Once upon a time, cyber security was like a bank vault. We built thick walls and a big door and we put an armed guard out front. This was more than enough to keep valuable assets secure, because we didn’t have sensitive corporate data and credentials sitting on multiple servers and devices outside a business’s physical headquarters. As the digital domain grew, that vault became a fortress. Walls got higher and could accommodate doors and windows. We carved in lookout points for an army of figurative guards. But the fact is, the Middle Ages of cyber security are long gone.
Nowadays, when we imagine the best way to secure an enterprise network, the ideal analog is a sprawling metropolis – with countless entries and exits that are always going to be outside of our control. Likewise, a modern network’s boundaries are porous and amorphous, changing rapidly and without warning. Much as it’s impossible to find the exact borders of today’s metropolis, enterprise networks stretch onto cloud, virtual and mobile terrain. We hope they end at clearly marked city-limit signposts. But real corporate perimeters have sections that function more like the empty, weedy and abandoned lots of the urban fringe.
For example, I work from home and have many connected devices. Some are supposed to be authorized to access my corporate servers and some are not. This is the reality for millions of other workers in the world, and it causes a level of system complexity that IT managers find overwhelming. As a case in point, software vulnerability scanners identify hundreds of thousands to millions (if not a billion, as reported by one company) of active issues. This is total overload, and the result is a business with a severely reduced level of resilience. To combat this, IT managers need a holistic overview of a network’s access points, vulnerabilities and respective asset values in order to effectively prioritize security issues.
That said, it wouldn’t take a years-long plot from an evil genius to get deep enough into a network to cause significant damage. Every city has mundane-looking side streets and manholes, abandoned railroad tracks and drought-parched storm drains that can more than accommodate the passing malcontent. Perhaps there’s a stadium next to a railroad track, where trains with ammonia regularly pass. Maybe there’s a single door left open on a single building that’s interconnected to several more buildings – all that interconnection makes it close to impossible to check everything by sheer human effort alone. Automated oversight is essential.
Ultimately this leads to an old axiom: you can’t manage what you can’t measure. And you can’t measure what you can’t see or don’t understand. Without actionable intelligence from a prioritized index of security issues, a city could never fully understand its level of risk in light of existing threats. The same is true of enterprise networks.
Simulate full-scale attacks every day
To solve complexity and overload, we use automation. Software never gets tired. Let’s say there’s a large multinational conglomerate that wants to find any errors in the configurations of its network devices. The IT department would need software that could check every letter of code – ad infinitum – to find a needle in a mountain of needles: the one out-of-place digit that could, for example, allow employees on a partner network to emulate employees on the home network. The software would have to find that one temporarily unlocked gate where any passing thief, poking his head inside to look for an attendant, could find a set of keys to every door in the building hanging on a nail in the wall.
I understand that facing complexity and overload can be very intimidating to IT teams, but it’s the kind of bad news that becomes good news very quickly. Making daily attack simulations a part of continuous awareness programmes may reveal glaring weakness, but they also give us a chance to reduce risk before threatening forces strike.