Beyond “Security Architecture” – It is all about Business Resiliency

John Chambers - RSA 2023
(Last Updated On: May 16, 2023)

“Security Architecture” is the theme Mathew J. Schwartz (ISMG) pulled out of his interview with John Chambers, founder, and CEO of JC2 Ventures. It is ironic that on a “life-impacting day,” in pop an interview from one of my mentors, John Chambers.

If you are reading this, stop and listen to the interview. Once you’ve listened, Then come back and read this post.

Matt did a great job getting John Chambers to pull out things I would hear in confidential conference rooms inside Cisco. “Johnism” insights were things that the veterans learned to listen to, rethink our assumptions, and take action. Listening to this interview takes me back to listening to John in a Cisco conference room pronouncing strategic directions that seemed crazy. “In the future, voice will be free,” “We are going to become an optical company,” and many of his public quotes reflected actions inside Cisco. Today, it is worth paying attention when John shares his “Navigating Through Cybersecurity Volatility” thoughts. John pointed out several core ‘inflection points’ that people should reflect on. The key one for me is one I’ve evolved my security thinking – the drastic change from “security products” and “security solutions” to a new model of resilient security architectures.

“There are two types of companies: those who have been hacked and those who don’t yet know they have been hacked.” Thinking about this. It means that no matter what you do, you must expect the miscreants to be inside your network or know how to attack it at its weakest. This situation pushes the industry to a major inflection point.

Innovative organizations will change their security planning to a weave of elements that best suit their business. The security weave will mix security capabilities from multiple vendors into a “Security Architecture.” That security architecture must match the business continuity plans and apply resiliency to the security architecture. They will also expect the miscreants to be inside their operations. The “layered defense” model is thrown out for a “dipping dots” internal security architecture that extends out into the world. This would be a rethinking of micro-segmentation, zero trust, and other security widgets, cogs, and sprockets.

In this interview, security as an architecture John Chambers highlights matches my evolution as a practitioner. But I would take it further to put business continuity to the forefront. Our next step is security/resiliency architectures deployed in organizations whose flavors match the business continuity requirements of organizations. All interconnected businesses live in a cybersecurity storm. Hence, we need architectures to support business continuity.

The resiliency part is critical. As John mentioned, there are two types of companies today: ” Those who have been hacked, and those who don’t yet know they have been hacked.” Both of those conditions lead to a mode of action. Action is NOT equal to buying more products. Action is how to set up a resiliency architecture centered around security … security is all about an agile business that can react to attacks.

This is why Security/Resiliency Architecture is (IMHO) a better illustration of the rethinking we must embrace. John’s point about products is not the path forward and needs more help to illustrate why this is the path forward.

My mantra for all security companies is that you are just a widget, a cog, or an element in your customer’s security/resiliency solutions. Each organization needs security/resiliency architects who pick multiple widgets, cogs, and sprockets to build a solution that matches their business integrity objectives. You can have two banks with totally different security/resiliency architectures. Each bank would have multiple security/resiliency architectures covering the organization’s needs. Too many “security companies,” think that they are selling their product when the reality is the security/resiliency architects in those banks and looking for how that security companies’ s cog would fit with all the other cogs and work as a fast, reliable, & resilient security architecture.

Multiple Security/Resiliency Architectures

As John said in the Interview, security based on boxes, products, and solutions is not what we needed today. If you only think about security, you get trapped in the “product security” in passive defenses and layers of security. You are led back on the path of “many boxes,” hoping the layers will work. Adding resiliency into the mix changes the orientation. Security/Resiliency Architectures center on actions that keep the business up and running through all stages of a security event. The architecture’s purpose is to keep the business “security resilient.” That only comes from an architecture that empowers the humans leveraging the architecture to take appropriate action.

Let us walk through some (but now all) illustrations of how I approach my security/resiliency architectures for organizations.

