
How to boost your breach defense: A three-part plan

Chas Clawson, Cloud SIEM Engineer, Sumo Logic

Defending one's castle used to be simple: Build a wall, and add a moat and a big, heavy door. Place guards at the few egress and ingress points. Get a good vantage of the surroundings by having watchmen on the wall or in towers. The concepts were well understood and employed as far back as the ancient Egyptians. Things have changed.

Not too long ago, I was a red team member acting as an adversary against some of the most secured networks in the world. What struck me was how uneven modern cyber warfare is. Adversaries only have to find one way in: one unpatched system, one unsuspecting user who clicks a seemingly harmless link, one curious admin who inserts an unlabeled USB drive, one well-meaning employee who reused a strong enterprise password on a site that was later compromised, so that those credentials are now leaked onto the web.

Even the strongest, most protected networks can be brought to their knees with just one minor misstep. Even if you have a solid plan in place, mistakes happen that open your organization up to attack. The annual Verizon Data Breach Investigations Report (PDF) states that errors were at the heart of almost one in five (17%) breaches. Thus, the cyber defender has to protect against all attack vectors, 24 hours a day, seven days a week, while the attacker only has to find one way in.

It doesn’t help that defenders are often working without the tools or visibility needed to be effective. It’s simply not a fair match, and that's not going to change any time soon. That's why you need to adopt a trichotomic, or three-part, security model, consisting of security in depth, DevSecOps, and security validation.


What is at risk?

One thing that has not changed from ancient days is that once the enemy is inside your gates, the battle is all but lost as you strive to suppress and terminate the efforts of the enemy within your walls. Intellectual capital can be stolen. Systems can be brought down, causing extremely costly outages. In some cases, companies’ reputations can be permanently damaged as customers lose confidence and trust.

Simply hoping you won’t be the next target is not a wise defensive strategy because everything is at stake, and chances are you aren’t prepared to handle a serious breach.

Move 'left of bang' with your security strategy

The cyber-defense strategies of yesterday preached “defense in depth.” The logic was sound. Expand your perimeter security so that if any one protection failed, you had additional layers of protection to fall back on. Build a moat. Build a castle wall. Have sentries standing guard inside these walls, etc. This was effective in the past for the most part, but it doesn’t address all of the issues today.

In today's interconnected world, an enemy can often bypass all defenses without detection, since there is no longer a clearly defined perimeter. The endpoint is the new perimeter. The user is the new perimeter. The apps are the new perimeter. If enemies seemingly have a teleportation machine, building a stronger wall isn’t a wise use of resources.

Security in depth would also incorporate a solid data encryption strategy so that even when a breach occurred, the data that was exfiltrated would be less damaging. Sadly, many enterprises aren’t aware of where their “crown jewel” data resides, or of what newer techniques such as format-preserving encryption (FPE) can do to ease the pain of encrypting this data. FPE produces ciphertext in the same format as the plaintext (a 16-digit card number encrypts to another 16-digit string), so legacy database schemas, input validators and downstream systems do not have to change to accommodate the encrypted field.

In short, you need to move your strategy “left of bang.” In terms of warfare, this means using improved tactical cunning and awareness to address problems before the damage occurs and having a good lessons-learned program to prevent similar weaknesses in the future.


Enter DevSecOps

According to the DBIR, 68% of breaches took months or longer to discover. Once attackers are in, it’s very difficult to remove them with certainty. One approach that addresses this challenge from an application vulnerability perspective is the security strategy du jour: DevSecOps.

By deeply integrating security controls and checks into the application development and operations process, many of the vulnerabilities are discovered before the bad guys exploit them. This requires a concerted and determined effort by developers and operations teams. So by combining DevSecOps with security in depth, have you solved the problem? Not quite.
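
One concrete form that "integrating checks into the process" takes is a gate that a CI job runs on scanner output before a build may ship: serious findings fail the build unless someone has explicitly accepted the risk, and accepted risk expires. The following is an added example, not code from the article or from Sumo Logic; the finding shape, the exception record, the severity policy and the sample data are all constructed for illustration rather than taken from any real scanner.

```python
"""Added example (not from the article): a policy-as-code gate that a CI job
runs on security-scanner findings before a build is allowed to deploy.

Everything here is constructed for illustration: the finding shape, the
exception records and the sample data are assumptions, not a real scanner's
output format.
"""
from dataclasses import dataclass
from datetime import date

# Severity order used by the policy; anything at or above the threshold
# must be fixed or carry a live, documented exception.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    id: str        # stable id so an exception can refer to it
    severity: str
    rule: str
    location: str


@dataclass(frozen=True)
class RiskException:
    finding_id: str
    owner: str          # who accepted the risk
    justification: str  # why it is acceptable for now
    expires: date       # accepted risk is time-boxed, never permanent


def evaluate_gate(findings, exceptions, threshold="high", today=None):
    """Return (passed, blocking, stale).

    blocking: findings at/above threshold with no active exception.
    stale:    exceptions whose expiry has passed; their findings block again,
              which is what forces the periodic re-review.
    """
    today = today or date.today()
    active = {e.finding_id for e in exceptions if e.expires >= today}
    stale = [e for e in exceptions if e.expires < today]
    cutoff = SEVERITY_RANK[threshold]
    blocking = []
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is None:
            # A severity the policy does not know is not silently ignored.
            blocking.append(f)
        elif rank >= cutoff and f.id not in active:
            blocking.append(f)
    return (not blocking, blocking, stale)


# Constructed sample scanner output for one build.
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", "sql-injection", "app/orders.py:42"),
    Finding("F-2", "high", "hardcoded-credential", "tests/fixtures.py:7"),
    Finding("F-3", "medium", "weak-hash-md5", "app/legacy.py:88"),
    Finding("F-4", "high", "ssrf", "app/fetch.py:15"),
]

# Constructed exception register, kept in version control next to the code.
SAMPLE_EXCEPTIONS = [
    RiskException("F-2", "appsec@example.com",
                  "throwaway credential for a local test container", date(2030, 1, 1)),
    RiskException("F-4", "platform@example.com",
                  "host had no egress; re-check after network change", date(2019, 1, 1)),
]


def run_sample(today=date(2024, 6, 1)):
    """Evaluate the constructed sample; returns ids so the result is checkable."""
    passed, blocking, stale = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, today=today)
    return passed, [f.id for f in blocking], [e.finding_id for e in stale]


if __name__ == "__main__":
    import sys
    passed, blocking, stale = run_sample()
    for fid in blocking:
        print(f"BLOCK {fid}")
    for fid in stale:
        print(f"STALE exception for {fid}: re-review required")
    sys.exit(0 if passed else 1)  # a non-zero exit fails the pipeline stage
```

On the constructed sample the gate blocks F-1 (critical, no exception) and F-4 (its exception expired), lets F-2 through on a live exception, and ignores F-3 as below the threshold. The expiry date is the design choice worth copying: an exception that never expires is just a finding nobody looks at anymore.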

Despite your best efforts, you will still feel as though cyber adversaries are one step ahead of your controls and defenses. That's why you need to add one last component to your security program: security validation. The focus here is to design ways to test what you think is already secure. Red teams, penetration tests, audits, and bug bounties are good examples. When the rubber meets the road, was the castle defended? Are the expensive tools and supporting SOPs achieving what they claim?
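
Validation applies to the SOC's tooling as much as to the perimeter: a detection rule that has never been exercised against the attack it is meant to catch is only a hypothesis. The following is an added example that is not part of the original article: a brute-force login detection written for sshd-style log lines, with a validation routine that checks the rule fires on a constructed attack sample, stays quiet on constructed benign traffic, and then tries a low-and-slow variant. The rule, its 60-second window and threshold, and every log line are assumptions made for the example.

```python
"""Added example (not from the article): a simple detection rule plus the
validation harness that proves what it does and does not catch.

The log format mimics OpenSSH's sshd messages; the rule parameters and all
sample lines are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(line):
    """Return (timestamp, result, user, ip) for a password-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog omits the year
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=5):
    """Alert when one source IP accumulates `threshold` failed logins inside
    `window` and then succeeds. The success after a burst of failures is the
    event worth paging on; the failures alone are just noise."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # not a password-auth event
        ts, result, user, ip = ev
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()  # expire failures that fell out of the window
        if result == "Failed":
            q.append(ts)
        elif len(q) >= threshold:
            alerts.append({"ip": ip, "user": user, "failures": len(q), "at": ts})
            q.clear()
    return alerts


def _line(ts, result, user, ip, pid):
    """Build a constructed sshd-style log line for the samples below."""
    return f"Jun  1 {ts} bastion sshd[{pid}]: {result} password for {user} from {ip} port 5{pid} ssh2"


# Constructed attack: five failures in ten seconds, then a success.
ATTACK = [
    _line("12:00:01", "Failed", "invalid user admin", "203.0.113.7", 1201),
    _line("12:00:03", "Failed", "root", "203.0.113.7", 1202),
    _line("12:00:05", "Failed", "alice", "203.0.113.7", 1203),
    _line("12:00:07", "Failed", "alice", "203.0.113.7", 1204),
    _line("12:00:09", "Failed", "alice", "203.0.113.7", 1205),
    _line("12:00:12", "Accepted", "alice", "203.0.113.7", 1206),
]

# Constructed benign traffic: one typo, then a normal login.
BENIGN = [
    _line("09:00:01", "Failed", "bob", "198.51.100.4", 1101),
    _line("09:00:06", "Accepted", "bob", "198.51.100.4", 1102),
    "Jun  1 09:00:06 bastion sshd[1102]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
]

# Constructed low-and-slow attack: the same five failures, 90 seconds apart.
SLOW_ATTACK = [
    _line(t, "Failed", "alice", "203.0.113.9", 1300 + i)
    for i, t in enumerate(["12:00:00", "12:01:30", "12:03:00", "12:04:30", "12:06:00"], 1)
]
SLOW_ATTACK.append(_line("12:07:30", "Accepted", "alice", "203.0.113.9", 1306))


def validate_rule(detect=detect_bruteforce):
    """Security-validation step: exercise the rule against known samples
    before trusting it. Each key is a claim the rule is expected to satisfy."""
    return {
        "attack_detected": len(detect(ATTACK)) == 1,
        "benign_quiet": len(detect(BENIGN)) == 0,
        "slow_attack_detected": len(detect(SLOW_ATTACK)) >= 1,
    }


if __name__ == "__main__":
    for claim, ok in validate_rule().items():
        print(f"{'PASS' if ok else 'FAIL'} {claim}")
```

The third claim fails, and that failure is the point of the exercise: the rule rests on an assumption (a 60-second window) that a patient adversary can simply wait out. Validation surfaces that gap on your schedule rather than on the attacker's, and the fix (a longer window, a per-user counter, or correlation with a new-source-IP signal) is then a conscious tuning decision rather than a post-breach discovery.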

Only when you have all three areas working together do you have an effective breach defense. By framing your security programs and solutions into this three-part security model, your organization can better see where it is lacking.

Many businesses do well in one area. For example, they may have a great SecOps defense team, but they fail to validate their security posture by using red teams or code analyzers. In such cases, they will likely find themselves in a continuous firefighting mode, as one area must make up for the other.

SOCs take a team

A key element of a successful three-part approach is that each team must continuously work to move left of bang. This means that SOC analysts are in communication with system stakeholders and developers, who are in communication with security auditors, and so on, building security into their processes to prevent and detect issues before breaches occur.

Resources are always a limiting factor, and every organization must decide how far it can stretch its security operations across the enterprise while still providing adequate protection.

For companies that want to conduct a comprehensive review of their security programs, being able to separate the discussion around the three areas of DevSecOps, security validation and security in depth is very helpful.

There are, however, more thorough frameworks out there to consider. Starting with the NIST Cybersecurity Framework, for example, and mapping all of your current tools, programs and procedures to its functions and categories is a great start.

A complete breach defense strategy

Frameworks simply provide a common lexicon for discussing, internally and with customers or investors, the cybersecurity risks and priorities that challenge the enterprise. They help you validate the controls and processes already in place and identify which areas require more investment in technology, people, or processes.

So, does your organization’s security strategy adequately cover the three security focus areas? Are you actively scanning for vulnerabilities and utilizing your data to track down both known and unknown threats? Are you managing and monitoring the identities and behaviors of your users? And when a breach does occur, does your data remain secure and encrypted?

It may not happen today or tomorrow, but eventually your enemies will find and exploit gaps in your defense. But this is a battle that we are all fighting together. Defending your castle may not be a simple feat in today’s world, but through best practices and frameworks, you will be able to more effectively stretch your allocated security budget into a more comprehensive and effective security strategy.
