Looking forward to 2021, I wanted to write an article not about the FireEye breach or the SolarWinds Orion supply chain attack (enough has been written about those), but about what we in the Cyber Security industry can do about it. The change required is an important and fundamental one.
Ultimately innovation, skills, culture, talent and money will solve this problem but that is a vague and fairly long list. The change required is an economic change, a focus on the real problems and investing in tangible solutions that actually solve issues. Most large Enterprises have multiple solutions to the same problem.
Let’s take e-mail spam protection as an example. I recently audited a large organisation and found they had four different anti-spam e-mail solutions. The EMEA and USA parts of the organisation accounted for two products, as they generally had different policies, procedures and supply chains. A third was in Asia, from a business they bought ten years ago and hadn’t been able to migrate to one of the existing solutions for fear of breaking everything. And the fourth they didn’t know they had, but it was in a head office and they felt it seemed right to have a bit of extra protection for their HQ.
There is a solid argument for defence in depth, and also for diversity, but complexity is the main killer of security. If you look at each of the vendors’ products in depth, they are actually fundamentally the same. Two were a direct offshoot from each other, born from a feud between the founders, who went in commercially separate directions with the exact same tech. The other was an offshoot from a commercial agreement to license the underlying filtering engine and rebrand it for a different market, and the last started off as Open-Source and uses an engine that is in fact the same fundamental engine as the other three vendors. So, not that much diversity after all. When looking at the configuration of each of the four solutions, none had been updated for several years. One was out of support entirely, and all had public vulnerabilities that could have been exploited. Why was this the case? Money.
Except, it’s not as simple as that. Over the past 20 years, technology and innovation have driven enormous efficiency savings across all aspects of security and the Enterprise. Boards of companies were keen to drive down risks, drive down costs and raise profit. Outsourcing the Security Operations Centre (SOC) seemed to meet all these objectives, but it separated the teams that are responsible for security. There are efficiency gains to be had with large SOCs serving multiple clients, but there is a subsequent shift in perception of who owns the risk. Ultimately the business owns the risk, and the small print of the SOC T&Cs will make clear that the provider does not own it if the business suffers a breach. I’ve used the example of outsourcing the SOC here, but it is equally true for offshoring software development, allowing remote administrator access to core network infrastructure, or outsourcing any core business function.
Undoubtedly the boards heard logical arguments that outsourcing would maintain a similar risk profile, lower costs and thus increase profits. Instead of the efficiency gains being used to improve security, they were used to reduce headcount and maintain the same level of risk. The boards did not understand at the time that they were in fact slightly increasing the risks. It was death by a thousand cuts: with each decision and each vendor’s product brought in to tackle a specific risk, the complexity increased, and the risk either stayed the same or went up very slightly, because there were now more attack surfaces and more solutions to patch.
At no time did anyone look holistically across the whole Enterprise, or when they did, the answer was so awful and expensive that the board were paralysed into kicking the can down the road and hoping the inevitable happened on someone else’s watch. Or they could blame someone else (welcome to the world of the CISO). Skip forward 10 to 15 years and most Enterprises have hundreds of vendors, thousands of products and a complex, brittle IT infrastructure.
The mindset shift for the board needs to be not how to reduce costs but how to increase resilience and security across the whole Enterprise. The issue for most boards is that they do not have the technical skills required to understand the whole Enterprise and make sensible decisions for the entire estate. The commercial structure of large Enterprises that have grown through acquisition leads to messy backend integration, and the project to normalise and integrate the various systems either never gets off the ground because nobody could quantify the gains, or was enormously expensive, or probably both.
It’s easier and feels safer to do nothing than to risk breaking things, and often the business cannot accept any outages or downtime for core systems. Having redundancy and multiple environments likewise struggles to quantify its gains and appears to be needed only seldom. The mindset shift required is to build simple, unified, resilient, secure, robust, reliable IT infrastructure.
The massive gains in efficiency need to be spent on increasing security, not on reducing costs. Twenty years ago it would have been unthinkable to allow remote admin access to the core network. Network admins would expect to have to visit the computer hall to carry out core administrative tasks. It was part of the job, but now it is unthinkable to visit the computer hall unless there is a hardware failure. However, if you look at the list of tools stolen as part of the FireEye haul, six of them were for some sort of remote access or remote control of systems. An attacker will generally want two things when they attack a network: they would like to gain some kind of administrator privileges so they can do what they want, and they will require remote access to the system time and time again. Remote Desktop and remote access tools are clearly a prime target.
I appreciate this will not be a popular opinion, especially now with Covid, but it should not be unreasonable to expect IT admins to have to go into the office to perform changes to the core systems. We have come to expect that we can work from anywhere, which is fine for users, but admins shouldn’t be able to do all of their job from a beach in Hawaii. Will this mean we will need admins working on shift patterns, with one at the office all the time? Yes, probably. This has just increased the cost of that one job role by a factor of 3, but did I say it was about money!
Technology is moving quickly, and the same disruptive forces are also the force for change and improvement. Cloud, Artificial Intelligence, Machine Learning and Big Data analytics will all play a massive role in improving cyber security. Let’s hope they are used to complement and improve existing measures, not to complicate them and drive down costs without a holistic improvement to security.