Perfect Security is Like Achieving Lightspeed
In my previous post, I discussed one of my favorite topics: The Heisenberg Principle of Security vs. Privacy. There is another law of physics I typically use that has an analogue in security: lightspeed. The closer you get to lightspeed, the more energy you need to go faster, and no object with mass can actually achieve lightspeed. Similarly, spending money on security improves your security. But as you get more secure, you will be spending increasingly more money for decreasing amounts of additional security. The equivalent of mass here is the information, by the way. Perfect security cannot be achieved unless you have no information to protect.
To understand why there are diminishing returns in security spending, consider the various side-channel attacks that have recently been in the news, such as Spectre, Meltdown, and RowHammer. Most of these attacks rely on extensive repetitive actions to slowly leak information. RowHammer is a great example—by repeatedly hitting rows in memory, you might be able to flip a bit in an adjacent row. The numbers on this are staggering: 140,000 row activations give the attacker a 1 in 1,700 chance of flipping a bit in an adjacent row on DDR3 memory. Yes, it can be done—but how much money and effort should we expend to protect ourselves from that remote possibility?
What are the chances this bitflip is going to be “productive” from a security perspective? After all, one needs access to a memory row adjacent to a row of security interest, likely something in huge swaths of kernel memory. Similarly, the Meltdown/Spectre class of vulnerabilities takes a tremendous effort to usefully leak memory. Examples show leaks of 1 KB per second are theoretically possible, but computers have quite a bit of memory, and mitigating the vulnerability means a 30% performance hit on some servers. Put in other terms, where you previously spent $10,000 on data center costs, you will now need to spend $13,000. How much security is “enough”?
Maximize your security spending
The trick of security spending, naturally, is to get maximum value, meaning the most security for the dollars spent. Moreover, since security depends on the value of the data (i.e., what you are trying to protect), this is never one-size-fits-all. Common practices are certainly to be followed: access control, separation of privileges, encryption of data at rest. But even in these, there are implementation decisions that are very organization-specific. To get started, I’m sharing three guiding thoughts:
- Defend in depth: firewalls and network access control are so affordable you can slice and dice access to the most minimal set needed. And please remember to do egress filtering on subnet, DNS, NTP, etc.
- Make better use of your topology. It is a natural defense. By “topology,” I mean your understanding of your attack surface. Complex public-facing services are natural entry points for bad guys, so spend time and money defending those. However, seal off remote corners of your network from unneeded access (in and out). This does not need to cost a lot.
- Seek shared tooling: NOC and NSOC typically both look at the same data feeds, but do different things with the data. Seek tooling that can be shared by both teams, because it saves money in terms of procurement and lifecycle management and, what is often overlooked, saves time lost in communication breakdowns between teams.
Ultimately, the “best security for the money” comes down to deciding what you need to protect, and identifying the lowest hanging fruit. Pluck those first and move up the tree from there. You don’t need to go the speed of light; you just have to move faster than the bad guys.