What Do Silver Bullets, Bearings and Engines Have to Do With Security Intelligence?
They are old, ubiquitous, transparent and irreplaceable. Just like security intelligence, we rely on them 100 percent of the time and they never fail (well, almost never). They cost nearly nothing to create or obtain, but a failure in their operation, design or implementation can have very expensive consequences. Each copy of the same model must be identical so that customers are assured quality. Their performance must be predictable since they are exposed to some of the most hostile and dynamic environments. They come in many sizes and designs and may be integrated into solutions in many ways, but they must perform perfectly to keep us safe.
What technology is this? A bearing.
Your automobile uses thousands of them. The aircraft and engines that push you through the sky have many more. Shower valves, bikes, treadmills, tape drives and even disk drives use bearings. They are everywhere. They are seamless. We depend on them all the time.
However, when they need to be replaced, it is not cheap. The cost of replacing a bearing in your transmission can be 1,000 times the cost of the bearing itself. Coincidentally, the same claims can be made about security technologies. An unanticipated failure due to software bugs, bad algorithms, incorrect integration or poor design can cost much more than the price of the technology itself.
However, without the technology of bearings, we would not have the high-reliability items that we rely on daily, from automobiles to air conditioners.
Why is it that we have mastered this level of high reliability with the design and implementation of bearings, but we continue to struggle with security, as is evident in the breaches that seem to be on the news nightly?
The reason is that there is more to the story of bearings than just a piece of metal. The secret to success in bearings is not about what they do or that they are made of hard metal. The true magic in bearings is all about the information we collect about how they are manufactured and how they perform every second of the day.
There is a lot we can learn from this 18th-century technology. We need to take those lessons and apply them to the security intelligence challenges of the 21st century. Surprisingly, it all comes down to lessons we should already have learned.
At the end of World War II, William Edwards Deming presented a paper on statistical process control in Japan. Without going into great detail, he highlighted the fact that if you are going to make something of quality, you cannot inspect each copy or widget to ensure it is “good.” You cannot look at millions of bearings. You cannot visually check every syringe. You cannot check every square micron on every platter in every disk drive.
Instead, you need to look at the process that makes these things, not the things themselves. You must know that your product is designed correctly. Furthermore, and perhaps more importantly, you must understand how the product is being manufactured to ensure it is meeting design specifications.
The idea is that if the design is good and the manufacturing process is efficient and consistent, the product coming off the line will always be as good as its design and have no variations. In other words, the focus should be less on inspecting the bearings and more on inspecting the process that creates them.
Bearings are the poster child for Deming’s theories. A bearings manufacturer can produce millions of bearings each year. However, those bearings can’t all be inspected for defects. Instead, the manufacturer must inspect the process that makes the bearings by collecting information on the manufacturing process.
On the other end of the supply chain is the manufacturer of the engine that uses the bearings, but it follows a similar process. The performance of the engine must be measured to know whether the bearings are achieving their required quality. Is the engine overheating? Is fuel consumption low? Are noises and vibrations within predictable limits? If not, you know it is likely due to the design of the engine, the design’s implementation or the components (bearings) used in the design.
However, the actual bearing is never inspected when it is in the engine. Information, intelligence and analysis tell you how the bearings are performing and whether they are meeting the needs of the dynamic environments in which they reside — that is, the engines.
What Does This Have to Do With Security Intelligence?
As with designed systems such as engines, we never use just one security component in our security designs. The overall security of our systems, networks and infrastructure is not based on a single technology, but rather on the combination and integration of many technologies that must work together and be built with components that are intended to perform in a dynamic environment. Our system design should consider the hostile environment in which it works, and the components that are part of the design must also be designed to work in those hostile environments.
The lesson here is that the quality of the different layers of security is no different than the various layers at which bearing technology is applied. The design and implementation of the components (such as operating systems, firewalls, antivirus and IDS) must focus on eliminating unanticipated behavior (bugs), just like bearings cannot have flaws introduced during their manufacturing process.
Additionally, the integration of those components throughout an enterprise must also be pursued to enforce a desired behavior and eliminate unauthorized access and data leakage. Engines cannot have unpredictable behavior, and neither should our networks.
Bearings are designed, manufactured and integrated into engines to enforce highly predictable behavior. Security components are designed, manufactured and integrated into complex networks to provide the same highly predictable behavior.
Security System Applications
So why are bearings and engines able to do this but security systems cannot? That question can be paraphrased in the context of bearings. How do manufacturers know whether they are producing bearings with the same quality? How do engine manufacturers know whether the bearings are still performing within their engines? The answer to those questions comes down to data collection, information gathering and analysis — otherwise known as security intelligence.
Just like manufacturing and integration, security data gathering, intelligence and analytics let security analysts find the baseline normal behavior of networks. Quality control requires that you baseline your processes to achieve consistency — a necessary step before you achieve quality.
Once the analyst has a baseline of the network’s normal behavior, anomalies such as unusual bandwidth consumption, rapid login failures, abnormal network connections and peculiar use patterns become more readily apparent.
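The baselining step described above maps directly onto statistical process control. As an added example (not part of the original article), here is a Shewhart c-chart over hourly failed-login counts that flags both a single spike and a sustained upward drift. The sample data and function names are constructed for illustration, and counts are assumed to be roughly Poisson-distributed.

```python
import math

def c_chart_limits(baseline):
    """Shewhart c-chart: centre line and 3-sigma control limits for event counts."""
    c_bar = sum(baseline) / len(baseline)
    sigma = math.sqrt(c_bar)  # assumption: Poisson counts, so variance == mean
    return c_bar, max(0.0, c_bar - 3 * sigma), c_bar + 3 * sigma

def out_of_control(baseline, observed, run_length=8):
    """Return (index, count, reason) for every observed point that signals.

    Two classic control-chart rules are applied:
      1. a single point outside the 3-sigma limits (a burst of failures);
      2. run_length consecutive points above the centre line (a slow drift
         that never crosses the limit but is no longer the baseline process).
    """
    centre, lcl, ucl = c_chart_limits(baseline)
    signals, run = [], 0
    for i, count in enumerate(observed):
        if count > ucl or count < lcl:
            signals.append((i, count, "outside 3-sigma limits"))
        run = run + 1 if count > centre else 0
        if run == run_length:
            signals.append((i, count, f"{run_length} in a row above centre line"))
    return signals

# Constructed sample data: failed logins per hour on one authentication service.
BASELINE = [4, 6, 5, 3, 7, 5, 4, 6, 5, 5, 6, 4]      # known-good period, mean 5
OBSERVED = [5, 4, 6, 31, 5, 6, 7, 6, 8, 7, 6, 9, 7]  # period under review

if __name__ == "__main__":
    centre, lcl, ucl = c_chart_limits(BASELINE)
    print(f"centre={centre:.2f} lcl={lcl:.2f} ucl={ucl:.2f}")
    for index, count, reason in out_of_control(BASELINE, OBSERVED):
        print(f"hour {index}: {count} failed logins ({reason})")
```

The second rule is the one that mirrors the article's point about inspecting the process rather than each item: no single hour in the drift looks alarming on its own, but the process has visibly shifted away from its baseline.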
The demands on our networks are dynamic and hostile, but they should be fairly predictable. It is that predictability and consistency that is a key component in the security of our environments. As we continue to improve predictability and consistency, continue to make regular improvements to our security profile and continue to make changes based on security intelligence and analysis of data that is collected and correlated across a large set of sources, we are able to meticulously close vulnerabilities and proactively minimize the ability for future vulnerabilities to be exploited.
These security benefits are the direct result of security intelligence, analysis and response. This is exactly the process that helps bearing and engine manufacturers produce incredible metrics. History shows us that this has been successful in implementing other technologies that are always there, always transparent, always meeting our needs and always working for us.
If we can do it with technology from the 18th century, we can do it with technology from the 21st century without reinventing the wheel — or bearing, in this case.