Credit: ID 154117855 © Kulikovalex | Dreamstime.com
Cyber security is a really tough job to get right, we have a never-ending spread of infections or attacks and it would appear that nothing is working in the fight to stop it. Are we going about this the wrong way?
Most organisations work on a Castle and moat scenario whereas I am sure you can guess you have a large number of perimeter defences to stop attackers getting into your castle. You have the moat around the outside of the wall to make it very difficult to reach the castle walls to attack it, you will have one funnel point of access (or two) that allows you to direct all attackers into a smaller more defensible section of your wall that you can have many defenders and protections in place to stop any attack thrown your way.
This method of defence is solid and is the main approach used by most defenders for a long time now, but this is no longer a viable option. Perimeter defences are becoming useless to any organisation that is trying to protect their employees and their company/client data. Why? It is simple, how can you protect a wall or the castle itself from attack if there is no castle? Seriously let's think about this. 15 maybe even 10 years ago companies had a business site where all staff went to work and once the day was finished they closed off their machine and went home. All the data was at that site on the one system and the walled protections around these networks were perfect.
In today's environments, there is no real castle to protect, the company's employees and assets are spread all over the globe or country or even if it is just one site your business operates from primarily your servers or primary business applications are most likely cloud hosted. Your staff will nearly all have emails or some other business data access on their phones or tablets or whatever the latest gadget is that everyone is using at the time. So, if there is no boundary or site location how can you put up walled protections? Honestly, you can't.
We all need to look at our systems differently, we need to look at them as though they are a fluid environment with no beginning and no end. We need to think of every user and every device as untrusted because we can’t just put that wall up as we used too, we need to believe that everything could be a malicious actor. Now don't panic, I know that now means you need to be in a hundred places at once but there are ways we can minimise this mess.
Zero trust is not a new idea and there are some great platforms that can help create such a network, but I am not going to talk about those specifically as honestly, I am not a sales person for what ever blinky light solutions they are selling. I want to talk you through some basics that will help you build this type of network that is resilient to allowing malicious actors to spread unabated through your organisation's systems.
How about you first look at segregation? Break up your systems into departments or locations, isolate them from each other virtual networks or physical network breakups and stop them from seeing each other completely. They don't need access to each other's systems so why do we allow it? We shouldn't break them up, give each area/division/site access to what platforms they need to do their jobs and nothing more (I will come back to the nothing more point in a moment). Now you have the smaller segments, put your walls up around them to protect each of them. That is a good start.
Next, let's talk about the nothing more than required statement above, each user will need to have access to a set of things to do their job, they may like or even want access to other things but they don’t need them to do their jobs. So, don’t give them anything more than the bare minimum access they will require to do their jobs. Close off shared drives don’t allow them access to different applications that are used across the company. If they don’t need it they, don’t get it period. Its simple theory really, if a user is infected with a virus or falls victim to a malicious actor than if that user has restricted access it will minimise the ability for the malicious actor to gain access to company data. Yes, they still have access but the more restricted we can make it (without making it painful for users of the systems) the better we can slow the spread of a malicious actors reach. We may lose one division in an attack, but we may still be able to protect the remaining ones.
Now you have smaller pieces to protect and users only have access to what they need too. A good start don’t you think? Now I am going to tell you that none of this matters really because malicious actors will still breach your networks and will still break things that you don’t want them too, that’s what they do and at this time I really don’t see that changing but that doesn’t mean you should do the above. No, it means we should do it as best we can and make it so hard to move even an inch on your systems that it irritates the malicious actor so much that they just give up.
To do this we need to ensure the above has been done well, then we need to have systems that can monitor the network for any new device or software that hasn't been strictly approved and throw it back out as fast as it came in. We can do this with a good IDS/IPS with systems with that beloved AI that is touted around these days (probably just machine learning not really AI – but that is a different argument for another time). You could also use application whitelisting to stop unauthorised applications if users can’t install and run applications that you didn’t vet first than that will greatly reduce your threat surface.
Why don't we add in user behaviour monitoring why we are at it? Some SIEM's can help you with this, learn how they use the systems, where they would use them from and be notified if something isn't normal. It may be that missing piece that could stop a breach. If your team normally works between 6 am until around 8-9pm on occasion but you suddenly have a user that is logging in and accessing files at 3 am then it's likely you have a problem.
Look there is many things you can do and many systems that will help you do it but the point I want to make here is simple, castle and moat protections are over they don’t work. We need to always remember that every device could be malicious and design our protections that are based on the fact that the ones we want to protect our systems from are wandering around our systems as we speak. Systems in our network are no longer trusted.
Keep your fingers on the pulse, learn your systems behaviour's and respond as needed but more importantly do the groundwork so you can scrape back an ounce of control in the ever-evolving environment we are pledged to protect. Zero trust systems are not a silver bullet solution to all of our problems in cyber security (we have way too many to work on for that to be the case), but it can certainly help reduce our risks and allow us to respond faster to breaches (6-12 months is too long for breaches to undetected) that’s a good step forward.
As always tell me what you think, disagree with me, tell me a better way if you think you have it. I just want what you want to better protect our systems.
Till next time…