Prioritizing Infosec Programs

What follows is a barely intelligible, Christmas cookie-induced attention deficit rant on the state of the industry.

The most excellent Jake Williams wrote on his company’s blog an interesting post from a Twitter Survey he ran, asking whether network or endpoint visibility is more important for detecting APT intrusions.  Jake points out there really isn’t a strong consensus among the over 1100 people that voted in the survey, nor in the responses to the survey, and that there may be a cyclical nature to the way infosec people would rank order these controls over time.

I continue to grow increasingly interested in the psychological aspects of security and perceptions of risk among IT and infosec people, and Jake’s post is a good example of why.  There is not an objectively “right” answer Jake’s question, but that doesn’t really stop us from forming a strong narrative in our minds that leads us to an answer we feel is correct.  I suspect that each of us apply particular context to such questions when forming our position.  For some people who work in organizations with highly diffuse / cloud-y IT, the concept of monitoring networks might not make any sense at all…  Which network would you monitor?  Monitoring the endpoint in this case is the only approach that makes any sense.  Other people point out that IOT devices are becoming more attractive APT targets and endpoint security tools do not (and likely never will) work on these devices, hence the network is the only place that makes sense to monitor.  Still others point out that the “right” answer is to get 100% coverage using which ever approach can accommodate that level of coverage.

I know that Jake intentionally framed this question in an unnatural way that yielded these results.  We can intuitively look at this situation and see that everyone is right, and that no organization would take such a position of going all in on endpoint security or network security.  While that may be true, this example does highlight the varied thought processes each of us as individuals use as we approach such questions, and that almost certainly influences how we approach questions of security investment prioritization – you know the exercises many of us perform where we rank order risks, possibly using addition, multiplication, weighting, and really nice looking heat maps, tweaking the numbers until they match our expected view of reality and hence our view of what we controls we should be implementing where?

An  intuitively “right” way to approach this is to consider whether each asset has the proper level of visibility – in some cases that may be through endpoint controls because the devices are not on an central network, and it might be network controls because we have IOT devices not supported by endpoint security solutions.  I don’t believe this is the right way to think about the problem: in my 20 years of working in and around infosec, the complaint has always been that we try to bolt on security, rather than to bake it in, but I see us continue to perpetuate it – possibly even embracing the notion of “bolt on security” for a variety of reasons.  In my estimation, the objectively “right” solution is to take a more systems-oriented approach to designing our IT systems in the first place.  We can’t use network controls to monitor diffuse IT environments because there is no logical network location to monitor.  What happens when IOT devices are added to that environment?  Where does the network control go?

Clearly this is far outside the bounds of the two answers Jake’s survey permitted.  Though I will hammer on one more point.  Jake’s specific question was “…which one matters more for detecting APT intrusions?”  A number of comments pointed out that “it’s not a breach until the data gets out”, and therefore network detection is critical for the final determination.  Schrödinger’s Breach, I suppose.  What concerns me with this line of thought is that the only harm a threat actor can exact on a victim is data theft.  The question posed wasn’t specific to a “data breach”, but rather an “APT intrusion”.  We have seen cases like Saudi Aramco, Sony, and the Dark Seoul attacks where the end game was destruction.  WannaCry and NotPetya likewise were not intending to exflitrate data.  Under HIPAA and other data protection laws, data doesn’t have to be exfiltrated in order to be reportable (and potentially fine-able) as a data breach.  Plenty of other harms can befall an organization, such as impacting the availability of an application, or physically damaging equipment and so on.

To sum up, I think we have a lot of growing ahead of us as an industry, in terms of how we think about controls, risks, and terminology.


Leave a Reply

Your email address will not be published. Required fields are marked *