Here at LMNTRIX, we are committed to improving cybersecurity, and one way we do that is by disseminating security knowledge and techniques through this blog. In the spirit of that, today we are going to talk about the most glaring error consistently made by companies trying to improve their network security, and what can be done to correct that error. But first, a math lesson (don’t worry, it’s short!).
It is an interesting mathematical fact that the most stable stools have three legs. Any fewer number of legs is unstable, while small aberrations in additional legs can upset the balance struck by any given group of three. Stated in mathematical terms, three arbitrary points define a plane, while two define a line and four or more do not necessarily lie in the same plane. Regardless of the unevenness of an underlying surface, a three-legged stool will balance without wobbling.
(You can relax now, the math lesson is over!)
The glaring cybersecurity error we’ve noticed is that organisations are trying to balance on a one-legged stool, and then are surprised when it tips over. This metaphorical image would be comical if the security of an organisation’s network and sensitive customer data wasn’t critically important. If the one-legged stool tips even a single time, it could spell the end for an organisation; customers have a tough time trusting an organisation that can’t protect the private information to which they are entrusted.
The solution to this issue is probably obvious; unbalanced security operations need more legs! Any company can sit comfortably on a stool mathematically obligated to be stable. Just as a reliable stool has three legs, reliable cybersecurity practice has three “pillars,” and any organisation can rest easy by implementing all three pillars into their security policy.
Pillar 1: Protection/Prevention
This is the leg most organisations balance on exclusively, and their mantra is “keep the threats out.” This pillar is a firewall, or AV, or a web/email security gateway or anything designed with the purpose of protecting your network from unwanted connections. There are three main reasons so many organisations rely on the first-pillar security exclusively. One, prevention-based security makes intuitive sense; an impregnable network wouldn’t require any other security practices, because it is impregnable. Two, prevention-based security is effective to a point. A properly configured NextGen firewall, for example, is sufficient protection from most common attackers (also known as script kiddies due to their lack of technical know-how). If an attacker is looking for easy prey, any amount of security could cause them to decide your network isn’t worth the effort. Three, it’s what everybody else does. If it works for most people, won’t it work for you, too?
Sorry to burst the bubble, but as technology continues to proliferate, as more data is stored online, and as computers become more essential to the running of a business, more networks become worth attackers’ effort, and the number of technically-knowledgeable attackers increases. Possession of any data whatsoever puts a big target on your organisaiton, and eventually hackers will take a shot at that target. And while your prevention-based security can protect against generalized scans and unskilled attackers, it’s only a matter of time before a technically-proficient adversary takes a crack at your network. Don’t rely on obscurity to protect your data; supplement your security stool with the next two pillars.
Pillar 2: Detection/Monitoring/Intelligence
Of course, we all hope the first layer of protection is strong enough to prevent breaches, but the reality of modern cybersecurity is that defenders are at a huge disadvantage. Organisations have a lot of obligations in addition to protecting their networks, while hackers have nothing to do but check every inch of your network for security flaws. Furthermore, it can be much harder to spot security holes from the inside; the holes are lost in the sea of devices that are properly configured and secured. For the attackers, it’s the holes that stand out. Lastly, organisations have all the responsibility to their clients to remain secure, and everything to lose if the attackers succeed. For these reasons, it’s best to have a backup plan if your preventative tactics fail.
The second pillar of cybersecurity is that backup plan. This pillar entails monitoring of your internal network and endpoints, detecting attackers hiding in your network, and using cybersecurity intelligence to improve your overall security level. The second pillar is your failsafe. For Pillar 2 to work best, a security team imagines an attacker hiding in their network and covering his tracks, and tries to hunt him down every day. This way, if the time comes that your organisation is the victim of a security breach, the culprit will quickly be discovered and the damages from the hack will be reduced massively. And the amount of damage breached organisations suffer cannot be overstated. Here’s a frankly horrifying statistic: 229 is the median number of days before most organisations detect a breach. That’s more than 7 months, during which time every single file is potentially compromised. No part of your organisation for over half a year is private. You probably have malware. This is the kind of breach that destroys reputations, and it’s the norm.
Don’t let this be you. By implementing Pillar 2, you’ve assumed that Pillar 1 will be insufficient, and established monitoring, detection, and intelligence tools accordingly. Now you’re prepared for a breach, and the number of days a hacker can hide in your network will blow the median out of the water. A Pillar 2 security system isn’t paranoid, because eventually the imagined attacker is a real attacker, and through constant monitoring, detection, and prediction, real attackers are located as quickly as possible after a breach.
Here is the bottom line. Pillar 2 does not mean buying an expensive sandbox, EDR, SIEM or an IPS and hoping for the best. Nor does Pillar 2 mean outsourcing to an MSSP. Why? Because if you run a red team exercise on your network in either of these scenarios, threats will still go undetected for several weeks, proving just how easy it is for attackers to steal your data without being detected. From our experience, most organisations that make such investments still have no ability to detect and respond to advanced threats that bypass their perimeter controls.
Pillar 3: Response
Aha! You have a threat in your network after all, as discovered by your Pillar 2 practices.
… Now what?
Hunting down security threats isn’t like a game of hide and seek. A threat isn’t just going to throw his hands in the air because he’s been discovered, and your data isn’t safe just because the threat disconnects from your network. A smart attacker will fiddle with your network while he’s in there, allowing future access at his leisure. A smart attacker might have downloaded large quantities of sensitive information, to later be sold to the highest bidder. A smart attacker necessitates a response plan.
Most organisations have no response plan at all. For example, after Yahoo was breached in 2014, the attackers sifted through the company network, downloaded proprietary software and massive databases, and gained the ability to access a billion user accounts. Two years later, when Yahoo made this information public, they basically shrugged their shoulders and said, “It happens, what can you do?”
Well, here’s what you can do: implement the third pillar of cybersecurity, a response plan. An effective response plan should block and contain an attacker in your network, patch the discovered security hole, prevent the spread of malware, and recover stolen data. You should quickly and efficiently remove the threat from your network (which you will be able to do, because you’ve also implemented Pillar 2!), figure out exactly what the hacker did while connected to your network, and quickly notify affected parties so they can ensure their privacy and security if necessary (change passwords, alert banks, etc.).
Put It All Together
The response plan completes the cybersecurity stool. Secure organisations divide their energy (and budgets) evenly between all the three pillars to best protect their network and data. By supplementing your perimeter controls with monitoring/detection tools and your new response plan, your organisation will boast next-generation protection that will ease the mind of any security specialist and confound any attacker.
Finally, a brief plug. If you like to see how Gartner recommends you should make these three pillars work together then purchase the Designing an Adaptive Security Architecture for Protection From Advanced Attacks or read a summary of how LMNTRIX Aligns with Gartner. If you already have Pillar 1 nailed down, and are looking to balance your security by implementing the other two pillars, LMNTRIX can supplement your existing security by providing the tools and expertise in the areas where you feel your organisation is lagging behind. You can contact us through our website here.
If you enjoyed this article and you would like to learn more about our thinking, the following articles are a good start:
- SIEMs, EDRs, SOCs, MSSPs – cyber security’s false prophets
- Is Microsoft one of the most effective AV vendors on the planet?
- If vendors spent less on marketing and more on capability, our job would be a lot harder
- Why SIEMs Are the Achille’s Heel of the Cybersecurity World
- VIDEO – WHY YOUR SIEM MIGHT BE AS USEFUL AS A SELFIE-OBSESSED CELEBRITY
- The Three Pillars of Cybersecurity
- Stepping into the Breach
- LMNTRIX: Security Done Different