Back

The Biggest Challenge Facing CISOs Today – and the Key to Winning

In a recent episode of Agent of Influence, I talked with Miles Edmundson, a 30-year veteran in the IT and Information Security space. Miles started as a security consultant, was Carlson Company’s first global Information Security Manager, worked for the largest crop insurance company in the world, and served as both the CISO for Ceridian as well as the US CISO for Equinity. His last 12 to 14 years have been in the financial services industry. I wanted to share some of his insights in a blog post, but you can also listen to our interview here, on Spotify, Apple Music, or wherever you listen to podcasts.

“Exploring” the Network Neighborhood

To start, Miles shared an interesting story about how he first stumbled into and became interested in cyber security.

He was curious about how networks worked and saw an icon on his desktop that said, “network neighborhood.” He clicked on that and it took a while to populate, but he started to see over 2500 different systems. As he was looking at them, he realized he was seeing the entire client server system for all of Weyerhaeuser, his employer at the time. It became clear to him that there was a consistent naming convention by location, job title, etc., and so, within about 30 minutes, he was able to find the CFO’s machine and access sensitive information, including executive salaries. He reported the finding to their IT team, but this was the beginning of his career in cyber security.

Miles shared this as a lesson to security teams everywhere that exposing sensitive information doesn’t always require having a very high degree of skill. There’s a misconception that you have to be super skilled to break into systems, but in many cases, there are simple misconfigurations that can cause a lot of these problems and don’t require a lot of skill for someone to break.

Where to Focus When Starting a New Senior Level Position

In the early 2000s, Miles made the transition from consulting to being a practitioner, first joining Carlson Company as the Global Information Security Manager. He was the only person on this team in a brand new role and his budget the first year was $100k, which was already earmarked for a specific project. He was at Carlson for three years and by the time he left, the department budget had increased to $3.5M.

I’m always curious to ask CISOs and senior cyber security leaders about how they start in a role and prioritize areas of focus. Miles has two key areas of focus when he starts new senior level positions, which are obviously dependent on audit findings, regulatory issues, number of employees, budget, and more:

  1. He always wants to see org charts to know who’s who and how to reach out to different people so he can start trying to build relationships with people.
  2. He also wants to see any audit reports or regulatory reports to understand the underlying issues the organization needed to focus on.

Keys to Relationship Building

Relationship building is extremely important, not only for your personal success, but also the success of your team and entire company.

Miles shared a story from the book, Good to Great by Jim Collins about people who are excellent in their field. One of the people highlighted was a hotel housekeeper, who when interviewed, didn’t say she was a housekeeping person at a hotel chain, but rather that she was a representative of her company, and she wanted to ensure that people were having a wonderful time at her facility – and she was doing all she could to make that happen.

When Miles was asked what he did at Carlson Company, he would often say that he helped promote world understanding, because Carlson was a leading player in international travel and he thought it was critically important for people to know that the world is much bigger than his local area.

Miles also cultivated relationships by asking questions – and listening to the answers. He didn’t tell.

He was very conscious to be a good representative of his organization, his company, his state, and his country.

Biggest Challenge Facing CISOs Today

Keeping up.

Miles believes the biggest challenge facing CISOs is simply keeping up with all the requirements. In many respects, the role is responsible for juggling a number of different items all at the same time, and receiving constant requests from regulators, compliance teams, auditors, and customers. And CISOs have to meet these requests all while being constrained by budgets, personnel, talent, and more.

In addition, CISOs are effectively on call 24/7/365.

Advice for CISOs

Over the years, Miles has subscribed to a couple quotes that he shared that could be good advice for many things.

The first was from Teddy Roosevelt, President of the United States from 1901 to 1909, and he said, “Do what you can where you are with what you have.” Miles noted that you can only do so much with what you have – and so, do that.

The next quote is from Winston Churchill during World War II, and the paraphrased quote is, “Never, never, never give up.” This served Miles well in his career and he passed it along as advise to senior leaders.

To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.

Back

AutoDirbuster – Automatically Run and Save DirBuster Scans for Multiple IPs

Autodirbuster Logo

If you’ve used OWASP’s DirBuster, you know it’s a great directory buster. Its speed and reliability make it one of the best directory busters currently available. However, it has one big limitation: it can only scan one target at a time.

This is fine if you’re only attacking one target, but if you are attacking an entire network, then directory busting becomes a very manual process with a lot of downtime between scans. AutoDirbuster attempts to automate that process and eliminate downtime between scans.

For those who just want the code, it can be downloaded from https://github.com/NetSPI/AutoDirbuster

How does it work?

AutoDirbuster is essentially a Python wrapper for launching DirBuster. The user provides a list of targets, denoted as “IP:port” and AutoDirbuster automatically launches DirBuster for each target. However, AutoDirbuster does additional checks to ensure that the proper target is passed to DirBuster.

