Information Security... an ever-evolving road trip that has been taking us mostly uphill for well over a decade and a half now.
As the threats have changed and evolved over the years, so too has the thinking behind what security really means, and what the goals of information security truly are.
What started out as an endeavor to build an impenetrable perimeter has evolved (or devolved, as you see fit) into protecting individual pieces within our borders. We've not only give up on the secure perimeter theory, but acknowledge that it's become impractical.
As technology evolves, and consumer-minded techno-gadgets proliferate throughout the enterprise world with your employees, we can only assume that some of these devices will be used for nefarious purposes, and some will be unwilling pawns in the games hackers play. Globalization of the virtual workforce, and let's not forget cloud too...
These all combine together to shatter our previous notions of security. So here's my take on the 3 evolutionary stages of security, and why I think we've arrived at something we can finally adopt long-term.
Stage 1: Defend the Perimeter
Think back with me to the late 90's when we were busy probably connecting the cutting-edge companies that we were working for with the mythical Internet. At the head of the ".com boom" everything was on the Internet, every business was Internet-enabled, and having a DSL link at home was your goal. No one cool was on dial-up anymore.
Right around this time the mentality of security professionals... actually, security didn't really exist as a discipline back then, so we were just paranoid network operators and server jockeys, was that we needed to build a virtual "Great Wall of China" around our company.
We could actually define, and draw, a perimeter around our piece of the world, and more importantly we knew how the bits from the Internet were getting in, and leaving our network. There was usually a router, or two if you were lucky, and a firewall type device behind it which served as the gateway to our corporate intellectual property and secret sauce.
You'll probably remember thinking that you have to put a very tight policy on that network firewall, because that's the only way in or out, and that was our defense. Many of us even installed crude anti-virus on our desktops just in case something got through on those rare occasions. Many of us even had an IDS (Intrusion Detection System) monitoring the ingress and egress points.
My point is we had the delusion that the battle for our corporate network would be won or lost at that network gateway... more importantly, we were delusional enough to believe there was a snowball's chance in hell we could 'win'.
Fast forward a decade of so...
Stage 2: Mixed defenses, the perimeter is disappearing
At some point, probably after the 3rd or 5th piece of 'malware' (or virus if you prefer) ravaged our network we began to come to the startling realization that the perimeter had started to dissolve.
Employees were starting to carry laptops regularly, and the shift to being 'mobile' was on. That carefully guarded network ingress/egress point had multiplied overnight and there were probably 3 or more ways into your 'corporate network'.
In fact, the corporate network was probably more than 1 office, and your network was spanning multiple locations, LAN segments, and some of you unlucky ones even had VPN endpoints all the way out to a home office of a VP. You're probably nodding right now... me too.
Oh, and let's not forget we discovered that VPN was not a dirty word, and it wasn't just for the corporate privileged ...everyone was getting a VPN client and their RSA token! This completely blasted your network-based defense methodology to hell.
What's worse, maybe better, was that we were evolving our thinking from perimeter security to defense in depth. That cliche took on new life as we piled on the agents onto desktops, laptops and servers. Personal firewalls, anti-virus and who knows what were piled on and slowed down every machine and mobile user in your enterprise.
Sadly though, this didn't limit the number of attacks or successful intrusions -because the threat was evolving as well.
People were starting to write highly customizable malware which could devastate because it was purpose-built. It was time to give up on the fact that we could 'stop hackers' and start thinking about how we could slow them down, and force them to work harder to get at our goodies.
With the delusion of the network perimeter fading like a summer romance, security truly began to evolve to think about how we can protect assets ...only to realize we didn't know what the assets were.
At this point many security organizations started behaving erratically, putting protective measure in places that made little sense, adopting policies that were disruptive to the business, and focusing on technologies that weren't going to really raise any bars.
It doesn't take Einstein to realize while our thinking was moving forward, our actions were moving us backwards. We can call this security's dark ages.
Fast forward to the last 18 months or so...
Stage 3: Purposeful risk management, focus on minimizing damage
Unless you're still stuck in the dark ages (in which case it may be time to start looking for new employment options), you're probably living in a whole new reality recently. We've moved on from security to primarily risk management as our drivers.
We've given up on the notion of securing things and are starting to focus on the idea that security is a journey, and that while we're keeping things safe to a pre-defined level of risk tolerance, we need to minimize the damage that will be done when the bad people find their ways in and start to kick down doors.
If you think I'm being defeatist you're wrong... I'm more realistic than ever. If you think you stand even the slightest chance of keeping 'hackers out' of your intellectual properly, customer records, or systems... you're either delusional or entirely clueless.
You're never going to stop a determined attacker, especially not when we keep saying that the weakest link is often the human element - haven't you read Chris Hadnagy's book on Social Engineering yet? Forget about it.
Anyway, the biggest part of this whole awakening is the enlightened realization that we need to minimize damage. It's not that we can keep the attackers out, it's that we need to know when they've broken in, find out what they're up to, and stop them before they walk out with too much important stuff. We in modern information security would rather tell the business that someone broke in, compromised a server and stole 10 records rather than 10,000,000... right?
While this isn't always possible, that's our goal. This comes with the mindset that the perimeter is all but dissolved entirely, faded into memory like bell bottom jeans and slap bracelets from our youth.
What we're doing now is designing protective measures for the data at rest we've managed to identify, and encapsulate the data in motion such that it's not useful for theft without some additional information someone has to come to us to get.
Encryption is a big part of this, as is endpoint protection, data isolation and segmentation, least-privilege models of authorization, and things like data governance. Yes, these are big scary things, and they're not quite as simple as installing a firewall or scanning the network for open ports.
Yes, applications pop up faster than anyone has time to even scan, and the budget you have now barely covers your operational costs... but let's make do with what you have and stop crying that it's not getting better - this is the reality we live in.
Summing it all up...
So, here we are. What's to save you now, Alice? How do you find your way?
There are a few things you can do right now to make your situation better. Here, try this:
- Stop trying to say 'no' to everything the business asks, they'll do it anyway behind your back. Find a "yes, but" strategy that doesn't cost a small fortune, and fits nicely to mitigate the additional risk this thing you're staring at adds to your business.
- Consolidate the blinky lights. You've got probably no less than 30 security-related technologies in your enterprise or medium size business ...think about making that number a lot smaller. I'm not saying you'll be able to retire that IDS, but make it work for you more. Gather, filter and centralize that data everything generates and get a platform that will give you ACTIONABLE intelligence. This means that you can get timely data to help you make decisions in real-time on what's good, bad, and what you should put down the cookie for.
- Roll up your findings. Make what you do understandable to your CIO and business. How does security impact the business ...really impact the business? Try not using any security-related buzzwords like 'vulnerability' and 'threat' ...now automate it, and see if your CIO "gets it". If not, try again until he or she does. There are technologies out there that help you do this, they're maturing fast.
- Ask your peers, please! There are still far too many of you who read blogs like this, go to conferences and are quietly lurking. The security community has far, far too many people who simply float by - I know we're all shy in nature but please participate. Challenge your peers, ask questions, go to someone you trust for help ...heck tell those of us that teach that we're wrong when we are. Step up, seize the day... do something, anything that's more productive than the same old thing.
Good luck out there. You know how to find me if you want more info on any of this, or want to challenge some of my thinking!
Oh... and if this makes sense to you - go join this group on LinkedIn... and participate.
Cross-posted from Following the White Rabbit
Help Support Infosec Island by Tweeting and Stumbling our Articles - and join our LinkedIn Group HERE - Thanks!