Something interesting is happening right now in the Information Security community. I’m reading and hearing more and more discussion, papers, blog posts refocusing efforts from preventing breaches to detecting and responding. This is a great thing, and quite frankly it’s about damn time.
Zane Lackey from Etsy posted a brilliant talk the other day on Slideshare, and since I follow Zane I got the alert in my inbox and immediately went to check the deck out. If you've not seen it, it’s right here, titled “Attack-driven defense”. I love the slides, I love the idea, but I was left wanting more. Zane’s ideas clearly work within Etsy – but how many environments are there out there like this? While it’s clear that there are many, many enterprises facing a similar level of threat, what is unclear is how many of them can respond in the manner that Zane’s presentation outlined.
The challenge, in my opinion, is adapting the Tripyarn (love the name of this…) framework that is clearly proprietary to Etsy to the broader small-to-medium enterprise. Enterprises that don't have a Zane and multi-person team which has the capability to write custom-code. Enterprises which rely on Windows systems and servers more than they rely on Linux. Enterprises where the present threat far outbalances the ability to play defense. This is the problem space that I believe needs Zane’s framework and approach most urgently … right now.
The trouble with approaches so customized to the environment they’re developed for is they can’t easily be adapted elsewhere – except in concept. The trouble with adapting a concept is that you need capability and skill – that doesn't always exist plentifully in smaller organizations.
The challenge, then, is to build a “Tripyarn” framework which can be adapted in environments from Fortune 100 massive enterprises, to an enterprise which has a handful of IT security resources working through keeping patches current and encrypting endpoint hard drives. What these types of organizations need is a set of pre-build blocks (like Legos) that they can put together as it fits their business and operating capability, but that still provides some incremental level of benefit in detecting “interesting operational deviations” which may signal a compromise, or at very least something interesting to go investigate.
I think tonight we may have seen the beginnings of this, and I suspect before long there will be a group working together from enterprises big and small, to deliver a defensive framework that isn't pattern-based so it can’t be ”evaded” but that has great effectiveness at detecting interesting things that have a high degree of being important to security. I’m hopeful that Zane’s presentation and slides have started something, finally, and that we’ll get past the “break everything” over-focus on offensive breaking and get into a more offensively minded defense that actually is innovative.
If this sounds interesting to you, let me know, there is lots of room for ideas and collaboration here.