Defense Lives Here: What a former B1G Ten Defensive Player of the Year can teach us about defensive cybersecurity?
In 2015 Purdue University’s perimeter was secure. The necessary controls in place demonstrated to our most sophisticated adversaries that nothing would be “easy” from the outside. To match this secure perimeter, our interior defenses were equally strong. An elite level of perimeter and interior defense is a luxury not easily achieved. So how did Purdue do it? Was it the best technical and administrative controls? Was it a breakthrough by our world-class researchers? Did we deploy military grade crypto and concrete bunkers to protect our assets? No, it was none of these things. It was a duo of physical controls named A.J. Hammons and Rapheal Davis. Are these two cybersecurity experts with whom you are not familiar? Perhaps, I’m not sure how they spend their downtime, but I know them as two of the best defenders the Purdue basketball team has ever had, and they were often on the court at the same time, causing defensive nightmares for their adversaries.
I love Purdue basketball, and since I can’t be in Mackey Arena, the loudest arena in the country, I’m typically in front of the TV on game day. A few games back, I was watching one of the most recent additions to Purdue’s lockdown perimeter defenders, Eric Hunter Jr. He was absolutely stifling one of the best guards in the B1G Ten. It reminded me of players like AJ, Rapheal, and Chris Kramer, all former B1G Ten Defensive Players of the Year (DPOYs). These gentlemen helped establish and certify one of Purdue’s trademark phrases, “defense lives here.”
As I watched the game and thought about these Purdue greats, I wondered to myself, what does it take to be an elite defender at this level? Then I had a more curious thought. I wondered if there was any correlation between being good at defending the court and being good at cyber and information security defenses? My mind flooded with basketball and cyber puns; control the perimeter, manage your opponents’ movement, take the charge, recover, prepare, defense to offense. I had so many ideas, but one problem, while I’m a fan, I’m no basketball expert. The guys I mentioned have forgotten more about basketball than I’ll ever know. My solution to this, I’ll ask one of them, and that’s just what I did.
I reached out to Rapheal Davis, the 2015 B1G DPOY, and he graciously agreed to an interview. Over the phone, I asked him just one question, “What traits, skills, or characteristics are needed to be an elite defender at the highest levels of college basketball?” Raphael provided insights that immediately started to resonate with me, a cybersecurity professional... so here are the four key aspects of defense, and spoiler alert, they work for both basketball and cybersecurity.
#1. The “Want-To”
Rapheal explained to me that the first aspect of being an elite defender is the “want-to.” This is the idea that, first and foremost, a player must have the desire to be good at defense. You have to commit yourself to the idea of defense, the discipline, the science, the study, and the purpose. They must be willing to invest what it takes to be a great defender, not just enough to stay on the court, not just enough to be passable as a defender, but a true investment to the very concept of being elite at this one thing, DEFENSE.
This is exactly what an organization must do to have elite cyber-defenses. The organization has to want it. They have to recognize the value, see the need, and make the investment. It is an attitude. It is a culture. If your organization, from the top down, does not have the “want-to” you may be doomed from the start.
It’s not easy to build the culture and motivate the “want-to” in an organization. It takes time, and it takes champions. Purdue has the most men’s basketball conference championships in history, 24. It takes the individuals with the “want-to” to champion the culture of defense to bring home those trophies. Your organization will need champions of defense with the “want-to” and you will have to invest the time and resources necessary to be an elite defender of cyber threats.
#2. Preparation
Proper preparation was the second point Rapheal offered on what it takes to be really good at defense. There are several things that a ballplayer must do to be prepared to defend, and it boils down to two areas, body and mind. First, Rapheal said you have to get your body “right.” You have to eat well and hit the weight room. Physical strength and conditioning are critical to being a defender. Just as important though, you have to have your mind “right.” A defender has to study film of their opponents and their own game. They also have to study the science behind defense; how to move, how to adjust, what is the game-time situational awareness, etc.
Of all four items in this list, preparation is probably the easiest to connect to a cybersecurity concept. Any cyber professional worth a nickel will tell you that the vast majority of cybersecurity defense occurs in the preparation. Eating well is the same as introducing only sound cybersecurity principles into your environment. You can’t introduce vulnerable systems and flawed processes into your environment, the same way you can’t introduce too many slices of pizza and too many scoops of ice cream into your diet and still hope to be a finely tuned athlete.
Hitting the weight room is like beefing up your infrastructure right where it counts the most. Perhaps your edge defenses are weak. This is analogous to guarding the perimeter in basketball. You need to work the muscles that help you move laterally to cover that perimeter. In cybersecurity, you need to put in tools and processes that control the ingress and egress of traffic.
Now that your body is “right,” you have to feed your mind. Whether we’re responsible for cyber defense or simply need general cyber awareness, we all need to train. It is critical for organizations to determine what knowledge is required by all employees to ensure better cyber defenses. Your organization needs to study how adversaries attack and be ready to respond. This is just like watching a game film.
