Cybersecurity is not a fair fight.
While hackers rake in billions from ransomware attacks and cyber espionage, security is little more than a cost center for most businesses. Security teams will never have the resources to match their adversaries on every front. That’s the world we live in.
Because of this, running a security program is a lot like being a defensive coordinator – except you’ve got fewer players and your opponent is the only one who can score. This wasn’t always the case, defenders used to have the advantage – holding near absolute control over the playing field. In a perimeter-less world where developers today can spin up an instance in seconds, that’s no longer the case and security teams need to adjust their strategy rapidly if they want to stand a chance.
Let’s talk strategy – specifically man-to-man defense vs. zone defense. Man-to-man operates by assigning each defender one opponent they must shadow and eliminate from the offense’s options. This requires each defender to be quick, agile, and smart enough to anticipate any improvisation.
Meanwhile, a zone defense is about covering areas of play, rather than specific players – allowing small gains while prioritizing downfield protection.
Given the world we live in – which do you think makes better sense in cyber? The answer is obvious: zone.
Playing Man to Man is A Losing Strategy
As an IT professional, whether you know it or not, you have probably been running man-to-man for a long time. Drafted when networking meant running LAN cables across an office and inventorying assets could be done by walking through a data center, the foundational rules that underlie many of decisions we make on how to run a security program are no longer realistic.
CIS1 & CIS2 are clear in what’s expected – know everything and control everything. But is that really possible in a world where the CIO controls less than 40% of IT and engineers and employees are empowered to spin up assets on-demand? No. If you play man when you are outnumbered, you will let countless offenders run right by you.
Need proof? It’s estimated that companies today only scan a small percentage of their external-facing assets for vulnerabilities regularly, despite these assets being the front line of today’s cyberwar. Why? Legacy VM companies set up back in the days of on-prem infrastructure and desktop computers charge per IP (man to man?) and the reality is IP based tracking of external assets and the economics behind it no longer works.
Zero-Trust, SASE, and SDP architectures are all responses to a growing recognition that man-to-man defenses don’t work. 1. There will always be unknowns you can’t predict, and 2. controlling even every known issue is no longer possible. It’s time security teams apply the same thinking to their asset, vulnerability, and threat detection programs. You have to be able to respond when unexpected events occur.
The Only Way to Win Is By Playing Zone Defense
Man-to-man defenses in cyber fail for two reasons – they assume you can know every asset to defend and that you will have sufficient resources to cover every asset from every threat.
If either of those two assumptions fails, the result is entirely undefended blindspots that introduce massive risk to a business. With vast majority of cost tied to a few breaches which make up only a small percentage of attacks – rather than stopping every attack, preventing a minor issue from exploding into a massive breach should be a security team’s primary concern.
A zone defense is designed to do just this – minimize your risk of giving up the big play. They provide the enemy room to maneuver early but offer the defense greater agility and flexibility downfield, reducing the risk of a break-out play. They are focused on protecting the area of attack. Each defender gets assigned a zone, and they defend that zone against anyone whose route takes them through it.
A zone defense is considered the most conservative play to call, precisely how you should run your security program. Given that 90% of “high risk” findings in cyber are estimated to, in fact, not be high-risk, security teams have some room to give.
For overworked, underfunded, and outmatched security teams, zone is the only way to go. Get in the zone and stop worrying about giving up a yard and focus instead on preventing the big plays — those are the only ones the C-Suites upstairs are worried about.
The Best Defense is a Good Offense
Playing zone means keeping the offense in front of you. Even if your opponent manages to penetrate your first couple layers of defenses, you can regroup and trust the process. A zone defense will make you more resilient.
In an age of accelerating cyber attacks, individual security programs will always lack the comprehensive ability to protect from incoming threats. What this means for us — we need to expand our definition of winning by letting go of the idea that perimeters must be impenetrable and focusing instead on the idea of stopping the big plays.
In this four-part series, you’ll learn how to stop playing man to man and start running a zone defense. We’ll walk you through what you’ll need to be successful and how you can track your progress as you go to start racking up a winning record. You’re going to learn how to anticipate your opponent’s moves, see your defenses from an attacker’s perspective and practice how to fight. That way, when you do find yourself out there under the Friday Night Lights, outwitting and outplaying your opponent will be second nature to you.
So strap into your pads and paint on your eye black, IT pros. You are no longer the security team; you are the defense. You cannot win with brute strength, but you can win with a strong game plan, proper practice, and effective leadership. Game on!