Sunday, 18 December 2022

The solution-focused approach to mainframe security

Solution-focused techniques originated in the 1980s as a form of therapy that helped people to achieve their goals and live the kind of life they want. Since then, it has been used with many other aspects of people’s lives, and there is even a solution-focused manifesto that suggests “solution-focused practice can help people to cope with the world and function within it. Sometimes, though, it is the world that needs changing.” It goes on to talk about using the solution-focused approach in the pursuit of social justice. We’re going to use it to look at mainframe security.

Where did the solution-focused (SF) approach come from? In the late 1970s and early 1980s, at the Brief Family Therapy Center in Milwaukee, Steve de Shazer, Insoo Kim Berg, and their colleagues created the radical new approach of Solution Focused Brief Therapy (SFBT). Their core idea was that whatever problem a client had come to therapy with, there always seemed to be an exception to the problem, a time when it didn’t happen, or happened less or with less intensity. And this led them to believe that the client already had the seeds of a solution and didn’t need the therapist to get them to do something different – all they needed was to do more of what they were doing during these exceptional times. The therapist’s job was simply to find out what people were doing that was working, then help them to do more of it.

According to Steve de Shazer: although the “causes of problems may be extremely complex, their solutions do not necessarily need to be”. In fact, one of the great ‘discoveries’ of de Shazer and the Milwaukee team was that ‘solutions’ had more in common with each other than they do with ‘problems’.

When working in a solution-focused way, it’s all about the questions that you ask. All too often, people are focused on their problem, and can’t see a time in the future when they have the solution. Solution-focused therapy uses problem-free talk and lets the client focus on their desired outcome. In our case, that would be a ransomware-free mainframe. But hold on! That is couching the solution in terms of the problem. So, our goal must be a completely secure mainframe.

Let’s look at the main categories of solution-focused questions. They are:

  • Exception questions – ie when doesn’t the problem happen or when is it less severe?
  • Coping questions – given how bad things are at the moment, what strengths have you used to be able to cope?
  • Scaling questions – on a scale of 1 to 10, where 1 is bad and 10 is brilliant, where would you say you are now in terms of x?
  • Miracle question – if, while you’re asleep tonight, a miracle happens and your problems are gone, what would you be different; what would you be doing; where would you be doing it; who would notice; and how would they feel?

Let’s see how we can apply those to our mainframe security.

Firstly, is there ever a time when your mainframe and network aren’t likely to be attacked by bad actors or disgruntled staff. I think, realistically, the answer to that question is never. If you think your mainframe isn’t a potential target, you could be in for a nasty wake-up call very soon. For some sites, this is a very real wake-up call, but not a great start to our SF questions.

Let’s look at the coping question – how have you coped? There are probably three strands to this answer, software, hardware, and people. In terms of software, there’s good old SMF to record everything that’s happened. There are SIEMs like Splunk, QRadar, etc that can report about mainframe security. There are backups and restore software packages. And there’s Integrity Monitoring (IM) software like FIM+ that can keep a whitelist of permitted applications and can identify when critical files (eg parmlib etc) are altered without authorization. In terms of hardware, many people are looking at air-gapped drives storing immutable copies of files (snapsets or safeguarded copies). These can be used to restore the system. And in terms of people, there may well be a recovery team that has practiced recoveries in the event of files becoming corrupt. Because they practice regularly, the recovery can be quick and efficient.

For the scaling question, various groups within an organization need to be involved. It’s not just the IT team, it needs to include people from the teams responsible for the data. In the event of a ransomware attack, how quickly can the data be restored, and how recent is that data? Will an hour’s worth of updates be lost? Or six hours? Or a day? For some companies, one day’s worth a data loss may score 5, but for a bank, for example, that may be a 1. This leads nicely into the follow-up questions, such as, “what would have to happen for the score to be a 6 (or a 2 in the bank’s case). The strength of this question is that it begins to help the mainframers visualize the first steps they need to take in order to overcome the problem. These are the first small step in their journey towards a score of 10.

The miracle question may not seem like a very useful question for mainframe security. It may be nice to visualize a day in the future of world peace and harmony where no nation states, criminal gangs, or disgruntled employees want to steal/damage/encrypt your data. But it can be a useful question for the business team – what do they see as the future of the business, how will things look, what will they be doing, how will their customers feel about it?

For most sites at the moment, those first small steps will be to start using multi-factor authentication (MFA) if they are not already. The next small step might be to investigate the use of immutable copies as backups (again if they haven’t already). A third small step might be to get the recovery team to practice and practice their response to a data breach. The fourth step, as part of a bigger move to a zero-trust approach, is likely to be to use IM software to identify changes (such as backdoors and timebombs) being made in the early stages of an attack.

There’s more to solution-focused questioning than just these basic four questions. Using solution-focused questions can help move the discussion about mainframe security away from focusing on the problems, and help organizations start moving towards the solutions.

No comments: