Maneuver Warfare and Infosec Products
The modern practice of network security is essentially an exercise in information warfare. The two competing parties, namely the network operators and the botnet managers, are continually evolving to combat the other's tactics, each driven by economic motives. The attackers are attempting to create a distributed services platform out of the defender's systems for delivering... rich media content in the form of image spam, phishing landing pages, and DDoS packets, while the defenders are trying to keep their employer's underlying infrastructure in one piece. This is a very old analogy, one exploited heavily by individuals looking to grab funding earmarked for national defense or attempting to scaremonger groups into the potential threat of an "Electronic Pearl Harbor". The use of these analogies by demagogues does not make them any less apropos; there are many interesting conclusions that can be drawn from the application of modern military theory to the information security space.
Let's consider the somewhat popular work of John Boyd and the tenants of maneuver warfare. Maneuver warfare emphasizes rapid movement, distributed decision making, and dynamism of tactical objectives rather than the costly brute strength of an attrition campaign. This method of warfare has likely been around since the dawn of interstate combat, with Hannibal's tactics at Cannae serving as a brilliant example. In a briefing entitled Patterns of Conflict, Boyd formalized these ideas into what is now referred to as the OODA Loop. This is an embarrassingly brief description, but Boyd viewed warfare as being a a continuous cycle of Observation, Orientation, Decision, and Action, and that those who succeed in warfare are those who can correctly execute the loop in the shortest period of time. Another way of viewing it is whoever can predict their opponents next move and act/react before the other party can assess their situation will win the conflict. This can only be achieved by employing a fast operational tempo, rapidly altering tactics, obscuring your decision state from the enemy, and reducing infrastructure-based friction, such as communication cost.
The most effective infosec schemes on the market today rely upon principles that can be viewed as derivative from these lessons. The effective DDoS and Anti-Virus systems available today and under development seem to work by employing:
- Large sensor networks to reduce observation time.
- Automated analysis schemes with either zero in-loop human interaction or a slice of massive amounts of distributed human interaction to minimize feedback time.
- Rapid decision deployment to clients.
- Massive monitoring to detect and correct poor decisions.
- A large variety of detection and response tactics.
- Ability to quickly roll out new tactics in light of effective evasion methods.
As the tempo of financially-driven security events, i.e. spyware and its ilk, increases, any security system that is solely dependent on human-scale timelines to make decisions will labeled ineffective. Solutions dependent upon individual decision makers will have to complement their scheme with rapid reaction schemes or face decreasing continually decreasing accuracy figures.