Organisations are struggling to deal with cyber security threats, and there is plenty they could learn from the Roman Empire's approach to security.
The Roman Empire had a fearsome military reputation. Founded more than 2,000 years ago, long before the first modern computers, its military campaigns nevertheless had attributes with striking relevance to today’s cyber security challenges.
Organisations are struggling to deal effectively with cyber security threats, and high profile breaches threaten to bring even the titans of business to the brink of catastrophe. Yet the Romans had an approach that companies would do well to emulate.
Approaches to security presently fall into two camps, Compliance Based and Threat Based. Or, as the Romans presented it, Hadrian’s Wall and Deva Victrix.
Hadrian’s Wall, one of the great monuments to the ancient Roman Empire, was built to separate the Romans from their enemies – the barbarians. Built from sea to sea, it represented the line between trusted and untrusted territories, an attempt at a complete security solution to repel the enemy.
Figure 1 Hadrian’s Wall (Reconstruction)
The parallels with modern security programmes are evident, both in the traditional ‘perimeter defence’ model and most importantly with the compliance based approach to security. Whether compliance to external standards (such as PCI DSS, ISO 27001, and NESA) or internal baselines set by the organisation, security is often handled by the IT department in an ongoing (often insurmountable) effort to have every system meet these minimum requirements.
There are some major problems with this approach:
Further drawing parallels, the defence doesn’t account for how easy it is for foes to bribe or trick the guards into letting them in. Now think of the staff in your organisation, the gatekeepers of your critical assets, and imagine those guards were civilians – untrained in detecting friend from foe…
Fortunately the Romans weren’t so foolish as to rely on the wall as their only means of defending the realm, and neither are the most sophisticated organisations, as their security programmes show.
The Romans deployed resources into Castra – military camps or towns. The castra (such as Deva Victrix) provided a different form of defence, shaped around the territory under their influence.
Figure 2 Deva Victrix (Chester)
The castra had many functions, including operational as well as defensive, and were vital to a successful military campaign. Looking at the castra we can see a few key elements of an effective defence:
The threat based approach to security looks at an organisation’s most critical functions and, significantly, at the collection of threats unique to that business. This part is key as it requires the input of senior management, who are better equipped to evaluate business risk than technology risk. An alternative way of thinking about this approach is to look at your business and ask: ‘what goals would an attacker seek to achieve?’
Supplementing knowledge of business risk with threat intelligence and exercises to truly think like an attacker can shed light on how, why and when the business could be breached. Only with this understanding can appropriate defences be put in place. As the military expert Vegetius writes “A general is not easily overcome who can form a true judgement of his own and the enemy’s forces”.
As we’ve seen, a compliance (or Hadrian’s Wall) based approach to security cannot, on its own, protect against targeted attackers. Technical controls alone cannot withstand a targeted attack from a motivated individual or group, because they can always be circumvented at their weakest point. Moreover, the approach is not cost effective: it leads to an ever increasing black hole of security spend that never quite achieves the baseline set.
There are many assets that simply do not require this level of protection or compliance, but are included due to a catch-all policy or a failure to descope the environment. This leads to wasted spend. Conversely, with a limited budget and no business context, the most critical business functions cannot be protected at a purely technical level. Because the baseline cannot adequately address business risk, those functions are left over-exposed and their risk unmanaged.
A purely threat based approach cannot defend every asset appropriately either. The level of depth needed to fully understand the threat to every single asset is immense and a programme that requires customised defences for every asset is simply unmanageable.
A blended security approach is needed, combining the two approaches for a truly effective defence against cyber attacks:
Reallocating resources by reducing the focus on technical defences and total security compliance allows organisations to be more appropriately protected from the threats they currently face.
The baseline controls should be reduced, but remain sufficient to ensure that there is no exposure from commonly exploited issues, and IT operational security spend should be directed at ensuring that an attacker cannot simply walk through the front door. Compliance with the baseline is also far more achievable, and an estate that protects everything to a basic level will be less vulnerable than one that protects only a proportion of its systems to a higher degree.
Alongside this programme is a focussed effort on the critical operations of the business. These most critical functions are targeted by motivated attackers who are not merely running automated tools, and therefore require a human defence against human attackers. By mapping the paths an attacker would take to reach those functions, the organisation can focus resources on preventing, detecting and responding to those headline-grabbing incidents.
Just as the Romans would surely have failed if Hadrian’s Wall had been the only thing protecting the borders of Britain, so too will organisations fail if a threat based approach is not run alongside more traditional security measures.
We have seen two approaches to security, Compliance Based and Threat Based (or Hadrian’s Wall and the Castra); Figure 5 provides a useful comparison of the two. Neither is the ‘right’ approach on its own – if the goal of a security programme is to prevent loss to the company from cyber attack, then only a blended approach to security will be effective.
This blended approach allows a secure baseline to be achieved, preventing more common or opportunistic attacks, whilst focusing resources on protecting the most critical parts of the business. The success of this approach naturally requires a blended effort from the business also, including IT teams alongside input from senior management.
The rewards of such an approach to security then naturally fall into both camps. More appropriate spending of the security budget allows the security team to be more effective, and focussing on the critical parts of the business reduces the chance of the company becoming the next Sony, eBay, Target, or JP Morgan.
If I can leave you with one final thought from our scholar Vegetius, it is “Si vis pacem, para bellum”. If you want peace, prepare for war.