I’m Nick Carstensen, a member of Illumio’s Cybersecurity Research Group in the Office of the CTO. For the past 10 years, I’ve been in Log Management/SIEM, but I have also worked in all the defenders’ tools from firewalls, EDRs, and vulnerability management to DLP.
My new blog series will be in response to Paul Dant’s series and will focus on the blue team side of security breaches.
Like Paul’s post, I want to focus on cyber resilience and detection. Cyber resilience can be in many areas, but this counter blog series will focus on techniques and tactics to help your organization stop an active breach as well as learn what to put in place to detect the breach as quickly as possible. I’ll be discussing how Illumio Zero Trust Segmentation be used for both detection and protection.
Let’s start at the beginning of how we can achieve this with Illumio and using existing toolsets you may have in your organization. With the right tools, you can be ready to prevent, detect, and respond.
Shut the front door!: Securing your critical assets
To start, let’s talk about a real-world example.
Everyone has something very special to them in their house. This could be a family heirloom, piece of jewelry, or a few gold bars, if you’re lucky. For this example, we are going to call them “critical assets.” These special items is always on your mind; it needs to be protected at all costs.
What do you we traditionally do to protect our critical assets?
Our homes have walls, windows, and a door to protect from rain, wind, and animals. If we think of this in a percentage, say this keeps about 50 percent of risk to your critical assets away.
The doors and windows are nice to have, but they can still be opened at any time – we add locks to them to keep the next 10 percent of risk out. We are getting a more secure perimeter now, but like anything, we can improve it!
Next, we need to see who is outside of our house, if they are sneaking up to the door or window at night. We put in some lighting with motion sensors to go off when they detect movement. Now we are getting up another 2 percent more protection, and slowly but surely, we are getting there.
But we can’t be up all night watching for the lights to turn on. We want to be notified and record it when it does happen. Off we go to the internet – a few clicks later, and the next day a new camera system shows up with motion-activated recording, a doorbell video camera, and door and window sensors! Now we are up to 70 percent coverage.
Your home’s perimeter is getting harder to breach, so you assume your critical assets are protected safely.
But when you come back home one day to find the backdoor has been left open by accident, you panic that your critical assets have been taken. This time, thankfully, nothing happened. Phew, safe this time – but it gets you thinking. If someone had found your home’s back door open, could they have taken your critical assets? You realize securing your home against a breach isn’t finished yet.
If your critical assets are only 70 percent secured, how can you completely protect your home from a breach? Let me be the first to bust your bubble: You won’t, and you can’t. Breaches are inevitable.
To prepare for when a breach does occur, you need to segment out your critical assets from the rest of the house. This ensures that when one part of your house gets breached, you can shut the door on your critical assets and ensure the bad actor isn’t able to get to them.
By now, you’ve hopefully started to see similarities between the above example and your organization’s cybersecurity strategy. We will go through how these steps tie to normal security best practices everyone should be following for cyber resilience and detection.
Using the MITRE ATT&CK framework to build cyber resilience
Paul’s post referenced the MITRE ATT&CK framework and for good reason. It is a blueprint of how attackers think, what steps they will take to get to your critical assets, and how to stop them during each phase.
Security teams can use this framework to learn how to protect their organization from the attack patterns that bad actors use.
Attacks reaching the far right of the framework below (Exfiltration and Impact) usually shows an organization early in their security maturity.
If an attacker is getting to the Exfiltration phase, your organization is in a reactive mindset to security breaches. You are likely hoping your EDR tools alone can stop a breach when it happens – but breaches rarely work that way.
At what level is your organization’s security maturity? Image by CISOSHARE.
When a breach does occur, stopping it as early as possible should be the goal – and Zero Trust Segmentation can help pick up where EDR tools end.
In fact, according to offensive security firm Bishop Fox, combining detection and response with Illumio radically reduced an attacker from spreading while detecting 4 times faster.
Where to next? Improving your organization’s security maturity
In this series, we will respond to Paul’s series and start outlining steps to improve your organization’s security maturity with help from cybersecurity best practices and Illumio Zero Trust Segmentation. While hackers are always evolving and changing how they attack, these blue team tactics can help you stand the test of time.
Before the next blog post, think about what the first step to improving your organization’s cyber resilience might be, and make some mental notes on your organization’s current security status. You can reference these as we go to see how you stack up.
Keep reading next month to learn how to stop breaches from spreading through your network as quickly as possible.
Want to learn more about Illumio Zero Trust Segmentation? Contact us today for a consultation and demo.