Traveling Back to the Age of Firewalls
Let’s step back in time 20 years, to 2001, when Microsoft shipped ICF, the Internet Connection Firewall, with Windows XP. At the time this was quite revolutionary: firewalls were mainly used to protect sensitive data center servers and other infrastructure, not individual desktops.
These were the days when endpoint protection meant a firewall plus antivirus software that one had to run manually, at whatever frequency one remembered. These were the days of plain HTTP, and PKI was still in its infancy.
Lock the Trailer Door
The world has changed since then. We have bought a trailer!
Consider the following scenario.
Joe Bloggs lives in a reasonably high crime area. He has a fence and gates around his house, but his front yard is too small for his trailer that is parked outside in the street. Obviously, Joe wants to protect his property.
He starts with his trailer and puts all necessary locks and security features on the trailer. Then he puts strong deadlocks on the gate and front door and motion-detection security cameras around the perimeter. Inside the house Joe puts a safe and locks in the doors between the rooms.
Joe does not leave his trailer unlocked with keys in the ignition. He does not keep a spare set of house keys in the trailer either. Joe also does not open the door without looking at who is at the door. He is very careful with which tradespeople he lets inside the house, and when he does let tradespeople in, he does not leave them unsupervised. Joe keeps valuables in the safe and does not leave them just laying around.
This all looks reasonable – doesn’t it?
Leaving the ICT Ecosystem Exposed
Well, if we see this as reasonable in our day-to-day life, then why do we so often refuse to apply the same logic to our high-value ICT ecosystems?
The trailer that sits outside the fence and is visible to everyone is your organization’s web presence, which obviously needs to be secured adequately. So, why do so many organizations leave their “trailer” (and in fact multiple “trailers”) unlocked, with a set of spare house keys inside (read – credentials and internal connection details sitting on internet-facing systems)?
The fence, gate and cameras are your organization’s internet ingress/egress points, firewalls (or similar appliances) and EDR, and they need to offer adequate protection for your organization. Do you check the tradespeople (read – email, files, removable media) that come to your organization, and do you supervise them while they are inside? How good are the fence and the locks? If you never watch what your motion-detection cameras show (read – the alerts your EDR and monitoring produce), or are too tired of false positives to look, you can’t expect a good outcome. Similarly, if you don’t patch holes in your fence and don’t replace broken locks, the outcome is not likely to be good either.
Now, on to your organization’s valuables. Are they being left outside the safe (read – unencrypted, or readable by far more accounts than need them)? Are the doors between the rooms locked (read – Zero Trust Architecture, ZTA: segmentation and per-request authorization instead of implicit trust inside the network)?
This may be an overly simplified picture.
Asking the Bigger Question
But this picture raises a question: why don’t we start practically applying an evolutionary approach, moving from the concept of perimeter security to the concept of concentric rings, or a security-in-depth paradigm? It is by no means a new paradigm. It has been used successfully for home security and is starting to be defined for cybersecurity.
Although there have been multiple attempts to define some kind of framework for this (for example, “The Concentric Circles of Protection”, “Security in Depth” or “Layered Security”), there is still a widespread and common misconception that a perimeter security control will stop a threat at the perimeter, before it can reach its target.
An underlying principle of Concentric Circles of Protection is the use of multiple rings or layers of security. The first layer is located at the boundary of the site, and additional layers are provided as you move inward through the building toward the high-value assets.
Rather than placing full reliance on a single layer of defense, these layers require an intruder to penetrate a series of them to reach his goal. The more layers that exist between the outside world and a high-value asset, the better the security, provided the layers are independent: the key that opens the gate must not also open the safe, or the layers collapse into one. The Concentric Circles of Protection concept is similar to the “multiple lines of defense” strategy employed by many military planners.
Security by Design
Layered Security is a design concept. It is one of the concepts included in Crime Prevention Through Environmental Design (CPTED), which originated in the United States in the 1960s and early 1970s, when urban renewal strategies were felt to be destroying the social framework needed for self-policing. Its first illustration in Facilities Physical Security Measures, the recently released ASIS guideline, presents a simple, three-layered security concept:
• Outer Protective Layer – e.g. natural or man-made barriers at the property line
• Middle Protective Layer – e.g. the exterior of the building
• Inner Protective Layer – e.g. doors within the building
These early attempts offer a thought leadership foundation and point us in the right direction.
However, there are a number of obstacles on this path that we need to overcome to achieve effective practical application of the framework once it is fully developed.
One of the most overlooked and unaddressed issues is the complexity of the ICT ecosystems in large enterprises. It is mentioned (though not very strongly) in NISTIR 8286A – Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management:
2.2.3.3 Vulnerability Identification Automation
The complexity and interconnection of technology results in many thousands of potential vulnerabilities.
I would say that “many thousands” is actually a huge underestimation. For example, I am aware of a large enterprise with over 2 million critical and high vulnerabilities that are the result of the complexity of the enterprise’s ICT ecosystem.
This particular issue has three aspects.
The first aspect is that complexity grows combinatorially (not linearly) with size. The number of possible pairwise interdependencies among n components is n(n-1)/2, so moving from an ecosystem with 10 components (45 possible pairs) to an ecosystem with 100 components (4,950 possible pairs) is roughly a 110x increase in potential interdependencies, not 10x, and thus has huge potential for a “spaghetti plate”: you move something here and unexpectedly something else moves elsewhere. This significantly impacts the complexity and cost of operations and quite often results in operational disruptions. I have personally witnessed how patching or fixing just one of the components breaks the operation of the whole ecosystem or creates other vulnerabilities elsewhere.
The second aspect is that complex ICT ecosystems evolve over time, creating significant interoperability issues and presenting a dilemma: retain operational stability and sacrifice patching, or go through a complex (and often expensive and lengthy) upgrade program in order to maintain a correct cybersecurity posture.
I have seen enough post-EOL components in large ICT ecosystems that can no longer be patched.
The third aspect has surfaced in the wake of the recent supply chain attacks: the more components an ICT ecosystem contains, the more suppliers it depends on, and the higher the risk of becoming a victim of a supply chain attack. The full trust that organizations used to place in reputable software suppliers like Adobe, SolarWinds and Accellion is no longer justified; it is time to accept that any software supplier can be used to stage a supply chain attack, and that what such an attack can reach is determined by where the supplier’s component sits in your ecosystem, not by the supplier’s reputation.
The bottom line is that the current level of complexity of ICT ecosystems in large enterprises is unsustainable, and we need to begin addressing the elephant in the room now.
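To make the first and third aspects concrete, here is an added example that is not part of the original article: it models an ICT ecosystem as a directed dependency graph and computes, for any component, the set of components that transitively depend on it. That one set answers both questions raised above, what may break when the component is patched, and what a compromised build of it delivered through the supply chain can reach. The component names and their dependencies are constructed for illustration, as is the n(n-1)/2 count of potential pairwise interdependencies; a real ecosystem would be loaded from a CMDB or SBOM export.

```python
"""Dependency-graph view of ICT ecosystem complexity (constructed example)."""
from collections import deque


def potential_interdependencies(n: int) -> int:
    """Distinct pairs of components that could depend on each other: n(n-1)/2."""
    return n * (n - 1) // 2


# Constructed ecosystem (hypothetical names): key -> components it depends on.
ECOSYSTEM = {
    "web-portal":    ["app-server", "cdn"],
    "app-server":    ["auth-service", "db", "logging-agent"],
    "auth-service":  ["db", "ldap"],
    "reporting":     ["db", "app-server"],
    "batch-jobs":    ["db", "file-transfer"],
    "file-transfer": ["logging-agent"],
    "monitoring":    ["logging-agent"],
    "db": [],
    "cdn": [],
    "ldap": [],
    "logging-agent": [],
}


def dependents(graph: dict) -> dict:
    """Invert the graph: component -> set of components that depend on it directly."""
    rev = {c: set() for c in graph}
    for comp, deps in graph.items():
        for d in deps:
            rev.setdefault(d, set()).add(comp)
    return rev


def blast_radius(graph: dict, component: str) -> set:
    """Every component that transitively depends on `component`.

    Breadth-first walk over the inverted graph. The result is both the set of
    things a patch to `component` can break and the set a compromised build of
    `component` can reach; the component itself is not included.
    """
    rev = dependents(graph)
    seen, queue = set(), deque([component])
    while queue:
        current = queue.popleft()
        for upstream in rev.get(current, ()):
            if upstream not in seen:
                seen.add(upstream)
                queue.append(upstream)
    return seen


def rank_by_blast_radius(graph: dict) -> list:
    """(reach, component) pairs, widest reach first: where to look before patching."""
    return sorted(((len(blast_radius(graph, c)), c) for c in graph), reverse=True)


if __name__ == "__main__":
    for n in (10, 100):
        print(f"{n:>3} components -> {potential_interdependencies(n):>5} potential pairs")
    for reach, comp in rank_by_blast_radius(ECOSYSTEM):
        print(f"{comp:<14} reaches {reach} component(s): {sorted(blast_radius(ECOSYSTEM, comp))}")
```

Note that the widest reach in the constructed graph belongs to the low-profile logging-agent, not to the web portal that everyone can see from the street; ranking by blast radius is a cheap way to find the third-party components whose integrity and update channel deserve the closest scrutiny.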
What Can Be Done?
One can look at several pragmatic steps. The first step is to start practically applying the concentric circle cybersecurity paradigm. The second step is more complex and lengthier: start conscious (and ruthless) work towards the simplification of our ICT ecosystems, and refuse the integration of new and shiny point solutions unless they are deemed absolutely business-critical for the organization.
Review and simplify the enterprise architecture. Some advocate the Zero Trust model popularized by John Kindervag; this will help with the simplification of your ICT ecosystem, which in turn will become the foundation of a well-designed and well-implemented concentric rings security paradigm and the beginning of a cybersecurity defence model that will outperform our current approach.