The focus of security has always been protection against complicated and advanced attacks. The battle between advanced attackers and incredible defenders is a great story. You know, good versus evil.
Many of you have probably been preparing for a cyber attack from Russia, given its war with Ukraine. The United States government has told us to expect an attack. I’m not sure if Russia will launch significant cyberattacks against the West, but if they do, what kind of attacks will they launch? I would postulate that the answer is the simplest attack that will do the job. Every nation-state with significant cyber capabilities is sitting on dozens (if not more) of zero-day attacks. But why would they burn a sophisticated attack unless forced?
Logical attackers seek the path of least resistance to gain a foothold in a target environment. That means taking advantage of the weakest link, and that’s usually something simple, like misconfigurations and other basic security bugs. When someone asks what the best way is to protect against these attacks, I usually answer by telling them to do the simple things right. You know, block and tackle, to use a football analogy.
My partner (and DisruptOps co-founder) Rich Mogull has always said that “simple doesn’t scale,” and he’s right. Making a firewall change on two devices is not difficult. Enforcing firewall policies on hundreds of devices around the world is very, very difficult. And getting it right every time makes it even more challenging.
So let’s talk about solutions to do simple things well and consistently. Surprisingly, it involves a combination of people, process, and technology. And we focus heavily on process because that’s the best way to achieve consistency. If everyone knows what they’re supposed to do and you have the means to keep track of their activities, you tend to get consistent results.
These five tips should provide you with a roadmap for improving security hygiene, as well as your overall security posture.
Tip 1: Get in line with the policy
If you don’t know where you’re going, you have no idea when you’ll get there, or even where “there” is. So the first tip is to set your hygiene policy so you know what success looks like. Whether you’re setting a goal to patch within a week or blocking outbound connectivity to specific geographies, having policies defined and documented will ensure everyone is on the same page, before you start blocking things.
Tip 2: Expand visibility
I suspect you’ve heard the saying that if you can’t see it, you can’t handle it. It happens to be true. Once everyone is aligned on the policies, you need to figure out what’s in the environment. To be clear, you should already know some of this, such as where your sites are and what infrastructure is already installed. Maybe you even have a CMDB that (supposedly) has asset information. That’s a start.
Any asset list and posture information you have is likely outdated, especially with the proliferation of cloud and SaaS. So you need a defined process and tools to ensure you understand the full state of the technology, both on-premises and in the cloud.
Tip 3: Manage changes
Another critical process to implement is change control. Who makes which changes, and when? This process should be thought through before you learn about Log4j (or the next widespread vulnerability). The key to consistent and successful operations is to ensure that everyone knows their job. In an all-hands-on-deck situation, the last thing you need is uncertainty about roles and responsibilities.
Are approvals required to make changes? Do approvers have an RTO (response time objective)? Are there situations where it is urgent enough to make the change without approval? How much downtime is acceptable? These are the types of situations that the change control process must handle.
Also, be sure to audit who is making changes as part of the process. You’ll want to know who made a mistake in the event of a faulty change (I’m only half kidding about that). And in the event that a management device is compromised, any changes made by the attacker will be logged so you can quickly revert them.
Tip 4: Continuous Monitoring
At this point, you’ve probably had enough of processes: now you need to do things. That’s the fun part, right? The key to hygiene is regular checks. Just like you want to go to the dentist twice a year to check for cavities, you want to keep an eye on your infrastructure to make sure everything is in compliance with policies.
That means checking devices for configuration changes. As mentioned above, an incorrect setting tends to be the path of least resistance for attackers, so you’ll want to make sure you know if a setting is changed.
You’ll also want to monitor for available patches. You can wait until the next patch window to apply the patches, but you want to know which devices need to be updated and the relative urgency of the patch so you can plan your work effectively.
Note that I said “continuous” above, but that’s a relative term. Should you check the settings every minute? Or every hour? Or every day? It depends, but in general more monitoring is better than less. The best option is to look for changes in your log streams. For example, you can set up an alert when a change is made to a security group in AWS or a firewall rule in Panorama (if you’re using Palo Alto firewalls). That trigger can ensure you know about a change as soon as it happens, and if a malicious actor did make the change, you can bet every minute counts.
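One way to build the AWS security-group alert described above, as an added example that is not from the original post or from FireMon’s products: it scans CloudTrail-shaped events, ignores read-only calls, suppresses changes that fall inside an approved change-control window (tying Tip 3 to Tip 4), and raises severity when an ingress rule is opened to the whole internet. The sample events and the change-control register are constructed for illustration; the `eventName` values are real EC2 API names.

```python
from datetime import datetime, timezone

# EC2 API calls that mutate a security group (real CloudTrail eventName values).
SG_MUTATIONS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress",
                "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup", "ModifySecurityGroupRules"}
# Constructed (hypothetical) change-control register: principal ARN -> approved UTC change windows.
APPROVED_WINDOWS = {"arn:aws:iam::123456789012:user/netops-alice":
                    [("2024-03-10T01:00:00Z", "2024-03-10T03:00:00Z")]}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_approved(principal, event_time):
    # A change is expected only if this principal had an approved window covering that moment.
    t = _ts(event_time)
    return any(_ts(a) <= t <= _ts(b) for a, b in APPROVED_WINDOWS.get(principal, []))

def opens_to_world(params):
    # CloudTrail nests request lists under "items"; look for 0.0.0.0/0 or ::/0 in any ingress rule.
    for perm in params.get("ipPermissions", {}).get("items", []):
        for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
            if any(r.get(field) in ("0.0.0.0/0", "::/0") for r in perm.get(key, {}).get("items", [])):
                return True
    return False

def check_events(events):
    """Return one alert per security-group change that has no approved change window."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") not in SG_MUTATIONS:
            continue  # read-only calls and other services are not configuration changes
        who = ev.get("userIdentity", {}).get("arn", "<unknown>")
        if is_approved(who, ev["eventTime"]):
            continue
        world = ev["eventName"] == "AuthorizeSecurityGroupIngress" and opens_to_world(ev.get("requestParameters", {}))
        alerts.append({"who": who, "event": ev["eventName"], "when": ev["eventTime"],
                       "severity": "high" if world else "medium"})
    return alerts

# Constructed sample events in CloudTrail's shape: an approved revoke, an unapproved world-open SSH rule, a read-only call.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-10T02:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RevokeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/netops-alice"}, "requestParameters": {"groupId": "sg-0abc"}},
    {"eventTime": "2024-03-11T23:41:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-bob"},
     "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22,
         "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-03-11T23:42:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-bob"}},
]
```

Run `check_events(SAMPLE_EVENTS)` against a real CloudTrail export (or an EventBridge-delivered event) and only the unapproved world-open rule surfaces, with the principal recorded so the audit trail from Tip 3 is already in the alert.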
Tip 5: Automate (almost) everything
We are big fans of automation. In fact, it is a central aspect of all our products. Remember that “simple doesn’t scale,” so as your environment gets larger and more complicated, embracing automation is absolutely critical. Given the security skills gap and the challenge of finding and retaining security personnel, the more machines can do, the better.
You can automate the application of fixes to your devices, and you can automate the rollback of unauthorized changes. You can let machines monitor the sources of information that tell you about patches, and those same machines can collect a great deal of change information to identify out-of-cycle or unauthorized changes.
Our friends at AWS believe that every time a human being changes their infrastructure, it’s an automation error. That’s an aspiration for the vast majority of companies, but it’s a good vision. As you record your processes and see what routine tasks your people are doing over and over again: automate them. There is (in some cases, understandably) hesitation to automate too much. Don’t automate faster than you’re comfortable with, but equally don’t let fear of change paralyze your organization.
Finally, you *don’t* want to be the path of least resistance for attackers. Your security posture will be significantly stronger if you can consistently ensure security hygiene from an operational standpoint. We’re not saying you’ll be immune to attacks, but you’ll make attackers work for it.
*** This is a syndicated Security Bloggers Network blog from FireMon, written by Alisson Little. Read the original post at: https://www.firemon.com/five-tips-to-ensure-consistent-security-hygiene/