At the start of the RSA Conference last week, I offered a few thoughts about why it’s better to think like a defender instead of an attacker when designing security. RSA is now over, but the conversation continued throughout the entire conference, and keeps coming up now that we’re back in the real world. Few people disagree that proactive control is an essential component of security – the question is how to actually put it into practice. The key to thinking like a defender is how your security organization combines proactive control measures with reactive security.
In my last post I proposed a defense chain – a model for how defenders protect their environments that encompasses the cyber kill chain, but goes beyond it to focus on proactive security work as well. Proactive security is put into place before an attacker ever shows up; it is not done in response to specific threats, but is aligned to a set of security principles. For example, a security team that patches a vulnerability based on a new threat indicator is operating reactively. A security team that aligns its users’ permissions to the principle of least privilege is operating proactively.
"Thinking like a defender" is not about taking particular reactive or proactive measures. It's about how the organization combines the two approaches into an overall strategy. In particular, proactive control should be implemented before reactive security because it is more efficient. Reactive security is retail: teams close particular, identified threat vectors. Proactive control is wholesale: teams make structural and environmental changes that close a whole range of threat vectors (for example, limiting user permissions makes a wide range of blended intrusions more difficult). Beginning with proactive control enables a security team to establish a broad base of security through proactive measures, and then tune that security to address changes in the threat landscape by taking reactive steps.
Some other examples of proactive control that fit this model include:
- Encrypting traffic between critical assets and data stored on those assets.
- Putting automated patch management systems in place and using them to keep systems up-to-date.
- Segmenting traffic into, out of, and inside important applications.
Each of these approaches drastically reduces the number of attack vectors, without forcing the security team to identify and analyze each and every one. This is a critical advantage, because it means the defender no longer has to find (and secure) every vulnerability faster than the attacker can find it. This makes security faster and more efficient – it lets the defender use the scale of their operation to their advantage, rather than ceding that advantage to the attacker.
If you’re looking for ways to apply this approach to your security, it all starts with visibility. Do you know what’s communicating inside your environment? Do you know which devices are associated with your high value applications? If not, a capability that will show you the connectivity within your environment, and help you limit and control that connectivity, is a great place to start.
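To make the "wholesale" point concrete, here is an added example (not from the original post) that turns visibility data into a segmentation policy: a constructed inventory maps devices to application tiers, a constructed baseline of observed flows is collapsed into tier-level allow rules, and any flow outside those rules is denied by default. The inventory, addresses, ports and flow records are all made-up sample data.

```python
"""Derive a default-deny segmentation policy from observed flows.

Added example, not code from the original post. All addresses, tiers
and flows below are constructed sample data.
"""
from collections import defaultdict

# Constructed inventory: which devices belong to which tier of the
# "orders" application. This is the visibility step.
INVENTORY = {
    "10.0.1.10": "orders-web",
    "10.0.1.11": "orders-web",
    "10.0.2.20": "orders-app",
    "10.0.3.30": "orders-db",
    "10.0.9.99": "unmanaged",
}

# Constructed baseline of flows seen during normal operation: (src, dst, port).
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8443),
    ("10.0.1.11", "10.0.2.20", 8443),
    ("10.0.2.20", "10.0.3.30", 5432),
]


def tier(ip):
    """Map a device to its application tier; unknown devices get no tier."""
    return INVENTORY.get(ip, "unknown")


def build_policy(flows):
    """Collapse per-device flows into tier-to-tier allow rules (wholesale)."""
    policy = defaultdict(set)
    for src, dst, port in flows:
        policy[(tier(src), tier(dst))].add(port)
    return dict(policy)


def evaluate(policy, flow):
    """Return 'allow' or 'deny' for one candidate flow. Default is deny."""
    src, dst, port = flow
    return "allow" if port in policy.get((tier(src), tier(dst)), set()) else "deny"


def audit(policy, candidates):
    """Group candidate flows by verdict. Each denied flow is a vector closed
    by the single structural rule set rather than by a separate reactive fix."""
    report = {"allow": [], "deny": []}
    for flow in candidates:
        report[evaluate(policy, flow)].append(flow)
    return report
```

Running `audit(build_policy(OBSERVED_FLOWS), ...)` over candidate flows such as web-to-db on 5432 or an unmanaged host reaching the database shows them denied without anyone having enumerated those paths in advance.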