Inspired by Euro 2020, Raghu Nandakumara at Illumio draws a comparison between the way countries play football and the way organisations defend themselves against cyber attacks.
“In most scenarios it isn’t the player on the ball who decides where the ball goes, but the players without the ball. Their actions determine the next pass.” – Johan Cruyff, Dutch Football Legend.
We are in the middle of a glorious month or so of international tournament football – Europe’s top nations have delivered a cracking Euro 2020 which is now almost at its end, while down in South America the Copa America brings its usual range of attacking flair. And given that football mirrors life (or is it the other way around?), let’s look into football’s tactical variations and see how they resemble approaches to enterprise security.
Looking back at the 1960s and 1970s, we see at least three different ways of playing adopted by the great teams of that era:
- The Italians perfected the system of ‘catenaccio’, with a third defensive player (sweeper) acting as the failsafe should an attacker break through the ranks – akin to an infected workload being quarantined.
- The Germans took this sweeper system and evolved it so that it became the foundation of their entire attacking play – offensive security if you will.
- The Dutch reinvented football in the form of Total Voetbal (Total Football) – where every outfield player was able to perform the functions of attack and defence, depending on what was happening in the game and where they found themselves on the pitch.
The foundation for a football team that is looking for long-term success is an effective defensive system. The era-defining teams (AC Milan in the late 80s / early 90s, the great Arsenal teams of the Arsene Wenger era, Chelsea under Jose Mourinho and the most recent iteration of Man City, to name just a few) have found a way to build a defensive system that is both robust and provides a springboard from which to launch an attack.
The defence is not just about stopping goals (though that is its key purpose), but about being adaptive to the variety of attacking threats without losing its shape and effectiveness. None of which sounds too dissimilar to what we are looking to do when we build enterprise security architectures – we are facing a variety of threats, with different attack vectors and highly variable levels of sophistication, and we need to be able to defend against all of them: there’s no point in being able to stop a highly complex APT if we leave the front door wide open for the most basic ransomware to intrude, spread and lock out users.
So back to football, as that’s what we’re all really here for. If we look at the organisation and approaches adopted by most modern football teams, we see a few common themes:
- They adopt a high press – the attacking players are expected to aggressively chase and try to win the ball back if they lose it far from goal – the idea being to not give the opposition the opportunity to build an attack and keep the ball as far from goal as possible.
- They tend to play a single (but increasingly a complementary pair of) highly dynamic midfielder whose role is to close space as much as possible, forcing attacking teams wider and making it easier for the defence to detect danger.
- They play with a low block – which means the defensive line doesn’t aggressively push forward and leave itself exposed to balls over the top and the exploitation of the offside trap. This forces attacking teams to be more intricate in tighter spaces to craft an opening, something which is significantly harder than being able to run in wide open spaces behind a defence.
So how do these approaches align with security in the enterprise?
- The high press – this is like our traditional perimeter, essential for keeping the attackers outside (is that even a thing anymore?) but knowing that at some point they will find a way through, as not everything can be blocked.
- Dynamic midfield snuffing out space – these are like the Zero Trust controls such as identity and access management and micro-segmentation, that crop up constantly and without fail to prevent the attacker advancing to their target, forcing them to constantly change their tactics and thereby creating more signals through which to be detected.
- The low block – this is like EDR / XDR and the SOC, who are able to observe the various signals being generated on the network and the workloads and respond accordingly, with that response taking place as close to the asset being protected as possible.
- The goalkeeper – this is the failsafe, whether this is quarantining the workload, taking the device offline, or some other extreme action, with the decision being informed by observing what’s happening in the rest of the environment.
England, in their 4-0 victory over Ukraine, gave a perfect demonstration of this combination of defensive techniques – as an organisation, are you equally well defended?
Raghu Nandakumara, Field CTO at Illumio
Main image courtesy of iStockPhoto.com