Security Infrastructure

Why You Should Put a GPS Tracker on Your Turtle

When the Executive Board Asks You Where Your Turtle Is, Will You Be Able to Answer Immediately and With Confidence?

I was outsmarted by a box turtle when I was a boy.

I caught the turtle down by the creek. (Is caught really the right word? It’s not like I ran it down, after all. I just walked up to it and grabbed it by the shell.) My dad had some chicken wire and posts left over from a garden fencing project so I improvised a pen for my new pet. The next morning, I went out and the turtle had broken out of his cage by sheer force, pushing his shell under the wire. Fortunately, being a turtle, he (she?) had bolted a full five feet. So I dug the wire down into the ground six inches; the turtle dug deeper and escaped again. Then I wired a bottom to the cage; the turtle gnawed through the wire—it took a couple of days, but it made off yet again. What next, would it find a way to jump out of the pen?

The point is that a creature barely evolved since the dinosaurs, with a brain capable of only two thoughts, “Yum! Lettuce!” and “Yikes! Retract!”, won against a homo sapiens. Why? Because I had things to do and a full calendar (albeit one of throwing rocks at random things and running after the ice cream truck), but the turtle had nothing but time and a dogged persistence.

We find ourselves in the same situation as security professionals, where we have project deadlines to meet and are either running around chanting “grow or die!” or being chased by executives shouting the same at us. But the bad guys are not under pressure to break through the security protection measures we put in their way; much like the turtle, they can nip away at the wire until they succeed. Granted, they’re breaking in and the turtle was breaking out (and I hope you don’t imprison your employees—physically, anyway. Unless you work in a prison), but it doesn’t change the principle. In fact, it works out the same when we consider insider threats. And while the malicious actors may in fact have job deadlines and soccer practices to drive kids to or whatever, their hacking activities are usually free of time pressure; it’s more like a hobby in that sense.

So we set and forget. Vendor X asserts that their security technology is a must-have component in a defense in depth strategy; consultant Y informs us the penetration test came up free of critical vulnerabilities and we just need to throw some endpoint protection on our systems; government organization Z tells us to implement the controls in the shiniest new compliance guidance. These all become projects with milestones and resources and costs, and we fund, staff, and execute them. Meanwhile the malefactors are nibbling away. X, Y, and Z may force them to change wires, but there are always new wires to try.

So what’s a frazzled CISO or security architect to do? The US government found itself in the same position a couple of years ago. The GAO (Government Accountability Office) noted that the result of existing compliance and auditing was rooms and rooms filled with paper that was outdated by the time someone tipped the day’s worth of reports off the dolly. Thus the birth of FISMA 2.0 and Information Systems Continuous Monitoring (ISCM). In essence, what the GAO and other federal lawmakers are saying is that, while it’s important to put technical security controls in place, you have to monitor them continuously for effectiveness and evolve the controls to keep pace with ever-evolving threats.

In the case of my turtle, if I had the technology (and money) back then, I would have outfitted the cage with infrared surveillance cameras that send an alert when they detect a turtle-shaped heat signature (yes, they have a heat signature even though they’re cold-blooded) outside the perimeter, and maybe a GPS tracking device on the turtle—a reptilian ankle bracelet, so to speak. Maybe even circuit continuity to detect when a wire is gnawed through. That’s continuous monitoring terrapin-style.

Of course, we’re in information security, which is scads more complicated than monitoring an animal that drags its mobile home around wherever it goes. On one hand we’re concerned about tracking the activities of the bad guys, and that’s essential to be sure, but continuous monitoring is really about ensuring your assets are prepared, and not just at a moment in time.


For example, VA (Vulnerability Assessment) scanners are necessary and useful for profiling assets, but they only run every so often. In a large organization, it may take weeks or months to make a full cycle of the assets; a lot can change in that period of time. This is exacerbated by today’s mobile nature of assets: while some are static, like servers with fixed IP addresses and specialized purposes—the turtles of the information infrastructure—others like user laptops, mobile phones, and tablet computers, are connected to the corporate network one day and flit around like hummingbirds only to pop up the next halfway around the world through a VPN.

Configuration management suffers the same point-in-time problem. Your CMDB (configuration management database) contains the gold master definition of how your servers must be hardened, the rules in your firewalls or router ACLs, and the configuration mandates for end-user laptop system software and applications. Some configuration management solutions install agents on the endpoints to monitor them in real-time, but many take the same approach as VA scanners and poll asset configuration on a scheduled basis.

It turns out you probably have more than half of what you need already in terms of security infrastructure, especially if you bought into the defense-in-depth strategy; now it just needs to be glued together with security intelligence. For example, when an event from a firewall signals that a change was made to its rules, it’s time to initiate a configuration audit against your CMDB baseline: did the change expose PII in clear text outside of the protected infrastructure? Quick! Alert your risk management folks and shut down FTP to that customer data. Did a new asset pop up on the network, or did an asset not known to have a DNS service running on it suddenly start responding to name queries? Network flow monitoring, especially with application detection capability, can alert you in real time.
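The two triggers described above (a firewall rule-change event kicking off a baseline audit, and flow records revealing unknown assets or unexpected services) as an added example; this is not code from the column, and the CMDB baseline, firewall rules and flow records are constructed sample data.

```python
import ipaddress

# Constructed CMDB baseline (hypothetical): each asset and the services it is approved to serve.
CMDB_BASELINE = {
    "10.0.1.10": {"tcp/443"},           # web front end
    "10.0.1.53": {"udp/53", "tcp/53"},  # the only authorized DNS server
    "10.0.2.20": {"tcp/22"},            # customer-data host: SFTP over SSH only
}
PROTECTED_NET = ipaddress.ip_network("10.0.2.0/24")  # segment holding customer PII
CLEAR_TEXT = {"tcp/21", "tcp/23", "tcp/80"}           # FTP, Telnet, HTTP: PII would cross in the clear
# Constructed firewall baseline as (src, dst, service, action) tuples.
FIREWALL_BASELINE = {
    ("0.0.0.0/0", "10.0.2.0/24", "tcp/443", "allow"),
    ("10.0.0.0/8", "10.0.2.0/24", "tcp/22", "allow"),
}

def audit_firewall_change(current_rules):
    """Run on a rule-change event: diff live rules against the baseline and flag any new
    rule that lets a clear-text protocol reach the protected segment."""
    findings = []
    for src, dst, svc, action in sorted(set(current_rules) - FIREWALL_BASELINE):
        dst_net = ipaddress.ip_network(dst)
        exposed = dst_net.subnet_of(PROTECTED_NET) or PROTECTED_NET.subnet_of(dst_net)
        if action == "allow" and svc in CLEAR_TEXT and exposed:
            findings.append(f"CRITICAL: unapproved rule exposes {svc} from {src} to {dst}")
        else:
            findings.append(f"NOTICE: rule drift, not in baseline: {src}->{dst} {svc} {action}")
    return findings

def check_flows(flows):
    """Run over flow records (server side = dst): alert on assets the CMDB does not know,
    and on known assets answering on a service outside their approved profile."""
    findings = []
    for f in flows:
        svc = f"{f['proto']}/{f['dport']}"
        if f["dst"] not in CMDB_BASELINE:
            findings.append(f"ALERT: unknown asset {f['dst']} serving {svc} to {f['src']}")
        elif svc not in CMDB_BASELINE[f["dst"]]:
            findings.append(f"ALERT: {f['dst']} serving {svc} not in its CMDB profile")
    return findings

# Constructed sample inputs: the live rule set after a change, and a few flow records.
LIVE_RULES = FIREWALL_BASELINE | {("0.0.0.0/0", "10.0.2.20/32", "tcp/21", "allow")}
FLOWS = [
    {"src": "10.0.5.7", "dst": "10.0.1.53", "proto": "udp", "dport": 53},   # normal DNS
    {"src": "10.0.5.7", "dst": "10.0.1.10", "proto": "udp", "dport": 53},   # web server answering DNS
    {"src": "10.0.5.9", "dst": "10.0.9.99", "proto": "tcp", "dport": 445},  # asset nobody registered
]
```

Running `audit_firewall_change(LIVE_RULES)` raises a CRITICAL finding for the FTP rule into the customer-data host, and `check_flows(FLOWS)` flags the web server answering DNS and the unregistered asset while the authorized resolver stays quiet.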

Now that you know the benefits of continuous monitoring, you have to choose wisely when filling the gaps in your security infrastructure. Do you want to buy the risk management platform that only knows how to pull firewall and router configurations every 12 hours, or one that’s integrated out of the box with network activity monitoring? It’s not just automation that you gain, but 360-degree visibility for analytic context at any given moment and post-incident forensics for immediate impact analysis.

When the executive board asks you where your turtle is, will you be able to answer immediately and with confidence or will you, well…turn turtle?
