When the Executive Board Asks You Where Your Turtle Is, Will You Be Able to Answer Immediately and with Confidence?
I was outsmarted by a box turtle when I was a boy.
I caught the turtle down by the creek. (Is caught really the right word? It’s not like I ran it down, after all. I just walked up to it and grabbed it by the shell.) My dad had some chicken wire and posts left over from a garden fencing project so I improvised a pen for my new pet. The next morning, I went out and the turtle had broken out of his cage by sheer force, pushing his shell under the wire. Fortunately, being a turtle, he (she?) had bolted a full five feet. So I dug the wire down into the ground six inches; the turtle dug deeper and escaped again. Then I wired a bottom to the cage; the turtle gnawed through the wire—it took a couple of days, but it made off yet again. What next, would it find a way to jump out of the pen?
The point is that a creature barely evolved since the dinosaurs and with a brain capable of only two thoughts, “Yum! Lettuce!” and “Yikes! Retract!” won against a Homo sapiens. Why? Because I had things to do and a full calendar, albeit one of throwing rocks at random things and running after the ice cream truck, while the turtle had nothing but time and a dogged persistence.
We find ourselves in the same situation as security professionals, where we have project deadlines to meet and are either running around chanting “grow or die!” or being chased by executives shouting the same at us. But the bad guys are not under pressure to break through the security protection measures we put in their way; much like the turtle, they can nip away at the wire until they succeed. Granted, they’re breaking in and the turtle was breaking out (and I hope you don’t imprison your employees, physically anyway, unless you work in a prison), but that doesn’t change the principle. In fact, it works out the same when we consider insider threats. And while the malicious actors may in fact have job deadlines and soccer practices to drive kids to or whatever, their hacking activities are usually free of time pressure; it’s more like a hobby in that sense.
So we set and forget. Vendor X asserts that their security technology is a must-have component in a defense in depth strategy; consultant Y informs us the penetration test came up free of critical vulnerabilities and we just need to throw some endpoint protection on our systems; government organization Z tells us to implement the controls in the shiniest new compliance guidance. These all become projects with milestones and resources and costs, and we fund, staff, and execute them. Meanwhile the malefactors are nibbling away. X, Y, and Z may force them to change wires, but there are always new wires to try.
So what’s a frazzled CISO or security architect to do? The US government found itself in the same position a couple of years ago. The GAO (Government Accountability Office) noted that the result of existing compliance and auditing was rooms and rooms filled with paper that was outdated by the time someone tipped the day’s worth of reports off the dolly. Thus the birth of FISMA 2.0 and Information Security Continuous Monitoring (ISCM). In essence what the GAO and other federal bodies are saying is that, while it’s important to put technical security controls in place, you have to monitor them continuously for effectiveness and evolve the controls to keep pace with ever-evolving threats.
In the case of my turtle, if I had the technology (and money) back then, I would have outfitted the cage with infrared surveillance cameras that send an alert when they detect a turtle-shaped heat signature (yes, they have a heat signature even though they’re cold-blooded) outside the perimeter, and maybe a GPS tracking device on the turtle—a reptilian ankle bracelet, so to speak. Maybe even circuit continuity to detect when a wire is gnawed through. That’s continuous monitoring terrapin-style.
Of course, we’re in information security, which is scads more complicated than monitoring an animal that drags its mobile home around wherever it goes. On one hand we’re concerned about tracking the activities of the bad guys, and that’s essential to be sure, but continuous monitoring is really about ensuring your assets are prepared, and not just at a moment in time.
For example, VA (Vulnerability Assessment) scanners are necessary and useful for profiling assets, but they only run every so often. In a large organization, it may take weeks or months to make a full cycle of the assets, and a lot can change in that period of time. This is exacerbated by the mobile nature of today’s assets: while some are static, like servers with fixed IP addresses and specialized purposes—the turtles of the information infrastructure—others, like user laptops, mobile phones, and tablet computers, are connected to the corporate network one day and flit around like hummingbirds, only to pop up the next day halfway around the world through a VPN.
Configuration management suffers the same point-in-time problem. Your CMDB (configuration management database) contains the gold master definition of how your servers must be hardened, the rules in your firewalls or router ACLs, and the configuration mandates for end-user laptop system software and applications. Some configuration management solutions install agents on the endpoints to monitor them in real-time, but many take the same approach as VA scanners and poll asset configuration on a scheduled basis.
It turns out you probably have more than half of what you need already in terms of security infrastructure, especially if you bought into the defense-in-depth strategy; now it just needs to be glued together with security intelligence. For example, when an event from a firewall signals that a change was made to its rules, it’s time to initiate a configuration audit against your CMDB baseline: did the change expose PII in clear text outside of the protected infrastructure? Quick: alert your risk management folks and shut down FTP to that customer data. Did a new asset pop up on the network, or did an asset not known to have a DNS service running on it suddenly start responding to name queries? Network flow monitoring, especially with application detection capability, can alert you in real time.
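To make the two triggers above concrete, here is an added example (not code from the original post or from any vendor product it mentions) of the glue logic: a firewall rule-change event kicks off an audit of the new ruleset against a CMDB-style baseline, and flow records are checked against the asset inventory for hosts answering on services nobody registered. The baseline (a PII zone of 10.20.0.0/16, trusted ranges of 10.0.0.0/8 and 192.168.0.0/16, and a list of cleartext ports), the inventory, the rules and the flow records are all constructed for illustration; in practice they would come from your CMDB, firewall syslog and flow collector.

```python
"""Event-driven configuration audit plus flow-based service discovery.

Constructed example: none of the addresses, rules or flows are real. The
baseline dictionaries stand in for what a CMDB would hold.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# --- Baseline that would normally live in the CMDB (constructed) ----------
PII_ZONE = ip_network("10.20.0.0/16")          # where customer PII lives
TRUSTED = [ip_network("10.0.0.0/8"),           # a source outside these
           ip_network("192.168.0.0/16")]       # ranges is "untrusted"
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

# Asset inventory: host -> services it is authorized to serve (constructed).
INVENTORY = {
    "10.20.1.10": {53},      # the one authorized DNS resolver
    "10.20.1.20": {443},     # web front end, HTTPS only
}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR of permitted sources
    dst: str      # CIDR of destinations
    dport: int    # destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    reply_bytes: int   # >0 means the destination actually answered


def is_untrusted(cidr):
    """A source network is untrusted unless it sits wholly inside a trusted range."""
    net = ip_network(cidr)
    return not any(net.subnet_of(t) for t in TRUSTED)


def audit_rule_change(rules, pii_zone=PII_ZONE, cleartext=CLEARTEXT_PORTS):
    """Run on a firewall config-change event. Return every allow rule that
    lets an untrusted source reach a cleartext protocol inside the PII zone."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dport not in cleartext:
            continue
        if is_untrusted(r.src) and ip_network(r.dst).overlaps(pii_zone):
            findings.append((r, cleartext[r.dport]))
    return findings


def detect_unexpected_services(flows, inventory=INVENTORY):
    """Flag destinations that *answered* on a port the inventory does not list,
    including hosts the inventory has never seen. Flows with no reply bytes are
    ignored: a scan against a closed port is not a new service."""
    alerts = set()
    for f in flows:
        if f.reply_bytes <= 0:
            continue
        expected = inventory.get(f.dst)
        if expected is None:
            alerts.add((f.dst, f.dport, "unknown asset"))
        elif f.dport not in expected:
            alerts.add((f.dst, f.dport, "unlisted service"))
    return sorted(alerts)


# --- Constructed input: the ruleset after a change, and a batch of flows -----
NEW_RULES = [
    Rule("allow", "0.0.0.0/0", "10.20.1.20/32", 443),   # pre-existing, fine
    Rule("allow", "10.0.0.0/8", "10.20.0.0/16", 21),    # internal FTP, tolerated
    Rule("allow", "0.0.0.0/0", "10.20.0.0/16", 21),     # the new rule: FTP from anywhere
    Rule("deny", "0.0.0.0/0", "10.20.0.0/16", 23),      # deny rules never expose
]

SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.20.1.10", 53, 120),   # resolver doing its job
    Flow("10.0.5.7", "10.20.1.20", 53, 96),       # web server answering DNS?!
    Flow("10.0.5.8", "10.20.9.99", 22, 1500),     # host the CMDB never heard of
    Flow("10.0.5.9", "10.20.1.20", 21, 0),        # probe, no answer: ignore
]

if __name__ == "__main__":
    for rule, proto in audit_rule_change(NEW_RULES):
        print(f"EXPOSURE: {proto} from {rule.src} into {rule.dst}")
    for host, port, why in detect_unexpected_services(SAMPLE_FLOWS):
        print(f"ALERT: {host}:{port} ({why})")
```

Two design points worth noting. The audit is triggered by the change event rather than by a 12-hour poll, which is the whole difference between continuous monitoring and point-in-time assessment; and the flow check keys on reply bytes, so that a host merely being probed on port 53 does not masquerade as a host that has started serving DNS.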
Now that you know the benefits of continuous monitoring, you have to choose wisely when filling the gaps in your security infrastructure. Do you want to buy a risk management platform that only knows how to pull firewall and router configurations every 12 hours, or one that’s integrated out of the box with network activity monitoring? It’s not just automation that you gain, but 360-degree visibility: analytic context at any given moment, and post-incident forensics for immediate impact analysis.
When the executive board asks you where your turtle is, will you be able to answer immediately and with confidence or will you, well…turn turtle?