Tuesday, January 31, 2017

Dynamic Security Assessment: In Action

In the first two posts of the Dynamic Security Assessment series, we delved into the limitations of security testing and then presented the process and key functions you need to implement the concepts.

To illuminate the concepts and make things a bit more tangible, let’s look at a plausible scenario involving a large enterprise in financial services with hundreds of locations. The organization has a global headquarters on the West Coast of the US and 4 regional HQ locations across the globe. Each region has a data center and IT operational folks to run things. The security team is centralized under a global CISO, but each region has a team that works specifically with the business leaders to ensure proper protection and address jurisdictional requirements. The organization’s business plan includes rapid expansion of its retail footprint and additional regional acquisitions, so the network and systems will continue to become more distributed and more complicated.

From a technology standpoint, new initiatives are being built in the public cloud. This was controversial at first, but there isn’t much resistance anymore. Migration of existing systems remains a challenge, but for cost and efficiency reasons the strategic direction is to consolidate the regional data centers into a single location supporting legacy applications within 5 years. This centralization is made possible by moving a number of back-office systems to SaaS: their back-office software provider just launched a new service, and using the SaaS offering makes deploying in new locations and integrating acquired organizations much easier. They are heavy users of cloud storage, as initial fears were allayed by the economics of no longer having to invest in their complex and expensive storage architecture.

Clearly security is both an area of focus and a big concern, given the amount and sensitivity of financial data the organization manages. They are constantly phished and spoofed, and their applications are under attack daily. There have been incidents, though none rising to the level of requiring disclosure to customers, but the fear of adversary activity they are missing is always present.

From a security operations standpoint, they currently scan their devices and have a reasonably effective patching/hygiene process, but it still takes on average 30 days to roll out updates across the enterprise. They also undertake an annual pen test, and to keep their key security analysts engaged, they allow them to spend a few hours a week hunting for active adversaries and other malicious activity.

CISO Concerns

The CISO has a number of concerns regarding the organization’s security posture. Compliance mandates require vulnerability scans, which find what is theoretically vulnerable. But working through the list and making the changes takes a month. They always get great information from the annual pen test, but it only happens once a year and they can’t invest enough to find all of the issues.

And that’s just the existing systems spread across the existing data centers. The move to the cloud is significant and accelerating. As a result, sensitive (and protected) data is all over the place and they need to understand which ingress and egress points present risk of both penetration and exfiltration.

Compounding the issue is the direction to continue opening new branches and acquiring regional organizations. Doing the initial diligence on the newly acquired environment takes time that the team doesn’t have, and they usually have to make compromises on security to hit the aggressive timelines to integrate new organizations and drive cost economies.

To try to get ahead of attackers, they do undertake some hunting activity. But it’s a part-time endeavor for their staff, and they tend to find the easy stuff since that’s what their tools identify first.

The bottom line is that the window of exposure is open for at least a month, and that’s if everything works well. They know it’s too long, and they need to understand what to focus on, knowing they can’t get everything done, and how to deploy their staff most effectively.

Using Dynamic Security Assessment

The CISO understands the importance of assessment (given they already scan/patch and undertake an annual pen test), and is definitely interested in evolving towards a more dynamic assessment methodology. DSA would look like this in their environment:

  • Baseline Environment: The first step is to gather network topology and device configuration information and build a map of the current network. With this data, a baseline can be built of how traffic flows through the environment and what attack paths could be exploited to access sensitive data.
  • Simulation/Analytics: The financial institution cannot afford downtime, as their business is 24/7. So a non-disruptive, non-damaging means of testing the infrastructure is critical. Add to that the ability to assess the impact of adding new locations and (more importantly) acquired companies/networks, which helps the team understand what needs to be addressed before going live with an integrated network. Finally, being able to have a presence in cloud networks provides another means of understanding the security posture of the organization, since an increasing amount of sensitive data is being moved to the cloud.
  • Threat Intel: The good news is that our model company is big, but not a Fortune 10 bank. That means it’ll be targeted, but not at the front end of any large-scale attack using very sophisticated malware. This provides a window to learn from other financials, seeing how they are targeted, the malware used, the bot networks they connect to, and other TTPs. This provides the means to both put workarounds in place preemptively and understand the impact of the workarounds/fixes before actually committing time and resources to making the changes. In a resource-constrained environment, this is absolutely critical.

So bringing to bear the new capabilities associated with Dynamic Security Assessment can provide a clear advantage over traditional scanning and pen testing approaches. Again, the idea isn’t to supplant the existing methods, but to supplement them in a way that provides a more reliable means of prioritizing effort and detecting attacks.

Bringing It All Together

So in our sample company, the initial step is to deploy sensors across the environment, in each location and within all of the cloud networks. This provides the initial data to model the environment and build a map of the networks. Once you have the environment modeled, then you can start analyzing the risk for sensitive data stores. Identifying a handful of “missions” that the adversaries would likely undertake helps to focus efforts on clear and present danger, as opposed to every potential hole in the environment.

This initial assessment and resulting triage helps the organization focus their efforts on the attacks that can really cause a bunch of damage. The CISO understands there is a 30-day window before everything can be addressed (optimistically), but can ensure the team is focused on eliminating the issues with those high-profile networks and devices that put sensitive data at risk.
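To make the baseline-and-triage idea concrete, here is an added toy example (not code from the post or from any DSA product): a network map is reduced to a reachability graph, attack paths from the Internet to the sensitive data stores (the “missions”) are enumerated on the model rather than against live systems, and each candidate fix is scored by how many of those paths it closes. All hosts, reachability, scan findings and data stores are constructed sample data.

```python
# Toy attack-path model for the DSA baseline/triage steps (added example).
# All data here is constructed sample input: hosts, which hosts can reach which,
# which hosts the scan flagged as exploitable, and which hold sensitive data.
# Paths are enumerated on the model, not against live systems.

# Constructed topology: host -> hosts it can reach over the network.
REACH = {
    "internet": ["web-portal", "vpn-gw"],
    "web-portal": ["app-server"],
    "vpn-gw": ["branch-fileshare", "app-server"],
    "app-server": ["core-db"],
    "branch-fileshare": ["core-db", "hr-saas-connector"],
    "hr-saas-connector": ["hr-saas"],
}
# Constructed scan findings: an adversary can only pivot through these hosts.
EXPLOITABLE = {"web-portal", "vpn-gw", "app-server",
               "branch-fileshare", "hr-saas-connector"}
# The "missions": sensitive data stores an adversary would go after.
SENSITIVE = {"core-db", "hr-saas"}

def attack_paths(reach, exploitable, sensitive, start="internet"):
    """Simple paths from start to a sensitive store, pivoting only via exploitable hosts."""
    paths = []

    def walk(node, path):
        for nxt in reach.get(node, []):
            if nxt in path:            # ignore cycles
                continue
            if nxt in sensitive:       # mission reached: record and stop
                paths.append(path + [nxt])
            elif nxt in exploitable:   # usable pivot: keep going
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths

def rank_fixes(reach, exploitable, sensitive):
    """Score each exploitable host by how many attack paths vanish if it alone is fixed.
    Re-running with the host removed is also the check that a remediation really closed them."""
    base = len(attack_paths(reach, exploitable, sensitive))
    scores = {h: base - len(attack_paths(reach, exploitable - {h}, sensitive))
              for h in exploitable}
    return base, sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    total, ranked = rank_fixes(REACH, EXPLOITABLE, SENSITIVE)
    print(f"{total} attack paths to sensitive data; fixes by paths closed:")
    for host, closed in ranked:
        print(f"  {host:<20} closes {closed}")
```

On this sample map the VPN gateway sits on three of the four paths, so fixing it first shrinks the exposure far more than working down the scanner’s list in order; re-running `attack_paths` with a host removed is the same check that later confirms the remediation took effect.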

Once the initial triage is done, the team can undertake a more detailed analysis of the environment, turning the map into a baseline and understanding the typical traffic flows and activities within all of the organization’s systems and networks. This allows both the simulation activities and the ongoing assessment activities to identify anomalous activity, which warrants further investigation and/or immediate action.

Leveraging threat intelligence data also plays into the ongoing assessment enabled by DSA. Instead of just patching everything, the CISO can marshal resources to address new attacks that are seen in the wild and would be successful in their environment, based on the ongoing simulation. This again helps the CISO focus resources on the issues that could cause the most significant damage.

DSA also helps with change control. As new changes are requested, driven by business needs and application upgrades, the impact of those changes can be modeled and the risks understood. So when an application is deployed into the cloud, the network map can be updated quickly to factor in these new potential exposure points. Similarly, diligence on opening new offices and integrating acquired companies is accelerated since the new locations can be easily modeled and the risks evaluated. What used to be an ad hoc, unscientific process can be quick and fact-based. Thus the CISO can present concerns not based on a gut feel, but with hard data about potential risks.

Finally, the DSA capability ensures that changes are made completely and accurately, as the ongoing assessment will identify whether issues found previously have been remediated and if not, what else needs to be done. The CISO is able to address the biggest concerns, which are to ensure they focus on the biggest risks and they get a full view of their entire infrastructure, including the resources that now run in the cloud.

So with that, we wrap up the Dynamic Security Assessment series. We’ll be assembling the paper over the next couple of weeks, so we’re always happy to get feedback on any of the posts to help us improve our research.

- Mike Rothman