The Three Legs of Cyber Security

For nearly 10 years I’ve been using The Great Wall of China as a way to illustrate the three legs of IT security. I explain how security is a three-legged stool and the Great Wall shows this in perfect detail. The analogy has been useful with my conversations with both technical and non-technical IT professionals and students. I hope you find it helpful with developing your own total security plan and/or explaining this complex subject to others.

Cyber/IT security is an ever evolving cat and mouse game that challenges all of us, at home and at work. However, there are some fundamentals that don’t change. Defense in depth, policy with enforcement, and the three legs of security are examples. By focusing on the fundamentals, and allowing the fundamentals to drive your decisions, you will be able to get through all the noise, buzz, hype, etc. around IT security. There are no magic bullets, focus on the fundamentals and not the next new shinny object.

This article focuses on the three legs of cyber security, Prevention, Monitoring, and Remediation. My intention is not to explain in depth each of these legs. But, instead, explain how they all work together. And why security breaches will happen if you don’t focus on all three areas. The Great Wall of China, built well over 2,000 years ago, will be used to illustrate these three legs of cyber security and highlight how long this fundamental practice has been used.

1) Prevention. This is what IT professionals focus most on. We love to build walls to keep the bad guys out. Firewalls, IPS, End-point Security, and the like grab our attention. In my opinion, we spend far, far too much time on prevention. We do bake-offs, market research looking for the latest and greatest, and spend huge amounts of time trying to find the next magic bullet that will solve all our security woes. Put “Next Gen” in front of the name and you have us hooked. I’m not saying prevention isn’t important, but we need to leave time and resources for the other two legs of security. If all our focus is on prevention, we will be compromised, period. No prevention method is fail-proof. Given enough time, any wall can be breached, just ask Andy how it’s done:

2) Monitoring. The Chinese actually built housing for troops on top of their wall. Talk about 24x7x365 monitoring. They didn’t just build the wall and walk away, they knew they had to monitor what they built, aka installed. An un-monitored wall will be breached if there is something of value on the other side. Over time, the cost of monitoring may be greater than cost of the wall itself (and be of more value).

Attackers are always evolving and finding ways around our latest and greatest defensive measures. Today, cyber security requires watching our networks and data with technologies such as SIEM (Security Incident and Event Monitoring) with threat feeds, and Cyber SOC (Security Operations Center). These can be very expensive technologies and required very skilled security engineers to manage. In the past, only very large organizations could afford this type of monitoring. But now there are managed/cloud offerings that make these technologies affordable to any size company. Trusted Network Solutions can offer you some options, shoot me an email.

If we’re not proactively monitoring our walls then when do we remediate breaches? After the bad guys are in-country and our villages are burning! I’m betting that the Chinese, like many organizations today, had to learn that lesson the hard way. History has shown that it is difficult to justify spending all that is needed on all three legs of security. Sometimes the justification is only made obvious after a breach has caused great damage. But don’t give up being proactive, keep trying to get the funding needed to monitor… at minimum you are covering your rear-end if an undetected breach happens under your watch.

3) Remediation. When the bad guys attack, and they will attack, can you fend them off? We’ll, if you don’t know they are attacking, the answer is “no”. Without monitoring, your remediation will just be clean-up. You’ll have to hunt down the intruders and try to minimize the damage. The costs can be astronomical and you can just watch the news for examples. Remediation and monitoring go hand-in-hand.

The Great Wall of China once again gives a perfect visual, this time representing remediation. Look at the 3rd arrow on the image above. Those notches in the top of the wall, like you see on castles, are called “crenelations”. These notches give the troops protection as they fend off attackers. As the bad guys tried to climb or penetrate the wall, you can imagine soldiers shooting arrows, pouring hot-oil, and dropping bombs on the bad guys below. Those watching the wall become defenders of the wall.

Even if the bad guys overwhelm your defenses and breach the wall, at least you’ll know your wall is breached. Otherwise, you don’t know you’re breached until the villages are burning. Then critical data is lost… being sold on the dark web, gigs of data encrypted and ransoms demanded, and other attacks launched from your network are a few examples of those “burning villages”.

Remediation comes in many forms. Here are some things to consider.

  1. Stopping the attack. Do you have an Incident Response Plan? Do you have the skills and tools needed? Whom would you call if the attack was beyond your capability to stop? How much would they cost and how quickly would they respond?
  2. Cleaning up the attack. Do you have the skills and tools needed? See number #1, these two are tightly related. In short, do you have a “cleaner” like The Wolf? (caution, some strong language)
  3. Communicating the attack. Do you have a written policy in your Incident Response Plan? Who approves information given to employees? Who talks to the press? Who will represent your organization if legal issues arise?
  4. Recovering from the attack. Do you have cyber insurance? A retainer with a 3rd party security response company? How is your BC/DR plan, and have you tested it lately?

The Great Wall of China is proof that the fundamentals of good security have not changed in thousands of years. Yes, we have many new tools and technologies and the digital world makes it more difficult the see the walls we’ve built. But the fundamentals are still the same. Avoid the noise and magic bullets, use the proven fundamentals to drive your security decisions. And when you get push back from managers, executives, and/or owners, stop talking high-tech and show how what you are trying to accomplish was tested and proven over two millennium ago.

Author: Dave Norwood

About Trusted Network Solutions:

TNS is a leading Value Added Reseller providing secure network systems and solutions to the SMB and enterprise markets. TNS offers best-of-breed technical solutions acquired, installed, secured, and maintained using the most cost effective methods


Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s