Defending an Undefinable Cyber Security Perimeter
The character Don Quixote became legendary tilting at imaginary giants that were ultimately just windmills dotting an expansive countryside. His cause was noble, but his efforts were fruitless and completely misguided.
Don Quixote’s adventures are not only entertaining, but define a pattern of behavior that is similar to today’s IT security professionals’ noble pursuit of network and data security. There are serious lessons to learn from the delusional Don Quixote extending beyond the folly of having an irrational hatred of windmills.
Statistics show that the “Quixote Syndrome” is widely affecting and deeply entrenched across a broad population of the security industry. According to a SafeNet 2014 Survey, 74 percent of IT decision-makers believe perimeter security is effective at keeping out security threats. At the same time, a 2014 Mandiant Study, Cybersecurity’s Maginot Line: A Real-World Assessment of the Defense-in-Depth Model, found that 97 percent of businesses have already been breached. These findings are quite ironic and speak directly to a level of delusion that is plaguing our profession. To further support the existence of delusion, FBI Director James B. Comey recently appeared on 60 Minutes and stated: “There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.”
Delusion is defined as an idiosyncratic belief or impression that is firmly maintained despite being contradicted by what is generally accepted as reality or rational argument. The idiosyncratic belief that the modern enterprise network perimeter can be defended is propelled by the vendors of the network security industry. These hardware and software vendors are fully vested in the complex layered security model that is feasting on increasingly large IT security budgets. Their message is consistent: after your current layers of security fail, just buy our new and improved layer and you will be safe. What they are not telling security professionals is the truth – you will be breached no matter how many layers you implement.
Yet like Don Quixote, IT and physical security executives continue to expend their energy fighting a fight that cannot be won. They are simply fighting the wrong fight, defending a perimeter they cannot define, against an enemy they cannot see. According to the Forrester report, Understand the State of Network Security: 2013 to 2014, which surveyed 2,000 IT executives in North America and Europe, 46 percent stated they would be increasing perimeter security spending in 2014. Simply put, vast amounts of IT security budgets are being directed towards protecting a perimeter we cannot define, which is yielding a 97-percent failure rate. Worse yet, nearly half of IT security professionals are doubling down on this losing strategy.
The modern enterprise network has become expansive, porous, and completely blurred due to the large number of Internet-facing applications that have been deployed and adopted. The number of potential entry points into the enterprise network has proliferated uncontrollably. The complexity associated with administering access control lists, remote access connections, content filtering rules, and a wide array of security policies has increased exponentially. Administering security policies requires device-specific manual configuration that is prone to human error. According to the Ponemon Institute’s 2013 Cost of Data Breach Study, at least one-third of all security breaches are caused by human error. A rational argument for maintaining the status quo in a security strategy requires a quixotic denial of reality.
So what are security professionals to do if they no longer tilt at windmills? Accepting the reality that your perimeter will be breached yields a logical refocus on containment of the breached network segment: eliminate the possibility of breach propagation. This strategy poses a tremendous challenge, though, because of the core architecture on which enterprise networks are built – the Hub and Spoke architecture. This architecture is more than a half-century old and was never designed to implement granular controls on internal traffic. Additionally, it relies on a shared dynamic routing construct, in which all applications are routed over the same routers, firewalls, switches and circuits. The problem resulting from this construct is that when a perimeter vulnerability is successfully exploited, it frequently results in a security cascade effect that ripples across the shared routed network.
Most business plans cannot sustainably afford the physical separation of networks due to the high capital and recurring staffing costs required to operate disparate networks. Therefore, most businesses rely on a single shared infrastructure and highly complex security and routing policies to achieve some measure of separation. In the vast majority of networks, this separation ceases at the WAN interface of the access routers, where all traffic is intermingled. This scenario provides the path for breach propagation because of its complexity and the vulnerabilities that result. Containment is best achieved through virtual network segmentation, where each network has its own instances of virtual routers, firewalls and security policies from end to end. Virtual segmentation is more than just a VLAN, although VLANs can play an integral part: each VLAN must essentially extend from application enabler to application gateway for containment to be effective. By removing shared routing and security elements between networks, the “leverageable” elements that allow breaches to propagate are removed. Mutually exclusive security policies, which cannot conflict with one another to create vulnerabilities, are established. The construct of each independent network, including its definable perimeter, its syslog baseline and the number of layers required to defend it effectively, is simplified. Essentially, applications are stripped from the shared router environment and placed into their own statically or dynamically routed, private IP environments that are customized to the applications’ specific needs.
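A constructed model of the cascade effect and its containment, added here as an illustration and not taken from the original article or from Cybera: it builds the two topologies as routing-adjacency graphs (application names, element names and the single shared core router are all assumed) and measures how many application networks a breach of one enabler can reach in each.

```python
# Constructed model (added illustration, not Cybera's code or product): compare
# how far a breach propagates over routing adjacency in a shared hub-and-spoke
# network versus per-application virtual segmentation.
from collections import deque

APPS = ["pos", "guest-wifi", "hvac"]  # constructed application networks


def _link(edges, a, b):
    """Record a bidirectional routed adjacency between two elements."""
    edges.setdefault(a, set()).add(b)
    edges.setdefault(b, set()).add(a)


def hub_and_spoke(apps):
    """Shared model: every application's traffic is routed through the same
    core router and firewall, so all gateways are adjacent via that core."""
    edges = {}
    for app in apps:
        _link(edges, f"{app}-enabler", f"{app}-gateway")
        _link(edges, f"{app}-gateway", "shared-core-router")
    return edges


def virtual_segmentation(apps):
    """Segmented model: each application network has its own virtual router
    and firewall end to end; no routed element is shared between networks."""
    edges = {}
    for app in apps:
        _link(edges, f"{app}-enabler", f"{app}-vrouter")
        _link(edges, f"{app}-vrouter", f"{app}-gateway")
    return edges


def blast_radius(edges, breached):
    """Every element reachable from the breached element over routing
    adjacency (breadth-first search); this is the propagation boundary."""
    seen, queue = {breached}, deque([breached])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def apps_exposed(edges, breached, apps=APPS):
    """Which application networks the breach can reach, sorted by name."""
    reach = blast_radius(edges, breached)
    return sorted(a for a in apps if any(n.startswith(a + "-") for n in reach))
```

With the shared core, a breach of the guest Wi-Fi enabler reaches all three application networks; with per-application virtual routers it stays inside guest Wi-Fi.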
The evolution of software defined networks and a central brain (in the cloud), often referred to as a Universal Policy Controller (UPC), has made the administration of standalone, purpose-specific networks achievable. In this environment, a security-policy change to thousands of similar application networks can be implemented simultaneously and consistently. Compare this with the current method, which requires device-specific manual configuration of each router in the network, and with the knock-on effects that follow from it.
Valid concerns have been raised about the security of centralized controllers, but securing a single controller is far more realistic than defending against a vast landscape of windmills. This is especially true in a scenario where if one windmill gets the best of you, it unravels your entire defensive strategy.
It is time to face the reality of our dilemma and take achievable steps towards fighting a fight we can win. It is time to put down the lance, dismount the horse, remove the antiquated armor and rethink our approach to what security really means. It is time to learn from Don Quixote rather than emulate him.
Information provided by Cybera, www.cybera.net