Since enterprises must maintain information about their customers, why is it that breaches happen constantly?
In my conversations with network and security engineers responsible for security in dozens of companies, I have verified that it's not a lack of knowledge about how to build controls that limits security. It is, in fact, the overarching complexity of an environment that is constantly expanding and evolving to provide the capabilities the business needs. In doing so, however, it inexorably obfuscates the security reality.
The primary paths for attack are well-known and relatively simple. However, a forgotten back door, an unpatched server, or an authentication oversight on a host that's been deprecated turns into a multimillion-dollar nightmare on an incredibly frequent basis.
So, what can you do?
First, understand the reality: very smart programmers are being paid a nice salary to sit in an office cubicle and create software to break into your network.
If you're willing to face that truth, it will change how you think about the security of your network. Since people are working hard to build automation to break into your environment and steal or destroy what they can, your defensive efforts must be at least as sophisticated to protect it.
Second, use honest reconnaissance: using automated tools, analyze your network and its systems, including all of the software on systems involved in handling, transmitting, or storing critical data and all of the components that make up your network.
This analysis is done by attackers once they get into your network. They map out your network using automated tools. In most cases, attackers have a better and more current map of a network than the organization does. Across the more than 100 organizations I have worked with as a security consultant, the average age of a network diagram is five years. Many of the devices in networks today didn't even exist five years ago, yet the most current visual representation of the network is that old. To be able to defend your environment, you must have a clear map of it that represents how it's really implemented, not just how it was designed to work. Every engineer knows that networks begin to change the moment after the design is published. Demands during installation and ongoing business needs create changes that start right away and continue relentlessly into the future.
Well-designed modern networks are segmented to isolate and protect. However, mistakes and oversights can break this segmentation, as seen in virtually every reported breach. The only way to determine potential access in violation of the segmentation architecture is to analyze every potential path, taking into account potential network dynamics in the process. Having a picture of the state of network security policy compliance every day is vitally important.
Third, recognize and address errors: network device configuration instructions are the modern equivalent of writing in machine language.
Network device configurations are highly detailed, and minor typing errors in them can have dramatic impacts. In addition, the sheer number of devices and the volume of configuration detail make it impossible to review even a small subset of them without detailed software analysis. Only software that analyzes both the details of the individual devices and all of the devices together, in the context of the end-to-end network, can report the ultimate implications of those complex configurations for the network as it's built.
Fourth, prioritize intelligently: deciding which network and system fixes and changes to make when and in what order is the most important first task once the information is available.
Consider which you think is more important to address: a very high-score vulnerability on a system in an isolated lab or a low-score vulnerability on an externally facing mail server. When asked this question in training sessions, students quickly answer that the one on the mail server is more important. However, a vulnerability scanner is only able to prioritize host issues based on the Common Vulnerability Scoring System (CVSS) score of a vulnerability. It cannot tell where the system is in a network or how accessible the vulnerability might be. This is another function provided by automated network path analysis, which shines light onto the best way to defend an environment from those automated attacks.
Fifth, quickly determine impact: when alarms sound in the environment, use automation to assess the potential blast radius.
From information available publicly, it seems that the earlier Sally Beauty breach shares a characteristic with other widely publicized recent breaches: an alarm sounded, but it took time for processes and procedures to take action. It's not uncommon for considerable time to pass, so having a rapid picture of the possible radius of destruction helps limit damage.
The same network analysis that determines possible access for the initial attack also illustrates the potential impact path of any violated system, showing what it can reach directly, and whether or not there are any exploitable vulnerabilities on the systems it can reach. This provides prioritization of breach damage control.
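The prioritization and blast-radius points above can be illustrated with a small reachability analysis. This is an added example, not code from the article or from any product: the host names, allowed-flow graph, finding IDs and the ranking rule (reachable from the internet first, then CVSS) are all constructed assumptions.

```python
from collections import deque

# Constructed sample data: directed "may initiate a connection to" edges,
# as would be derived from firewall and router configurations.
ALLOWED = {
    "internet": ["mail-gw"],
    "mail-gw": ["mail-store"],
    "mail-store": ["directory"],
    "workstation": ["mail-gw", "directory"],
    "lab-host": [],   # isolated lab segment: no flow leads to it
    "directory": [],
}
# Constructed scanner findings: (host, finding id, CVSS base score).
FINDINGS = [
    ("lab-host", "FINDING-A", 9.8),
    ("mail-gw", "FINDING-B", 3.7),
    ("directory", "FINDING-C", 7.5),
]

def hops_from(source, allowed=ALLOWED):
    """Breadth-first search: minimum hop count to every reachable host."""
    dist, queue = {source: 0}, deque([source])
    while queue:
        node = queue.popleft()
        for nxt in allowed.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def prioritize(findings, entry="internet"):
    """Reachable hosts first (fewest hops from entry), then higher CVSS;
    findings on unreachable hosts sort last regardless of score."""
    dist = hops_from(entry)
    def key(finding):
        host, _, cvss = finding
        return (host not in dist, dist.get(host, 0), -cvss)
    return sorted(findings, key=key)

def blast_radius(compromised, findings=FINDINGS):
    """Hosts reachable from a compromised system, with findings on each."""
    reach = hops_from(compromised)
    reach.pop(compromised)
    return {h: [fid for host, fid, _ in findings if host == h]
            for h in sorted(reach)}

if __name__ == "__main__":
    for host, fid, cvss in prioritize(FINDINGS):
        print(host, fid, cvss)
    print("blast radius of mail-gw:", blast_radius("mail-gw"))
```

The CVSS 3.7 finding on the internet-facing mail gateway ranks ahead of the CVSS 9.8 finding in the isolated lab, which a score-only ordering would reverse.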
The good news is that organizations can build much better defenses than many are today by responding to the reality of ongoing automated attacks, using automated visualization and analysis of their environment, addressing mistakes and errors, prioritizing wisely, and responding appropriately to any incursion. With this strategy, any organization will be able to stand far longer in the face of the ongoing challenges of an ever more connected world.
Steve Hultquist is chief evangelist at RedSeal, a security analytics company.