A deeper look into Discover Your Business’s Unseen Attack Surface, published in Forbes.
To protect something, you have to know where it is. For security teams and the businesses they defend, that boundary is elusive. Try drawing a geographical boundary on wet gelatin and then building a foolproof, 360°, multi-dimensional wall atop that gelatin, one that can stop microscopic threats. Now imagine those threats are airborne.
As a result of digital transformation, we have to rethink what a perimeter is. The building blocks of data security, and the ways we protect ourselves, have to become as nuanced and responsive as our environments.
Old strategies are simply playing on the wrong game board… Corporations have become a collective. They are a continuously changing body, a consortium of data streams, applications, APIs, and endpoints.
We’re going to cover real perimeter security by looking at:
- How a perimeter is not what anyone thinks.
- Why your perimeter is never going to sit still.
- How a diffused perimeter can be protected.
Your perimeter is bigger and more dimensional than you realize
Most readers understand what a perimeter is, in theory. Your data—whether you are a company or an individual—is something like the cells that make up your digital body. Staying healthy and functional means protecting that whole network against outside agents, environmental accidents, and internal weaknesses.
In the digital world, however, those cells are far less bound to the originating host, yet they still carry bits of information about who the originator is. That creates a problem. If a human sheds a hair and it later comes into contact with the Ebola virus, the human who shed it is in no way threatened. In the digital world, loose cells carry information that can be used to harm or gain access to the originator. Each one feels like a tiny scrap of information, but a stray API key or SSH key in the wrong place carries the keys to much more.
Today’s businesses and users are no longer things, in the traditional sense. They are not entities that have a clear, independent and bounded body. It is extraordinarily hard to protect a perimeter because it is really hard to define a perimeter.
Eventually, we have to draw a line somewhere. In reality, a perimeter functions as many things. Different people see and define the perimeter from respective angles. That means the security boundary being drawn may be like a bunch of chalk circles drawn around watchtowers with gaps between each singular vantage area.
For Operations, a perimeter is technical: IP addresses, networks, the things with numbers on them. In DevOps, a perimeter is all of the public-facing services, like web apps and APIs. A CTO may see the perimeter as data centers and network providers, plus all of the first-line providers the company uses. The business may think of the perimeter in terms of present needs, like compliance. For each group, how they see and thereby define a perimeter determines how they perceive its health and security.
For example, a business setting up in Europe may follow GDPR, set up a firewall, opt for a cloud provider and stop there. From their perspective the perimeter is secured, because they conflate GDPR compliance with perimeter security. It is not. What GDPR covers is not the total body of the company’s data; it is a regulatory baseline for personal data, and meeting it says nothing about where the rest of the company’s data is flowing. In reality, that data is spinning off into a great number of locations through web microservices, APIs, and a multitude of connections. That effective extension of the perimeter (and of the attack surface) goes dangerously unnoticed if the only thing you pay attention to is GDPR.
Complicated, isn’t it? If we are not all seeing the perimeter the same, how can we strategically plan and protect it?
So where is the real perimeter?
Security has to include the above technical and business perimeters, plus all the data about that company available online. Today’s businesses are connected to a tremendous number of third parties (and their third parties, and so on). You start a business. You get a web service to help with your email. You take orders that are processed through another service. Then you ship a parcel through UPS, which creates an account holding your company information. And each of those companies has a supply chain and services of its own. In reality, every one of those places can be an exposure point for data. Each sparkling new connection that makes your company sizzle, like a SaaS web application, also leaves it vulnerable to burn.
Every piece of your data floating out there extends your perimeter. Any cloud-based service you use is part of your perimeter now. Its assurances about your data’s safety will not matter much if, while it is under the provider’s custody, that data gets out: posted to GitHub, left in an open bucket. Consider providers part of your perimeter, because technically they are: if somebody can compromise them, it becomes possible to compromise you as a customer. Big breaches, like Equifax, are stark reminders that our perimeter is not what we thought it was.
So, from a security perspective, we need to care about everything: suppliers, providers, sub-project providers, and all the data about your company wherever it goes.
Your security perimeter is dynamic, super elastic, and impossible to contain
The above definition of a perimeter is nebulous: you are everywhere your data is. Even if you could codify that diffuse boundary, any modern perimeter is, and always will be, dynamic. If you use cloud providers, public addresses are allocated and released as instances come and go, and the DNS answers for your names change with them. Your own APIs and the third-party APIs you depend on change all the time, too. The bigger digital environment is continuously changing, both in its overall structure and in the inner workings of its combined minutiae.
In layman’s terms: downloading a list of IP addresses and scanning them (as was done in the paleolithic era of data security) is like trying to count raindrops in a tsunami. An instance in Amazon, Google Cloud, or Azure holds a given public address only for as long as that instance lives, and under autoscaling that can be minutes. Tomorrow, or even an hour from now, an address on your list may belong to someone else’s workload entirely.
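The static-scan-list problem above, as an added example that is not from the Forbes piece or the original post: a small Python script that keeps DNS resolution snapshots of your own names and diffs them, so that what changed is what gets reviewed, and that measures how stale yesterday’s IP list already is. The hostnames, addresses, and snapshot contents are constructed for the illustration; CLOUD_RANGES uses RFC 5737 documentation prefixes as a stand-in for the address ranges the providers publish.

```python
import ipaddress
import socket
from typing import Dict, Iterable, List, Set, Tuple

# Stand-in for a cloud provider's published address ranges. AWS, GCP and Azure
# each publish their current prefixes (as JSON) and the lists change often.
# These are RFC 5737 documentation prefixes, chosen so that nothing in this
# example points at a real host.
CLOUD_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

Snapshot = Dict[str, Set[str]]  # hostname -> set of addresses it resolved to


def snapshot(hosts: Iterable[str]) -> Snapshot:
    """Resolve each name right now (network access required). Run this on a
    schedule, keep the result, and diff it against the previous run: the diff
    is the part of the perimeter that moved since you last looked."""
    result: Snapshot = {}
    for host in hosts:
        try:
            result[host] = {info[4][0] for info in socket.getaddrinfo(host, None)}
        except socket.gaierror:
            result[host] = set()  # a name that stopped resolving is news too
    return result


def in_cloud(ip: str) -> bool:
    """True if the address falls inside one of the provider ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def diff_snapshots(old: Snapshot, new: Snapshot) -> Dict[str, List]:
    """What changed between two runs: addresses gained or lost per name, names
    that appeared or vanished, and which additions sit in provider ranges."""
    added: List[Tuple[str, str]] = []
    removed: List[Tuple[str, str]] = []
    for host in sorted(set(old) | set(new)):
        before, after = old.get(host, set()), new.get(host, set())
        added += [(host, ip) for ip in sorted(after - before)]
        removed += [(host, ip) for ip in sorted(before - after)]
    return {
        "added": added,
        "removed": removed,
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        # additions inside provider ranges are the ones most likely to move again
        "cloud_added": [(h, ip) for h, ip in added if in_cloud(ip)],
    }


def stale_fraction(scan_list: Iterable[str], current: Snapshot) -> float:
    """Share of a static IP scan list that no longer belongs to any of our names."""
    targets = list(scan_list)
    if not targets:
        return 0.0
    live = set().union(*current.values())
    return sum(1 for ip in targets if ip not in live) / len(targets)


# Constructed snapshots standing in for two scheduled runs of snapshot().
SNAPSHOT_T0: Snapshot = {
    "www.example.com": {"203.0.113.10", "203.0.113.11"},
    "api.example.com": {"198.51.100.20"},
    "legacy.example.com": {"192.0.2.5"},
}
SNAPSHOT_T1: Snapshot = {
    "www.example.com": {"203.0.113.10", "203.0.113.40"},  # autoscaling replaced one node
    "api.example.com": {"198.51.100.20"},
    "staging.example.com": {"203.0.113.77"},  # someone stood up a new host
    # legacy.example.com is gone: decommissioned, or its record was deleted
}
# The IP list someone exported yesterday to "scan the perimeter".
YESTERDAYS_SCAN_LIST = ["203.0.113.10", "203.0.113.11", "198.51.100.20", "192.0.2.5"]

if __name__ == "__main__":
    changes = diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)
    for label in ("added", "removed", "new_hosts", "gone_hosts", "cloud_added"):
        print(f"{label:12} {changes[label]}")
    print(f"stale: {stale_fraction(YESTERDAYS_SCAN_LIST, SNAPSHOT_T1):.0%} of yesterday's list")
```

Run snapshot() on a schedule against an inventory of your own names, persist the result, and alert on the diff rather than on the whole list; additions inside provider ranges are the ones that will move again, so they are the ones to re-resolve most often. With the constructed data, half of yesterday’s scan list already points at addresses that are no longer yours.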
Wake up to your new perimeter and new attackers.
We have to control the perimeter continuously, monitoring the network perimeter as well as the data. The time between scans is deadly. If hackers used to be akin to cat burglars, today’s hackers are full-on embedded foreign spies seeking secrets instead of trinkets. Here are a few examples of how the old ways of monitoring are not enough.
Brute force is passé. Today’s cybercrime is:
Hackers are quick. Once an attacker is in, even for a couple of seconds, they can find a way to download data or install backdoors where your perimeter was unwatched. By the next scan, the intrusion may be invisible. A scan on a schedule, by itself, is moot.
Even if you can scan frequently enough, it will not show you hackers hiding inside your system or subtle forms of access. It may only show you recognized attacks, like seeing muddy footprints and stolen goods instead of fingerprints and hiding lurkers.
Say somebody pushes company code to GitHub with an SSH key in it. Security needs to know about that immediately, and even then the fix cannot happen quickly enough. You may back up your server regularly and feel comfortable with the corrective measures at hand; in this case, you delete the key from the repository. But deleting the file does not remove it from the repository’s history, the key has already been scraped from GitHub, and the server it opens may already be compromised. The key has to be revoked everywhere it was authorized, and whatever it could reach treated as breached.
Hackers are advanced. They use automation, AI, and small attacks powered by bots. They have found ways in through the new proliferation of access points and unwatched offshoots, like web apps. Slipping between the timed patrols around a walled city is not hard. Using advances like automation and AI, attackers can generate a lot of hits with minimal effort.
Hackers are also opportunists. Every time you connect to the internet there is an opportunity, like a thief who jiggles the handle of every door they pass. Skipping a procedure or taking the wrong shortcut is bound to backfire.
Ever follow the instructions?
Hackers can, too.
Let’s imagine you buy a new network device, like a server or router. You innocently install it, leaving it connected to the Internet for a couple of seconds, or minutes, with the default password before you change it and add extra security. In parallel, attackers are scanning the same address ranges continuously, and they can follow the vendor’s instructions, default credentials included, just as well as you can.
Configure protection before you expose anything, regardless of platform.
The bitter pill is that in the cloud, configuring first is harder, because a new service or server is usually reachable the moment it boots. That leaves a heightened level of risk during setup, between the default state and the secured one. Close that window by doing the configuration before the instance exists: default-deny network rules and firewall groups created ahead of the instance, credentials and hardening baked into the image or applied by a bootstrap script on first boot, and no reliance on default or password-only access at any point. Treat the processes around cloud installation as something to design and safeguard, not improvise.
Hackers can be subtle. Breaking down a door is cloddish and likely to get you caught.
Today’s hackers are increasingly sophisticated. They know how to play a longer game, hiding inside your system like a retrovirus. They can take little by little and hide inside smaller components.
Instead of relying on libraries of known attack signatures, protecting data with this subtlety in mind means running faster and smarter. Smarter security technology can employ artificial intelligence, machine learning, and targeted solutions (like understanding newer API protocols). As part of a larger security strategy, such solutions learn from your own data to detect anomalies against a baseline. They can be deployed where attackers exploit high levels of scale or highly variable data, or they can work inside your DevOps CI/CD cycles to test new code before it goes into production.
Look for new ways of securing the data that continually move in and out of your system. Solutions have to be as responsive and continuous as the attackers.
Process is part of the problem (and solutions)
In summary, we know that:
- It is crucial to understand that the perimeter is dynamic.
- Monitoring a perimeter as though it’s static is a fool’s errand. Monitoring has to be continuous.
- The old guard is blind. New solutions are necessary.
Simply battening down your standard security isn’t going to work against today’s threats and newly uncontainable perimeter, especially for cloud. What companies can do is: improve processes and understanding; and work new solutions into their modern environments based on the reality of what a perimeter is.
Start with the processes that secure the perimeter from the outset. Segment the environment into isolated zones, and restrict who can reach, and who can change, that segmentation. (As we said, the cloud does not exempt you from this; it just means the isolation has to exist before the instance is reachable.)
Isolation and restricted access go together, because one without the other is pointless. Both come down to creating and enforcing solid internal processes, and more companies than you would expect are sloppy about both.
Even with the Skynet of security tools in your arsenal, if the tools are configured wrong or the process around them is wrong, you will never get sound results. The outcome is always more a matter of process than of tooling.
Other ways to increase security health by bolstering good security processes include:
- Organize and train for real-time processes that catch oversights before they ship.
- Make security health a company-wide initiative, including safe user practices and tests.
- Create distinct roles and processes that ensure safe, documented security procedures.
- Schedule and routinize security health checks.
- Invest in continuing education and R&D around cybersecurity solutions, trends, and professional development.
- Integrate security practices (not just tools) into other teams.
- Create cross-department conversations that give security a seat at the table to understand and, in turn, integrate other business goals into routines.
Once again, you can never be 100% certain of what your perimeter is. Think about it: people are part of your perimeter’s boundary. People are absolutely unpredictable and do lots of little things.
If a developer installs something (a Docker container, say) or does something with your app somewhere outside the technical resources that belong to the company, they will incidentally connect that particular instance to the internet. It could be benign. They could be trying to get to production faster. Or they may spend lunch spinning up an instance in a personal Amazon account, paid for with their own credit card. Even though that instance sits outside anything the company manages, your code was on it, so technically it is part of your perimeter now.
Reshaping how people work, for flexibility or work-life balance, is not going to shrink your perimeter either. It may make matters worse. Humans look for smarter, faster ways to do things, and at the speed of CI/CD those shortcuts and nuanced ways of meeting goals create well-intentioned vulnerabilities.
Learning from the Unsafe Processes Underlying the Uber Hack
Look at Uber. Attackers downloaded user data because a credential for the store holding it was sitting in a GitHub repository.
“[H]ackers accessed the data through a third-party, cloud-based service. According to Bloomberg, they got into Uber’s GitHub account, a site many engineers and companies use to store code and track projects. There, hackers found the username and password to access Uber user data stored in an Amazon server.” (CNN Money, Uber’s Massive Hack: What we know)
In the Uber hack, the data store was a real copy of real production Uber data, and it was credentialed; the problem was where the credential lived. As CNN notes, “this was not a sophisticated hack. Companies frequently accidentally keep credentials in source code that is uploaded to GitHub”. The developers needed convenient access to working data, a sanctioned route to it was not available in a way that let them meet their goals, so they took the shortcut, and what they put up, attackers took.
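The leaked-SSH-key scenario earlier and the Uber case both come down to a credential sitting in a repository. As an added example (not Uber’s tooling and not from the original post), here is a minimal secret scanner in Python of the kind you would run as a pre-commit hook or over a repository’s history: pattern rules for private-key headers and AWS access key IDs, a keyword rule for credential-looking assignments, and a Shannon-entropy check for long token-like strings. The sample file, the rule set, and the entropy threshold are all constructed assumptions; the AWS values are Amazon’s published example key pair, not real credentials.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Pattern rules. Where a rule has a capture group it is the secret value, which
# is masked before it is reported so the scanner output is not a second leak.
RULES = [
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential_assignment", re.compile(
        r"(?i)[\w.]*(?:password|passwd|pwd|secret|token|api_?key)[\w.]*\s*[:=]\s*['\"]([^'\"]{6,})['\"]")),
]
# Quoted, dot-free, base64/hex-looking strings of 20+ characters are checked for
# entropy; excluding dots keeps hostnames and file paths out of the candidates.
HIGH_ENTROPY = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits/char; random tokens score ~4.5+, prose ~3-4


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep just enough of the value to locate it, never enough to use it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "*" * len(value)


def scan_text(text: str, path: str = "<memory>") -> List[Dict]:
    """Scan text line by line; returns one finding per (line, rule) that fires."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({"path": path, "line": lineno, "rule": rule, "match": mask(value)})
        for m in HIGH_ENTROPY.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno,
                                 "rule": "high_entropy_string", "match": mask(m.group(1))})
    return findings


# Constructed sample of a settings file that should never have been committed.
# The AWS values are Amazon's published example key pair, not live credentials.
SAMPLE = """\
# settings.py
DB_HOST = "db.internal.example.com"
DB_PASSWORD = "hunter2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEBUG = True
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0Z3VS5JJcds3xfn/ygWyF8PbnGy0AvBv7i9DQSXAMPLEONLY
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "settings.py"):
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['match']})")
```

Feed the output of `git diff --cached` to scan_text and refuse the commit when it returns anything, and run the same function over every revision (`git log -p`) when you first adopt it, because deleting a secret from the working tree leaves it in history. Findings are masked before they are reported so the scanner itself does not become another place the secret lives. The hostname on line 2 and the access key ID’s entropy show the two false-positive controls at work: dots exclude the hostname from the entropy check, and the 20-character key ID scores below the threshold but is still caught by its own pattern.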
Even huge companies, like Uber, may not know where their perimeter is.
Restricting the developer is an unrealistic way to secure this new type of perimeter. First, people get to be people at work. Second, many of those connections are to apps, web services, and tools that help developers and others meet their work goals. Heavy restrictions will cripple developers’ much-needed ability to add their apps, cutting productivity. The things that make their jobs easier end up changing your perimeter in ways that leave you open.
This is where processes can only go so far. Because people exist, Security needs to account for them and work inside the systems, routines, and patterns that people actually follow.
People problems: Integrating Security into human workplaces
Let’s go back to the app-using developer from the previous section. Developers need to do their job. If the developer is not given the right tools that are configured in safe ways, they will go out on their own to meet their job goals. And basically they accidentally weaken the employer they’re trying to make happy.
In other words, if our developer was a toy-making elf, the children waiting for toys would be their goal-setter. The toy workshop would be the province of Security, complete with the right tools and conditions to safely work to deadline.
That means Security needs to understand the developers, the environment, the goals, and the tools/resources that all go into making the production process move along. Security’s job should not be (as it has been in the past) a separate environment that’s set up like a triage center. Even beyond operating in an integrated way, Security has to help make the processes safer and safety more convenient as things are running.
Imagine if security made an announcement,
“To all employees, email is super risky. So is personal business. Understanding that risk, we’re making a policy that you no longer use personal email. Instead, use only the internal email system and never send to an external or unapproved contact (via forms 348A and T100B). Please use the honor system not to log onto the web.”
A more realistic approach would be to allow people access to their personal email, acknowledging that this is part of their work-life function, instead of assuming that they’ll comply with bad policy and inefficient tools. We need to look at user behavior and how people really work within a workspace and then build security around realistic things.
Cybersecurity is no longer a map-based quest.
Clearly, the new perimeter is no longer containable. It is not even fully trackable.
All companies face high numbers of assets outside their own security controls. These could include certified providers or SaaS companies that are connected to company assets. It could be internal IoT or services. Each connected company is in turn connected, and has a lot of gearwork moving inside it. They may buy a new media management account or geolocating web app and suddenly your perimeter is extended. If somebody hacks one of those apps and downloads all the API keys or local emails, it’s possible to recover all the passwords in that system and download data that leads, like a trail of breadcrumbs, into your data.
It isn’t only your direct suppliers, either. Your supplier is integrated with other suppliers, which are not your third parties but your fourth and fifth. It’s like a Russian doll: you never really know what is inside the next layer.
Having an accountability map that trusts each provider or connected party to be responsible may not be possible, if it could even help. There are too many connections and the risk is not worth trusting outside parties.
Obviously the solution can’t be to not engage with third parties.
Go forward and conquer, intelligently.
So what can you do? One thing is to become truly data-minded. You know your data is going out there, that any data attached to you can be used to invade your system, and that it may even go places by accident, as we have mentioned. Traditional security models that rely on known boundaries, periodic monitoring, heavy manual effort, and practices like domain isolation obviously cannot keep up with that on their own. Data-centered thinking is necessary.
Another cardinal rule is to keep compliance and make sure suppliers and third parties do, too. Oversight and security compliance came because of the need to mitigate risk and build some level of best practices. Be proactive about both your own compliance and the measures others are taking to meet compliance. Compliance is a minimum requirement.
Finally, have the right resources to be vigilant. Track and monitor the data you produce with the best possible tools and teams. Speed is essential, so running in real-time, intelligently is as true of your toolset as your practitioners. Whether people or tech, integration is key to properly equipping your defenses.
As part of vigilance, adopt new tools and practices like:
- Test inside CI/CD to remove obstacles from DevOps cycles, increase adoption, and speed up fixes.
- Monitor for abnormalities by employing toolsets that can cope with big and scaling data, like AI-powered engines and machine learning tools that can learn from your baselines.
- Pay attention to your architecture. Building a wall doesn’t matter if you don’t check for drones and air traffic. If you rely on APIs and web applications, make sure you have solutions that are targeting those layer-7 vulnerabilities.
- Finally, really try and get continuous, real-time security running with strong policies and processes. Responsiveness is survival.
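The baseline-driven monitoring point (raised earlier under smarter security technology and again in this list), as an added example that is not from the original post: a rule-based Python detector that profiles API access logs per API key over a baseline period and then compares an observation window against it. It is a deliberately simple stand-in for the statistical or ML engines the text describes, but it shows the shape of the approach: what “normal” means is learned from your own traffic, not from a library of known attacks. The log format, keys, paths, and thresholds are constructed for the illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed access-log format: one line per API request. Real gateways log
# more fields; these five are enough to profile who is doing what, and how much.
LINE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) path=(?P<path>\S+) status=(?P<status>\d{3}) bytes=(?P<bytes>\d+)$"
)


def parse(text: str) -> List[Dict]:
    """Parse log lines; malformed lines are skipped rather than crashing the detector."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            d = m.groupdict()
            events.append({"minute": d["ts"][:16], "key": d["key"], "path": d["path"],
                           "status": int(d["status"]), "bytes": int(d["bytes"])})
    return events


def profile(events: List[Dict]) -> Dict[str, Dict]:
    """Per-key activity, normalised to the number of distinct minutes in the data."""
    minutes = len({e["minute"] for e in events}) or 1
    per_key: Dict[str, Dict] = defaultdict(
        lambda: {"requests": 0, "bytes": 0, "errors": 0, "paths": set()})
    for e in events:
        p = per_key[e["key"]]
        p["requests"] += 1
        p["bytes"] += e["bytes"]
        p["errors"] += 1 if e["status"] >= 400 else 0
        p["paths"].add(e["path"])
    for p in per_key.values():
        p["req_per_min"] = p["requests"] / minutes
        p["bytes_per_min"] = p["bytes"] / minutes
    return dict(per_key)


def detect(baseline_text: str, window_text: str, egress_factor: float = 10,
           rate_factor: float = 5, new_path_min: int = 3,
           error_ratio: float = 0.5) -> Dict[str, List[str]]:
    """Compare an observation window with the baseline, per key. Returns the keys
    that deviate and why; thresholds are multiples of each key's own baseline."""
    base = profile(parse(baseline_text))
    window = profile(parse(window_text))
    alerts: Dict[str, List[str]] = {}
    for key, w in window.items():
        reasons = []
        b = base.get(key)
        if b is None:
            reasons.append("unknown_key")  # never seen in the baseline: leaked or newly minted
        else:
            # max(..., 1) so a key that was idle in the baseline cannot divide by zero
            if w["bytes_per_min"] >= egress_factor * max(b["bytes_per_min"], 1):
                reasons.append("egress_spike")
            if w["req_per_min"] >= rate_factor * max(b["req_per_min"], 1):
                reasons.append("rate_spike")
            if len(w["paths"] - b["paths"]) >= new_path_min:
                reasons.append("path_enumeration")
        if w["requests"] >= 5 and w["errors"] / w["requests"] > error_ratio:
            reasons.append("error_burst")
        if reasons:
            alerts[key] = reasons
    return alerts


# Constructed logs: three quiet minutes of baseline, then one minute to inspect.
LOG_BASELINE = """\
2024-05-01T10:00:01Z key=k1 path=/v1/users status=200 bytes=512
2024-05-01T10:00:07Z key=k1 path=/v1/orders status=200 bytes=640
2024-05-01T10:00:15Z key=k2 path=/v1/health status=200 bytes=32
2024-05-01T10:01:02Z key=k1 path=/v1/users status=200 bytes=498
2024-05-01T10:01:09Z key=k1 path=/v1/orders status=200 bytes=655
2024-05-01T10:01:15Z key=k2 path=/v1/health status=200 bytes=32
2024-05-01T10:02:03Z key=k1 path=/v1/users status=404 bytes=40
2024-05-01T10:02:10Z key=k1 path=/v1/orders status=200 bytes=630
2024-05-01T10:02:15Z key=k2 path=/v1/health status=200 bytes=32
"""
LOG_WINDOW = """\
2024-05-01T10:30:00Z key=k1 path=/v1/admin status=404 bytes=40
2024-05-01T10:30:01Z key=k1 path=/v1/debug status=404 bytes=40
2024-05-01T10:30:02Z key=k1 path=/v1/internal status=403 bytes=40
2024-05-01T10:30:03Z key=k1 path=/v1/users/export status=200 bytes=5242880
2024-05-01T10:30:04Z key=k1 path=/v1/users status=200 bytes=510
2024-05-01T10:30:20Z key=k2 path=/v1/health status=200 bytes=32
"""

if __name__ == "__main__":
    for key, reasons in detect(LOG_BASELINE, LOG_WINDOW).items():
        print(f"ALERT {key}: {', '.join(reasons)}")
```

With the constructed data, key k1 is flagged for an egress spike, enumeration of paths it had never touched, and a burst of 4xx responses, while k2, whose window looks like its baseline, stays silent. The factors are starting points to tune against your own baseline, and the unknown_key rule catches a credential that never appeared in the baseline at all, which is what a leaked or newly minted key looks like from the gateway’s side.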
Evolve to accept that we cannot fully know our perimeter. We need to listen to it and keep track of our data, continuously, as far as is humanly possible.
Remember, a company no longer functions as a single thing with an edge. The corporate entity is better pictured as a continuously changing organism than as a walled building. Watching security health means paying far more attention to what lies outside your immediate purview, monitoring the environment and climate that affect your data.