How Intel Uses "Wargames" To Beef Up Enterprise Security
Enterprise security today is equivalent to an arms race. There really is no such thing as winning, but rather it's a challenge of staying one step ahead of your opponent -- the attackers. As attackers evolve and become more sophisticated, large corporate enterprises must follow suit.
Many companies are investing millions of dollars securing data centers, factories, offices and other assets against increasingly sophisticated security threats. Assessing the risk and taking precautions are usually handled by a single group of people -- typically internal information security specialists -- and are aimed at understanding vulnerabilities in a particular computing environment.
Security threats however, come from living, breathing opponents who are creative, knowledgeable, collaborative and often very determined to inflict damage. They also have a big advantage over enterprise experts in thinking outside the box, mainly because they are outside the box. To anticipate and better prepare themselves against these attacks, many enterprises are trying to move beyond understanding their computing environments to understanding how their opponents plan, think and attack.
To do a better job of this, Intel Corporation has embraced wargaming as an additional type of risk analysis that helps the company better understand and defend against malicious attackers.
Wargames are just that -- intense role-playing or gaming exercises that involve a multi-disciplinary cross-section of the organization from facilities to finance, IT staff to factory workers. The goal is to move knowledgeable experts into an attacker role and pool collective knowledge and skills to pose a range of attack ideas. The results are very often surprising--uncovering new vulnerabilities that no single individual sees when viewing threats through the shuttered view of a single discipline or business area.
After several years of running wargames, Intel feels it is better prepared, enough to even offer a generalized blueprint for how to test and implement them. Wargames are not a security panacea and are not appropriate for every threat, according to Tim Casey, Intel's senior information risk analyst. They require a commitment from top management and participants, as the cost is borne by a number of groups besides the security group.
Casey said wargames are worth the effort if an organization is serious about defending its most valuable assets against shape-shifting attackers who are smart, well funded and dead serious about getting into your enterprise.
"The threat from the stereotypical high school hackers out for some fun has become trivial," Casey said. "Today's malware is designed by organized crime syndicates who have developed extensive and sophisticated malware-as-service systems or by nation-states with literally armies of highly trained cyber warriors."
Protecting assetts a critical task
Like many multinational companies, Intel is an attractive target for this new generation of high-tech thieves. Intel spends billions of dollars each year on research and development of leading-edge microprocessor technology. "Many of our research areas are of keen interest to competitors and nation-states that are hunting for high-tech secrets," Casey said. "Naturally, Intel wants to protect these investments closely."
Intel's information security teams began using wargaming several years ago as a unique new risk assessment methodology. Although wargaming is common in the military and as old as war itself, it is relatively new to enterprise IT. Wargames are intensely focused exercises in which a multidisciplinary set of experts gets together to focus intense scrutiny on assets from an attacker's point of view. By rigorously testing our security assumptions, we are able to uncover vulnerabilities that just don't surface when using traditional risk assessment techniques.
"The cross-functional, alternate view that wargaming provides us almost always leads to new discoveries," Casey said. "We often find something we thought was OK but really needs some attention. The good news is wargames help us find those issues before they become actual exploits."
The increasing and evolving sophistication of attackers is the chief threat that enterprises need to guard against today. In the last 10 years, the profile of the enterprise attacker has changed dramatically.
On the surface, wargaming sounds a lot like penetration testing, in which a small group of experts, sometimes from an outside firm, attempts to penetrate your defenses.
However, penetration testing does not always involve a multidisciplinary approach, nor does it include anyone outside this small group of security professionals. Similarly, an audit is an exercise in getting through a checklist of best-known methods and controls. But in an audit, auditors stay in their defender mindset.
In a wargame, you gather many diverse people from across your company in one room and turn them into bad guys. This diverse group might include business process people, salespeople, logistics people, facilities people and others who would not typically sit at a table together. When these people from across your organization begin to collaborate and pool their expertise with the goal of protecting your company, and stay at it for a couple of days, some surprising attack vectors emerge that security professionals working alone might never see.
According to Casey, no silver bullet exists in corporate risk assessment. Wargaming is a one tool, along with penetration tests, site assessments and others, that enterprises can use to look at broad risks in a way that traditional security analysis tools do not allow.
"Things are constantly changing in the enterprise and getting better every day, but one thing that isn't going away is the threat of increasingly sophisticated attacks," Casey said. "Wargames aren't the only answer, but they can go a long way toward being prepared and finding hidden vulnerabilities."