TORONTO — The biblical story of David versus Goliath is often understood as being about the underdog, the little guy who beats the big guy, but that’s not necessarily the lesson that cyber security professionals can or should take from the story, according to Allison Miller, product manager for security and privacy at Google.
Miller presented her views during a keynote at the SecTor security conference titled, “Winning Defense.”
“David was a hacker, he adjusted to the situation and figured out his opening and then he went for it,” Miller said.
Miller explained that at that point in history, it was a normal thing to have opposing armies send out champions to battle each other. She added that what typically happened was that the opposing armies would send out like-to-like, that is similar types of champions to face each other.
“It turns out that this was really more of a game of rock, paper, scissors, with three different types of soldiers,” Miller said.
Goliath would have been a foot-soldier and suited to hand-to-hand combat. There also could have been cavalry, with a mounted champion. Finally, there would have been range fighters, like slingshots that would be effective at a distance.
“So one army sent down their champion, sending down their rock and they were expecting a rock in return,” Miller said. “What did they get? They got paper instead.”
The reason Allison brought up the David versus Goliath story is because as cyber security defenders, the focus should be on the end goal and not the technology.
“We learn from David versus Goliath that different tools suit different situations,” Miller said. “We learn that speed and adaptability is a core value that is really important.”
She added that what David also did was to flout social norms to get the win. As a corollary, when cyber attackers strike, they go after both vulnerabilities in software and in people via social engineering.
“The final and most important lesson we can learn from David versus Goliath is about catastrophic failure, when you load everything into one decision or one flow or one battle,” Miller said. “We as defenders cannot live by breach alone and when that is the one metric we have to understand our success or failure, I think we miss a lot of opportunities to make improvement, because all our energy is focused on preventing this one thing from happening.”
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.