This article was originally published on Forbes.com.
The best security professionals are those who can think like a hacker. Their perspective on defense is based on a fundamental understanding of how to scour a system for weaknesses that can be easily exploited. Are there obscure entry points that aren’t secured? All it takes is one overlooked device with default passwords connected to the outside world, and attackers are in, despite all the resources dedicated to protecting the main entry.
That’s why modern security teams no longer fixate on the front door (aka the network perimeter) and instead apply more sophisticated techniques to limit the damage criminals can inflict. They also take into account the value of the assets being safeguarded, knowing that attackers tend to take the path of least resistance. That means they will move on to lower-hanging fruit: a less secure enterprise than its peers, or a less secure server within one organization.
Weighing all these variables requires knowledge of all your critical applications and data, where they reside and all the pathways that connect to them. When you know where the high-value targets are and the pathways that lead there, you can make intelligent decisions about where to prioritize your defensive efforts. Now you’re thinking like a hacker.
So how do we increase security in this environment? One technique is to reduce the available attack paths. The safest place for your valuables (your applications and data) would be in a reinforced bunker underground, surrounded by armed guards and lasers (if you’re going to build a bunker, you must have lasers). There’s one way in, and the cost of entry to the attacker is high, meaning they’re likely to go somewhere else. That might keep your assets secure, but it’s hardly an affordable or practical option.
One way to think about this is to use an analogy in the real world. Let’s say you’re in the physical security business and your job is to protect Steph Curry when he gives a speech at a local venue. You can’t easily control the venue, because lots of people need to get in and out, and you can’t hide Steph in a bunker because the whole point is for people to see him. This is akin to the problem facing a chief information officer (CIO) or a chief information security officer (CISO) charged with securing an enterprise data center or a cloud.
What we can do is evaluate all possible access points to the venue and lock down those we don’t need. Maybe the two side doors and one of the back doors aren’t needed, so we can barricade those completely. The remaining back door might only be open to Steph and his team and requires a badge for access. The only public entry point is now the front doors to the venue, where we install five metal detectors.
We’ve thus reduced the attack surface significantly by analyzing all the pathways and deciding which ones we can block off and where we limit access. In the security world, we apply the same technique to data and applications, identifying all possible pathways and closing off all but those that are essential, so that any connection not explicitly permitted is denied by default. Micro-segmentation applies the principle of least privilege to accomplish this in the data center and cloud, and it’s used by organizations to secure some of the most sensitive applications and data in the world.
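To make the "close off all but the essential pathways" idea concrete, here is a small added illustration in Python. It is not code from the original article or from any vendor product; the workloads, listening ports, allow list and observed connections are all constructed for the example. It models a default-deny policy, counts how many pathways exist on a flat network versus after segmentation, and flags observed connections the policy would block, which is the list you review before switching a segmentation policy from monitor mode to enforce mode.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One network pathway: source workload -> destination workload on a port."""
    src: str
    dst: str
    port: int


# Constructed inventory (hypothetical workloads and the ports each listens on).
INVENTORY = {
    "web": {443, 22},
    "app": {8080, 22},
    "db": {5432, 22},
    "jumphost": {22},
}

# The essential pathways (constructed). This is the whole policy: anything not
# listed here is denied, which is what least privilege means for network paths.
ALLOW = frozenset({
    Flow("web", "app", 8080),      # front end talks to the application tier
    Flow("app", "db", 5432),       # application tier talks to the database
    Flow("jumphost", "web", 22),   # admin access only via the jump host
    Flow("jumphost", "app", 22),
    Flow("jumphost", "db", 22),
})


def flat_network_paths(inventory):
    """Every pathway that exists when nothing is segmented: any workload can
    reach any other workload on every port it listens on."""
    return {
        Flow(src, dst, port)
        for src in inventory
        for dst, ports in inventory.items()
        if src != dst
        for port in ports
    }


def is_allowed(flow, allow=ALLOW):
    """Default deny: a pathway is open only if it is explicitly on the allow list."""
    return flow in allow


def attack_surface(inventory, allow=ALLOW):
    """Count pathways before and after segmentation. The 'after' count only
    includes allow entries that match a real listening port, so a stale rule
    does not inflate the number."""
    before = flat_network_paths(inventory)
    after = {f for f in before if is_allowed(f, allow)}
    return len(before), len(after)


def unexpected_flows(observed, allow=ALLOW):
    """Connections seen in monitoring that the policy would block. Reviewing
    this list before enforcing is how you find the pathway someone forgot
    (or the one an attacker is already using)."""
    return [f for f in observed if not is_allowed(f, allow)]


# Constructed sample of observed connections, as a flow log might report them.
OBSERVED = [
    Flow("web", "app", 8080),
    Flow("app", "db", 5432),
    Flow("web", "db", 5432),   # direct web -> db: not an essential pathway
]


if __name__ == "__main__":
    before, after = attack_surface(INVENTORY)
    print(f"pathways open on a flat network: {before}, after segmentation: {after}")
    for f in unexpected_flows(OBSERVED):
        print(f"blocked by policy: {f.src} -> {f.dst}:{f.port}")
```

With the constructed inventory the flat network exposes 21 pathways and the allow list leaves 5, and the direct web-to-database connection shows up as the one an attacker who has compromised the web tier would use. In a real deployment the allow list comes from application owners and observed traffic rather than being hand-written, but the evaluation rule stays the same: a flow is permitted only if it is on the list.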
But what happens when you find out that two of your metal detectors aren’t working, and lines for the event are starting to wrap around the block? Do you weaken your security to keep the lines moving, or do you prioritize Steph’s security above all else? I’ll answer these questions in the second part of this series.