  • The Architecture delivers actionable reporting for daily security hygiene. Neglecting “Preventative Maintenance Inspection (PMI).” PMI discipline is one of the first thing auditors in the US Armed Forces check. Neglects PMI and jets crash, systems break, people die, and the mission is in jeopardy.  A security resiliency architecture would be able to look at all the security widgets in the solution and report “what needs to happen today.” This is NOT looking at logs, alarms, and complaining about false positives. This is about “let us inspect this today and ensure it is in tune.
  • The Security/Resiliency Architecture provides Elevated Alert Checklists to guide teams to “get ready.’ These elevated Albert checklists are pulled from the US Military. In a modern security & resiliency architecture, the system would pull in all the “widgets” and help provide a map for what actions you take when you get alerted to an elevated risk. What do you do if there is a DDoS attack threat? Do you have an elevated checklist to put architecture into a higher state of sensitivity? Do you have a playbook? Take Ransomware, BEC, and the range of other vectors. Does the architecture do the same? If an industry peer is hit and you have gone from “higher alert” to “we might get hit next,” what would you do to be on standby for the attack?
  • React with decisive speed. Architecture that facilitates nimble reactions maintains business resiliency as the security actions are activated. Many SOC/NOC has a security & resilience architecture built on the people in the room. Each person uses products and tools in front of them with a team who is the “response architecture.” In the future, a new security/resiliency architecture would focus on pulling together all the cogs, widgets, and sprockets in the SOC/NOC, clearing the path for the people to analyze and take action quicker. Ask yourself, does the security/resiliency architecture support aggressive action that focuses on business continuity while collecting data to take retribution on the attacker? (I did say retribution, but that is for another blog to explain.)
  • What else happened? One visible attack can easily be a demonstration attack. A “demonstration” is an attack or show of force on a front where a decision is not sought or made to deceive the enemy. Think of a BEC attack as a technique to plant APT. Think of a DDoS attack as a tool to have everyone looking one way while the Ransomware is inserted through a supply chain back door. How do you “shields up” when the visible attack happens?
  • Hound Dog the attackers. Rember, the security/resiliency architecture would provide the data to allow a team of hunters to go after the miscreants. This could range from tandem work with law enforcement, working with peers to clean up their networks, to pulling to gather a cross-function/multinational private industry “security trust group” to “hound dog” the attacker. “Hound Dog” does not mean attribution and arrest. What it means is action. The noise of the hounds coming for you is a deterrence. Ideally, the tandem work with law enforcement adds retaliatory and legal consequences, but we live in a world where “International Justice is a lifetime away. Today, we built our security/resiliency architecture to hunt and hound dogs.
  • Scalable Industry Collaboration is essential to Business Integrity. The Security/Resiliency Architecture supports the organization’s ability to collaborate with its industry peers, public benefit security organizations, and other trusted organizations. Organizations might be in a position to work with Local Law Enforcement. Still, the reality is that the world’s international justice system is a century away from an effective system that imposes consequences on criminal actions launched from other countries. That means private industry collaborating with private industry peers is our best path. The collaboration part of a security/resiliency architecture would link data and expand the surface area of detection. For example, tools that link malware samples into Shadowserver’s Malware Repository and Google’s VirusTotals provide the organization’s malware detection surface. Another example is Cable Lab’s DDoS Information Sharing Service (DDIS). The Collaboration part would allow feed linkages into DDIS to provide a broad service area of who attacks whom. 
  • What was the real attack? Can you gain business confidence that nothing was left behind that could endanger the business in the future?  A Security/Resiliency architecture would enable teams to explore the organization after the attack event. The tools would enable teams to inspect everything to “perceive those things that cannot be seen.” Think of the movie when something happens. In the last scene, there is a close-up of a device that got in, was overlooked, and is waiting to be activated. Any one product cannot do this internal hunt. It requires an architecture pulling together many security widgets, cogs, & sprockets all working together. 
  • Finally, does the security/resiliency architecture allow for in-depth after-action reporting, actual root cause corrective action, and areas to be better prepared for the next one? Our Root Cause Analysis (RCA) was that this element failed. RCAs are a big part of our security problem. An effective security/resiliency architecture would focus on the action … the Root Cause Corrective Action (RCCA). It would allow a team to sit down for an after-action consultation, look at the 5 whys, and reach a point of corrective action to elevate the business risk protections.

Thank you, John Chamber, for accepting ISMG and sharing knowledge that was part of Security Architecture with Resiliency focused on business continuity will replace old “product,” layers of defense, and passive response models. The new Security/Resiliency architectures are more complicated but necessary in today’s hostile “always connected” world.


Are you looking for more practical, public-service Security Advice?

The materials and guides posted on www.senki.org here are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all Operators. It provides details to help them build more security-resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.