Recent news coverage has not been kind to the Secret Service, but when it comes to the organization’s core mission – protecting the President – it is hard to argue with its record.
In the 110 years since the Secret Service began protecting the President, only seven assailants have actually reached their target, and only one has accomplished his goal. The Secret Service has maintained this record despite the President meeting tens of thousands of people during his term, and speaking at hundreds of public events every year.
Cybersecurity defenders face a similar problem: they are defending high-value assets that must be protected, but also have to speak to hundreds or thousands of other servers. But our cybersecurity record doesn’t look as successful – 2,260 data breaches in 2015 alone, with the majority of intruders taking only minutes to compromise systems, and the majority of defenders taking days to identify a breach.
The Secret Service has faced major challenges, and will likely continue to do so. But any organization that has so successfully used institutional paranoia surely has lessons to teach others in the security profession.
Here are four lessons that cybersecurity defenders can learn from the Secret Service:
1. You can’t protect what you can’t see
The first step to securing any location is to identify likely paths of attack. But even today, most cybersecurity defenses are based on the equivalent of a network map drawn from memory on the back of a napkin.
Virtually every major intrusion in recent years has relied on the attackers having a better understanding the target network than its defender did. The 2014 Carbanak bank robberies are a perfect example – hundreds of intrusions, stealing as much as a billion U.S. dollars, each of which took up to four months of reconnaissance inside the target network. More recent intrusions, from the Bangladesh Central Bank to OPM, fit the same mold.
Often defenders have minimal visibility into the real-time operation of their data center, which means they know how their systems are supposed to operate, not how they actually operate. Attackers exploit this gap. The Secret Service maps its operating environment from an attacker’s perspective, and defenders that don’t do the same are especially vulnerable to the well-researched, targeted intrusions that are so prevalent today.
2. Visibility alone isn’t enough – you must reduce your attack surface
Whether using ropes, fences, walls, or canopies, the Secret Service rarely leaves a location untouched. Every environment has many attack paths, and monitoring all of them would strain available resources beyond capacity. But by limiting the pathways to the President, the Secret Service reduces risk and can concentrate its resources where they will be most effective.
In my current role, I lead a team that regularly analyzes data centers and cloud environments to help organizations identify and shut down their attack surface. We’ve found that even data centers with as few as 100 servers regularly have hundreds of thousands of open, port-to-port communications pathways between servers. Monitoring so many pathways risks burying defenders in alerts and false positives, which leaves organizations unable to determine which ones matter most. We’ve also found that many organizations use fewer than 3 percent of their pathways, which raises a simple question: why leave the others open? Adaptive segmentation is the digital equivalent of barricades and rope lines, and it’s essential to enabling cybersecurity defenders to cut out the noise and focus on serious threats.
3. Prioritize your security
By limiting the number of attack paths, the ones that pose the greatest risk quickly become obvious. The Secret Service places its valuable resources – agents, surveillance cameras – at the most important intersections and pathways.
Many cybersecurity defenders still try to protect the interior of their data center as if every server is equally important. If you don’t visualize your data center and take steps to reduce your attack surface, you have no choice but to do this. Doing so, however, places defenders at a huge disadvantage, because with hundreds of thousands of pathways between all your servers, it’s incredibly difficult to identify the most important ones. But once we take control of the environment and reduce those paths, the riskiest open pathways become obvious: which paths enable attackers to move from dev to prod? Which paths allow attackers to access high-value assets?
Just as simplifying its environment enables the Secret Service to protect it better, simplifying the communications paths between your servers means you can quickly identify the riskiest points in your data center and use all your other security tools – honeynets, intrusion detection systems, behavioral analytics, hunt – more effectively.
4. Focus on security consequences for your most valuable assets
The Secret Service is primarily worried about the proximity of threats to the President. Someone jumping the fence at the White House is a problem because it gets them closer to the President. But that doesn’t mean that the Secret Service expects no one to jump the fence. In fact, an intruder jumping the fence and getting tackled on the lawn is exactly how the security is supposed to work. The fence stops many would-be interlopers, and slows down the more determined ones so they can be stopped before getting far.
Cybersecurity defenders still frequently think of any intrusion into their data center as a failure. But statistics increasingly demonstrate that stopping all intruders at the perimeter is impossible – one recent study found that 75 percent of organizations had been breached at least once during 2015. The Secret Service understands this challenge, because they never rely on only a single layer of defense. Defense in depth is a concept that cybersecurity experts have been talking about for some time, but many data centers are still largely unprotected once an attack crosses the perimeter.
Intruders have two goals: gathering information about a target environment, and exploiting that information to cause damage to a high-value asset. Instead of focusing on the perimeter as being the most important defense, we should reorient ourselves to think of the “ringfence” we draw around our high-value assets as our highest wall. The further a line of defense is from high-value assets, the more important identification – as opposed to 100 percent impermeability – becomes as our goal. If intruders jump the outer perimeter, but are tackled before they make it across the lawn, that isn’t a sign of failure – that is a sign that the security system is working as it should.