Security: Look within, not just at the edge
04/19/15 Category: Security
For effective detection, we have to move our view beyond the perimeter and look within.
The entire premise of defense in depth is focused on withstanding numerous attacks to keep the attacker "outside." There are many flaws in this approach:
- It assumes we have clear perimeters
- It assumes the attacker is on the outside
- It assumes a 100% success rate (the greatest lie of all)
- It assumes we can sustain any barrage in volume or intensity
- It assumes we'll pay attention to all traffic while under a shock and awe attack
- It assumes we'll detect a slow and quiet recon mission for subsequent deferred attack
- It assumes the attack isn't being launched from inside
- It assumes the attack isn't being done by approved users
- It assumes all VPNs are secure
- It assumes we don't already have a breach internally (VERY flawed assumption)
- It assumes that we're on the inside looking for things coming "in"
- It assumes we're just looking at what devices are connecting to the internet
- There is an implied assumption that roaming devices will remain secure while "off the ranch"
That's a short list, yet it already holds far too many assumptions. Let's instead assume:
- We may already have a breach
- We need to look within
- We need to look instead from the inside at what is leaving and where it's going
- We need to not only know what device/IP address, but also what programs are connecting to the internet
In other words, we need to assume there may already be a problem and start proving to ourselves we've been breached until we can prove otherwise. However, this does assume that what we're looking for is a longer-term problem still "dwelling" in our environment and communicating with a command and control system, versus a smash and grab.
The good news is that this is quite doable with continuous monitoring of the endpoints and:
- Knowing what programs are installed with vulnerabilities
- Knowing what programs are making outbound connections
- Knowing what IP addresses are being communicated with and whether they are known bad addresses
- Knowing what programs are talking with the known suspect IP addresses
- Knowing what new programs appear in the environment
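What the last four items look like in practice, as an added example that is not part of the original post: a short Python script that works over constructed endpoint telemetry (made-up hosts, program paths, addresses, blocklist and baseline inventory) to group outbound connections by program, flag programs contacting a listed bad address, report programs absent from the baseline, and rank them for review.

```python
import ipaddress
from collections import defaultdict

# Constructed endpoint telemetry, one tuple per outbound connection:
# (timestamp, host, program image, destination IP, port). All values are made up.
TELEMETRY = [
    ("2015-04-19T08:01:12", "ws-017", r"C:\Program Files\Browser\browser.exe", "192.0.2.10", 443),
    ("2015-04-19T08:03:40", "ws-017", r"C:\Users\jdoe\AppData\Roaming\svchost.exe", "198.51.100.23", 8080),
    ("2015-04-19T08:05:02", "ws-042", r"C:\Windows\System32\svchost.exe", "10.0.0.5", 445),
    ("2015-04-19T08:07:55", "ws-042", r"C:\Users\asmith\Downloads\updater.exe", "192.0.2.44", 443),
    ("2015-04-19T08:09:10", "ws-017", r"C:\Program Files\Mail\mail.exe", "198.51.100.23", 993),
]
KNOWN_BAD = {"198.51.100.23"}  # constructed "known bad" list; placeholder, not a real indicator
BASELINE_PROGRAMS = {  # program images already inventoried in the environment (constructed)
    r"C:\Program Files\Browser\browser.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\Mail\mail.exe",
}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def outbound_by_program(records):
    """Map each program image to the external IPs it contacted (RFC 1918 destinations skipped)."""
    seen = defaultdict(set)
    for _ts, _host, program, dst_ip, _port in records:
        if not any(ipaddress.ip_address(dst_ip) in net for net in INTERNAL):  # what is *leaving*
            seen[program].add(dst_ip)
    return dict(seen)

def programs_talking_to_bad(records, known_bad):
    """Programs whose external destinations include a known bad address."""
    return {prog: ips & known_bad
            for prog, ips in outbound_by_program(records).items() if ips & known_bad}

def new_programs(records, baseline):
    """Program images seen in telemetry but absent from the baseline inventory."""
    return {program for _ts, _host, program, _ip, _port in records} - baseline

def triage(records, known_bad, baseline):
    """Rank programs for review: new AND talking to a bad address first, then either alone."""
    bad = programs_talking_to_bad(records, known_bad)
    fresh = new_programs(records, baseline)
    findings = []
    for prog in set(bad) | fresh:
        reasons = ["known-bad destination " + ", ".join(sorted(bad[prog]))] if prog in bad else []
        if prog in fresh:
            reasons.append("not in baseline inventory")
        findings.append((prog, reasons))
    return sorted(findings, key=lambda f: (-len(f[1]), f[0]))
```

Feeding real telemetry means replacing the constructed tuples with records from an endpoint agent or firewall log and the baseline with an actual software inventory; the ranking logic stays the same.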
The tools and techniques exist and are relatively affordable, but we must now look within.