June 10, 2013 By Chris Poulin 3 min read

(Note: I grew up in a European colonized country. Football to me is European football, soccer to most Americans. I love American football too, but Europeans were calling it football long before we were.)

You would never field a football team with just a goalkeeper and backs. But in security that's exactly what we do: deploy defensive technology such as firewalls, IPSes, and endpoint security. As the bad guys attack us, the best we can hope for is a draw.

Football and information security differ in offensive tactics. Our opponents' (the bad guys') objectives, whether stealing intellectual property, conducting cyber espionage or cyber war, destroying manufacturing capability by taking control of our SCADA systems, or just vandalizing our data, all start with invading our side of the field; whereas our goal as information security professionals is simply to conduct business on our own side of the field.

Or perhaps a more apt metaphor is that our game of football is played on a field occupied by our business and our competitors, and the threats come from the stands. Whereas in real-life football we endure the taunts and jeers of the crowd, and occasionally an overzealous fan racing across the pitch naked, in the cyber arena we're being attacked with gunfire and bombs.

Ethically we can’t fire back: that’s the job of law enforcement. But we can’t turn turtle either. Our best strategy is to identify the bad guys as they enter the stadium, or arrest them in their flats.

In fact, Scotland Yard did just that with the 24 men who had planned to take down a number of airplanes with liquid explosives. Through old-fashioned intelligence gathering, they correlated suspicious purchases with a potential terrorist plot and stopped the men before they even got to the airport.

When it comes to information security, it's unlikely that any of us has the resources or jurisdiction to conduct covert operations on the open internet. However, every one of our information infrastructures contains a wealth of data that, if mined and analyzed, equates to information security intelligence. The defense-in-depth technology we invested in years ago, and even operational technology that may not be employed in a security context—web, email, and database services, operating system audit logs, switches, and even printers—sheds light on every corner of our information infrastructure and paints a complete security intelligence picture. There's an opportunity to turn our technology infrastructure toward an offensive end.

One benefit of an offensive play is gaining an advantage through early detection. If we can catch an attacker in the reconnaissance phase, while they are still discovering and footprinting our systems, we can shore up our defenses before the imminent compromise. Or we can detect the anomalous user behavior that precedes data theft. But that's only part of the benefit. Security intelligence also provides advance context about our own environments—What are the assets, and are they vulnerable? How is my infrastructure segmented and defended? What kind of information normally flows across my network?—and is critical in prioritizing defense and response efforts, as well as determining the potential consequences of attacks and the impact of a compromise.

For the more civic-minded, there are forums to share information between organizations and gain a wider view of the threat landscape, going beyond the borders of our individual perimeters. Those organizations include ISSA, ISACA, and InfraGard. Joining and sharing gets closer to changing the game and creating an offensive strategy.

We cannot continue to do what we're currently doing: if the entire game is played on our side of the field, the opposition will quickly discover the weaknesses in our defenses and exploit them. Our strategy needs to shift to repelling attackers before they rush our goal en masse.
