Imagine hackers as mouths waiting under a faucet of your data, and the ideal security solution as a solid, bottomless bowl that keeps the falling data droplets from quenching their thirst. In reality, security solutions are like sieves, slowing but not blocking their access to your water. Sure, you can stack 100 sieves on top of one another, and make it nearly impossible for water to get through, but in some cases, it will. Security today makes the best of this dilemma.
Security has never been a thing of certainty, where the presence of certain security solutions meant safety from attack, while the absence of these solutions meant that hacks were inevitable. Human nature is at the core of this idea. People writing software make mistakes, and there will always be others to capitalize on them. Addressing security gaps is then an exercise in manipulating human nature: To build the stack of sieves intelligently, so that the gaps only let water through in the most involved, long-tail cases. This is defense-in-depth.
Defense-in-depth succeeds because it wrecks the ROI of a potentially successful attack for the hackers. Its comprehensive nature impedes them at the various stages of the attack chain that together comprise a successful breach. Getting past a well-planned defense-in-depth approach is not economical for hackers, and is such a successful deterrent that it’s the primary strategy for security professionals. But if one looks at the current security market, they may be convinced that there are shortcuts. It’s easy to understand why, yet this would be a costly mistake to make.
The Tip of the Iceberg
On an average day, more than 50 new Common Vulnerabilities and Exposures (CVEs) are logged in the National Institute of Standards and Technology’s National Vulnerability Database (NVD). Each CVE reflects a zero-day vulnerability that was discovered in popular commercial or open source software components. As we know, all software components have vulnerabilities. Some have more, some have less.
The software development world has been trying to address this fact in myriad ways: teaching secure coding, running various code scanning solutions, and more. But the fact remains that there will always be vulnerabilities. Compounding the problem, by the time one vulnerability is fixed, others have been discovered, and the overall average keeps growing year over year.
While they shouldn’t be ignored, vulnerabilities are just one small component in a full attack. To exploit a vulnerability, it must be weaponized. Weaponizing a vulnerability involves various other steps in an attack chain that depends on many gaps aligning in just the right way. Accordingly, incident response might uncover where the attack occurred, but it’s important to recognize that this is often just the visible link in a full chain of less-than-visible weaknesses. These attacks might start with vulnerabilities but are often complemented by other methods like phishing, and involve various other steps, sometimes instantaneous and other times taking months or even years.
Vulnerability Isn’t a Synonym for Attack
Cyber attacks aren’t isolated, standalone steps out of context with everything else happening in the network, the data center or on the endpoint. It’s therefore important to keep in mind that a vulnerability doesn’t guarantee that hackers can kick off a successful chain of events leading to a full-scale attack. Of the many vulnerabilities discovered every year, not all deserve equal consideration when it comes to security.
Researchers spend time and effort to identify vulnerabilities, create proofs of concept (POCs) and publish them. Some do it for financial gain, others do it to enhance their reputation, still others do it to ensure vulnerabilities are fixed by vendors before they are exploited by hackers, for the overall security of users and organizations. Whatever the reason, uncovering a vulnerability is not akin to detecting and preventing cyber-attacks: oftentimes it’s a theoretical exercise, unrelated to the circumstances in which a vulnerability can be exploited, and is hard to act on.
For more proactive vulnerability awareness, vulnerability management solutions focus on locating and patching software components, operating systems and libraries once vulnerabilities are identified and fixes exist. This is one step, but a step that is sometimes meaningless – patching vulnerabilities that can never be weaponized. When it is harder than ever for organizations to keep up with the need to prioritize and patch vulnerabilities, many see a point solution as a potential savior. Point solutions are especially effective at preventing exploitation from a certain angle of attack, but they can’t by themselves deter hackers.
Defense in Expense
Some vulnerability management solutions are great, many researchers are exceedingly wise, and there are point solutions out there that work well, but even together they can’t prevent water from draining out of the sieves. Individually or together, none of these are a silver bullet like defense in depth because they each focus on one place in the attack chain and not them all.
Too many enterprises are led to think they can replace defense in depth by using multiple point solutions together. The unspoken truth is that the difficulty of managing these solutions together requires immense investment, and results in gaps that make them less than effective anyway. In the case of IoT, many firms might think to use a single point solution to cover these devices because they can be distinguished from regular IT.
But IoT shouldn’t be siloed from IT, and in fact this runs opposite to true defense in depth. Real defense in depth is seamless and holistic, and in lieu of the latest or most powerful point solutions, prefers basic tools that are designed to work together, keep maintenance and management costs low, and make it easy for the organization to enforce security policies.
Ideally, security for all devices and data should be centralized under the same mechanism, and that mechanism should be whatever enterprises prefer. This is why Firedome focuses on making the security of even the smallest devices, like IoT light bulbs, manageable in any SIEM, and brings them into the fold of any enterprise’s defense in depth strategy.
How to Think Securely
For cyber protection solutions that work, it’s not the vulnerability or the point of entry that matters most, it’s the attacker’s state of mind. When is a motivated hacker willing to give up? Clearly not when they can infiltrate, nor when they can exploit a vulnerability, but only when they can either achieve their purpose or determine that lining up a successful hack is too difficult to justify.
Protecting the entire attack chain in a smart, low-maintenance way is how you can inexpensively show hackers how expensive it’ll be for them to attack you versus another target. That means being aware of which vulnerabilities really matter, prioritizing easy integration and management, and putting security everywhere a hacker might be in the kill chain: At the reconnaissance stage, at the infiltration stage, at the vulnerability exploitation stage, at the command-and-control communication stage, at the malware execution stage, at the exfiltration stage or at any other stage.
Whether the goal is encrypting a machine in a ransomware attack, disabling or commandeering an endpoint for crypto mining, or exfiltrating proprietary data or private or financial information, a hacker’s ends must justify their means. The minute a talented hacker can prod your network and determine that this won’t be the case – by failing to find an open port, getting IP banned after a brute force attempt, being thwarted by two-factor authentication, and more – your enterprise is secure. And make no mistake, a real defense in depth strategy is the only way to make it happen.
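One of the layers named above, banning a source IP after a burst of failed logins, as an added example that is not part of the original post or any Firedome product: a sliding-window detector run over constructed sshd-style log lines, with an assumed threshold of 5 failures in 60 seconds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (not captured from any real system); two source
# addresses from documentation ranges: one hammering passwords, one legitimate user.
SAMPLE_LOG = """\
Mar 10 02:14:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 02:14:03 host sshd[2002]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 10 02:14:05 host sshd[2003]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Mar 10 02:14:07 host sshd[2004]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 02:14:09 host sshd[2005]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 10 02:20:00 host sshd[2010]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 10 02:21:30 host sshd[2011]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
"""

# Matches only failed-login lines; successful logins are ignored by design.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def find_brute_force(log_text, threshold=5, window_seconds=60, year=2024):
    """Return {ip: timestamp at which the ban would be applied} for every source IP
    that produced `threshold` failed logins inside any `window_seconds` window.
    The syslog timestamp carries no year, so `year` is assumed (hypothetical)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in banned:
            continue  # already decided; later lines change nothing
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= threshold:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

The single failure from 198.51.100.9 never reaches the threshold, so a legitimate user's typo does not trip the ban; a real deployment would feed the result to a firewall or fail2ban-style action, which is outside this example.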