Murphy's Law, Cyber Defense and Blue Team Operations
How Murphy's Law Ties into Blue Team Cyber Defense
Since Murphy's Law means that anything bad can happen at any time to anyone, and there are no guarantees, we must base our cyber security philosophy, psychology, strategies, policies, plans, methods and tactics on that exact premise and assumption.
We must work and plan from the assumption that there are no guarantees, whenever we can. This can be our strength rather than our weakness. But we must also be careful that this does not paralyze us from taking risks, because not doing something can also make things worse. That is the catch-22 of Murphy's Law.
This means we should, wherever and whenever possible, forbid “riding on luck” and instead deliberately assure as much as we can, however we can, and wherever we can. It means we take smart, calculated risks and build in countermeasures and compensating controls, first in our most critical places, and then wherever else resources allow.
We must find the right balance of “good enough” based on what's at stake, i.e. risk management, cost, resources, etc. This requires, at a minimum, what's called “due diligence” and “due care”.
For example, we should not have any important person, node, process or thing exist as a “single point of failure” or SPoF in our lives or organizations, or in our cyber security processes (if that is possible), especially in our most critical places and things, our COGs or centers of gravity.
We prevent SPoFs and COG exposures by having backups and practicing “defense-in-depth”, “defense-in-breadth” and “CLASP security”, so our defenses do not rely on one single thing, method, person, technology or process.
One of my previous roles was that of a cyber defense and capabilities facilitator for an organization that had a 24/7 mission-critical global operation which required ultimate levels of up-time and survivability, in a no-fail environment. This was not easy, but I achieved great success and was able to eliminate some of the most significant risks.
How did I eliminate such great risks? By planning against Murphy's Law, which became a way of life for me. The principles for how I succeeded are what I share with you here, in articles like this. Be wise and learn these things; they are based on experience.
Overcoming Single Points of Failure to Counteract Murphy's Law
A single point of failure is best described in the Risk Management definitions handbook that I wrote (coming soon). Suffice it to say that the definition of an SPoF is a single point that can cause failure, along any path, whether a person, equipment asset, location, process or technology.
For cyber security, having no single points of failure means that no person or place, no process, technology, node, cable, source of power or anything else that is “mission critical” should be a single dependency without a backup. We should have a primary, an alternate, and if needed a tertiary and even a fourth level of backup. This is the same as the philosophy “two is one, and one is none.”
We must have at least one backup, and maybe more, depending on the level of criticality the function serves or supports. We must also be careful about the dependencies of our backups, so that they are independent of each other; a backup that shares an upstream dependency with its primary is a hidden single point of failure.
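As an added example (not from this article), here is a small dependency model of a mission and its backups that flags single points of failure, including a dependency the primary and backup sites share, and the pairs of assets whose joint loss would still take the mission down. The asset names and topology are constructed for illustration.

```python
from itertools import combinations

# Constructed dependency model (not from the article): each asset is either
# an "all" node (needs every listed dependency, e.g. a site needing power AND
# network) or an "any" node (survives while at least one alternative works,
# e.g. a service with a primary and a backup site).
TOPOLOGY = {
    "ops_service":  ("any", ["site_primary", "site_backup"]),
    "site_primary": ("all", ["power_a", "isp_a", "dns_vendor"]),
    "site_backup":  ("all", ["power_b", "isp_b", "dns_vendor"]),  # shared dep
    "power_a": ("all", []), "power_b": ("all", []),
    "isp_a": ("all", []), "isp_b": ("all", []),
    "dns_vendor": ("all", []),
}

def available(node, failed, topology=TOPOLOGY):
    """True if `node` still works while every asset in `failed` is down."""
    if node in failed:
        return False
    kind, deps = topology[node]
    if not deps:
        return True
    checks = [available(d, failed, topology) for d in deps]
    return all(checks) if kind == "all" else any(checks)

def single_points_of_failure(mission, topology=TOPOLOGY):
    """Assets whose loss alone takes the mission down (N-1 analysis)."""
    return sorted(n for n in topology if n != mission
                  and not available(mission, {n}, topology))

def fatal_pairs(mission, topology=TOPOLOGY):
    """Pairs of assets whose joint loss takes the mission down (N-2 analysis),
    excluding pairs that contain an SPoF, since those are fatal on their own."""
    spofs = set(single_points_of_failure(mission, topology))
    others = sorted(n for n in topology if n != mission and n not in spofs)
    return sorted(p for p in combinations(others, 2)
                  if not available(mission, set(p), topology))

if __name__ == "__main__":
    # dns_vendor is shared by both sites, so it is the one hidden SPoF here.
    print("SPoFs:", single_points_of_failure("ops_service"))
    print("fatal pairs:", fatal_pairs("ops_service"))
```

The N-2 list is what tells you whether "two is one" actually holds: every pair that combines a primary-side asset with a backup-side asset still kills the mission, which is the expected residual risk of having exactly one backup.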
Having a backup, or two, or three (the more the better, as long as it's affordable and worth it) gives us greater assurance about mission assurance, continuity of operations and disaster recovery. That way, when things go wrong and Murphy's Law comes knocking on the door, we can at least survive, even if we are degraded or not otherwise “fully mission capable”, because we should have enough capability to carry on until things are restored.
This process of mapping our risk and our backups for vital points, and then deciding how many backups something should have (and where we allocate our funds and priorities), is called risk management.
Finally, we must be highly competent risk managers as cyber security professionals, managers and leaders.
Stay tuned for more Blue Team philosophy, concepts and tools for successful planning and countering the tendency of things toward chaos, complexity, disorder and mishap in the world of cyber security.