One of the first phrases we learn in cybersecurity is “The good guys have to be right all the time, but the bad guys only have to be right once.” But has that moved from truism to outdated cliche?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and George Finney, CISO, University of Texas System. Joining is Sean Walls, CISO, Bob’s Discount Furniture.
Huge thanks to our sponsor, Native

Full Transcript
Intro
0:00.000
[David Spark] One of the first phrases we learn in cyber security is, “The good guys have to be right all the time, but the bad guys only have to be right once.” But has that moved from a truism to an outdated cliché?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me as my guest cohost for this episode, a regular guest on the CISO Series… We’re thrilled to have him. It is George Finney, the CISO of the University of Texas System.
George, thank you so much for joining us.
[George Finney] Howdy, y'all. Thanks for having me.
[David Spark] We brought you on just for the, "Howdy, y'all." That's why we brought you on. Our sponsor for today's episode is Native, the cloud security control plane for the enterprise. If you've got a lot of cloud providers you work with, you're going to want to hear what we have to say about Native a little bit later in the show.
But first, George, let's talk about today's topic. Does the whole idea of, "The bad guys only have to be right once," not give threat actors enough credit? Ira Winkler, field CISO at CYE, made the case that arguing that their job is easy is flat-out wrong.
Meaning that arguing the job of the criminals is easy is flat-out wrong. He argues attackers must chain vulnerabilities while evading detection – not the easiest thing to do. This got a lot of pushback on LinkedIn because people believe this theory that the attacker only needs to be right once.
But has that classic phrase, do you think, George, lost its ring of truth? I mean, does it still hold strong, or is it tough to be a criminal, essentially, is what Ira is arguing?
[George Finney] I see the thought process there from Ira. And he’s right. The bad guys have to be really skilled in some cases, for certain kinds of attacks. The social engineering attacks that are just via email that just ask for people to hand over their passwords, that’s still pretty easy.
To Ira’s point, you still have to chain attacks together. You still have to do your recon and have a plan. So, I wouldn’t say the job is easy. Perhaps it’s a little easier than the defender’s job because we can’t break the law.
[David Spark] Yes.
[George Finney] We have to work with our stakeholders. We have processes to get change control approval. So, I think they’re just different in different ways.
[David Spark] Yes. By the way, we're not arguing for one or the other, like, "Hey, maybe you should go to the criminal side," or something like that. But this is just an interesting discussion because, I mean, we've all heard this phrase that the attackers only need to be right once, but I think this is a really good conversation to sort of reveal what the attacker's job is, because it makes sense for the defenders on how to deal with it.
And to join us in this very discussion is the CISO over at Bob’s Discount Furniture, Sean Walls. Sean, thank you so much for joining us.
[Sean Walls] Well, thank you, David. It’s a pleasure to be here.
There must be a better solution.
2:58.322
[David Spark] Rick Carville, CISO over at Great Canadian Entertainment, said, "You're absolutely right. Most real-world attacks involve multiple steps, and a well-secured system won't typically be compromised by a single flaw. That said, the saying, 'The good guys have to be right all the time, but the bad guys only need to be right once,' is more about the burden of defense than how attacks actually unfold." Very good point.
"Maybe we need to change the saying to, 'Attackers need persistence, but defenders need resilience.'" Also like that quote. Matthew Rosenquist of Cybersecurity Insights said, "Attackers only need to succeed once to be characterized as triumphant, while the expectations for defenders are they must not fail even once in overall effort.
They deny the attackers a win to be viewed as successful. Essentially, any triumph of the attackers is characterized as a failure for the defenders, but the reverse is not true.” I know that’s where the argument is. Matthew goes on to say, “They are measured differently by default, and it takes effort to change that paradigm.” So, Rick and Matthew are saying two different things here, but these are really good arguments, George, yes?
[George Finney] 100%. I think the good guy’s job is always going to be challenging, but it’s always easy… The grass is always greener. Other people’s jobs are easy, mine is super hard. I get that. That rings true just in life. I guess I disagree a little bit… In my head, I think about this a little differently.
I think about if I were to replace this quote with something new, I would say something like we can’t be one click away from going out of business.
[David Spark] That is a good point right there.
[George Finney] Exactly. I care about my defense. I would never use the phrase, “The bad guys only have to be right once,” with my leadership. I want to reframe that. I’m not going to say that phrase is bad guy propaganda necessarily, but I think defenders have to have a totally different mindset in general.
[David Spark] So, both George and also Rick Carville make really good points. Rick Carville saying, "Attackers need persistence, but defenders need resilience." And George said, "I don't want to be one click away from going out of business." So, reframing this, I think, makes a good point, Sean, in that scaring your own staff about always having to be right is not a way to sort of motivate employees, is it?
