Over the years, we information security professionals have watched the threat landscape change. We have heard the vocabulary shift from "if" to "when": "if we get attacked" has become "when we get attacked."
We’ve all heard the same advice—we should be operating as if we’ve already been attacked and our systems are compromised. We’ve thought about it and considered this approach. We’ve seen the research that indicates it takes an average of 229 days for an attacker to be discovered on the network. So, at a high level, in our logical and reasonable thought pattern, we’ve conceded that this is likely true. But acting on that advice is another story entirely.
Most of our security operations teams take important actions, like building good defense-in-depth strategies, monitoring for security events, developing most of an incident response plan, educating users, completing assessments, and complying with audit standards. These are all best practices, but they don’t make your organization a smaller target, and they certainly don’t always stop the data exfiltration on day 230.
Having foundational security is important and necessary, but what is it that prevents us from acting on the idea that we need to operate as if we were already breached? For better security, it’s time for a game changer. If you’re familiar with American football, you’ll see how your cyber security program is similar.
Foundational security (as described above) is like the running game of football. In the early days of football, throwing the ball forward was against the rules. In order to win you had to run the football and play good defense. The game was good, but scores were usually low, and the action wasn’t very fan friendly. The rule change to allow a forward pass was a game changer. It made the game more dynamic, with more options, more scoring, and more fans.
It’s time for your security program to start using the forward pass. Be offensive in your approach to security. Want to reduce the number of days an attacker is sitting on your network? Get on the offensive—hunt them down. You know your environment the best; you know what your team is capable of, so use those skills to go find the problem.
I know what you’re thinking: “So if I go on the offensive and try to hunt down the threat within my environment, and I find something, doesn’t that make my team look bad? If we’ve done our jobs well, we shouldn’t find any issues. If we do find something bad living and breathing on our network, then it’s my fault.”
Herein lies the biggest problem. On the surface, we agree with the idea that we are operating in a new world, a world where attackers are already in our IT infrastructure. But we hesitate to apply this realization to our day-to-day operations, simply because of pride. So, in theory, we believe attackers are on our network, but in the application of our security, we don’t.
In the same way that the forward pass was a game changer in the game of football, changing our rules of engagement and launching an offensive attack is our cyber security game changer. The ability to actively pursue attackers in our own IT infrastructure is the next phase of security operations. Twenty years from now, CISOs are going to go to a security conference and hear stories about the early days of the internet, and how our only strategy was a good defense. It will sound as strange and ancient to them as playing football without the forward pass seems to us.
At this point in the discussion, we as security professionals feel like we understand the challenge and deep down, know we need to do something about it. But that pride keeps sneaking back into our minds. “How can I be on the offensive and ensure that I won’t find a hornets’ nest of problems in the process?” The answer is easier than you might think—the cloud. The cloud is one of the tools that can make the game changer happen. Migrating your systems to a hosted cloud environment opens the opportunity to go on the offensive. Any hornets’ nest found is for your cloud vendor to manage. Ensure a schedule for your hunt is part of the contract and get SLAs for mitigation. Game changer.
You may or may not be able to move everything into a hosted cloud environment, but migrate what you can, as soon as you can. If you’re able to move 50% or 70% or 90% of your IT to the cloud, then your traditional IT infrastructure just got smaller, lowering the likelihood of stumbling upon that hornets’ nest.
In football, you can still win with a good running game and a good defense (in-depth) strategy, but you have to pass the ball to open up running lanes. Having this effective combination helps keep the other offense off the field, making the target of opportunity smaller for your opponent. If we truly believe and operate in an environment where our systems are already compromised, then we need to add a passing game (hunting for attackers) to our already good running game and defense. A good defense will always be necessary, but just like in football, sometimes the offense is just too good. The game changer is to have a good offense and hunt down attackers and zero days in your environment. Migrating to the cloud is the offensive playbook that makes it easier for you to be the real game changer.
This article was originally published in the 2015 Winter Issue of Zero Day Magazine. Go to Zero Day Magazine and read more articles about IT security.