In part one of this two-part series, I talked about the similarities between protecting high-value assets in public spaces in the real world and protecting them in the enterprise: understanding the value of the assets, reducing the available pathways to them to minimize the attack surface, and putting security controls on the remaining access points.
I used an analogy that revolved around Steph Curry, whose long-range scoring has forced opposing teams to change their tactics on defense. One of the greatest shooters to ever hit the court, Curry’s value to the Golden State Warriors is unequaled. Unguardable on the court, how do you protect him off the court? I painted a scenario in which Steph is giving a speech at a public auditorium, where a security plan for him is developed to lock down the venue’s side doors and a back door and restrict the other back door to him and his badge-carrying staff. Five metal detectors provide protection at the front doors to ensure the venue’s security. In the enterprise, you would use micro-segmentation and the principle of least privilege to accomplish the equivalent in a data center or cloud environment.
Just like in the real world, last-minute security issues crop up all the time in the enterprise. Let’s say one of the metal detectors is found to have problems shortly before the event is to start. For some reason it isn’t working properly and misses certain metal objects, so it can’t be relied on. You can’t repair or replace it because you don’t have the time. If you shut it down entirely, you create major congestion at the remaining metal detectors: people will be stuck in long, slow-moving lines, and many will still be in line when the event starts. If you keep that doorway open and have security guards do physical pat-downs instead, you risk missing hidden weapons and putting Curry at risk. Clearly, protecting Curry outweighs the inconvenience to attendees.
This is the equivalent of discovering an unpatched vulnerability in an application or security control in the enterprise. Shutting down critical applications and access points for security reasons can seriously disrupt network traffic, workflows and business operations, hurting productivity, customer service and, in the long run, the bottom line. But if you can’t quickly fix the problem (e.g., patch the software) and leave it running as-is, you put your customers and your business at risk.
There are other options that compensate for a broken security control. For the Curry event, you could put more guards at the faulty detector to do pat-downs, but while that may move the line a bit faster, the guards are just as likely to miss hidden weapons. A better idea is to have the guards at the broken metal detector use hand wands to detect metal objects. This costs more, but it is a solid backup control and keeps attendees moving. In the enterprise, security teams often can’t patch immediately, but they can use micro-segmentation as a compensating control: restrict the vulnerable service so that only the workloads that genuinely need it can reach it. That doesn’t remove the vulnerability, but it removes the network pathways an attacker would need in order to exploit it, which buys the time needed to patch properly.
Those scenarios deal with a vulnerability in a control that guards an asset, but what if the vulnerability is in the asset itself, or in the credentials that grant access to it? Let’s say one of the VIP badges, which gives direct access to Curry, goes missing. You need a way to quickly identify the problem and address it; in this case, security guards with wands could be added to the VIP entry. The enterprise equivalent is a lost or compromised credential: revoke it, and tighten the controls on the pathway it opened until you are sure it can’t be misused.
The key is to understand the risks and be able to act quickly to address the vulnerability, without shutting systems down or adding burden to your infrastructure. The critical insight is that you need to be able to see which pathways exist (your “exposure”), identify that you have a vulnerability and determine what measure to put in place to compensate for it. You don’t need security controls everywhere; you can deploy resources efficiently and put them only where you need them most, at the access points to the most critical assets.
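To make “exposure” and “compensating control” concrete, here is an added example (not code from the original post, and not any vendor’s policy model): a toy label-based, first-match, default-deny policy evaluated over a handful of constructed workloads. `exposure()` lists every workload that has a pathway to a given service and port; `compensate()` prepends a narrow allow for the sources that legitimately need an unpatched service, followed by a deny for everyone else on that port, leaving every other flow exactly as it was. The workload names, labels, ports and the rule format are all assumptions made for the illustration.

```python
"""Exposure model for a micro-segmentation compensating control.

Added example, not from the original post. Workloads, labels, ports
and the rule format are constructed for illustration and do not
represent any vendor's policy language.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset  # e.g. {"role:web", "env:prod"}


@dataclass(frozen=True)
class Rule:
    src_label: str          # "*" matches any source workload
    dst_label: str          # "*" matches any destination workload
    port: int               # 0 matches any port
    action: str = "allow"   # "allow" or "deny"

    def matches(self, src: Workload, dst: Workload, port: int) -> bool:
        return ((self.src_label == "*" or self.src_label in src.labels)
                and (self.dst_label == "*" or self.dst_label in dst.labels)
                and self.port in (0, port))


def decide(policy, src, dst, port):
    """First matching rule wins. No match means default deny, as in a
    segmented environment where every allowed pathway is explicit."""
    for rule in policy:
        if rule.matches(src, dst, port):
            return rule.action == "allow"
    return False


def exposure(policy, workloads, target_name, port):
    """Names of every workload with a pathway to target_name:port.
    This is the 'exposure' of that service under the given policy."""
    target = next(w for w in workloads if w.name == target_name)
    return sorted(w.name for w in workloads
                  if w.name != target_name and decide(policy, w, target, port))


def compensate(policy, vulnerable_label, port, required_src_labels):
    """Emergency compensating control for an unpatched service.

    Prepend a narrow allow for each source that must still reach the
    service, then a deny for everyone else on that port. Because the
    hotfix is matched first and scoped to one label and one port, every
    other flow falls through to the existing policy unchanged."""
    hotfix = [Rule(s, vulnerable_label, port) for s in required_src_labels]
    hotfix.append(Rule("*", vulnerable_label, port, action="deny"))
    return hotfix + list(policy)


# Constructed sample environment: web and app tiers, a database, a jump host.
WORKLOADS = [
    Workload("web-1", frozenset({"role:web", "env:prod"})),
    Workload("web-2", frozenset({"role:web", "env:prod"})),
    Workload("app-1", frozenset({"role:app", "env:prod"})),
    Workload("db-1", frozenset({"role:db", "env:prod"})),
    Workload("jump-1", frozenset({"role:jump", "env:mgmt"})),
]

# A flat network: one rule that allows everything (the "no segmentation" case).
FLAT_POLICY = [Rule("*", "*", 0)]


if __name__ == "__main__":
    # Scenario: the database service on 5432 has a vulnerability we can't
    # patch today. Only the app tier legitimately needs to talk to it.
    print("exposure before:", exposure(FLAT_POLICY, WORKLOADS, "db-1", 5432))
    fixed = compensate(FLAT_POLICY, "role:db", 5432, ["role:app"])
    print("exposure after: ", exposure(fixed, WORKLOADS, "db-1", 5432))
    web, app, db, jump = WORKLOADS[0], WORKLOADS[2], WORKLOADS[3], WORKLOADS[4]
    print("web->app:8080 still allowed:", decide(fixed, web, app, 8080))
    print("jump->db:22 still allowed:  ", decide(fixed, jump, db, 22))
```

The point of the prepend-and-deny shape is the same as the hand wands at the broken detector: it is applied only at the one access point that is known to be unreliable, it keeps the legitimate traffic flowing, and it is cheap to remove once the real fix (the patch) lands. Run the block as a script to see the exposure of `db-1:5432` shrink from every other workload to just the app tier while unrelated flows are untouched.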
Security teams have to make decisions like this on the fly all the time, and the more data they have access to about the situation, the better decisions they can make. New tools are becoming available to help security teams offload the burden and complexity of some of that real-time decision making and allow them to instead focus on higher-level business logic that they would like to enforce.
In the future, there may be a way to address the broken metal detector problem without having to manually replace or repair machines. What if the hardware platform became smarter and metal detectors were programmable? Settings and functionality could adapt in real time, including software security updates. Micro-segmentation does the same for policies and security controls in the enterprise – which is a slam dunk for security professionals.