Traditional Cyber Security: Like water leaking through a dam.
With so many of the 'Big Players' (Facebook; Equifax; Macy's; Adidas; Delta Air; etc.) announcing that they have fallen foul of the actions of an attacker, is it time for an alternative approach to Cyber Security? Is it that the traditional way of securing your perimeter is no longer sufficient? Much like a dam, when your network perimeter is designed and implemented it is built to be extremely robust. However, without regular checks and maintenance, over time the water flow (insider threat) will undermine the integrity of the dam and the water held behind it will start to permeate through the weakened areas. Unfortunately, in the Cyber environment you also need to deal with the endless opportunist outsiders who are prowling the internet for signs of leakage or weak areas that they are able to exploit.
Technology has moved on and, as such, so have the cyber environment and the cyber threats. Now, much like the Romans did, it is time for the security industry to consider moving away from traditionally 'ring-fencing' the perimeter and to apply additional inner layers of protection. Much like a prison, the focus of traditional defences encompasses a thick perimeter wall, a heavily fortified gate and perimeter detection. However, the failing of this type of model is what it is designed for:
"Slowing/deterring assets (prisoners) from breaking out of the environment!"
In an effective network defence, you should be looking at effective defensive layers that help you to Detect, Deter, Delay, Disrupt or Divert someone breaking into the environment.
Lessons from the Physical World
I recall an occasion when a non-specialist had the idea of tasking me to upgrade the perimeter of a military airfield. Formerly a 'cold war' airfield, with numerous Hardened Aircraft Shelters (HAS), secure compounds, security lighting and dog patrols, the perimeter consisted only of a demarcation (<3ft high) fence. Following the Unit's role change to a telecommunications base, the HAS buildings lay empty and the dog section was closed as part of a cost saving exercise. Feeling vulnerable to incursion, with a darkened and isolated 15 square km airfield protected by a sole, ageing, 1960s demarcation perimeter fence, the Station Commander had the idea of upgrading the perimeter fence to a Class 2 fence (2.8m with an anti-climb device).
Although dubious of the value of this, I set about carrying out a physical security survey of the perimeter to deliver a RAG (Red, Amber, Green) status report, to demonstrate the integrity of the existing perimeter, the approximate costs of the enhancements and the potential value that may result. Having concluded that the enhancements would cost around £1 Million to £1.5 Million to implement, would (without security lighting) delay an intruder by only 20 mins (maximum), and would be further undermined by the requirement for 15 'Crash Gates' to allow access in the event of an emergency, the decision was made to adopt an alternative approach.
Funnily enough, the chosen option was to leave the perimeter fence as it was but to enhance the defences by identifying critical assets and creating secure silos where they were to be securely housed. Each silo was fitted with security lighting and alarms, and was subject to periodic checks. However, the responsibility and accountability for ensuring that the inner sanctums remained intact, and that physical access to both the silos and the assets was strictly restricted, rested with the asset owner. Augmenting these internal citadels was centralised monitoring and patrolling, to help identify and respond quickly to instances of potential 'Kill Chains'.
"Think WHEN an attacker gets in, not IF an attacker gets in. How quickly will you identify and respond to this, and will you be able to isolate your silo before the attacker can gain access?"
Business networks of today are like this military airfield example, but on steroids, with numerous 'Super Users' possessing the authority to control the keys to the airfield's crash gates (as well as far more ways for an attacker to exploit your users and circumvent the perimeter, e.g. phishing). Therefore, much like the advice of NCSC's Sociotechnical Security Group (StSG), businesses need to have a more balanced approach, with responsibilities and accountability being shared across the business - providing greater resilience and improved identification and response capabilities.
Consequently, as well as looking inwards from the perimeter, businesses need to start looking outwards from their critical assets, ensuring that:
Infrastructure is built securely.
People are encouraged and trained to behave securely.
The silos are securely managed.
Changing the thought process to a team effort, looking both inward and outward, will help provide a more resilient defence, making your organisation less vulnerable to opportunist attackers and therefore more secure. Such a change of approach should include the following areas:
Asset Management. Taking ownership and control of your critical assets and responding to potential incidents that are not normal (e.g. detection of rogue devices on the network, unexpected movement of critical assets, etc.).
Controls Management. Assignment of baseline controls to responsible persons, based upon their roles, and measuring their adherence to these controls (e.g. ensuring strict control of firewall rulesets, adherence to email policy, etc.).
Configuration & Change Management. Ensuring the integrity of your critical assets.
Vulnerability Management. The identification, analysis and management of vulnerabilities within your operating environment.
Incident Management. The identification and analysis of events, the declaration of incidents, the determination of a suitable response and the improvement of your incident management capability.
Service Continuity Management. Ensuring the continuity of your essential services.
Risk Management. Ensuring the timely identification, analysis and management of any risks to your critical services.
External Dependencies Management. With businesses having an increasing reliance on outsourced support, ensuring that an appropriate level of controls is established for the management of any risks that are related to the critical services.
Training & Awareness. Probably the area that receives the least amount of attention but which provides the greatest value to your defences, by ensuring skills development and promoting awareness for people with roles that support the critical service.
Situational Awareness. Are you able to recognise what is normal and respond to the abnormal? This is achieved through the discovery and analysis of information related to the immediate operational stability of your critical services, and by coordinating such information across the business. Much like your personnel, attackers are creatures of habit and will employ Tactics, Techniques & Procedures (TTPs) that they have successfully used before, whilst your authorised users are likely to follow set patterns.
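The two detection ideas in the list above (spotting rogue devices under Asset Management, and recognising what is normal versus abnormal under Situational Awareness) both come down to keeping a baseline and comparing new events against it. The following is an added example, not code from the original article: it compares constructed DHCP lease lines against a constructed asset inventory to flag unknown devices, and builds a per-user "normal hours and normal source address" baseline from constructed authentication log lines so that a login outside that pattern is flagged. The log formats, the inventory and all addresses are assumptions made for the example.

```python
"""Situational-awareness baseline: flag devices and logins that deviate from 'normal'.

Added example, not from the original article. The inventory, DHCP lease lines and
auth log lines below are constructed sample data; the log formats are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory: MAC address -> (hostname, accountable asset owner)
KNOWN_ASSETS = {
    "00:11:22:aa:bb:01": ("fileserver-01", "infra-team"),
    "00:11:22:aa:bb:02": ("hr-laptop-07", "hr-ops"),
    "00:11:22:aa:bb:03": ("printer-3f", "facilities"),
}

# Constructed DHCP server lines in an ISC-dhcpd-like format (format is an assumption)
DHCP_LINES = [
    "dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:aa:bb:01 (fileserver-01) via eth0",
    "dhcpd: DHCPACK on 10.0.5.44 to 00:11:22:aa:bb:02 (hr-laptop-07) via eth0",
    "dhcpd: DHCPACK on 10.0.5.99 to de:ad:be:ef:00:01 (android-3b2c) via eth0",
]

DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S+)\))?", re.I)


def find_rogue_devices(lines, inventory=KNOWN_ASSETS):
    """Return [(ip, mac, hostname)] for leases handed to MACs absent from the inventory."""
    rogue = []
    for line in lines:
        m = DHCP_RE.search(line)
        if not m:
            continue
        ip, mac, host = m.group(1), m.group(2).lower(), m.group(3) or "?"
        if mac not in inventory:
            rogue.append((ip, mac, host))
    return rogue


# Constructed authentication log lines (format is an assumption)
HISTORY_LINES = [
    "2018-09-03T08:12:00 user=alice src=10.0.5.44 result=success",
    "2018-09-03T09:40:00 user=alice src=10.0.5.44 result=success",
    "2018-09-04T14:05:00 user=alice src=10.0.5.44 result=success",
    "2018-09-03T22:30:00 user=bob src=10.0.5.21 result=success",
    "2018-09-04T23:10:00 user=bob src=10.0.5.21 result=success",
    "2018-09-04T23:15:00 user=bob src=10.0.5.21 result=failure",  # failures do not set the baseline
]
NEW_LINES = [
    "2018-09-10T03:02:00 user=alice src=10.0.5.99 result=success",  # odd hour, unseen source
    "2018-09-10T22:45:00 user=bob src=10.0.5.21 result=success",    # matches bob's pattern
    "2018-09-10T11:00:00 user=carol src=10.0.5.44 result=success",  # never seen before
]

AUTH_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)")


def parse_auth(line):
    """Parse one auth line into (timestamp, user, source, result), or None if malformed."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def build_baseline(history_lines):
    """Per user: hours of day and source addresses seen on successful logins."""
    base = defaultdict(lambda: {"hours": set(), "sources": set()})
    for line in history_lines:
        p = parse_auth(line)
        if p is None or p[3] != "success":
            continue
        ts, user, src, _ = p
        base[user]["hours"].add(ts.hour)
        base[user]["sources"].add(src)
    return base


def flag_abnormal(lines, baseline):
    """Return [(user, reason)] for logins that deviate from that user's baseline."""
    findings = []
    for line in lines:
        p = parse_auth(line)
        if p is None:
            continue
        ts, user, src, _ = p
        b = baseline.get(user)
        if b is None:
            findings.append((user, "no baseline for user"))
            continue
        if src not in b["sources"]:
            findings.append((user, f"new source {src}"))
        if ts.hour not in b["hours"]:
            findings.append((user, f"unusual hour {ts.hour:02d}:00"))
    return findings


if __name__ == "__main__":
    for ip, mac, host in find_rogue_devices(DHCP_LINES):
        print(f"ROGUE DEVICE: {host} ({mac}) leased {ip}")
    for user, reason in flag_abnormal(NEW_LINES, build_baseline(HISTORY_LINES)):
        print(f"ABNORMAL LOGIN: {user}: {reason}")
```

The point is less the specific checks than the shape: the inventory and the baseline are owned by the silo's asset owner, the comparison runs centrally, and each finding names the owner who has to respond. In practice the hour-of-day and source checks would be tuned per role (shift workers, travelling staff), and the baseline would be rebuilt on a rolling window rather than from a fixed history.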
With an increasing number of people having access to internet-connected devices (23 billion devices versus 7.7 billion people (2018) to 75 billion devices versus 8.1 billion people (2025)), it is likely that there will be a significant increase in the volume of sensitive data being processed, stored and transmitted by this increasing number of systems. Consequently, it will become nigh on impossible for organisations to ensure the management of a fully secure perimeter, and they need to create responsive systems which are capable of effectively identifying and responding to potential incursions. A resilient defence will help protect your most critical assets, providing a cost-effective and manageable approach, allowing for scalability and flexibility that will help future-proof your defensive efforts.