It was about 3 in the morning when the phone’s ringtone blasted into my sleep with an urgency that sat me bolt upright in bed. I stumbled to find my face-down iPhone to discover the emergency that could possibly be important enough to cause a call at this hour. One of my kids? Parents?
“What is it?”
“We’ve been breached. They got everything.”
Fortunately, that hasn’t happened to me. But, I think about it. I measure the likelihood every day. I put in place processes and systems to limit my exposure. But, I do so because I recognize that it’s possible, and I don’t want to get that call.
The biggest challenge with networks today is the interconnected complexity. The very characteristics that make them reliable and resilient also make them very difficult to comprehend. Early in the Internet era, we put a single firewall at the edge of the network connecting our enterprise to the big, bad world. Today, we have dozens of Internet connections, connections to customers and suppliers, connections for employees to connect to the corporate network, guest networks, and pockets of the network intended to have limited access from the rest of the network. These are all interconnected with multiple links to multiple subnetworks, routers, firewalls, and load balancers each with their own configurations that may or may not reflect our intentions at any given moment in time.
How do we know?
How do you know?
The recent public analysis of point-of-sale breaches indicates the level of intricacy attacks have reached: using an initial, externally-accessible vulnerability, the attackers breached a server. Using that system as a jump server, the attackers pushed malware to point-of-sale systems. That malware collected pre-encrypted customer information and placed it on a commandeered server (either the same server or a different one; the specifics aren’t clear on this point), and from that server, the data was transferred in bulk to a destination in Russia.
To be clear, these attacks were carried out on organizations that invest in network and systems security. But, somehow, they couldn’t see this potential attack path. Analyzing how they missed it will help you avoid their experience.
First and most importantly, you cannot possibly see the potential for a multistep attack without a holistic view of your network and access across the entire infrastructure. If, for instance, there are paths through routers that circumvent firewalls, knowing that your firewalls provide the exact controls you intend will simply leave you with a false sense of security: your network can be breached by going around them! Furthermore, you need to analyze the as-built network (what your devices are really doing in concert with each other) rather than your intended “as-designed” network. Using analysis tools, I have yet to see a single network that doesn’t have at least one major unintended issue, ranging from external access directly into the network to default usernames and passwords on network devices.
In addition, networks are not static. They change. Tomorrow, your network will be different – perhaps by a little, perhaps by a lot – than it is today.
How will you know?
The most effective answer is automation. You have to collect the real, current state of your network configurations, analyze them in context, determine whether or not the results match your intentions, and then report and remediate based on the findings.
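To make the two points above concrete (paths that go around a firewall, and default credentials left on devices), here is a small, added example of the kind of check such automation performs. It is not code from the original post or from any product the author describes; the topology, device names, configuration values and the list of default credentials are all constructed for illustration. It models the as-built network as a directed graph, enumerates every path from the external zone to the point-of-sale zone, and flags the ones that never traverse a firewall, then scans the collected device configurations for default username/password pairs.

```python
"""Added example (not from the original post): an as-built reachability
and credential audit over a constructed network model.

Intent being verified: the point-of-sale LAN must only be reachable from
the Internet through the edge firewall, and no device may still carry a
vendor default credential."""
from typing import Dict, List, Set, Tuple

# Constructed topology: device -> neighbours it can forward traffic to.
# Every name and link here is invented for the example.
LINKS: Dict[str, List[str]] = {
    "internet": ["edge-fw", "partner-rtr"],
    "edge-fw": ["core-rtr"],
    "partner-rtr": ["core-rtr"],   # supplier link lands on the core, bypassing edge-fw
    "core-rtr": ["pos-rtr", "dmz-sw"],
    "pos-rtr": ["pos-lan"],
    "dmz-sw": ["web-srv"],
    "web-srv": [],
    "pos-lan": [],
}

# Devices that actually enforce policy; everything else just forwards.
FIREWALLS: Set[str] = {"edge-fw"}

# Constructed management credentials pulled from each device's config.
CONFIGS: Dict[str, Dict[str, str]] = {
    "partner-rtr": {"username": "admin", "password": "admin"},
    "core-rtr": {"username": "netops", "password": "S3cure!Rtr"},
    "pos-rtr": {"username": "cisco", "password": "cisco"},
}

# Constructed list of well-known default pairs to look for.
DEFAULT_CREDS: Set[Tuple[str, str]] = {
    ("admin", "admin"), ("cisco", "cisco"), ("admin", "password"),
}


def all_paths(src: str, dst: str, links: Dict[str, List[str]]) -> List[List[str]]:
    """Enumerate every simple (loop-free) path from src to dst with a DFS."""
    paths: List[List[str]] = []
    stack = [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in links.get(node, []):
            if nxt not in path:          # avoid cycles
                stack.append((nxt, path + [nxt]))
    return sorted(paths)


def unfiltered_paths(src: str, dst: str, links: Dict[str, List[str]],
                     firewalls: Set[str]) -> List[List[str]]:
    """Paths from src to dst that never pass through any firewall."""
    return [p for p in all_paths(src, dst, links) if not set(p) & firewalls]


def default_credential_devices(configs: Dict[str, Dict[str, str]],
                               defaults: Set[Tuple[str, str]]) -> List[str]:
    """Devices whose configured management credential is a known default."""
    return sorted(name for name, cfg in configs.items()
                  if (cfg["username"], cfg["password"]) in defaults)


def audit(links: Dict[str, List[str]], firewalls: Set[str],
          configs: Dict[str, Dict[str, str]],
          external: str = "internet", sensitive: str = "pos-lan") -> dict:
    """Run both checks and return the findings as data for reporting."""
    return {
        "bypass_paths": unfiltered_paths(external, sensitive, links, firewalls),
        "default_creds": default_credential_devices(configs, DEFAULT_CREDS),
    }


if __name__ == "__main__":
    findings = audit(LINKS, FIREWALLS, CONFIGS)
    for path in findings["bypass_paths"]:
        print("FIREWALL BYPASS:", " -> ".join(path))
    for device in findings["default_creds"]:
        print("DEFAULT CREDENTIAL:", device)
```

Run against the constructed model, the audit reports one bypass (internet via partner-rtr to the core and on to pos-lan, never touching edge-fw) and two devices with default credentials. In practice the `LINKS` and `CONFIGS` inputs would be generated from the collected running configurations and routing tables rather than typed in, which is exactly the "collect, analyze, compare to intent" loop the paragraph describes.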
I have found only one way to do this. There are many solutions that will help you look at devices one-by-one, but only one network infrastructure security management system provides you an end-to-end view of your network, measures the implications of vulnerabilities within your network, and communicates the reality of whether or not your network provides you with the segmentation and isolation you intend.
Automate, and avoid that 3am phone call.
For more from Steve, you can follow him on Twitter @shultquist.