[Sean Walls] No, it's not a way to motivate employees. And the problem there is the mindset is wrong. We're living in a different era. Back when this phrase came out, we're talking the 1990s. I don't know the exact date when it came out. But the fact of the matter is technology was different.
Business was different. The threat landscape was different. And what threat actors have nowadays is they have objectives. Right? Back in the day, they were script kiddies for the most part, seeking to inflict as much damage and harm as they could on an organization.
But that all changed in the early 2000s, say around when Target happened. 2013, say. The paradigm shifted. Strategic objectives became their focus, and making money was their objective. And so having objectives means you have to go through multiple stages in order to achieve those objectives. Getting a foothold in the environment is stage one. And they no longer want to just inflict damage when they get there.
They actually want to establish, like you said, persistence.
And our resilience is that layered security approach where we’re not just protecting the perimeter and trying to stop that first attack, but we’re trying to watch and see what’s happening as they’re pivoting and moving laterally through our environment.
Each one of those steps in the kill chain that they execute against is an opportunity for us to see them, to catch them, and to contain them and eradicate them. So, our paradigm needs to be focused on resiliency. Resiliency is an excellent ROI. We can measure mean time to detection, mean time to containment, mean time to eradication.
We can measure these things. And if we tell our employees that one failure is absolute failure, we’re going to miss the layers and the nuances of the new security paradigm. Right? My opinion is that we need to be focused on not zero successes but how quickly can we identify that there’s a threat in our environment, and how quickly can we contain and eradicate that threat.
We should be measuring our success based on that.
[George Finney] So, I’m glad, Sean, you brought up the history of this particular phrase. We do know specifically when this phrase came about, because it was the Irish Republican Army’s attempt to assassinate Margaret Thatcher in 1984. This phrase came about October 12th, 1984.
And the phrase originates from terrorists. So, when you’re repeating the phrase to your executive team, to other folks, to motivate people, we’re not motivating people because the terrorists… They killed five people in that bombing – Margaret Thatcher just happened to survive.
Again, we’re using this kind of terrorist mindset to scare our teams, our leadership into doing something. And we know from a psychology perspective that fear shuts people down. And what we need to do is to motivate them to proactively do things in security, not use fear as our only tool in our toolkit.
Why is everyone so confused?
7:57.683
[David Spark] Jan van Dijke of SonicBee said, "'The bad guys only have to be right once' is not as idiotic as you make it out to be. I have seen organizations get hacked with one open RDP port, with one leaked set of admin credentials, with one employee falling for CEO fraud, etc.
You make it sound like CVEs are the only way hackers get in, which is clearly not the case." Sedric Louissaint of CLA said, "I've literally taken over organizations' AD because the DA was using a password like 'Password123!'. Sometimes it is that easy, but you are right.
As a red teamer myself I am usually chaining a variety of vulnerabilities, sometimes misconfigurations, known vulnerabilities, or discovering a new zero day.” So, Sean, this kind of alludes to what George was saying early on. Yes, there are some cases that it is that easy.
So, in some cases, this phrase does work. Like one simple, stupid mistake can end the business or can bring the card house down, yes, Sean?
[Sean Walls] Yes and no. The examples that you cited are examples of catastrophic failures in cyber security hygiene in my opinion. Any company that operates that way will get hacked and should get hacked, and they deserve to get hacked, in my opinion, because the paradigm has been shifting for the past 20 years. And certainly in the past 15 years, governance, security in depth, and leveraging the complexities and the emerging technologies to protect ourselves has become a staple. And if you're not aligning with these industry best practices then you're setting yourself up for disaster, in my opinion.
[David Spark] It’s like leaving your front door unlocked. Yeah, that’s an easy way to get hacked. So, this is arguing that, yes, the attackers can be right once. But is it really only in the case of if you’re just not doing really basic hygiene, as Sean points out?
[George Finney] Again, we still have a really easy path for attackers to get in through email. The front door is open. There are a lot of really sophisticated attacks out there, and there are some easy ones when an end user’s account is compromised, and they had local admin rights, and you can do Kerberoasting and expand really quickly to an entire organization.
So, that's certainly the case. However, the name of the podcast kind of gives it away here. It's defense in depth. One of my favorite sessions at RSA, I think it was seven or eight years ago… I went to a session from a mathematician. Assuming that all tools are just 80% effective, when you have multiple layers of tools, it makes it much more challenging for an attacker to move laterally and evade detection.
