Determinism. Extreme forms of diversity are feasible for machines but infeasible for humans, so we need to be careful in its application in our systems. By keeping these human-level versus machine-level constraints and capabilities in mind, we need to design automation that has machine-scale diversity and operational capacity while still being able to be operated at the human-scale by the defenders.
In order to effectively combat an increasingly strategic and varied set of threats, security professionals need to take a more varied approach to defense. While repetitive and static use of an effective technique or tool might keep some adversaries at a disadvantage, or even force some of them to give up outright, at some point, your organization is going to come across an attacker that not only recognizes your defense patterns, but also knows how to counter or even circumvent them, leaving you defenseless and open for attack.
Take a moment to consider the following: What aspects of your processes or automation techniques could a threat actor use against you? Just because you can automate something for security, does not mean you should. Our systems are becoming more and more automation-rich as we move from human-scale operations to machine-scale operations. However, it is paramount that we understand how to automate safely and not to the advantage of our attackers. AI and ML learning are an invaluable part of our set of defensive techniques, but there are still some scenarios where human-scale ingenuity and reasoning are vital to keeping our information secure.
I encourage you to take some time to assess your organization’s current approach to security and ask yourself some important questions:
- How deterministic are your defense methods?
- Are there any methods that you’re currently using that threat actors might be able to abuse or overcome? How would you know threat actors have taken control?
- What set of processes are human-scale? (manually executed)
- What set of processes are machine-scale? (automated by machines)
Recognizing how to efficiently balance the human and AI/ML components in your organization and understanding the advantages each provide will allow you to better defend against threats and allow you to seize victory against whatever foes come your way.
One of the many reasons the first worm (Morris worm) was successful, was because of a lack of diversity of the machines connected to the networks. Back in ’88, Vax machines were pretty much the norm (with a few Sun’s here and there). This enabled the worm to spread pretty easily because the surface area was pretty uniform.
However, we have to be careful. Diversity in this context can also correlate with complexity – which as we know can impede security posture in addition to impeding the scope of the threat.