The workflow is as follows:

  • A list of targets is provided
  • A TCP connect scan is done on the target port to test if it’s open
  • If it’s open, HTTP and HTTPS requests are sent to determine if the service is HTTP-based and whether it requires TLS
  • If the service is HTTP, a check is done to determine if a previous report file is in the same directory
  • Dirbuster is run using Python’s subprocess.Popen(). If a timeout is specified, then after the timeout period, a SIGINT signal is sent to Dirbuster so it can safely shut down and write results to disk. A note is added to the report indicating that the scan timed out.
  • The next IP:port goes through the same process (TCP connect, HTTP service query, dirbust)

What’s really useful about this workflow is that a target with a closed port or non-HTTP based services running can still be provided to AutoDirbuster. The advantage of this is that Nmap scan results can be directly provided to AutoDirbuster. In fact, there’s an option just for that: provide an Nmap Gnmap results file as a list of targets.

Autodirbuster Demo

Installation

The installation process is straightforward:

  1. Clone the repository with git
  2. Navigate to the repository on your machine and install dependencies
  3. Run AutoDirbuster. If you see the usage output, the installation was a success and you’re ready to use AutoDirbuster.

Copy and paste the commands below to install AutoDirbuster:

git clone https://github.com/NetSPI/AutoDirbuster.git
cd AutoDirbuster && pip3 install -r requirements.txt
python AutoDirbuster.py

If the script isn’t working as intended, check the GitHub repository for common issues here.

Features

A number of features were added to make AutoDirbuster customizable.

These features include:

  • Target timeout
    • Automatically end a scan after a given amount of time
    • Useful for targets that respond with the same status code for every request or for an unresponsive or slow target
  • Automatic DNS reverse lookup
    • The reverse lookup hostname result will be used instead of just the IP
    • Useful for targets that are using virtual hosting
  • Gnmap mode
    • Directly provide an Nmap Gnmap results file as the list of targets
    • Port scan and then immediately start directory busting
  • Custom wordlist
    • AutoDirbuster uses OWASP’s directory-list-2.3-small.txt by default but any list can be used
  • Single target mode
    • Quickly launch DirBuster from the terminal against a single target without having to spend time configuring its parameters
  • Recursive mode
  • Custom file extension list
  • Number of connection threads
  • Start point of the scan
Autodirbuster Usage

Recommended Workflow

  • Run Nmap and find open ports, outputting the results with “-oG” or “-oA”
  • Run AutoDirbuster in a terminal multiplexer, such as tmux, with the Nmap results and a timeout
    • Example: python AutoDirbuster.py -g Nmap_results.gnmap -to 15
  • As the pentest progresses, periodically review the dirbust results using the included DirBuster pretty printing script dirbust_read.py, which will ignore all DirBuster error lines and only print the found directories and files

Conclusion

Directory busting is an important part of a penetration test but can be a painful manual process on its own. Using AutoDirbuster makes directory busting painless, efficient, and very fast. Give it a shot and see if you find it useful.

https://github.com/NetSPI/AutoDirbuster

Back

Checklist: Getting the Most Value Out of Penetration Testing and Vulnerability Management

You have leadership buy-in to invest in a proactive cybersecurity program to better protect your organization from security breaches that could put your organization at grave risk. And you’ve committed to building an ongoing and continuous vulnerability management program to guard against the potential threats to your assets. Now what?

Putting a successful vulnerability management program in place needs careful consideration up-front to ensure your organization is set up for success to remediate vulnerabilities for each application and system you have. For a quick overview of the process, our Best Practices for Your Vulnerability Management Program tip sheet can be used as a guide. The following checklist breaks the best practices process down and provides you with a planning roadmap to getting the most value out of a penetration testing and vulnerability management program.

Penetration Testing Program Plan of Attack

Deliverable

Elements of Success

Requirements

Step One:
The Plan

Develop a plan that puts structure and strength around cybersecurity to include continuous vulnerability testing and patching, incident response plans, and training and security awareness programs. The ultimate goal? Decrease time to remediation and to close security gaps in your network.

Clearly define the scope, objectives, identification of testing, and the order in which they are to be performed.

Build a vulnerability management team. This could include both in-house talent as well as industry analysts or consultants. When choosing a pentesting service provider, ask about the credentials of their pentesting team, beyond technical competencies. Will your team be comprised of a dedicated work group or an outsourced group who haven’t previously worked together, for example. Team structure has implications on streamlined communications and in knowing who is inside your network.

Augment with careful preliminary risk planning with contingency plans should any services be unintentionally disrupted.

Types of penetration testing:

□  Develop a high-level vulnerability management plan – be sure to include non-negotiables such as scalability and continuous testing

□  Present your case to business leadership; gain agreement on budge

□  Refine plan and define ownership and scope of your program to include personnel and their roles and responsibilities

□  Develop policies, standards, and procedures

□  Determine merchandising strategy – to bring visibility to the program’s successes

Step Two: Scanning and Assessment

Layer in automated scanning functions that deliver results that can be easily sorted and acted upon with human capital to find and fix vulnerabilities.

