Principles of Patrolling Applying Ranger School Lessons to Information Security Patrick Tatro

Page 1: Principles of Patrolling Applying Ranger School Lessons to Information Security

Principles of Patrolling: Applying Ranger School Lessons to Information Security

Patrick Tatro

Table of Contents

• Introduction
• Overview of Ranger School
• Army Doctrine and Frameworks
• The Five Principles of Patrolling
• Applying the Principles to Information Security
• Conclusion

Principles of Patrolling

Introduction

Everyone off and Follow Me!

Introduction

• Graduated from Ranger School in December 2004.
• Best Leadership training I’ve experienced.
• The lessons I learned in Ranger School contributed to my success as a platoon leader in Iraq and as an Information Security Professional.

Overview of Ranger School

• One of the Army’s most difficult schools.
• Approximately 62 days long.
• Training the Army’s leaders by simulating battlefield fatigue through physical exhaustion and lack of food and sleep.
• Benning Phase
• Mountain Phase
• Florida Phase

Army Doctrine and Frameworks

• Field Manuals dictate tactics and maneuvers for situations leaders may face.
• Army doctrine identifies organizational structure, procedures, and standards.
• Similar to:
  – Frameworks such as COBIT, ISO, and NIST.
  – Regulatory standards such as HIPAA and PCI.

The Gap Between Doctrine and Reality

• Things never go as planned and leaders need to be able to adapt to the situation.

• Situations we face don’t fall neatly into a category or under a standard.

• Doctrine and frameworks provide a foundation but fall short in providing decision-making factors.

The Five Principles of Patrolling

• Ranger School teaches the five principles of patrolling.
  – Planning
  – Reconnaissance
  – Security
  – Control
  – Common Sense

The Five Principles of Patrolling

• Principles provide leaders with:
  – Basic criteria for evaluating different courses of action.
  – The ability to adapt tactics to the situation.
  – Guidance in addressing “grey areas.”
• Similar to:
  – Confidentiality
  – Integrity
  – Availability

Planning

• Ranger Handbook:
  “Quickly make a simple plan and effectively communicate it to the lowest level. A great plan that takes forever to complete and is poorly disseminated isn’t a great plan. Plan and prepare to a realistic standard, and rehearse everything.”
• Information Security:
  – Checklist in place of a plan.
  – Plans reside at the framework level and do not get communicated to everyone at the different levels.
  – Decisions are at individuals’ discretion and don’t account for future events or developments.
  – Plans are not rehearsed, reviewed, or tested.

Reconnaissance

• Ranger Handbook:
  “Your responsibility as a Ranger leader is to confirm what you think you know, and to find out what you don’t.”
• Information Security:
  – Threats and technology are constantly changing.
  – Decisions are only as good as the intelligence they are based on.
  – Confidence crosses into arrogance, leaving organizations vulnerable.
  – It is difficult to maintain an accurate depiction of the internal network and situation.

Security

• Ranger Handbook:
  “Preserve your force as a whole, and your recon assets in particular. Every Ranger and rifle counts; anyone could be the difference between victory and defeat.”
• Information Security:
  – Tunnel vision on edge appliances and systems.
  – All controls play a role and serve a purpose in the event of a breach.
  – Your security posture is constantly changing and requires vigilance.
  – Difficult to impart a security mentality outside of the Information Security team.

Control

• Ranger Handbook:
  “Clear concept of the operation and commander’s intent, coupled with disciplined communications, to bring every man and weapon you have available to overwhelm your enemy at the decisive point.”
• Information Security:
  – What is most important to the organization?
  – What is the end state or mission?
  – The ability to communicate during tense situations is often underestimated.
  – Lack of planning, procedures, and clearly defined roles makes it difficult to ensure controls are implemented in overlapping layers of defense.

Common Sense

• Ranger Handbook:
  “Do what you’re supposed to do, without someone having to tell you, despite your own personal discomfort or fear.”
• Information Security:
  – Availability and lack of time make securing the little things difficult. Leaders need to be supportive in providing staff the opportunity to do the right thing.
  – Leaders need to make tough on-the-spot corrections. Taking care of subordinates sometimes means making them do what they don’t want to do.
  – IT staff don’t address network weaknesses that reflect their lack of knowledge.

Applying the Principles to Information Security

• As technical professionals, we want black and white answers. Leaders exist because reality isn’t black and white.

• The principles of patrolling are a technique.
  – Augment them or incorporate the CIA triad.
  – Identify your own principles to reflect yourself or organization.
• Use your principles to constantly evaluate situations, recommendations, and decisions.
  – Does this vendor relationship violate common sense?
  – Does this employee request fall outside of your framework?
  – Does it violate one of your principles and what can you change to meet the request and maintain your principles?

Conclusion

Every leader, staff, and organization is different. Frameworks provide the foundation to build your Information Security Program upon. Leaders need to augment their experience and knowledge with principles that enable them to plan, lead, and make decisions under pressure.

Questions

Rangers Lead The Way
