Time Based Security: Adding Measurement, Detection, and Reaction Time to Cybersecurity.

ISBN: B08QRYT91X

ISBN13: 9798583047444

Format: Paperback

Condition: New

$12.18
50 Available
Ships within 2-3 days

Book Overview

Time Based Security in a Nutshell

The model for Time Based Security (TBS) originated with conversations with Bob Ayers, formerly of the Defense Information Systems Agency (DISA), over a period of years. As a result of many napkin drawings, especially in Warsaw, Poland, TBS was born. In the two years since we spent hours and days arguing over the principles, I have had the opportunity to develop TBS into a workable mathematical model for quantification of security.

I have always maintained that to offer a reasonable defense, one has to know how to attack networks. So, TBS, here we go.

Defensive Products Do Not and Cannot Work.

The current and prevalent method to defend networks against attack is an approach 10,000 years old based upon classic military strategy: build your defensive walls as high as you can to keep the bad guys out. This is also known as Fortress Mentality. However, it hasn't worked since the dawn of time and still doesn't work. Consider Troy: Odysseus and the Greeks camped themselves out on the plains of Troy for nine years before they screamed, "We give up! And here's a horse as a present." We all know the results. The Great Wall of China was meant to keep the marauding Mongolians at bay, yet advanced technology like the catapult, battering ram and bribery of guards won out. The Maginot Line; the Berlin Wall: none of them worked because they can't.

This fundamental error in historical judgement, though, was what modern defensive information security was based on: how can we build the walls around our networks high enough to keep the bad guys out. Oops! Wrong again. They began with the false premise that they could in fact keep the bad guys out and then compounded the error in the erroneous belief that everyone who had access to the networks was already cleared as a good guy; a pro-US gung-ho Marine-like good guy. However, this incorrect model was based upon another antique premise: computers operate in isolation - there is no such thing as a network.

When the Trojans let the drawbridge to their city descend to admit the horse, they were networking with the outside world. When the Germans bypassed the Maginot Line, they created a network with the French - right or wrong. When people sailed over or around the Berlin Wall, the network connection was made. Thus, the principle of Fortress Mentality began to collapse as a viable defensive posture. When the security pioneers began to develop security models, they took a similar approach because the network had not yet begun to live and expand as an independent entity. And then the hackers started at us.

So, based upon the antiquated model of Fortress Mentality, our network defense program began. And the result? Use firewalls. Use passwords. Use Access Control Tables. But now the question: A lot of people have made a lot of money selling both the government and the private sector tons of firewalls and other protective equipment to defend their networks. Sound like a plan, right? Well, maybe it isn't. Name me one company who guarantees their product. Name me one company who will provide a warranty that if you use their products, they will legally accept responsibility for any losses you suffer if their products are compromised. Never mind that some of the most popular defensive products are created by foreign government sponsored organizations which do not release source code on how their products work.

Customer Reviews

3 ratings

Excellent

Nutshell review - The book describes the application of information security in terms of time; protection time, detection time, response time. This is a must read for infosec professionals.

One of the few classics in its field

OK, I admit it! This is another book that should be read alongside Donn Parker and Commander Smith! Excellent and thought provoking. I loved it! The only bad things you could say about it are Winn's use of storytelling (even if I found it enjoyable and effective), and the shoddy printmanship of the book (unclear pictures and bad illustrations, but that may be Winn's doing again).

Regardless of all complaints you may have against it, it needs to be read and understood, as well as being integrated into the curriculum of CISSP and equivalent certifications.

A must have for anyone interested in information security!

It has been said that "form follows function" and in the computer sciences we have had the freedom of sloppy engineering for way too long. It is joked that if builders built buildings the way programmers wrote programs the first woodpecker to come along would destroy civilization. I know that it is for this reason that we have so many problems "securing" anything in the info-sec fields, form is not following function...

This book is the only book on my shelf I recommend *everyone* (interested in security) read. It is ground breaking because it starts from scratch and looks at the function and follows with what the form should be. I think this book is a decade ahead of its time and that until every programmer, consultant, system architect, and info-sec employee read this book and the information becomes ingrained as common sense will security be truly possible in any meaningful way.

Most importantly it gives useful information on how to apply this information right now, a decade before we have good competition in the security product market place that will solve this kind of problem. If you plan on doing any kind of intrusion detection, the information in this book must be at your fingertips... It is the only way to measure how well solutions deliver, and to create meaningful metrics for measuring information security solutions. The book has a certain prose about it that keeps on building on the previous idea, and hence seems to be repeating itself, however it is a short book that everyone from CEO to "in the trench guy" can read. Keep reading and thinking about what is being presented to you however and I think you will find as I did that the book is way ahead of its time and you will soon be building a secure infrastructure for your business that you can measure, and justify.