With all the changes to infosec technology, here is a not-so-outrageous idea: maybe you should take a page from the US Secret Service playbook in how you run your IT security department. This idea didn’t come from me, but from someone who is familiar with both roles. Nathaniel Gleicher is trained as a computer scientist and a lawyer, and currently is the Head of Cybersecurity Strategy at Illumio, a security vendor. Previously, he prosecuted cybercrime at the US DOJ and served as Director for Cybersecurity Policy at the White House National Security Council. While he worked at the White House, he saw multiple data breaches. “Every breach relies on lateral movement, and instead of attackers being at risk once they get inside, they’re able to take all the time that they need to identify high value information and cause damage.”
He thinks organizations need to take a different, simplified approach and go back to the basics: get visibility inside the data center and cloud and then be able to truly lock the doors inside.
In a blog post for his firm, he writes: “Like the Secret Service, cybersecurity defenders face a similar problem: they are defending high-value assets that must be protected, but also have to speak to hundreds or thousands of other servers. You have to have visibility, and reduce your attack surface, and focus on the security consequences for your most valuable assets. Shutting down the attack surface constrains attackers, makes lateral movement harder, forces attackers to risk exposure, and makes other security tools more effective.”
Sadly, most organizations focus their cybersecurity spend today at the perimeter, making no effort to secure or even understand the interior of their data centers. After reading Gleicher’s post, I asked him if there is a difference between interior and exterior networks any longer. He told me in a phone interview, “Everything is a potential threat. One difference is that you can have greater control around an interior network. And your network visibility is much more limited with exterior ones. But that’s missing the point. An intruder can find something once they are inside your network and can look around. Organizations are trying to layer defenses at the fortress wall, while the cyber attackers are parachuting inside and then free to move around as they want inside the data center and cloud.”
He continued, “I still have conversations with CISOs that don’t know how their devices are connected to their networks. And I don’t mean just a list of these devices, but how they are related to each other, both logically and operationally. This is the kind of information that attackers can exploit.”
His work with the Secret Service has him focused on understanding some of these lessons from providing physical security to protect the President. “People don’t see the Secret Service advance work that was done months before any presidential visit. They had to map the location and understand the physical space. The same is true for cybersecurity, because we need to identify the attacker quickly and respond fast too. This means that any cybersecurity effort should start months before any potential attacker actually shows up.” In other words, it isn’t just about stopping someone from getting across the White House fence, but understanding what will happen once they enter the grounds and what they might end up doing.
He agrees that good security isn’t easy. He started early in his career with his first IT job for the Peace Corps. There he created a campus-wide network to connect 85 machines located in the different buildings of a college on a Caribbean island. Less than five minutes after it was first connected to the Internet, it was breached. It took him several tries to close various ports and other vulnerabilities before he could defend the network properly. “This was an early lesson on how hard it was to do security properly: there are way more people trying to get in than keeping them out. It also showed me that the steps to strengthen data security aren’t rocket science and are very straightforward. It is a lot more how to orchestrate them and use them efficiently across the enterprise.”
Instead of focusing on the lack of response, he says we should be doing a better job of evaluating the highest-value targets, which is another lesson he learned from watching the Secret Service in action. He said, “You shouldn’t be in the business of protecting the app that handles your employee’s lunch request.” Nor should everything in the data center be treated equally. “There are some things in your data center that are more valuable and you have to focus on what needs the most protection. If a burglar gets into your house and gets into your basement that is different from him getting into your bedroom where you keep your jewelry.”