Secure Beyond Breach
Introduction: The Evolving Cybersecurity Landscape
In this chapter:
- Why micro-segmentation tops the new security stack
- How it solves the problems that lead to high-profile breaches
- The importance of leadership
Organizations are being taken apart in cyberspace. Across the globe the total number of internet users has increased to four billion with an expected addition of one to two billion new users in Asia and elsewhere by the end of the decade. More data is being created and stored across more devices and data centers around the world than ever before. Yet access to data has increased without a commensurate or popular understanding of cybersecurity risk. The result is that the world is behind in cybersecurity and vulnerable to a range of digitally enabled attacks.
Intruders regularly gain access to sensitive data and impact key missions in public safety, finance, and national security; they also manipulate data in political campaigns, alter research institution data, and undermine public health security. Every day we learn about another intrusion and mass data theft.
Why are breaches having such an impact? Part of the reason lies in how organizations secure their data behind the perimeter defenses along the border between an organization’s network and the open internet.
Consider the case of the Chinese hack of the U.S. Office of Personnel Management in 2015. One of the smallest agencies of the U.S. government, OPM serves as the chief human resources agency for governmental personnel. Among other personnel duties, OPM handles the sensitive personal information of anyone who holds a position involving national security or law enforcement, from the federal courts to the Defense Department.
In 2015, OPM repelled over 10 million attempts per month to hack its networks. An advanced adversary broke past OPM’s perimeter defenses, moved laterally throughout the internal network, and found the servers that held the nation’s most sensitive data regarding U.S. government personnel. How? The intruders gained a foothold on a low-value server. Once inside the network, they began to steal credentials, eventually stealing those of a system administrator. From there they used trial and error to find the credentials required to implant malware on the “jumpbox,” a key server within the OPM network that connected to many other servers across the data center. By controlling the jumpbox, the intruders gained access to every part of OPM’s digital terrain.
The intruders were inside OPM’s networks for months and the jumpbox held the keys to the kingdom. From there the Chinese gained access to some of the United States’ crown jewels: all of the personally identifiable information for 21.5 million employees across the U.S. federal government.
The OPM hack is one of the most well-known cases of an intruder gaining open access to an organization’s crown jewels by moving laterally throughout a network. But it is a common story. In 2013, a hostile actor stole over 11 gigabytes of private data for 70 million Target customers. The intruder began by conducting reconnaissance through open source reporting of Target’s point-of-sale system, ran a phishing campaign against a refrigeration company contracted by Target (from which the intruder stole credentials and gained access to Target’s network), and broke into a low-value server of the refrigeration company. Once inside Target’s network, the intruder moved laterally throughout the data center until they made their way to a server holding mass quantities of customer data.
Like the OPM intrusion, the Target intrusion could have been limited had Target implemented micro-segmentation across its data centers and cloud environments. Similar stories play out in every instance in which an advanced intruder breaks into an insecure cloud or data center environment. The 2018 hack of the Singaporean healthcare provider SingHealth involved a nearly identical problem, and the attacker gained access to a treasure trove of data.
The Call for Micro-Segmentation
At its most basic level, the goal of micro-segmentation is to put walls around vital applications to segment them away from the rest of the cloud environment or data center (and therefore to put some distance between an organization’s vital applications, its “crown jewels,” and the open internet). Cybersecurity is partly a statistical problem for the defender. A government organization like OPM has to have its perimeter defenses set to defend itself correctly millions of times per month and hundreds of millions of times per year. Yet an intruder only has to get it right once to break in and gain access to an organization’s crown jewels. Micro-segmentation assumes that at some point you are going to be breached. It establishes an internal defense to prevent breaches from spreading.
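As an added illustration (not code from the book), the following Python models the "assume breach" idea: a constructed inventory of hosts labelled by role, a flat allow-everything policy beside a default-deny micro-segmentation policy, and the set of hosts an intruder could reach by lateral movement from a compromised low-value web server under each. Host names, roles, ports and rules are assumptions for the example.

```python
from collections import deque

# Constructed inventory: host -> role. Names are hypothetical.
HOSTS = {
    "web-01": "web",
    "app-01": "app",
    "jumpbox": "admin",
    "hr-db": "crown-jewel",
    "build-01": "dev",
}

# Flat network: any host may talk to any host on any port.
FLAT_POLICY = [("*", "*", "*")]

# Micro-segmentation: default deny, plus only the flows each
# application actually needs, as (src_role, dst_role, port).
SEGMENTED_POLICY = [
    ("web", "app", 8443),
    ("app", "crown-jewel", 5432),
    ("admin", "crown-jewel", 22),
]

def allowed(policy, src_role, dst_role, port):
    """True if some rule permits the flow; otherwise default deny."""
    for s, d, p in policy:
        if s in ("*", src_role) and d in ("*", dst_role) and p in ("*", port):
            return True
    return False

def blast_radius(policy, hosts, foothold):
    """Hosts an intruder could reach by hopping along allowed flows
    from a compromised foothold, trying every port the policy names
    plus a few common admin ports."""
    ports = {p for _, _, p in policy if p != "*"} | {22, 445, 3389}
    reached, queue = {foothold}, deque([foothold])
    while queue:
        src = queue.popleft()
        for dst in hosts:
            if dst not in reached and any(
                allowed(policy, hosts[src], hosts[dst], p) for p in ports
            ):
                reached.add(dst)
                queue.append(dst)
    reached.discard(foothold)
    return sorted(reached)

if __name__ == "__main__":
    print("flat:     ", blast_radius(FLAT_POLICY, HOSTS, "web-01"))
    print("segmented:", blast_radius(SEGMENTED_POLICY, HOSTS, "web-01"))
```

Under the segmented policy the jumpbox and unrelated hosts are unreachable from the foothold, but the database is still reachable along the application's own legitimate web-to-app-to-database path, which is why segmentation rules must be scoped to exactly the roles and ports each application needs.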
Micro-segmentation provides a deep foundation for cyber resilience within a suite of cybersecurity investments that an organization can make, from multi-factor authentication to malware detection to encryption. Installing micro-segmentation software on key enterprise applications improves their security posture, but for critical infrastructure, it also improves the overall cybersecurity and health of the nations that it serves.
Securing the perimeter is not enough. Today organizations need to be secure beyond breach. That’s what micro-segmentation is about.
This first chapter explains the benefits of micro-segmentation for companies and countries, describes how it helps keep intruders from gaining access to critical data, and recommends that companies take the next step in their cybersecurity journey by securing their interior. From this point forward, the book explains how organizations can implement an effective micro-segmentation strategy across their network enterprise.
Protecting the crown jewels
History shows that it is not a question of if but when an intruder will break through an organization’s network defenses. This is what people mean when they say “assume breach.” Security capabilities like multi-factor authentication and firewalls help keep intruders out by securing the perimeter and closing off points of entry wherever possible. Perimeter defenses and internal analytic tools won’t help secure an organization if an intruder breaks in, however, and absent an internal defense the intruder will move laterally throughout a cloud environment.
Prioritization matters for any effective security strategy, but especially when it comes to protecting an organization’s most important data. Consider the analogy of a country. Within any nation-state, some organizations matter more for national security than others; public health, safety, finance, energy, and military organizations often fall under “critical infrastructure” and deserve extra cybersecurity protections. Since 2012, the United States government has regularly conducted an annual survey to identify the most cyber-vulnerable organizations in the country, and those organizations fall under a designation known as the “Section 9” list.
By analogy, every organization has its “crown jewels” within the information technology and data infrastructure that are vital to the organization’s overall mission. For OPM, the crown jewels were the database and data for the national security community of the United States. In the United States’ nuclear enterprise, they could be the data that underpins national communications and command and control to maintain deterrence and ensure stability. For Target, the crown jewels were the database that held credit card information for 70 million customers. The security of all this vital data can impact the well-being of organizations and countries, so it needs extra protection in case perimeter defenses fail.