And he proved mathematically that at eight or nine layers, if you’re assuming all of the layers in the stack, that is enough to make it challenging for an attacker to get in. You have to have good hygiene, totally agree, but I somewhat disagree with Sean’s statement.
I don’t think anybody deserves to be hacked. I don’t want to do victim shaming here. We’re all on our own journeys. We want our business to invest in security because we care about security, and we want to make sure that we protect our investments.
But, again, every industry, every organization has a different risk tolerance, is in a different field, or uses different tech, so it’s hard for me to put a one-size fits all kind of approach.
[David Spark] Good point. And I wanted Sean to be able to respond to the comment. Sean, just clarifying here, you’re not saying they should be attacked. But if you make a stupid mistake like leaving your front door unlocked, what do you expect? Yes?
[Sean Walls] Yes. The fact of the matter is I don't think anybody deserves to get hacked, but the industry has matured enough over the past 15 to 20 years that we should know better. And it's the responsibility of any effective security leader to convey these details, this information, and the urgency, and the threat landscape to executive leadership, and get that buy-in, and ensure that adequate hygiene and controls are in place.
But I want to make one point – is that even if you get an RDP foothold in an environment, you still have to go through multiple stages. The administrator account, yeah, that’s one thing. But you still have to find the crown jewels. You have to stage them.
You have to exfiltrate them. You have to go through a number of different steps. So, this one and done paradigm, it still doesn’t hold true, even in an environment that’s poorly secured.
Sponsor – Native
12:23.597
[David Spark] You know, security teams are being squeezed from both sides. AI is accelerating attacks, and it is accelerating infrastructure change inside the enterprise. Now, at the same time, cloud providers have finally built the enforcement controls to make secure-by design architecture possible.
The problem is that every provider works differently. Oh, yes, we're well aware of this. So, turning security intent into consistent enforcement across AWS, Azure, Google Cloud, and OCI is incredibly hard to do manually. This is where our sponsor, Native, comes in.
Native is the Cloud Security Control Plane. Native translates security intent into provider-native enforcement, previews the impact before deployment, and keeps guardrails aligned as cloud environments evolve. So instead of reacting after the fact, teams can enforce security at the source, inside the cloud itself.
Native makes secure-by-design architecture real. And if you want to learn more, you've got to go to their website. Go to native.security. And when you go there, let them know you learned about them from the CISO Series.
I didn’t think of these options.
13:43.312
[David Spark] Drew Simonis, CISO in Residence over at Insight Partners, said, "It was a phrase born in a different era and like many such things we just adopted it as shorthand. It is no longer literally true but the spirit of the comment (that attackers have some advantage due to the complexity of technology systems) remains figuratively true for many." I think that's actually a very good point right there.
“Defenders can take advantage of the complexity in their own environment to create their own advantage, but most do not. Instead of creating a minefield, most defenders are focused on creating a tidy display case of goodies.” That’s a really good point, too.
Brian Zimmerman of US Cyber Command says, “You are taking the saying out of context. The context is the hacker has nothing to lose except failing at getting in. They can try as often as possible. Whereas the defender, who has one infrastructure to defend, needs to be on their game and can’t make mistakes.
To your point, sure, defense in depth should provide multiple layers, but full compromise isn’t when you lose. I’d argue any compromise is. Once there’s persistent access, it can open the door for further attempts to go deeper. The saying is for defenders to know they need to keep up with their security and just not set and forget.” I don’t know if the saying says that.
But, George, really good points. Really good arguments on all sides here, from both Drew and Brian. I’m just going to say pick your favorite here, and go at it.
[George Finney] I really like Drew’s statement about creating a minefield.
[David Spark] Yes.
[George Finney] And I think there are lots of different ways you can do this.
[David Spark] By the way, an argument for honeypot, too, here.
[George Finney] That’s exactly where I was going to go. Right? When you look at some of the deception technologies or tools out there, if an attacker gets access and can enumerate your domain or review your contact, in the past we’ve created honey accounts.
So, if anyone even touches a particular account, you don’t even need a tool to do this. You can set an alert in your SIEM to see when that account has been touched, for example. Some of the deception tools out there will create a completely fake active directory domain or network.
Again, attackers are doing a kind of activity that your employees just don't do. And that should be the key giveaway there. So, I like the idea of creating a minefield, not some pristine firewall, lockout thing, and perfect policies. If the attacker can't trust any of the information they're getting in recon, that is a really good defensive capability.
[David Spark] And also should scare the attackers, too, for that matter.
[George Finney] That’s absolutely right. I think the NSA did back about ten years ago…did an assessment on the effectiveness of deception. And they had hired some pen testers to get in and see if they could do whatever they can. They had a control group that didn’t know.
