Make sure the doors are locked before trying to profile the burglar


For years we have been searching for a miracle cure for the common cold. Bizarrely, during 2020 almost no one had a cold: because of COVID we have all stayed away from each other, caught our sneezes, worn masks and washed our hands. We have eaten better (some people have, anyway) and we have exercised more; in short, we have done all the things we should have been doing all along to prevent the spread of viruses. Unfortunately, life will be pretty dull if we carry on in this way, and so we will need to continue to try and find a cure and balance the risk of contracting a cold against how ill it makes us feel.

Securing our IT infrastructure requires the same balance of risk vs access. Zero Trust tells us to never trust but always verify, so what we have to do is work out where the tipping point between access and security actually lies. If we can apply some simple hygiene rules to our environment, then the search for a cure becomes much easier.

For many years we have been hearing about the death of the perimeter. I talk to people from vendors of security analytics companies who laugh behind their hands when firewalls are mentioned. The reality is that if we do not put a fence around our houses then a thief can easily walk up to any entrance without being challenged. If we then do not have doors or windows, they can walk straight in. Put simply, we need to block off all entrances except for the one where we can check the identity of the visitor.

Identifying the visitor is a difficult task, as not only do you need to verify their identity but also check that they do not have anything bad in their bag or pockets. The easy task is to put up a fence and lock all the doors and windows, so we should probably look at that first.

Let’s look at the steps we should take to secure our house.

1. The perimeter

Modern firewalls are brilliant: they are fast, accurate and can provide a large number of services. You should put one at every point where your infrastructure comes into contact with the outside world. The first challenge is understanding where the outside world begins and ends. In the era of the hybrid cloud, is it the edge of the cloud or closer to home? In reality, even though cloud-based workloads are part of the private cloud, they sit on infrastructure owned by someone else and so should be treated as being outside the perimeter.

The next thing we need to decide is which services we should run at the perimeter. Next-Generation Firewalls (you will struggle to buy a past-generation firewall) work up to the application layer and, to a certain extent, beyond. If you want to apply an IPS/IDS function, this is the place to do it. IPS can consume a lot of resources and so needs some dedicated computing. IPS should be used in unison with a threat intelligence function that has some machine learning capability. Given the sophistication of modern attacks, using a purely signature-based system is almost a waste of time and effort.

If you blend perimeter-based IPS with either a workload protection platform or an EDR system, then you have a chance of identifying a good percentage of attacks without consuming too many resources. Trying to introduce IPS functions into East-West traffic flows just consumes time and effort and will not produce the results you wish for.

2. The locked room

Although in recent years the focus shifted from prevention to cure, with vendors trying to persuade customers that a breach is inevitable and that they should therefore invest in forensic tools, we are now seeing a shift back. There is a battle taking place, with companies trying to claim ownership of the perimeter and of where it should be. The best answer is always the simplest: the perimeter has to be where the computing is actually happening, whether that is the workload or the endpoint.

It is far too complex to try to install and manage virtual firewalls on every workload. The number of rules, filters and policies would be uncontrollable, and the system just would not scale. So, while the firewall is great for securing the boundary between what you own and what you don't, it is not so great inside the data centre. This is regardless of whether it runs on a VM or is distributed among hypervisors.

The good news is that each workload already contains its own firewall, which, if we can simplify the management, provides a theoretically infinitely scalable solution. What we are doing is moving from a model that looks like a castle to one that looks more like a hotel, where you only get access to the rooms your key card allows.
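To make the hotel key-card model concrete, here is an added example (not code from the original post) of how a small role-based policy can be turned into a default-deny host firewall ruleset for each workload. The inventory, roles, addresses and ports are constructed sample data; the output is nftables syntax for the workload's own inbound chain, so the management effort lives in one short policy rather than in per-host rules.

```python
"""Generate a per-workload host-firewall allowlist from a role-based policy.

Constructed example: the inventory and policy below are made-up sample data.
Every workload gets an inbound chain that drops everything except the flows
the policy explicitly grants (the hotel key-card model). Inbound traffic from
the outside world to the web tier is the perimeter firewall's job, so the
web role has no internal allow rules here.
"""
from collections import defaultdict

# Constructed inventory: workload name -> (role, address)
WORKLOADS = {
    "web-1": ("web", "10.0.1.10"),
    "web-2": ("web", "10.0.1.11"),
    "app-1": ("app", "10.0.2.10"),
    "db-1":  ("db",  "10.0.3.10"),
}

# Constructed policy: (source role, destination role, protocol, port).
# Anything not listed is denied, so there is no direct web -> db path.
POLICY = [
    ("web", "app", "tcp", 8080),
    ("app", "db",  "tcp", 5432),
]

def allowed(src_role, dst_role, proto, port):
    """True only if the policy explicitly grants this flow."""
    return (src_role, dst_role, proto, port) in POLICY

def peers_by_role():
    """Group workload addresses by role so rules can be expanded per host."""
    roles = defaultdict(list)
    for _name, (role, addr) in WORKLOADS.items():
        roles[role].append(addr)
    return roles

def ruleset_for(name):
    """Return nftables rule lines for one workload's inbound chain."""
    role, _addr = WORKLOADS[name]
    roles = peers_by_role()
    lines = [
        "table inet host {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",  # default deny
        "    iif lo accept",
        "    ct state established,related accept",  # replies to our own flows
    ]
    for src_role, dst_role, proto, port in POLICY:
        if dst_role != role:
            continue
        for addr in sorted(roles[src_role]):
            lines.append(f"    ip saddr {addr} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return lines
```

Adding a new app-tier host only means adding it to the inventory; regenerating the rulesets gives the db tier its new permitted peer without touching any other policy.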

3. Now it is time for James Bond

Once we have locked down everything that it is practical to control, we have to think about how to control things after an attack has started. This part can be the most expensive and the most difficult to implement, so tread carefully. Scope out the budget carefully, because if you go down the big data lake route you will need to be aware of the potential cost of storage and processing.

It is worth looking at all of these solutions as a managed service, as the expertise required to interpret the results and define actions can be extreme. A managed service also allows you to manage the cost of the storage in a more sensible way.

Learn from others' experience

When you read the reports of recent high-profile breaches, a few things stand out:

1. Systems were not patched

2. Portals were not up to date

3. Threats could easily move laterally

4. Encrypted exfiltration was not detected

5. The breach took months to detect

Fixing the first two issues is a matter of process, as most of this should be covered by keeping a service contract up to date. Number 3 can be simple if you keep it separate and do not make it part of a bigger project: focus on the micro-segmentation solution that is simplest and quickest to implement. For number 4, most NextGen Firewalls have a decryption function. The final one, which is the most difficult, is best served by getting someone else to do it.