Why CISOs should take a page from the Secret Service when securing their networks

Nathaniel Gleicher, Illumio

A human being with relatively modest athletic ability can scale the fence that surrounds the White House in Washington, D.C. Once inside, though, good luck getting more than twenty feet from that perimeter before being tackled by a Secret Service agent who played linebacker in high school.

Nathaniel Gleicher, who saw firsthand the obsession with physical security that surrounds the White House while developing information security policies for the Obama Administration, doesn’t understand why more of us aren’t taking the same approach to cybersecurity.

“The job of the Secret Service is managing risk,” said Gleicher, now the head of cybersecurity for Illumio. The federal agency that protects the president is one of those groups that only makes the news when it screws up; however, the Secret Service has prevented an untold number of attacks on presidents and other government officials through careful analysis of threats and by understanding that you can’t lock down the entire area in which a president moves. In other words, you don’t invest all your resources in protecting the perimeter; you identify the key strategic points that you simply can’t allow any threat to access, and you apply more basic protection tactics to the outer rings of that location.

Makes sense, right? This is a topic that’s come up time and time again as we get ready for Structure Security, September 27th and 28th at the Golden Gate Club in San Francisco, and Gleicher plans to expand on it in a talk at the conference. Art Coviello touched on it last month, and several other members of our advisory board are focused on getting companies to move past perimeter defense and focus on more layered approaches to securing their data.

As with most things that make sense, it’s easier said than done. If the Secret Service needs to prepare for a presidential address at a football stadium, for example, it can obtain detailed maps of that stadium and make educated decisions about which parts of that stadium to defend. But your average IT organization doesn’t have quality maps.

“Most defenders don’t know what the interior of their datacenter looks like, and most people don’t know what’s connected to their network,” Gleicher said. Say an attacker manages to get control of a server: what else can they access from there? What kind of paths can they carve to the truly sensitive data? An awful lot of tech organizations can’t answer those questions with the speed required in an active situation, and even if they had that map at their disposal, they often lack the tools needed to cordon off the compromised parts of their network from the crown jewels.

“Attackers think in graphs. Defenders think in lists,” Gleicher said, as a way of illustrating that defenders need to understand how their adversaries operate in order to properly defend their networks.

So how can you start thinking strategically about defending your networks? Gleicher plans to outline several steps you can take, and I won’t spoil the surprise here. But he’ll explain how to set up real-world defenses that work across multiple datacenters and public cloud providers as well as the tons of devices that have legitimate reasons to access your corporate network. Don’t miss his talk, scheduled for Day One (9/27) at 3:15 p.m.

Gleicher is just one of dozens of amazing speakers we’ll feature at Structure Security, including Bugcrowd CEO Casey Ellis, Okta CEO Todd McKinnon, and Ixia CEO Bethany Meyer. The complete agenda for the show can be found here, and you can register for tickets here.