Security in Knowing: An Interview With Nathaniel Gleicher, Part 2

Published: 22/11/2024   Category: security




Ignorance is indeed bliss – for those who would attack our organizations' IT systems. This is part 2 of a conversation with Nathaniel Gleicher, head of cybersecurity strategy for Illumio.



Yesterday, we ran the first part of an interview with Nathaniel Gleicher, former Director of Cybersecurity Policy for the Obama White House and ex-senior counsel for the US Department of Justice's computer crimes division, now head of cybersecurity strategy for Illumio. Today, it's the rest of the interview, where we went into detail on what it takes to turn knowledge into security.
In yesterday's interview, Gleicher had just described the Secret Service model of security: a pyramid with four words, understand, control, detect, respond, written on its slices from bottom to top, representing both the sequence and the amount of effort and planning that goes into each one.
As before, what follows is an edited version of our conversation.
Curt Franklin: It sounds like [the Secret Service model] presents a sort of road map toward security that companies and organizations can follow.
Nathaniel Gleicher: When I think about this I tend to call it the inverted pyramid. If you go next to it on that sheet of paper and you draw an upside-down pyramid and you put four horizontal slices on it and write those same words in the same order again: respond at the top, detect below it, control below that and understand below that. When you look at the focus of the cybersecurity community and a lot of security teams, the way we invest looks a lot more like this.
We have a huge emphasis on detection and response. There's a huge focus on behavioral analytics, on anomaly detection, on how do we find the bad guys once they're inside, catch them and stop them. We invest far less in controlling the environment and we invest very little in understanding. If you look at the lesson from physical security, if you don't have a strong base, if you don't have understanding and control, your detection and response effectiveness is just capped in a very limited way.
A lot of it from my perspective comes back to this inverted pyramid. We don't understand our environments and we don't have control over them. And ironically if an intruder is inside our empire we should have an advantage -- they're inside our house. We built the house, we know what was there. In theory we have a huge advantage, but we don't today. And so when I think about security it's not about artificially forcing our environments back to a simpler way of life, it's about building tools that will enable our organizations to actually understand the environments that exist today and to exert control over them. That is what enables us to actually be effective in response.
CF: I would love to hear some more thoughts on that because it seems to me this is a key piece of the entire puzzle. A lot of organizations will give lip service to understanding things; it's doing things with that understanding that so many organizations fall down on.
NG: I completely agree. And so there are two pieces to it. One is technical and one I would actually argue is organizational.
Everyone talks about how security is a technology problem and in some ways it is. But actually I think a lot of it is organizational. So you're talking about not just understanding an environment -- although to be honest that's hard enough -- but also being able to take action based on [that understanding].
Rob Joyce is the former head of NSA's Tailored Access Operations unit (TAO). He's one of the best hackers in the world. He gave a talk at Enigma about a year and a half ago now. The basic premise of his talk was, "Hi, I'm from the NSA, we're really good at breaking into your system. Here's what you would need to do to make our life hard." And it's a fascinating perspective.
He says two things. The first thing he says is, intruders win because we know your network better than you do. This is the understanding. You know how the network was supposed to work when you set it up; we know how it actually works today. But then he goes on and he lays out five things you could do to make life hard for the NSA and for other sophisticated attackers.
I love that these are not rocket science. He talked about encrypted communications, using strong passwords, limiting user access, patching vulnerabilities and segmenting your environment. These are all things that we've known about for years, that everyone agrees are the best practices, but that when you get inside a lot of environments they're still not done.
It drives home this message that security is actually not impossible. So it's really an organizational challenge. How do you make the organization work?
CF: One of the things that you talked about was limiting user access, and I think that we can agree that in most cases that means making sure that users have access to everything they legitimately need but only what they legitimately need. There is so much emphasis on the application design side today on improving the user experience and minimizing transactional friction. So is there a necessary tension between the security side and the user experience side?
NG: Security is essentially the practice of trying to impose differentiated friction. That is, you want to impose as much friction as possible on illegitimate actors and as little pressure as possible on legitimate actors. And one reason why I think we actually do a really bad job right now is because we don't understand our environments.
If you knew and understood what an individual needed to do in order to get their work done, you could impose limits that wouldn't actually limit the user but would constrain an intruder trying to manipulate those credentials. The problem is we generally don't know what those needs and dependencies are.
The needs of a user, like the needs of a system, aren't static. They change constantly and they're not something that you can expect humans to track manually and keep up to date with static rules. It just doesn't work.
Part of the problem is in a lot of our environments we're writing security rules at a very low level. Today, we don't write most software in assembler, we write it in higher-level languages and we have machines that do the translation. We need more things like that in security, where we can express security policy at a high level and then have an intelligent system that does the translation, so that we can make high-level decisions and then make sure that they are carried out in the right way.
I've found that the average organization utilizes about 3% of the open connections that they enable within their data center; actually in many cases it's much smaller than 3%. So there's this huge scope of open, frictionless communication that a legitimate organization isn't using that you can close. This would radically constrain an intruder but would do very little to constrain the legitimate business.
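The two ideas Gleicher closes on, writing policy at the level of workload roles and letting a machine translate it into concrete rules, and then measuring how few of the allowed paths are actually used so the rest can be closed, can be shown together in a small script. What follows is an added example written for this page; it is not code from Illumio or from the interview. The roles, IP addresses, ports and flow-log lines are all constructed sample data, and the log format (timestamp, source, destination, destination port, action) is an assumption, not any particular product's format.

```python
# Added example, not from the interview or from Illumio: compile role-level
# segmentation policy into host-level allow rules, then audit observed flows
# against those rules to find allowed-but-unused paths (candidates to close)
# and observed-but-unpolicied paths (undocumented dependencies or intruders).
from collections import Counter, defaultdict

# High-level intent: (source role, destination role, destination TCP port).
ROLE_POLICY = [
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("app", "cache", 6379),
]

# Workload inventory, IP -> role. Constructed sample data.
INVENTORY = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.10": "app", "10.0.2.11": "app",
    "10.0.3.10": "db",
    "10.0.4.10": "cache",
}

# Constructed flow log from the current (broadly open) environment.
# Format assumed here: timestamp src dst dport action
FLOW_LOG = """\
2024-11-22T10:00:01Z 10.0.1.10 10.0.2.10 8080 ACCEPT
2024-11-22T10:00:02Z 10.0.1.11 10.0.2.10 8080 ACCEPT
2024-11-22T10:00:03Z 10.0.2.10 10.0.3.10 5432 ACCEPT
2024-11-22T10:00:04Z 10.0.2.10 10.0.3.10 5432 ACCEPT
2024-11-22T10:00:05Z 10.0.1.10 10.0.3.10 5432 ACCEPT
2024-11-22T10:00:06Z 10.0.2.11 10.0.4.10 6379 ACCEPT
"""


def compile_policy(role_policy, inventory):
    """Translate role-level rules into concrete (src_ip, dst_ip, port) allows.

    This is the 'compiler' step: humans write intent per role, the machine
    expands it against the current inventory, so adding a host to a role
    never requires editing low-level rules by hand.
    """
    by_role = defaultdict(list)
    for ip, role in inventory.items():
        by_role[role].append(ip)
    rules = set()
    for src_role, dst_role, port in role_policy:
        for src in by_role[src_role]:
            for dst in by_role[dst_role]:
                rules.add((src, dst, port))
    return rules


def parse_flows(log_text):
    """Parse the constructed flow-log format into (src, dst, port, action)."""
    flows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, action = line.split()
        flows.append((src, dst, int(port), action))
    return flows


def audit(rules, flows):
    """Return (hit counts per used rule, unused rules, flows no rule covers).

    Unused rules are the 'open, frictionless communication' nobody uses and
    that can be closed. Uncovered flows are either an undocumented dependency
    the policy author missed or an intruder moving laterally; both need a
    human decision before enforcement.
    """
    hits = Counter()
    uncovered = []
    for src, dst, port, _action in flows:
        key = (src, dst, port)
        if key in rules:
            hits[key] += 1
        else:
            uncovered.append(key)
    unused = rules - set(hits)
    return hits, unused, uncovered


def utilization(rules, flows):
    """Fraction of compiled allow rules that observed traffic actually used."""
    hits, _unused, _uncovered = audit(rules, flows)
    return len(hits) / len(rules) if rules else 0.0


if __name__ == "__main__":
    rules = compile_policy(ROLE_POLICY, INVENTORY)
    flows = parse_flows(FLOW_LOG)
    hits, unused, uncovered = audit(rules, flows)
    print(f"compiled rules: {len(rules)}, used: {len(hits)}, "
          f"utilization: {utilization(rules, flows):.0%}")
    for rule in sorted(unused):
        print("close (allowed, never used):", rule)
    for flow in uncovered:
        print("investigate (seen, not in policy):", flow)
```

On the sample data the compiler expands three role rules into eight host-level allows, the flow log exercises four of them, and one observed flow (a web host connecting straight to the database on 5432) matches no rule at all. That last line is the case the interview warns about: before tightening, the tool has to surface it so someone can decide whether it is a missing dependency to add to the policy or lateral movement to stop.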
Related posts:
Security in Knowing: An Interview With Nathaniel Gleicher, Part 1
Cybersecurity: More a People Than a Tech Challenge?
The Stress of Being CISO
— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.
