As a veteran of the United States Army, 10th Mountain and 101st Airborne Divisions, I served in both Iraq and Afghanistan. When assessing the battlefield in preparation for combat, it’s always important to make assumptions, such as “If I get attacked, it’s likely to come from that direction at this time of day.” So, while it’s possible to slightly adjust posture, largely, it’s: “Hey, the battle has begun, now it’s game time.”
Based on my experience fighting threat actors in both the physical and digital world, it’s vital to make some assumptions, but in the digital world there’s more time to adjust the organization’s security posture to thwart attacks.
Today, security posture isn’t well defined. Ask five people to define security posture and they will come back with five different answers. It’s more than just vulnerabilities, misconfigurations, or other weaknesses in the infrastructure.
Measuring risk with visibility, exposures and threats (VET)
If vulnerabilities alone don’t define security posture, what other elements does it include? While cybersecurity frameworks such as NIST can offer guidance, these artifacts are often cumbersome to understand and implement. It’s time to simplify and make security posture measurable by defining across the three pillars of VET:
- Visibility.
Security teams must have visibility into the battlespace. So, what kind of visibility does the organization have? Does the team know when a new asset gets spun up in AWS, Azure, or even in the data center? Do the security tools know about it? Are agents installed and are they properly configured? Is the team confident in how its perimeter devices are configured? What are the limitations in the organization’s ability to prevent or detect threats in these environments? The team needs the right tools, in the right locations, configured correctly.
Lack of visibility is the biggest reason for missed attacks. To properly protect a network, the team must know where its visibility gaps are and build a plan to address them. Start by asking the customer if they know all the assets in their environment. Most of the time the response comes from a manually-managed spreadsheet.
- Exposures.
We need to understand where our weaknesses – our soft points – are in our battle position. When assessing exposures, it’s natural to lean into vulnerabilities – such as out-of-date software – but there’s more to uncover here. Understanding these exposures are important, but we must also account for the biggest risk. Think about this with the aid of threat modeling techniques. What am I most concerned about and what are the likely avenues of approach? Where are my weaknesses? When we’re analyzing exposures, we’re looking to better understand where our risks are. We’re not just talking about out-of-date applications or services. We’re also talking about misconfigurations, exposed S3 buckets, and overprivileged identity and access management roles. Gain a full understanding of the breadth of exposures and regularly monitor and report on them.
- Threats.
All organizations are under constant attack, relentlessly being probed from every direction. These threats are what the team prepares for and – based on how the organization is attacked – bring additional light to the team’s assessment of the battlespace. But does the team know what types of attacks it’s experiencing and what resources are under attack. All too often I see a business just absorb these attacks and brush off successfully-blocked attacks as the result of a tool doing its job, but the team must leverage this intelligence. How many controls were bypassed before antivirus picked up on the malware? Does the team know which assets take on the plethora of attacks? What types of attacks will the team experience? How well are the controls working? How can the team adjust because of these findings? Understanding how and where the team gets attacked is critical in helping it prioritize the work.
To effectively protect the organization on the digital battlefield, the team needs to first redefine its security posture by looking at the three VET pillars: Organizations can maintain a good security posture doing the following:
- Maintain constant visibility of newly deployed assets.
- Combine threats and exposures to properly prioritize patches.
- Prioritize architecture decisions that lead to increased visibility and reduced exposures.
By understanding these three pillars, the team can now make decisions and prioritize projects based on data rather than on a whim. These are decisions that will protect the organization against known and unknown attacks.
Tom Gorup, vice president, security operations, Alert Logic