A few weeks ago I joined the eSentire Executive team at the US Military Academy at West Point for a Leadership Development program run by the Thayer Leader Development Group (TLDG). The historical significance of West Point is difficult to overstate. Its alumni include some of the most accomplished military and government leaders the United States has ever produced. The class of 1915 had 164 graduates. Incredibly, 59 of those graduates became Generals. They included Five Star General of the Army Omar Bradley and Dwight D. Eisenhower who went on to become the President of the US. This group is known as “the class the stars fell on”.
Upon my arrival at West Point, I immediately sensed two things: purpose and integrity. Everyone I interacted with, from the youngest cadet to the most seasoned General conveyed a deep sense of mission and personal integrity. It’s clear why so many great leaders emerge from its graduates. Every single cadet is instilled with Leadership from the moment they arrive as a freshman (or “Plebes”, as they’re otherwise referred to). The Army’s core values - Loyalty, Duty, Respect, Selfless Service, Honor, Integrity, Personal Courage spell out LeaDeRSHIP.
The mission of the eSentire executive team was to grow our understanding and capabilities in leadership through the experiences and insights of some very distinguished retired military officers. The retired Army Generals and Colonels we would be meeting with have served with honor across many decades, through war and peace. Leadership is a core value, deeply ingrained in their DNA and souls. They came prepared to challenge us and inspire us.
The reason eSentire found itself in this program is thanks to a key learning we made about the similarities between the environments and challenges faced by the US military and our business when dealing with cyber-attacks. The more we learned about the military approach to cyber security and the challenges of hunting for new attacks, the more we realized our theater of operations was very similar.
The term “asymmetrical warfare” is used to describe an environment where an attack can attack continuously without expending much effort, yet the defender must devote much greater resources to defend against these attacks. There is virtually no cost to an attacker for a single (or multiple) failed attack, but the cost to a defender for a single successful attack is very high. The parallels to cybersecurity are clear. The tooling and infrastructure available to an attacker are cheap and readily available. A great example of this is the “DDoS for sale” model being used against several well known organizations recently.
One key difference we recognized was that our mission (and laws) prevent us from any offensive response activities. I must admit that some days, it would be nice to fire back “virtually” at an enemy, but that would cause more problems than it resolves. Nonetheless, it would feel good, even if only for a few minutes!
There’s a name for the environment the military and parts of law enforcement (like the anti-terrorist task forces) live in. It’s called VUCA.
- Volatility
- Uncertainty
- Complexity
- Ambiguity
Think about how warfare has evolved; it’s gone from defined battle lines with adversaries wearing clearly identifiable uniforms to today’s urban battlefield, where the hostiles are embedded with the friendlies and are nearly impossible to differentiate until they act. The same types of challenges exist for Homeland Security and the FBI as they try to identify those within, and outside our borders who make and execute terrorist plans. The environment we operate in at eSentire in our Security Operations Centers is also a form of VUCA. And, realistically, everyone responsible for protecting their organization’s assets lives in a VUCA environment, too. Whether you know it or not.
Let’s look at VUCA in detail, to understand better how it describes the challenges we face in cybersecurity.
Volatility
Volatility is defined as something “likely to change in a very sudden or extreme way”. It’s easy to see how cybersecurity exists in a volatile environment. Every day, the attack surface we manage changes. New vulnerabilities emerge, often with no notice or patch. Systems that were previously safe are compromised and used as launching points for attacks. And every day users interact with phishing scams in their email, fall victim to dangerous websites and are socially engineered to cough up their credentials. Yes, we live in a volatile environment.
Uncertainty
Certainty is elusive. Most IT managers acknowledge that they operate with imperfect data. Knowing exactly what systems are on a network is a big challenge. Understanding the state of those assets is equally difficult, especially with the mobility of users and the ever growing list of services, tools and technologies being deployed within most businesses. And on the other side of the equation, you don’t know for certain who the bad guys are. You don’t know with any certainty the tools they use, or the insights they have. You can try to apply threat intelligence to this, but ultimately it’s never enough. The problem is too volatile to have certainty about anything, other than certainty that there are threats you must manage.
Complexity
This one is obvious. Every device, service, and application we deploy brings with it new complexities. Policy configuration is extremely challenging. The balance between “optimized for security” and “optimized for getting work done” results in weakened policies and new risks that have to be managed.
Complexity piled on complexity results in an attack surface that is essentially unknown. And this applies to all organizations from the smallest to the largest. Cybersecurity defenses bring their own complexity, and that’s significant. Having the skills within your company to effectively manage the responsibilities that come with cybersecurity is increasingly becoming unattainable to all but the very fortunate few at the top of the pyramid. Scaling this capability and keeping up with the complexity is deeply affecting the midmarket the most. This is why eSentire focuses so much on absorbing the complexity of cybersecurity for our clients. We understand this challenge.
Ambiguity
And finally, ambiguity. Grey. Not sure, could be, but then again, might not be. This has been the bane of the IT security team’s existence. Deploying lots of products at gateways, on endpoints and everywhere in between that generate a never ending exhaust of log and event data. What do you do with it? How do you find the real threat? Can you trust that you’ll find a new threat in the log data? Probably not.
How do you turn a grey signal into a definitive hack or an innocent event? What other data and telemetry do you need, and did you collect it? Ambiguity was the core issue that drove eSentire to focus on solving the cybersecurity differently over a decade ago. An anomaly is just that until you can investigate the context of that anomaly. And to do that you need very different tools and capabilities than you typically deploy in an organization.
Hunting requires specialized weapons, and a co-ordination of efforts. This is why eSentire is successful when demonstrating our abilities against other approaches like SIEM. We hate ambiguity. We can’t eliminate all of it, but we do a very effective job of providing our SOC analysts with enough context and forensics tools for them to get to the answer fast. And then respond, with weapons hot. Well… connection killing weapons, anyway!
Conclusion
One of the observations our Advisor Lt. General (retired) Ronnie Hawkins has shared with us is that in a VUCA environment, you have to approach planning very differently. No matter what your plan is, as soon as you engage with the adversary, they have a vote and your plan is now changed. The “Commander’s Intent” is the appropriate way of delivering mission orders, not command and control as we see in the movies. The Commander describes the who, what, when, why and where but not the how. You know my intent; you will figure out the how. I can't tell you the how in a VUCA environment because the adversary has a vote.
I’ve been to many Leadership conferences in my career. My experience with the TLDG team at West Point changed me. It gave me a greater appreciation for how to lead in a VUCA environment. It made me think about my own leadership philosophy, and how sharing that more visibly can help my teams understand my approach to getting things done. And it demonstrated to me that my colleagues on the executive team have the right stuff, and they have my back. Just as we have the back of every single one of our clients. It’s our first and the most important company core value.
In a VUCA environment, you absolutely need that.
