Often labeled as a “gun guy”, it was only a matter of time before a firearms analogy made it from pen to paper. So, what better material to draw from (the puns write themselves) than the famed Silver Bullet or the iconic Gatling Gun?! Using Wikipedia as our trusty reference, the silver bullet is described this way: “In folklore, a bullet cast from silver is often one of the few weapons that are effective against a werewolf or witch. The term is also a metaphor for a simple, seemingly magical, solution to a difficult problem.” We will borrow from the latter part and avoid the complications of debating the efficacy on werewolves and witches for now. I will excuse you if you thought we were going Lone Ranger and Tonto with the silver bullet reference.
As for the Gatling gun, the image that comes to mind is the scene in The Outlaw Josey Wales where the gun is used to great effect. Admittedly, any connection to an Eastwood western is the path of least resistance for how my brain is wired. Inside family joke – I refer to myself along with my brother and sister-in-law collectively (and proudly) as “The Outlaws”, so trust me when I say Clint’s classics run deep with me. Borrowing from Wikipedia once again, “The Gatling gun is a rapid-firing multiple-barrel firearm invented in 1861 by Richard Jordan Gatling. It is an early machine gun and a forerunner of the modern electric motor-driven rotary cannon.” The modern implementation is best represented by the flying tank also known as the U.S. Air Force A-10 Thunderbolt II “Warthog” equipped with the 30 mm GAU-8/A Avenger rotary cannon aka BRRRTTTTT (from the sound it makes when fired).
Personal note: As someone who grew up as an Air Force “brat”, I had an up close view of the sacrifices our military men and women (and their families) make to secure our freedoms. I have great respect for our armed forces and consider it a privilege to have planted my family’s roots alongside our military community at Robins Air Force Base. Another honor was to have my first paying (summer) job working for tips at my Dad’s squadron snack bar on Davis–Monthan AFB (He was in EC-130s at the time). It was there that I was able to watch the A-10s fly around the Tucson desert sky, hence my bias for these beasts of the air.
With our firearms references intact, let us consider how our analogy applies to Security. Many in business wrongly assume there is some solitary “seemingly magical” solution to information security…the silver bullet. The problem is the silver bullet in security is as imaginary as the ever-elusive werewolf. It simply does not exist! To start with, we cannot manage security in a vacuum. There are three business constraints that must be managed together – Confidentiality, Integrity, and Availability (aka the CIA model). I often tell clients that I can make their network 100% secure and of course they look at me with a healthy bit of skepticism – even they don’t REALLY believe in a silver bullet it seems. I simply say, “Let me unplug everything from the network and shut your computers down.” This is followed quickly by, “VERY SECURE, right?! But not very available.” And that is about as close as we can get to a true silver bullet. With that extreme shot down, what can be done? Now we can discuss degrees of security, risk tolerance, accessibility and, ultimately, cost.
Instead of thinking about security as a single magical thing, we need to embrace the idea that an effective security strategy incorporates a variety of tools and processes. We need a Gatling gun approach. The industry term for this is Defense in Depth. We must deploy multiple security mechanisms and controls that create a layered defense against the endless barrage of external threats. These layers may include firewalls, intrusion prevention, endpoint detection and response, network segmentation, least privilege access, encryption, strong passwords, patch management, data recovery, breach awareness, and end-user training. Unlike the silver bullet, if one system fails, another is in place to potentially stop the threat. Consider end-user training, an often-forgotten security measure – if a user is trained to properly identify phishing email attacks and avoids clicking on the malicious link, the endpoint security or firewall never has to defend against the threat. Even better, if there is anti-phishing security around the email service, the user never receives the email in the first place.
Is your organization overconfident in a single security product? Are the security best practices and product features like reading Greek? Not quite sure how to balance the C-I-A equation for your business? Partner with a technology vendor who understands the nuances of security and has the experience to build an effective defense-in-depth strategy right-sized for your business. So, do silver bullets stop werewolves? Maybe, maybe not. Give me a Gatling gun, or better yet, an A-10 with its rotary cannon any day. BRRRTTTTT!
–Charlie Waters, COO – Total Computer Solutions, Inc.