Force Multiplying Security

Apr 2024

I started thinking about this idea in 2010. At that time, most people weren't focused on security, but after years of red teaming (since the late 1990s), it made sense to approach security this way.

In 2012 I wrote the draft of a post entitled “Deploying Security The Special Operations Way”. The post never saw the light of the day because, at the time, the concept was rather hard to implement. However, I encoded some of the concepts in the Security Operating Model, The Recipes Of Security, The Art Of Adversarial Simulation, and The Principles Of Security.

It makes sense to write about this now. Security is pervasive in everything we do, and, well, things need to be simplified; we are drowning in complexity.

So, I took some original content from "Deploying..." and updated it to make it more relevant to today's world. The result is a rough, evolving post that I’ll clean up as I refine my ideas. This isn’t a step-by-step guide—it’s more of a "how to start thinking about the problem" resource. To make it work for you, you’ll need common sense and a good understanding of your own environment.

This is a work in progress and will continue to be...

Intro

Modern security is often complex and seen as a blocker, especially in big companies. Security professionals need to look at a myriad of different technologies brought by developers seeking the cutting edge of current offerings, or by older processes left behind by past products. At best the different approaches to technology work together, but a lot of times they do not. Add to this the complex environment that needs to be defended, assessed, threat modeled, and defended again, and it’s easy to see how big companies - and some smaller ones as well - would try to grow their security organizations. More people, more vendors, more “managed”, more...

In general, most people don’t want to think about security, they just want it to happen, adding to the difficulty of security teams trying to make people abide by policies and standards.

What can we do, then, to help move security to a better place?

We must remove complexity out of security by providing simpler processes and an automated choice that best serves the person using it. The effort we must focus on needs to solve the following:

Our intent should be to simplify the security processes, automate them when possible, and add them as capabilities in other teams’ processes. Remove their need to have to make decisions, or have to think about whether something is secure or not.

Simplify and automate.

We need to force multiply: we need to make security improve other teams’ work and enhance their probability of success.

First Things First

We need to understand first what good looks like in the place we are working on. We need to think of the basics first, the minimum viable security standard we need to achieve in order to build from there.

First of all we need to build a baseline.

This baseline can be a collection of simple but easy to follow policies that dictate the basic do’s and don’ts, it could be a set of guidelines that give people in the company a good common sense direction (e.g. always use your password manager to store your passwords and generate single use passwords), or it could be a prebuilt collection of vendors that the company can choose from which will provide a more secure experience from the very beginning.

Whatever the initial point is, it should be easier to implement and should remove a lot of the classic security problems already.

Rules

In general, security serves a purpose. We are not a silo and we don’t develop in a vacuum. We are service providers with the ultimate goal of enabling the business by helping to understand risk. Anything we do must serve that purpose, and if it doesn’t, then we shouldn’t spend the effort on it.

Listed below are a few rules that would help you understand whether a security solution is worth pursuing and simplifying.

A security solution or policy should:

  1. Mitigate or reduce a specific risk
  2. Push secure-by-default configurations forward
  3. Enable the security team to get more situational awareness
  4. Improve a process’ chance of success

Keep in mind these rules as you begin to work in building the baseline, assessing the current security processes and vendors, and working on simplifying security.

The Focus

There are two main areas of effort: the culture of a company and the guardrails we, as security professionals, can provide to make our processes simpler and more efficient, and easier for people to adopt and follow.

What I’ve seen in the past 25+ years leads me to believe that, unless a company was planned from the ground up to be a single unit, with a single tech stack and approach to technology, chances are things are chaotic, with different and segregated systems not talking to each other, acquisitions that were never integrated properly brining more ways of doing things, and a general culture that is adverse to doing things in any new way.

For security and compliance to be simplified, we need to start first with the culture, where we can work towards having one unified approach to security, IT, networking, development, and other technical efforts. A culture where simpler policies and standards can be applied and enforced, and when needed updated to keep with the change pace.

Next we need to focus on creating a culture of security. One that thinks about applying the basic principles of security to everything they do. And for this we need to simplify what we do and create guardrails to help steer people and their processes. Guardrails provide the gentle push of security towards the baseline we want to enforce, where it can be “deployed” and by doing so, create a secure-by-default starting point, with the ability for security to gain more situational awareness.

Teams and businesses get better products and we get the ability to detect bad things.

Go one step further and identify the processes that can be automated, enabling more to be done faster, and those guardrails now get a boost of energy.

A collection of guardrails and automation leads to a paved road approach. This approach ensures that whatever the teams chose to do is the most secure. It provides them with autonomy and removes possible bottlenecks created by security.

Notes:

Guardrails are security tools in the pipeline that help ensure the software doesn’t drift too far from established standards. These guardrails allow developers to maintain their creativity and flexibility while building features that ultimately go to the customer. Guardrails do not dictate precisely how something is done but instead provide a container around the solution and ensure that the finished feature doesn’t stray into the land of insecurity.
Paved roads are platforms that developers can build on top of without having to worry about aspects like identity and access management.

Source

Paved roads and guardrails help make their products better.

General Thought Process

When you begin working on simplifying security, focus on understanding the priorities a business has, and its biggest risks. Work backward from the core risks and select the efforts that best help lower that risk, focusing next on simplifying it for the teams. In short: understand the risks, assign criticality, and begin to work from there.

Always think about how to make security simpler, lighter, and faster for the teams. You want to get to the point where you can create guardrails and automations, so you can give the tools for people to implement security themselves, freeing you to go tackle the bigger issues.

The Process

First, identify the processes that the security team already have and ask:

As you do this, make sure you add a way to monitor any automation you create to make sure it works. A key aspect of this activity should be the ability for us to understand when something is not working and change it.

Then, focus the effort in the following actions:

Remember: Always revisit your processes and check whether they can be made simpler. It’s incremental improvements towards the simpler and more efficient way of doing things that will make this happen, with each iteration better and more useful than the previous one. Just start and deliver one feature, then the next one, and then the next one...

Start small, then iterate as needed. Work from the outside in. From the 10,000 ft how-to-solve-the-issue to the actual one inch altitude with the detailed list of things to do.

Important: limit optionality. Enforce critical security controls.

When you give too many options to people, those people might have a hard time choosing, leading to poorer solutions and higher risk. Focus on creating shared accountability and governing mechanisms to enable the autonomy we need for a paved road.

Remember: If something isn’t actually optional, giving an option is confusing.

Treat each security solution as a product: create it, document it, take it to market. Then iterate. Remove the unnecessary and leave the features that work.

The intended outcome should be:

The Work

Start where you are, and look at what you have.

Shrink the tech. Limit new investment in niche, shiny, and new solutions that only address single security and risk use cases. Focus on unifying the solutions.

Questions to ask first:

Then:

Remember: people, clear processes and simple solutions that just work are key for reducing and managing security risks.

Ask:

Recommended Initial Baseline

Closing

Security begins with people. We need to enable people to do security. Each and every person at the organization and team levels need to be ready, trained, and understand the issues we face.

Security is a force multiplier, and as such there is a real need to focus on having the right people, the right processes, and the right tools. A small team of highly capable security professionals can achieve a lot. By “exporting” security to others, the nimbler security teams can go focus on the bigger issues. Automation and guardrails are the answer here.

Priorities are needed, along with clear communication and simple standard operating procedures that both security and non-security people can understand.

Create that paved road and set security free.