When something isn’t working, it pays to take a step back and look at your situation with a fresh perspective. That’s the simple yet powerful point that cybersecurity veteran Andy Ellis will make at RSA Conference 2022.
Ellis has worked in information security at organizations as diverse as the U.S. Air Force, built Akamai Technologies into an internet giant, and is currently an operating partner at YL Ventures, which funds and supports cybersecurity ventures, and an inductee into the CSO Hall of Fame.
As such, he’s a master of the big picture. He’ll be using that expertise in a panel at RSA 2022, “The Four Dimensions of Building a Security Program,” to urge CISOs and other security leaders to shift emphasis from focusing on whatever new technology is having its moment and instead take a hard look at the basics of good cyber hygiene.
Ellis gave Endpoint a sneak peek at what he’ll cover in his panel (Wednesday, June 8, at 8:30 to 9:20 a.m. PT, at the Moscone Center in San Francisco).
Absolutely. But let’s take a step back. All too often, the way that we approach security is through checklists. The ISO [International Organization for Standardization] hands security professionals a list of 900 things we ought to be doing. We end up just picking things off the list and go and focus on doing them.
This talk asks us to take a step back from that and think a few things over. The first is: Do you even know what in your IT universe needs to be secured? Everybody always answers with, “Sure, we protect our most important assets first.” However, the reality is that your most risky asset is rarely your most important asset. The riskiest asset is the asset next to—and has access to—your most important asset.
But no one pays attention to that asset. No one even knows it’s there. That’s why it’s essential to first think about visibility and coverage, and that’s not only how many assets and what types of assets you have, but the process in which you know your asset inventory. And you’re going to have to learn to accept what you don’t know about your assets. Do you know how many cloud assets you have? Go find that number. Pay attention to how hard it is to get that number. Those are the only two metrics you care about: what you have and how hard it is to figure that out.
Yet, you can do another asset inventory count in 15 minutes, and it will be a different number.
But that’s OK; the actual number doesn’t matter. What matters is how hard it is to get to the number. Because if the cloud number is changing every 15 minutes, but it takes you six weeks to find the number, then you certainly don’t know your systems or what’s on them. After all, if that’s true, you can’t even get a high-level count of your assets regularly.
Next, once you have a way to get to your asset count, you should be able to prioritize the systems based on risk. Do you know which systems are your crown jewels? Which ones have access to your crown jewels? We’ll come back to that aspect in a minute. I describe this in terms of dimensions. We’ve been discussing dimension one, the breadth of security coverage.
That makes a lot of sense: First, determine what you need to manage and secure, and quantify your attack surface. What is the next dimension?
Dimension two is the comprehensiveness of your controls. I think of dimension two as height and what most people used to call depth.
I believe that the way most people use the term “defense-in-depth” is awful. I actually lead the talk by talking about the Maginot Line, the defenses the French built along the German border in the 1930s, as a classic defense-in-depth. But the Maginot Line doesn’t work when the adversary moves fast. And, in cyber, the adversaries move infinitely fast.
Dimension two looks at how well your controls stack. Let’s take multifactor authentication [MFA]. People often say they have two factors and consider two factors twice as good. Well, if the two factors entail typing in a password, and then the system sends a text message, and you type the number in the text into a field—there are many ways this can be compromised. First, the attacker gets the password, and then they social engineer a situation to attack the text message. This has happened many times.
We are always susceptible to things like man-in-the-middle attacks and social engineering. So, that form of MFA is maybe 25% better?
It might be 25% better, but the adversary has all the time in the world. Whereas, maybe if I have FIDO [fast identity online]-based MFA and an X.509 certificate that triggers it, it’s much harder for an adversary to separate and attack those controls. So those do stack, and maybe those actually are 100% better.
With that in mind, start to think through all of your system’s control areas. Do you know what’s on the system? From a vulnerability management perspective, do you know how well maintained the system is? Do you know how well configured the system is? Do you protect your identities on the system? Do you limit how many people have access to the system? A lot of this is just fundamentals. But if you don’t know that you have that comprehensiveness applied, you have a problem.
I also talk a little about the challenge of measurement. Let’s take vulnerability management. Ultimately, you want to measure something like an SLA [service level agreement], which measures the effectiveness of your process, versus any metric measurement that just shows how busy you are at the process. I think we have vulnerability management metrics all wrong.
Do you recommend moving away from metrics like mean time, the average time it takes to remediate critical vulnerabilities, and other common key performance indicators [KPIs]?
Well, I like to use an SLA. Mean time is a tactical one. And the mean time basically says, well, what would my median be if I met it 50% of the time? And so that could be useful, but what you want to do is pick an SLA and measure what percentage of the time you come in underneath it.
If you use mean time and have a thing that you never patch, it keeps adding to the mean time. Or it might never add to the mean time, depending on how you calculate it. It is the most used standard metric. And it’s an awful one because it creates weird externalities. If you have remediated and non-remediated vulnerabilities, do you measure them differently? Now you have two different metrics for them, and at some point, you can game the system by refusing to move them from one column to the other.
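As an added illustration (not part of the interview or Ellis’s own material), the following Python computes the metrics just discussed over a constructed set of critical findings with an assumed 14-day SLA: a mean time to remediate that counts only closed findings, the same mean with open findings left aging, and the percentage of due findings that met the SLA. The never-patched finding V-4 drops out of the first number, inflates the second and is a permanent miss in the third.

```python
from datetime import date

# Constructed sample findings (not from the interview): severity, date found,
# date fixed (None means still open as of the reporting date).
VULNS = [
    {"id": "V-1", "severity": "critical", "found": date(2022, 1, 3), "fixed": date(2022, 1, 10)},
    {"id": "V-2", "severity": "critical", "found": date(2022, 1, 5), "fixed": date(2022, 1, 20)},
    {"id": "V-3", "severity": "critical", "found": date(2022, 1, 6), "fixed": date(2022, 1, 11)},
    {"id": "V-4", "severity": "critical", "found": date(2022, 1, 8), "fixed": None},
    {"id": "V-5", "severity": "critical", "found": date(2022, 2, 1), "fixed": date(2022, 2, 12)},
]
TODAY = date(2022, 3, 1)            # constructed reporting date
SLA_DAYS = {"critical": 14}         # assumed policy: criticals closed within 14 days


def mean_time_to_remediate(vulns):
    """Mean days-to-fix over remediated findings only: open items vanish."""
    ages = [(v["fixed"] - v["found"]).days for v in vulns if v["fixed"] is not None]
    return sum(ages) / len(ages) if ages else 0.0


def mean_age_including_open(vulns, today):
    """Same average, but open items age until 'today' and inflate it forever."""
    ages = [((v["fixed"] or today) - v["found"]).days for v in vulns]
    return sum(ages) / len(ages) if ages else 0.0


def sla_compliance(vulns, today):
    """Fraction of due findings closed inside their SLA.

    A finding is 'due' once it is fixed or its SLA deadline has passed, so a
    finding that is never patched becomes a permanent miss instead of
    disappearing from the numbers.
    """
    met = due = 0
    for v in vulns:
        limit = SLA_DAYS[v["severity"]]
        age = ((v["fixed"] or today) - v["found"]).days
        if v["fixed"] is None and age <= limit:
            continue                     # open but not yet due: not scored yet
        due += 1
        if v["fixed"] is not None and age <= limit:
            met += 1
    return met / due if due else 1.0


if __name__ == "__main__":
    print(f"MTTR (remediated only): {mean_time_to_remediate(VULNS):.1f} days")
    print(f"Mean age incl. open:    {mean_age_including_open(VULNS, TODAY):.1f} days")
    print(f"SLA compliance:         {sla_compliance(VULNS, TODAY):.0%}")
```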
That’s fascinating. So, what’s the third dimension of building a security program?
The third dimension is about depth—understanding the attack path of the adversary. And you can do so by telling stories about how your defenses stop them.
To succeed, you need to do a couple of things. The first is to create narratives that detail attack paths. A tactical narrative may detail something like this: One of your internet-facing machines has vulnerable software and insecure keys that give access to a more sensitive machine. Boom, here’s an attack path, and you should maybe patch it faster or deal with the insecure key.
Consider the narrative around ransomware. Everybody freaks out about ransomware. Nobody talks about the very crisp narration of what ransomware is. Ransomware is malware that compromises one machine and then moves laterally, most often using administrative credentials or widespread and well-known remote vulnerabilities in common operating systems.
That’s it; that’s the ransomware narrative. You’ve now just told the whole depth story, so you can talk about defenses that break that chain. This lets you revisit the height of your defenses and ask if you have a way to stop lateral admin movement. Did you implement three-tiered Active Directory administration? If not, maybe you should just get rid of [Microsoft’s] Active Directory. That’s because you are not as brilliant as you think you are.
I’ve seen surveys where some 80% of respondents hit with ransomware say the attackers targeted the Active Directory, which lets IT manage users, applications, data, and such. These same surveys showed that about 90% of organizations couldn’t effectively manage Active Directory.
Right. Ten percent of the companies that deploy Active Directory have enough skill to manage it safely. And I’m just pulling that number out of thin air. I think it’s actually lower than that.
In this day and age, because of how Active Directory out of the box does domain administration, you end up with administrative credentials on edge machines ephemerally. Still, the malware knows how to read them. That’s what [hacker tool] Mimikatz does. It looks at and identifies admin credentials. When it finds one, great, it now owns your whole network.
If you want to get rid of ransomware, solve the admin problem and put MFA on all of your administration systems. It’s similar to how if you’re going to solve phishing, it’s not that you should buy more anti-phishing services. It’s that you should implement a good MFA.
And, by the way, do both of those—MFAs and anti-phishing services. You just made the life of most advanced persistent threat actors much harder. And you even made the life of your users easier in some senses. That’s your third dimension.
And then, the fourth dimension is time. Security controls are like businesses. If a business isn’t growing, it’s dying. If a security control isn’t maturing, it’s decaying. What is your narrative about how you’re improving? If you’re measuring SLA compliance for vulnerability management, is that going up over time or down? Does this require executive involvement to be maintained or not? Are you improving
Where do you think companies are making the biggest mistakes in building a security program? And why is the talk you’re giving important now?
We all come to RSA, and what do we buy? We buy whatever’s on sale at RSA. That tends to be what happens.
But we need to step back and ask: What do we need to secure our enterprises? What is the right next thing? And then build that from first principles. I’m not suggesting that people freeze and don’t do anything until they have a perfect plan.
Consider asset identification. The easiest way to do asset identification management is with a spreadsheet. Just open one up and type in your public cloud servers, with a field for how many you have. Suppose you don’t know right now. That’s OK, great. What else do you have? Do you have enterprise desktops? Put that in there. Enterprise services? Just start listing them all, and as you get answers, put them in there. Worry about how you systematize this.
I think that a big challenge is that we’re still maturing as a profession, but the first way we’re maturing is through a cargo cult mentality. And I don’t mean that in an entirely negative fashion. We have a lot of great talented security professionals. But we, as an industry, have to break from what’s trendy and focus on what will reduce risk.