They had a couple of different test groups. And the hackers getting in, when they knew, especially when they knew that there was deception, they questioned every result they were getting. So, I think that’s a great approach. And, again, we need to think differently about defense.
Not just the pillars of identity, or antivirus, or firewalls. There is so much more out there that we can do, to leverage to really protect our organizations.
[Sean Walls] I would agree with George. Not only the complexity of the technical environments that we’re in today lend us opportunities to frustrate the threat actors, but things like deception technologies, honeypots, and segmentation, zero trust networks.
These all are opportunities to create friction for threat actors and to cause them to expose themselves. We want them to be noisy. We want them to let us know that they're there. And by putting honeypots or deception technology in place, fake accounts, zero trust networks, it just makes it that much more difficult and noisy for them to move through our environment and easy for us to detect.
It’s an underleveraged capability and technology in today’s world, in my opinion. Very few organizations actually invest and go that far to actually do technology, like deception technology and honeypots. 100% encourage folks to explore those.
[David Spark] Just one last thing I’d love to hear from both of you on – one of the things I’ve heard from deception people is if you just think of it as a way to distract the attacker, you’re missing the opportunity. Because detection tools can tell you a lot about behavior.
And learning from that can help you build a greater defense [Inaudible 00:18:12] There’s a lot more you can get from this, yes?
[George Finney] Absolutely. I think a lot of folks focus on the MITRE ATT&CK framework. I had a really awesome opportunity to talk with the gentleman behind the MITRE Engage framework. It’s not an attacker’s mindset, it’s a defender engaging the adversary.
And I think the really incredible thing about that engagement idea with an adversary is you learn about the adversary through it. It’s not just wasting their time. You’re getting to know in a much more close sense what their capabilities are, what they’re after.
So, you can take that active information set and your defense to help modify your other controls. I think that's really incredibly powerful. So, it's not just about confusion. I've had arguments with CIOs about, "Oh, gosh, deception really is an attractive nuisance and attracts more bad guys." But I think, again, if you do it right, to Sean's point, you don't want to have an open honeypot to the internet.
But if you have an open honeypot within your internal network, that’s going to provide a lot more insight and value to you and a lot less false positives.
[Sean Walls] Yeah, I would agree with that. And I think above and beyond what George just said is that this gives us insight not only into legitimate threat actors in our environment but even malicious employees, or contractors, or folks that are just in our environment helping us from a third-party perspective. Are they poking around? And this will give us an opportunity to see and catch those things early.
What aspects haven’t been considered?
22:08.445
[David Spark] Satish Govindappa of Indrasol said, “Even with strong infrastructure, attackers often bypass technical defenses by exploiting people—through phishing, deepfakes, or insider threats.” Now, George alluded to this at the very beginning of the show.
Satish goes on to say, "So, while multiple failures are needed on the technical side, sometimes just one well-placed manipulation can open the door." Very true. Noam Zolberg of Cubic said, "Totally agree that breaching the layers and moats of tech security takes a very talented and experienced hacker with considerable investment in time and tools.
At the same time, 'hacking' users' minds and cognition is by far less expensive and requires a lesser skill set. That's why the biggest attack surface is us, humans and our ill-equipped minds and poor habits. Without strengthening human cognition resistance and enhancing cyber risk awareness, all the hundreds of billions of dollars the cyber tech industry is about won't move the needle or change the success rate of hackers." This goes into something we've talked about – that so much of cyber security has nothing to do with technology.
What do you think, Sean?
[Sean Walls] Well, I think they’re 100% true. Now, I don’t think that that’s the only thing that they can exploit, but hackers notoriously choose the path of least resistance, and humans are that path of least resistance. And it’s not always because they don’t think right or they don’t make good decisions.
It’s usually because they want to help. It’s usually because they have a good heart, and they want to help. And threat actors take advantage of that desire, as well as creating a sense of urgency and authority to force them to make poor decisions. But there’s a saying that I’ve always had, that’s like our employees can be our biggest liability or our greatest asset.
Right? They can be our human firewall. They can be our network sensors out in the environment. And it behooves us and it’s upon us to train them to make sure that they’re aware. Not just the employees but the help desk, for example, as well. So, they’re cyber aware of techniques for changing passwords and MFA capabilities.
When you train your employees… And I’ve seen this time and time again, and I’ve done it time and time again. They step up. And often times, we get reports from employees of suspicious behavior, emails, phone calls, texts, or whatever before we even see those in our sensors.
