Jul 6 2021 · 3 min read
Asymmetric relationships contribute to Cybersecurity failures
By: Thaddeus Walsh
This blog series is written for security professionals whose security posture is moderate to high. Even those companies who have the basics in security covered can run into security challenges between digital transformation, cloud, or Linux environments. In this blog series, we’ll address a few we see from our customers and prospects. The first installment will focus on asymmetry.
Why do well-funded and well-run organizations fall victim to cyber attacks? A small number of asymmetric relationships are at the core of all failures in cybersecurity. You are intuitively aware of each of these relationships, and it’s likely that you’ve never directly thought about some of these asymmetries before. Considering these relationships directly will help contextualize all of your decisions related to cybersecurity throughout your digital transformation journey.
Asymmetric: Having parts or aspects that are not equal or equivalent; unequal
Relationship: The way in which two or more concepts, objects, or people are connected, or the state of being connected
There are three asymmetries to consider:
- The Attacker-Defender Asymmetry is a good place to start because it has received the most press over the years. The concept is usually summarized as: an attacker needs to be right once, while a defender has to be right every time. Cybersecurity programs exist to stop incoming attacks from affecting their organization, so, like goalies, they are measured by the number of times something gets past them, not by the number of successful stops.
On the other side of this relationship are attackers who, due to geopolitical realities and obfuscation techniques that can hide the origin of an attack, often face little-to-no consequences for failed attacks. This allows the attacker to continue to attempt novel attacks nearly indefinitely until they succeed. In short, the definition of success is different for each of the two parties.
- Next is the Attack Surface Asymmetry relationship. The effort to build or deploy an asset is not equal to the effort required to comprehensively secure that asset. Some applications and infrastructures are expensive to develop and build but present a small attackable surface area. More commonly, assets are easy to create but must be secured against many types of attacks. The moment your organization deploys a web-facing application, you immediately have to protect it against DDoS and injection attacks, and those are just two of the seemingly endless pool of threats you need to defend against. This asymmetry is what compels us toward organization-wide security designs and policies, since these constructs drastically reduce the price-to-secure per asset.
- Finally, there is the Proactive-Reactive Security Asymmetry relationship. Everyone knows an ounce of prevention is worth a pound of cure, and every cybersecurity professional deeply embraces this idiom. Unfortunately, the effort to respond to a successful attack increases exponentially as the attack progresses. This means the relative value of responding rapidly to urgent, unplanned incidents outweighs the relative value of progressing important but low-urgency projects that would improve the posture of the program as a whole. Because the security team in many organizations is constantly fighting fires, the rate at which attacks evolve in the wild outpaces the evolution of the organization's proactive security posture.
To tie back to the original question: why do well-funded and well-run organizations fall victim to cyber attacks? It is not because they have weak talent or the wrong tools; rather, it is because these asymmetries can intersect and overlap to create unwinnable situations for the security team.
The next blog in this series will address how security program leaders can hack these asymmetries to transform the way they secure their organizations' technology applications and infrastructure.
Stay tuned for the next blog. If there is a topic you’d like us to cover, let us know at email@example.com.