#3. Attention to Detail
Attention to detail is the third item on the list. In basketball, this means you need to know the percentages. What are the tendencies of the person I’m defending? How often to do they go right, when do they go left, how do they use a screen, what do they do in late game situations, will they pull up, or will they drive? My head hurts just thinking about it. In addition to knowing your opponent, you have to know your own teammates. When do we switch screens, where is my help defense coming from, who am I on the floor with, and how will they provide help-side D? Now take all that and mix in-game situations. How much time is on the clock, on the shot clock, what’s the score, how many timeouts do we have left, what is the foul situation, are they in the bonus, do they need a quick bucket or are they working the clock? All these factors come together in a split second and your defensive decisions need to happen just as fast. This shows why preparation is important and furthermore, why you need attention to detail.
In cybersecurity, this is akin to adversarial thinking and that often starts with risk analysis. Risk is the calculation of threats x vulnerabilities x impact. Who are my threats – who am I guarding against, what are their tendencies, will they phish, do they use drive-by downloads, are they going to social engineer my staff, do they plant adware? What are my vulnerabilities – have I patched, is my staff trained to ID phishing attempts, are my edge mail filters strong enough, are my people susceptible to social engineering, have I identified my most critical data, is my team ready? Then you have to consider the what if – what if we’re attacked, how do we respond, what do I do if I suffer a data breach, what do we do if we’re ransomwared?
The risk calculation on the courts takes place in a matter of seconds. There are 30 seconds on the clock, your team is up by 1, the shot clock is off, will my opponent drive to the rim or step back and pull up for a jumper? It’s no different in cyber. A phish came in and a user clicked. A ransomware message appears on a user’s screen. Then another. Are you ready to execute your playbook? Have you prepared and studied for this situation? What do you do? You need to pay attention to the details and be ready to respond.
#4 Toughness
The final aspect Mr. Davis shared is the idea of toughness. This may seem obvious at first glance, but this is not just physical toughness. That sure helps, especially when taking a charge or sprinting up and down the court. No, what Rapheal is talking about is mental toughness. Mental toughness is about doing the hard things well and often with little recognition. For Rapheal, AJ Hammons, Chris Kramer, the recognition came but not initially. Purdue fans see the effort and understand the game, but your stat line may not always look sexy. You didn’t score 17 with 7 boards and 4 assists. Your contribution isn’t always tracked and touted, and that can be hard. You may have forced 6 turnovers and held your opponent to 10 points under their average, but the player of the game went to someone else with a gaudy stat line. We all love dunks and three pointers from the parking lot, but games can be completely changed by the defense. Are you mentally tough enough to know your role and accept its importance without recognition, without the sexy stats? That’s toughness according to Rapheal Davis.
It’s the same in cybersecurity. A lot of professionals want to fill up their stat line. They want the sexy jobs; pen testers, threat hunters, and cybercrime analysts. They want to throw down nasty cyber dunks, hit long-range security bombs, and slip no-look passes past the blue teams. But we need blue teamers. We need security professionals dedicated to the less “sexy” parts of cyber. We need defenders, we need policy experts, we need GRC specialist, we need L1 SOC analysts, we need cyber communications, we need cyber educators, and the list goes on.
My team is often asked by companies to perform a penetration test. Somewhere, someone told them that you needed one. In reality, their policies are a mess or non-existent, and they haven’t assessed their general cyber risk. They’re not following any cyber frameworks and their controls are few and far between. In these cases, I almost always recommend a risk assessment instead. We can bang on the perimeter and find a few holes, I have no doubt, but the outcome may not be enough. I’d rather this company have a cyber risk assessment using controls from any identifiable framework. The risk assessment may include vulnerability scans, traffic monitoring, and other tech assessment. But it will most assuredly address the less sexy parts of cyber; polices, procedures, GRC, data labeling, training. Companies must be mentally tough enough to do the hard parts, including the less sexy parts of cyber.
Summary
The mind of great basketball defenders calculates the on-court risks in a fraction of a second. They do it because they have the "want-to", and they’ve done the preparation. They have studied the details and are mentally tough enough to get the job done. Does your company have what it takes to be an elite cyber defender? Can you protect your customers? Can you protect your own trade secret, intellectual property, your employees? Do you have the desire to defend, have you done the level of planning required? Have you looked at the details and calculated your risks? Are you tough enough to do the hard jobs? The “want-to”, the preparation, the attention to detail, and toughness; that is what makes an elite defender, and that is what will make your company elite at cyber defense.
I’d like to thank Rapheal Davis for his insight and for agreeing to chat with a fan. You can find him on Twitter @RaphealDavis3 (a fun follow), listen to his excellent Boiler Up Podcast (incredible Purdue guests), or connect with him via his website https://raphealdavisbasketball.com (check out what he’s doing in his community).
