Considering Alternatives to Secure a Nation’s Crown Jewels
Although mandatory breach notification legislation was only recently introduced in Australia and will come into effect in New Zealand by the end of this year, intruders regularly gain access to sensitive data and disrupt key missions in public safety, finance and national security. They also continue to manipulate data in political campaigns, alter research institutions' data and undermine public health security.
In part one of this Securing Australian Government Assets series, we reviewed the findings of The Commonwealth Cyber Security Posture in 2019 report and the government's announcements regarding increased attacks targeting Australian government agencies and enterprises.
A key element of those findings is that, whilst improvement is being made, we remain vulnerable to cyber attack as a nation. There are existing tactical recommendations that focus on the types of threats recently seen, and long-standing advice on the essential security disciplines that all non-corporate Commonwealth entities should embed in their IT practices. However, planning beyond the inevitable breach, and striving for Zero Trust under a holistic strategy to contain and prevent the damage of such events, is paramount to limiting the exposure of personal and financial data, intellectual property, and data held in the national interest.
In response to the recent events, the government has announced a plan under the banner of "the best defence is offense", designed to bolster the Australian Signals Directorate's (ASD) ability to disrupt cyber criminals. Recruitment and funding are earmarked to build offensive capabilities to go after attackers offshore, and to share intelligence about cyber activity so that it can be acted on in real time. But what can each agency or enterprise in Australia and New Zealand do proactively to limit the impact and spread of a breach, so that the response becomes a matter of examination rather than a panicked effort to stop the propagation?
We promote raising the priority of network segmentation, which the Australian Cyber Security Centre (ACSC) rates as an "excellent" but not yet "essential" mitigation, because it underpins the Zero Trust philosophy and lets us rethink the "keep the bad guys out, and detect them as quickly as we can if they get in" paradigm as "the first system compromised should be the last".
All the patching, multi-factor authentication and intelligence-sharing partnerships in the world cannot stop attacks on critical and sensitive infrastructure if we continue to run an eggshell computing or networking model (a hard perimeter around a soft, flat interior) and rely on reactive detection to prevent the damage.
Cirrus Networks' Andrew Weir suggests that "As a defender, getting the basic mitigations right can save a lot of damage later on. As a stakeholder in your organisation's security, you cannot afford to be complacent and should look at building coherent layers of ICT defence. Understanding how your applications work and minimising the attack surface through segmentation significantly reduces the options and reach available to an attacker when they do manage to breach one layer of your defences."
Micro-segmentation is the application of the Zero Trust principle of least privilege to network traffic: machine-to-machine and application-to-application flows inside a data centre (or laptop-to-laptop and workstation-to-workstation traffic in the client or employee space) are denied by default unless they have been explicitly authorised. Planning beyond a breach event changes the mindset to one of assuming that a breach will occur and preventing the compromise of one system from spreading to any other. Put another way, practising least privilege means applying the same distrust to traffic inside our environment that we already apply to traffic from outside it, so that malware or a bad actor reaches the smallest possible number of systems. A compromise is contained at the first system it takes hold of, because from there it can reach only the peers that system was explicitly allowed to talk to, and nothing else.
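To make the "first system compromised should be the last" argument concrete, the following is an added example (not code from the original post or from any vendor product) that models a label-based, default-deny policy and computes the lateral-movement reach it leaves an attacker, compared with a flat network where any host can reach any other. The hosts, labels, allow rules and sample flows are all constructed for illustration.

```python
# Added example, not code from the original post or any vendor product:
# a label-based, default-deny policy model and the lateral-movement
# "blast radius" it leaves an attacker, compared with a flat network.
# Hosts, labels, rules and sample flows below are constructed for illustration.
from collections import deque

# Constructed inventory: host -> (application, role) labels.
HOSTS = {
    "web-01":   ("payroll", "web"),
    "web-02":   ("payroll", "web"),
    "app-01":   ("payroll", "app"),
    "db-01":    ("payroll", "db"),
    "hr-web":   ("hr", "web"),
    "hr-db":    ("hr", "db"),
    "laptop-a": ("endpoint", "workstation"),
    "laptop-b": ("endpoint", "workstation"),
}

# Explicit allow rules on labels, not IP addresses:
# (src app, src role, dst app, dst role, dst port).
# Anything not matched here is denied; there is no "any-any" rule.
ALLOW_RULES = [
    ("payroll",  "web",         "payroll", "app", 8443),
    ("payroll",  "app",         "payroll", "db",  5432),
    ("hr",       "web",         "hr",      "db",  5432),
    ("endpoint", "workstation", "payroll", "web", 443),
    ("endpoint", "workstation", "hr",      "web", 443),
]
RULE_PORTS = sorted({rule[4] for rule in ALLOW_RULES})


def segmented_policy(src, dst, port, rules=ALLOW_RULES):
    """Default deny: a flow passes only if some rule matches both labels and the port."""
    if src == dst or src not in HOSTS or dst not in HOSTS:
        return False  # unknown or unlabelled hosts get no implicit trust either
    s_app, s_role = HOSTS[src]
    d_app, d_role = HOSTS[dst]
    return any((s_app, s_role, d_app, d_role, port) == rule for rule in rules)


def flat_policy(src, dst, port):
    """The eggshell model: once inside the perimeter, every host can reach every other."""
    return src != dst and src in HOSTS and dst in HOSTS


def blast_radius(start, policy, ports=RULE_PORTS):
    """Hosts an attacker holding `start` can reach by chaining allowed flows.

    Breadth-first search over the host graph, with an edge wherever the policy
    permits any port from src to dst. This is transitive reach: the path
    web -> app -> db counts even though no rule lets web talk to db directly.
    """
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and any(policy(cur, nxt, p) for p in ports):
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def denied_flows(flows, policy=segmented_policy):
    """Filter observed (src, dst, port) flows down to those the policy blocks.

    Under default deny every blocked flow is also a high-signal detection event:
    a legitimate workload has no reason to attempt a flow nobody authorised.
    """
    return [flow for flow in flows if not policy(*flow)]


if __name__ == "__main__":
    # Constructed sample of flows attempted after a laptop is compromised.
    observed = [
        ("laptop-a", "web-01", 443),    # normal user traffic, allowed
        ("laptop-a", "laptop-b", 445),  # SMB to a peer workstation, denied
        ("laptop-a", "db-01", 5432),    # straight for the database, denied
        ("web-01", "web-02", 22),       # web tier talking to itself, denied
    ]
    for host in ("laptop-a", "web-01", "db-01"):
        print(f"{host}: flat reach={len(blast_radius(host, flat_policy))} "
              f"segmented reach={sorted(blast_radius(host, segmented_policy))}")
    for flow in denied_flows(observed):
        print("DENIED", flow)
```

Two things the numbers show that the paragraph alone does not. First, the workstation-to-workstation and web-to-web hops are gone, and a compromised database server reaches nothing, because no rule names it as a source. Second, a compromised laptop can still pivot transitively along the explicitly allowed chain (workstation to web, web to app, app to db), so the allow rules themselves are the residual attack surface and must be kept as narrow as the application genuinely needs, which is the point of understanding how your applications work before segmenting them.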
With the evolution of segmentation technology away from the traditional, complex, costly and infrastructure-dependent approaches of firewalls, SDN, EDR and NAC, it is now possible to thwart or significantly impede attackers by isolating and containing applications and protecting corporate-issued equipment.
Our recent report with Bishop Fox not only highlighted the efficacy of micro-segmentation as a security control, but also showed that it forced changes in attack strategy that may not be possible without insider knowledge. Micro-segmentation raised resistance and detection to a degree that could lead less motivated parties to simply give up and divert their attention to easier targets. The report also found that an effective micro-segmentation solution dramatically increases the efficiency of detection and incident response, allowing a "contain first, ask questions later" approach to keeping you out of the headlines.
Micro-segmentation is no longer an emerging feature or a niche solution available only to those large and mature enough to adopt it. It should be considered a fundamental and essential capability for both networking agility and information security today. As Forrester, a leading advocate and definer of the Zero Trust framework, states in The Forrester Wave™: Zero Trust eXtended (ZTX) Ecosystem Platform Providers, Q4 2019 report, "there's now no excuse not to enable micro-segmentation for any company or infrastructure. It's no longer a question of whether you can do it."
Cirrus Networks' Weir also emphasised the continued need for security solutions to facilitate DevSecOps and drive for simplicity and automation: "For a long time we've spent significant effort adding manual tools and processes on top of applications in an effort to secure them. These efforts, often done in isolation from the application owners, mean that lost-in-translation and configuration mistakes add cost and time to application deployment. As infosec professionals we should be building automated and scalable guardrails for our application teams which they can consume in real time as they deploy. Organisations which effectively build security into their deployment pipelines will see faster, more productive teams with a security-first mindset."
With the rise of fast and extremely destructive attacks like ransomware, which can take down the global IT infrastructure of an enterprise in minutes, and the increased pressure and interest from cyber criminals and nation states on government agencies, the ability to contain the spread of any attack could not be more urgent, and the opportunity to do so is more accessible than ever.
So let's enable security teams to refocus, and to measure the success of their practice not by keeping the bad guys out but by assuming breach and making it significantly harder for an attacker to own the environment.
Ready to see the benefits of micro-segmentation? Sign up for a free 30-day trial today.