As a matter of fact, those would bypass us if they were hacked that way. So, having our employees be aware of what a threat looks like, how to respond to that threat, how to escalate and engage us is probably the most important and significant investment with the greatest ROI that you can invest in.
[David Spark] All right, good point. George, I’m going to let you have the last thought on this.
[George Finney] I’m so happy that nobody said people are the weakest link.
[David Spark] Yes. Working as a cyber security professional, I’m sure you hear it all the time. I’m sure it makes your hair stand up every time you hear it. And like you have to sort of like… “All right, breathe. Breathe. Now let me respond.” And how do you respond, George?
[George Finney] I argue that people are the only link.
[David Spark] And they’re also the number one attack vector, too.
[George Finney] Again, I really appreciated the way Noam said it. People are the biggest attack surface for sure. We talk about security like it’s people, processes, and technology. Like they’re three equal slices of some pie. But really it’s people that make the technology, that use the technology.
People make the processes and follow them or not. It’s 100% people. Again, I think in security, we need to be in alignment with our CEOs who will say people are our greatest asset. And I think when you double down and you think about how you can interact with people in a positive way, I think that goes so much further.
Again, to Noam’s point, we need people to do things proactively. We need to inspire them to want to do security, not just like a hot stove. You know, just avoid that. Again, I think there’s so much more we can do, but it’s harder work. I think from a technical perspective, I’d just love to block something.
But so much of what we need to be doing around humans is engineering their human experience. It's still crazy to me that anybody in the entire world can send me an email. I'm sure y'all use Signal, or WhatsApp, or some of the secure communication tools.
But what do those things do today when someone new tries to reach you? It doesn't send you the email. It says, "Hey, so-and-so is trying to connect with you. Do you want to allow this or not?" Wouldn't it be amazing if we did that with email? The technical controls like SPF or DKIM, sometimes rolling out multiple email security tools to catch the things that are getting through.
That is an incredibly challenging technical process that we have engineered for ourselves for an insecure protocol. And I think it’s maybe time to think human design and security into some of these basic things, not just have it be a bolt on afterwards.
[David Spark] Very good point.
Closing
24:19.577
[David Spark] All right, we are coming to the portion of the show… We’re going to ask you which was your favorite quote, and why. And I loved a lot of these quotes. So, take a moment, but I’m going to go to you, Sean. Let me know which was your favorite quote and why.
[Sean Walls] I like the first quote by Rick Carville, when he talks about the attackers need to be persistent, and defenders need to be resilient. And I think that really kind of epitomizes the landscape that we’re in today. And from a technical, from a cyber defense perspective is that we have the capability to be resilient, and we can measure resilience.
We can measure resilience in terms of time to detection, time to containment, time to respond, time to recover. I think that’s a better measure than just did the hacker get in once. Was the attack material? Did it have a material impact on the organization?
If we can say someone just connected to RDP. We saw it. We disconnected them within five minutes. No impact. Zero impact. They did not win. So, the fact of the matter is having layered defenses with resiliency baked into it to ensure that we see lateral movement, we see the attacker going through that kill chain, and can see them and stop them in real time, probably the most important point in this entire podcast, in my opinion.
[David Spark] Very, very good point. All right, also great quote. George, your favorite?
[George Finney] I really like Noam’s statement, the biggest attack surface is us. That just resonates so much. Again, it’s all about protecting our community – the people we work with, our customers. We know the biggest attack surface is us, and we have to come together to address that.
[David Spark] Very good point. Well, that brings us to the very end of the show. And I want to thank our sponsor, and that would be Native – the cloud security control plane for the enterprise. If you’re using multiple clouds, you should be looking at what they’re doing at Native.
Make your life a lot easier. Instead of hiring all this expertise, get the one expert device that will do it for you across all the platforms. Go check out what they’re doing. Native.security. And let them know that you heard about them from the CISO Series.
I want to thank my cohost today, that would be George Finney, who is the CISO over at the University of Texas System. And also our guest, Sean Walls, the CISO over at Bob’s Discount Furniture. Thank you both for coming. Thank you for participating in this conversation.
Your favorite part, George, was?
[George Finney] The biggest attack surface is us.
[David Spark] Yes. And your favorite part, Sean, was?
[Sean Walls] We need to be resilient.
[David Spark] We need to be resilient. Just echoing what they said earlier. I appreciate it. Thank you very much, our audience. We greatly appreciate it. I say it again and again, and I mean it again and again. We greatly appreciate your contributions and for listening to Defense in Depth.
[Sean Walls] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please, write a review. Leave a comment on LinkedIn or on our site, ciso-dev.davidspark.dcgws.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to Defense in Depth.