Lessons from the Masters: Playing through with your security plan

Dan Schulte, Security Strategist, Hewlett Packard Enterprise

The first major golf tournament of the year is in the books. My favorite tournament didn't disappoint, but it was definitely heart wrenching. Watching the Masters unfold was simply shocking, and you couldn't help but feel for Jordan Spieth. Making the turn, it looked like he had the tournament in hand. A five-stroke lead and only nine holes to play. It seemed more like a coronation than a competition. Then, Jordan bogeyed two in a row, the lead was down to one, and he was heading into Amen Corner.

Hole 12 strategy: Have a plan or fail

Every professional golfer needs a plan entering Amen Corner. Hole 12 is widely considered the toughest par three in golf, and without a plan you will likely fail. It is no different for incident responders and security practitioners: you must have a strategy, or you will likely fail.

After hitting his first ball into the water on 12, Jordan abandoned his plan. He dropped 80 yards from the hole instead of at the designated drop zone and promptly hit another ball into the water. Still reeling, Jordan then took a ball from his caddy and skipped it flatly over the green into a bunker. When all was said and done, his one-shot lead had become a three-shot deficit, and he had quadruple-bogeyed the hole. The Masters was lost.

Keep sporting the green jacket

So let's look at this in terms of incident response (IR). When going into a known incident, you had better have a prepared, practiced, and ready-to-execute plan. Abandoning your plan in the middle of the event is the equivalent of not hitting from the drop zone at the Masters. When dealing with advanced attackers, you must already know where they are, where they have been, and how you are going to manage the situation. Simply swinging a club at them over and over, as Jordan did with ball after ball, is the equivalent of playing whack-a-mole.

To eradicate an embedded attacker, you will need to execute a plan to fix infected systems, change passwords, segment systems, and potentially remove Internet access, all within a short window of time. What an IR team cannot do is get into the middle of the event and decide to take shortcuts, become frustrated, or abandon the plan completely. If you do any of those things, you will likely be handing over your data, just as Jordan handed over the green jacket.

Focus needed to finish strong

The same could be said for your security strategy. This should be an overarching plan to protect data, assets, and corporate reputation. Again, you cannot attack this blindly and expect to come out unscathed. You must have a plan to protect corporate applications and data, as well as prevent spending on unnecessary processes or technologies.

There is a lot of concern today about network encryption and the visibility security teams lose because of it. There are two things a security organization can do to make that lack of visibility irrelevant: protect at the application itself and use data protection. This lets you focus on what is critical to the organization instead of on attacks and signatures traversing the wire. Once you have defined your strategy, you need to work it through.

There will be hardships throughout the plan, but don't abandon it. You'll risk losing your Masters.
