It’s after-hours on a Friday. You are talking a remote employee through installing a next-generation firewall. No traffic is passing through the network and now you’re stuck on the project until it’s fixed. Weekend off-hours maintenance windows in the name of improving cybersecurity posture can be some of the most high-stress, high-risk, low-morale projects undertaken by an organization. However, risk and stress can be reduced by applying the planning methodology used by United States Marine Corps (USMC) Reservists. USMC planning concepts can be readily adapted to cybersecurity projects, increasing the odds of success.
USMC tactical planning focuses on applying six troop leading steps. This is the fundamental approach Marines use for all operations. Marines have been using these steps (known by the acronym BAMCIS) for planning anything from the annual Marine Corps Birthday Ball on November 10th to an assault on an enemy sniper’s nest. BAMCIS stands for Begin planning, Arrange for reconnaissance, Make reconnaissance, Complete the plan, Issue the order, and Supervise, and it is a core tenet of Marine Corps leadership. The goal of BAMCIS is to gather information, make a plan, execute it, and ensure the success of the mission. [1]
Using the installation of a next-generation firewall as an illustrative scenario, we’ll walk through these troop leading steps and identify how they can improve the odds of equipment working out-of-the-box and lower the chances of spending an entire weekend troubleshooting.
Step 1: Begin the Planning
Mission analysis (or project planning) begins here. The day the green light is given is the day planning should begin: Determine how long parallel infrastructure will need to remain in place. Identify what resources will be required during any hot-cut migrations. Quantify the impact new network security infrastructure will have on the organization’s users. Prepare many questions during this step. You will have to make some assumptions about the project in order to begin planning. If the remote office is outside the U.S., language barriers, cryptographic export restrictions, and customs issues must be addressed as early as possible. It’s difficult to successfully deploy network security infrastructure if the infrastructure or engineer is stuck in customs!
Step 2: Arrange for Reconnaissance
In conventional warfare, this step is where you would gather information about the enemy’s size, capabilities and weaknesses. However, what this step really answers is the question “What information am I lacking in order to achieve success?” [2] Use all available methods of collaboration to ensure all information required for a successful network security infrastructure deployment is discovered long before go-live. Physical requirements such as power and cooling, security policies controlling access to the infrastructure, and pictures of the site should be obtained. Depending on the organization, getting the necessary clarifications might become a project in itself, but obtaining this information is essential to success.
Also consider information required from the equipment vendor. Whether you’re sourcing the next-gen firewall directly from the vendor and installing it yourself or relying on an outsourced solutions provider, having this information prior to the actual deployment of the infrastructure is critical for success.
Step 3: Make Reconnaissance
This is where leadership uses all available assets to fill any information gaps after the reconnaissance has been arranged. In the case of the next-gen firewall, this is where we would analyze specifications to ensure adequate space, power and security. Cybersecurity infrastructure located in an ordinary room with a drop ceiling, behind a door without tailgating prevention, and not inside a locked cabinet is a problem waiting to happen. [3] If your reconnaissance indicates that the site is not up to the required physical security standards, this must be resolved before proceeding. Reaching out to the teams impacted by the security infrastructure is the key to filling the information gaps that must be closed to prevent a painful weekend-long troubleshooting experience.
Step 4: Complete the Plan
In step one, many questions and assumptions were formulated to get the plan off the ground. Now is the time to answer those questions and examine all those assumptions. Do not fall in love with your plan. Peer review is critical. For example, when writing installation procedures, it might take five minutes to find a typo related to connecting the next-gen firewall. If that typo isn’t found, it could take many hours to troubleshoot why no traffic is flowing. Start thinking about all the potential failure modes related to the deployment. [4] The last thing desired is to be less secure or for the maintenance window to go beyond expectations, having an immeasurably negative impact on the organization. The completed plan needs to account for changing the default administrative account credentials, disabling any unused ports and services, and the vendor’s recommended best practices. All too often these get omitted when trying to get the solution implemented before deadlines, so make sure to include them in the plan.
Step 5: Issue the Order
Most military operations involve the issuance of a “Five Paragraph Operations Order.” This is a clear and concise summary of the essential information needed to carry out the operation. We aim to have the same sort of clear and concise instructions. [5] All information for a successful network security infrastructure deployment needs to be conveyed to those doing the work. This includes written instructions as well as conference calls, virtual whiteboards and screen captures. A broad communications plan can solve many issues before they have a chance to become problems. While nobody wants to be stuck in meetings all day, after the final instructions are sent, take the time to ensure common understanding long before the network security infrastructure change begins. Assume nobody is actually reading your emails or listening to your ideas in the conference room: ask team members questions about the plan and make sure they reply with the correct answers!
Step 6: Supervise
Without supervision, the likelihood of Marines making poor decisions increases, ranging from not drinking enough water before a hot three-mile desert run to drunkenly setting off a fire alarm that covers multiple aircraft in foam. [6] Proper supervision, on the other hand, can result in Marines making wise decisions that change the course of history. Network security infrastructure projects are no different. Supervision is critical to ensuring the job is done according to plan and in accordance with the standards set. The USMC considers supervision to be the most important element in troop leading. Supervision is not just the responsibility of leadership. All project participants are responsible for speaking up whenever they observe something unsatisfactory, such as a lack of documentation or poor implementation of a firewall’s traffic filtering rules, as they see it happening. It’s easy to correct documentation immediately after implementation when a supervisor demands insight into how the firewall is filtering traffic. It’s difficult to correct it years later when troubleshooting why a new application is improperly filtered.
Given the rise of virtualization and Cloud technologies, it’s becoming easier to rehearse network security infrastructure projects in a controlled environment before they are released to production. Just like an Infantry Battalion Commander would instill values of “train how you fight, fight how you train” in troops when preparing for battle, organization leadership must instill values related to proper testing and training before solutions are in production. The more team members are able to rehearse network security changes, the less likely they are to have production outages due to the changes. Most would agree that a new Marine needs to learn the basics of land navigation in a controlled training environment before being expected to navigate a patrol deployed in a warzone. Similarly, cybersecurity personnel need to be given the opportunity to learn how their network security infrastructure configuration will impact the organization’s data-in-motion in a lab setting before it is deployed to production cyberspace.
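Steps 4 and 6 above call for peer-reviewing the plan, finishing the hardening items, and rehearsing the change in a lab before the maintenance window. The following script is an added example, not code from the original article: it rehearses a planned firewall policy offline by modelling first-match rules, checking that the flows the branch needs are allowed and that forbidden ones are denied, and flagging unfinished hardening items. The rule names, addresses and checklist entries are constructed sample values, and the "typo" rule set shows the kind of mistake step 4 wants peer review to catch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)

@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match policy evaluation with an implicit deny at the end of the list."""
    src, dst, dport = flow
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.name
    return "deny", "implicit-deny"

def preflight(rules: List[Rule], required: List[Flow], forbidden: List[Flow],
              hardening: Dict[str, bool]) -> List[str]:
    """Rehearse the plan: one finding per problem; an empty list means the rehearsal passed."""
    findings = []
    for flow in required:
        action, name = evaluate(rules, flow)
        if action != "allow":
            findings.append(f"required flow {flow[0]}->{flow[1]}:{flow[2]} blocked by {name}")
    for flow in forbidden:
        action, name = evaluate(rules, flow)
        if action == "allow":
            findings.append(f"forbidden flow {flow[0]}->{flow[1]}:{flow[2]} allowed by {name}")
    findings += [f"hardening item not completed: {item}" for item, done in hardening.items() if not done]
    return findings

# Constructed sample: branch users in 10.20.0.0/24 behind a new firewall (LAN address 10.20.0.1) reaching HQ in 10.1.0.0/16.
PLANNED_RULES = [
    Rule("branch-to-hq-https", "10.20.0.0/24", "10.1.0.0/16", 443, "allow"),
    Rule("branch-to-hq-dns", "10.20.0.0/24", "10.1.0.53/32", 53, "allow"),
    Rule("no-user-access-to-firewall", "10.20.0.0/24", "10.20.0.1/32", None, "deny"),
]
# The same plan with a typo peer review should catch: /24 where /16 was intended, so HQ traffic silently dies.
TYPO_RULES = [Rule("branch-to-hq-https", "10.20.0.0/24", "10.1.0.0/24", 443, "allow")] + PLANNED_RULES[1:]
REQUIRED = [("10.20.0.15", "10.1.5.10", 443), ("10.20.0.15", "10.1.0.53", 53)]
FORBIDDEN = [("10.20.0.15", "10.20.0.1", 443), ("10.20.0.15", "10.1.5.10", 3389)]
HARDENING = {"default admin credentials changed": True, "unused management services disabled": False}
```

Calling `preflight(TYPO_RULES, REQUIRED, FORBIDDEN, HARDENING)` reports the blocked HTTPS flow and the unfinished hardening item before anyone touches production; an empty list is the go-live signal.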
While every organization is unique, these six troop leading steps, originating with the Marine Corps, are applicable to other organizations. Even the most civilian of organizations can apply a few lessons learned from the military that just might lead to fewer painful off-hours troubleshooting experiences.
Disclaimer: The views expressed in this article are those of the authors and do not necessarily represent the views of any organizations they are associated with.
- Mitnick, Kevin D., and William L. Simon. Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker. Little, Brown & Co., 2012.