Security Posture 101: Do You Know Who, Where and When, What’s It Doing?
In our first post in this series, we covered a better way to think about your security posture. (Hint: controls maturity evaluations are about as effective as an umbrella with holes). Our last post on security posture covered requirements for running tight IT asset inventory and discovery, and how this relates to security. This is an increasingly daunting task in the age of cloud infrastructure and work-from-wherever. Getting a handle on the assets running on your networks and systems, however, is only half the battle for nailing down security posture.
If you have a fleet of planes or boats, and you can count them, you are still missing critical information about where they are located, who is piloting them, what they are carrying, and more. That information is what lets you make an educated guess that, say, your container vessel (IT pun intended), which seems to have dropped anchor off the Horn of Africa, may be making an unscheduled stop due to some extra-judicial activity (pirates, that is). In other words, knowing ownership, location, privileges and expected behaviors is crucial to understanding whether the IT assets that you have counted are on the straight and narrow and your security posture is holding. The window of time you might have to block network access for an erratically behaving accounting software server somewhere in Ukraine (Hello, NotPetya!) is small and growing smaller all the time.
Because so many breaches and security incidents start with user devices and accounts, the very first question any cybersecurity team must be able to answer when something looks odd is “Who owns that box/smartphone/tablet/cloud instance?” Answering this question ASAP is important for security posture not only because it can help identify whose system was compromised; it also allows security teams to quickly shut down, or put under a higher degree of scrutiny, all systems associated with this person. Even if the system breach was not intended by the victim or was the result of social engineering and trickery, smart criminals would still likely attempt a horizontal traversal. Any systems where the compromised user has privileges should be assumed compromised as well.
Now, one would think that quickly tying any asset to a human or business unit should be no problem. That’s not always the case. Data gets garbled. Multiple systems of record may have conflicting information. In the cloud, every virtual server must faithfully carry some sort of identification or tag indicating the responsible human party. And in newer cloud technologies, like serverless computing or Kubernetes, containers and other forms of disposable compute may be running and then gone in a matter of minutes. Translation? Even though the “who” question is crucial to creating a defensible security posture, answering the question is getting harder and harder and requires more and more acumen and system integration.
The ability to determine where each asset is located is also crucial to maintaining a strong security posture. When an identity or device or server is spoofed, it usually gives off telltale signals that the spoofing is geographically inconsistent with the normal location patterns of the asset. Unfortunately, attaching an accurate geolocation to each asset is much harder than it used to be. Not too long ago, employees were expected to connect to company networks and critical systems largely from within specific physical work environments - more precisely, from the office. This made the old “hard perimeter” paradigm defensible and sensible. With smartphones and ubiquitous broadband, people started working more in other places. To a certain extent, they were expected to connect via VPN to enterprise networks. But that requirement began to fade when more corporate software applications were offered via a web browser as SaaS. With the old perimeter model of security posture looking like Swiss cheese, answering the “where” question became harder and required better technological solutions.
As more and more employees perform work outside the office on laptops, tablets or mobile phones, the question of asset location has become more challenging. For example, in the wake of COVID, employees might be logging in via home wireless networks, via tethered data connections on cell phones, or at their local Starbucks. This introduces confusion because, for example, cell phone networks can mask location data by bouncing traffic across multiple IP addresses. Or an employee logging into a WiFi network in a strange city may inadvertently mask their location when the WiFi is managed by a service provider that proxies all WiFi traffic through a security appliance. Then there’s the cloud, where applications might move from one data center to another, following the traffic and the workday, to deliver better performance at the right time. All of this makes answering the “where” question more complicated - but still critical to keeping a strong security stance. Asking the “where” question of all assets and seeing what comes back is a gut check for the efficacy of that stance. Assessing security posture requires proactively validating that security controls can detect, alert on or block traffic if the answer to the “where” question matches likely attacker methods.
Related to the importance of knowing “where” for spotting anomalies (and assessing security stance) is the importance of knowing when a device or asset or process is supposed to be working. If the Treasurer’s cell phone starts sending emails at 3 in the morning while she is on vacation, then something is likely wrong. Attackers like to mask data exfiltration and network probing in off hours, when security teams are less likely to respond or notice. So knowing when something is supposed to happen is a crucial part of maintaining a proper security stance. What an asset or device or network system is doing is also a crucial piece of security stance info. While perimeter defenses consistently look for anomalous traffic indicating attacks, compromised systems inside the firewall are much harder to identify as they attempt to horizontally traverse inside an enterprise and escalate privileges to gain access to critical systems. Another sign of trouble is when systems are performing a permitted and expected task too frequently. For example, a financial system issuing too many small payments can be a sign of a smart attack that is attempting to leverage the lack of rate limiting on the system. As we witnessed with the rash of ransomware attacks, which often happen in the middle of the night and demonstrate strongly anomalous behavior, answering when and where can be the difference not just between a strong and weak security stance but also between a catastrophic versus merely annoying cyberattack.
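To make the four questions concrete, here is an added example (not code from the original post) that runs who/where/when/what checks over a constructed asset inventory and event log: untagged assets, activity outside an asset's home region, activity outside its expected hours, and a permitted action (payments) repeated too often inside a sliding window. The asset names, regions, timestamps and thresholds are all made up for illustration.

```python
from datetime import datetime, timedelta
_ts = datetime.fromisoformat
# Constructed inventory (not from the post): owner = "who", home_region =
# "where", hours = expected local activity window = "when".
ASSETS = {
    "web-01": {"owner": "alice", "home_region": "us-east", "hours": (8, 18)},
    "fin-app": {"owner": "treasury", "home_region": "us-east", "hours": (7, 19)},
    "tmp-7f3a": {"owner": None, "home_region": "eu-west", "hours": (0, 24)},
}
# Constructed event log: (asset, ISO timestamp, source region, action).
EVENTS = [
    ("web-01", "2023-05-02T10:15:00", "us-east", "login"),
    ("web-01", "2023-05-02T10:40:00", "ap-south", "login"),
    ("fin-app", "2023-05-03T03:05:00", "us-east", "payment"),
    ("fin-app", "2023-05-03T11:00:00", "us-east", "payment"),
    ("fin-app", "2023-05-03T11:02:00", "us-east", "payment"),
    ("fin-app", "2023-05-03T11:04:00", "us-east", "payment"),
    ("fin-app", "2023-05-03T11:06:00", "us-east", "payment"),
]

def unowned_assets(assets=ASSETS):
    """'Who': assets with no responsible party recorded (e.g. an untagged instance)."""
    return sorted(a for a, meta in assets.items() if not meta["owner"])

def geo_inconsistent(assets=ASSETS, events=EVENTS):
    """'Where': activity from a region other than the asset's home region."""
    return [(a, t, r) for a, t, r, _ in events if r != assets[a]["home_region"]]

def off_hours(assets=ASSETS, events=EVENTS):
    """'When': activity outside the asset's expected hour-of-day window."""
    return [(a, t, act) for a, t, _, act in events
            if not assets[a]["hours"][0] <= _ts(t).hour < assets[a]["hours"][1]]

def payment_bursts(events=EVENTS, window=timedelta(minutes=10), limit=3):
    """'What': a permitted action repeated too often. Flags each payment that
    brings one asset above `limit` payments inside a sliding `window`."""
    by_asset = {}
    for a, t, _, act in events:
        if act == "payment":
            by_asset.setdefault(a, []).append(_ts(t))
    flagged = []
    for a, times in by_asset.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop payments older than the window
                start += 1
            if end - start + 1 > limit:
                flagged.append((a, t.isoformat()))
    return flagged
```

Each function returns the items a security team would want to triage first; in practice the inventory and events would come from the cloud tagging system, identity provider and application logs rather than inline constants.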
None of this is to say that answering any of these questions definitively is easy and that building an accurate picture of security stance is as simple as querying a few systems. In fact, the reality is that perfect security is impossible and perfect accountability and capture of security posture information is a moving target. That said, the first step towards this level of improved security posture is to stop thinking in “industry-speak” around security controls maturity analysis or other semi-useless frameworks and to start thinking about your security posture through the lens of how well you answer the questions that anyone would ask to identify the root cause or kill chain of a breach or attack. Learn more about how to better manage your security posture.