Create an enumeration (list and count) of suspected vulnerabilities that are enumerated only after using multiple automated tools over time, not just one single tool.

Build in further analysis of suspected vulnerabilities using specialized tools and manual techniques as required.

□  Identify all assets you want to scan

□  Define vulnerability landscape:

  • Common vulnerabilities and exposures (CVEs)
  • Common configuration and enumeration (CCEs)
  • Architecture
  • Design

□  Define actionable reporting structure of vulnerabilities

□  Deploy automated vulnerability scanning, use authenticated mode to scan high-value resources

□  Prioritize pentesting cadence, beginning with an external network penetration test followed by internal network testing

□  Commence manual pentesting

Step Three: Preparing for Risk-Based Remediation

Develop a risk-based remediation plan commensurate with your program’s maturity level and appetite for business risk.

Employ a comprehensive verification of high-risk vulnerabilities including but not limited to safe exploitation of these vulnerabilities using both automated and manual processes, including the injection of malicious code when called for.

□  Rank vulnerabilities through an established remediation timeline. For example:

  • Critical = 7 days
  • High = 2 weeks
  • Medium = 1 month
  • Low = Patch driven updates

□  Assign application and system remediation owner

□  Build in business leadership approvals for long lead remediations

Step Four: Ongoing Reporting and Improvement

Automate your vulnerability management program as much as possible: spreadsheets, emails, and document sharing portals are insufficient for most organizations, large ones in particular. Automation enables 24/7 pentest report visibility with business leadership and continuous improvement.

Find a penetration testing reporting platform that is engaging and customizable to showcase what is most important to your business, one that can track and compare data over time.

Learn about the NetSPI Resolve™ platform.

□  Build a reporting framework – for the pentesting team and for business leadership

□  Identify continual improvement opportunities

□  Use comparison data to showcase progress over time and highlight successes

All organizations should aspire to have the people, processes, and tools necessary to effectively execute an ongoing vulnerability management program. Failure to do so may result in poor tool selections, testing mistakes, and faulty interpretation of vulnerability scanner and pentest results that often lead to a false sense of security and could put the enterprise at risk. By building out a vulnerability management plan, as depicted above, you can dramatically increase the security of your enterprise and can be better assured to reach your ultimate goal: to decrease time to remediation and close any security gaps in your network.

Back

How to Build a Cyber Security Team with Staying Power

Data from the Bureau of Labor Statistics shows that information security professional employment is projected to grow 32% between 2018 and 2028, much faster than the average for all occupations. Those statistics mirror what we are seeing at NetSPI – a demand for information security professionals to create innovative solutions to prevent hackers from stealing critical company assets or intellectual property.

Twenty years ago, the role of a cyber security professional revolved around securing the perimeter. Today, cyber security has evolved and matured, along with the attack landscape. CISOs are responsible for many things, from preventing breaches and instilling ongoing security and vulnerability management programs, to internal/external leadership and even reporting to the board. Learning from the past as we plan for the future, I’m confident that the role of the cyber security team will continue to evolve, making it is imperative that organizations build and invest in a team with staying power.

Humbly speaking, with the tenure of many NetSPI team members at 10 years or more, we are fortunate to be able to offer our clients quality – and consistent – counsel because we have built a mindset around focusing on building teams with staying power. In this blog, I’ll share some insight into NetSPI’s commitment to team building in the hopes that it can provide guidance for your own workplace development (or even to serve as criteria for hiring your third-party testing team).

Hire for Experience, but also for Thirst of Knowledge

After hiring numerous professionals throughout the years, I’ve noted that there are a number of things, beyond experience, that can come together to make a person great in this profession. Someone who is a self-starter or is ambitious, oftentimes is a great team member. Further, an individual who works on projects outside of work or school demonstrates to me a passion for the profession.

Yet, two traits that are more difficult to recognize at first are the more unique soft skills: memory recall and curiosity. Individuals who have memory recall, who can understand patterns and relationships, usually gain an advantage when it comes to thinking like an attacker and recognizing familiar trends, while working as part of a client consulting team. And the highly curious person often has an innate drive to pick things apart, skills that are fundamental to success when the technology landscape becomes more complex by the day and emerging technologies continue to open new doors to hackers. Technology vulnerabilities are there – and a curious person is more apt to see find exposures so remediation can commence.

Interesting Data on Memory: In a Scientific American article, Northwestern University psychologist Paul Reber states that the human brain consists of about one billion neurons, amounting to more than a trillion connections. Neurons combine so that each one helps with many memories at a time, exponentially increasing the brain’s memory storage capacity to something closer to around 2.5 petabytes (or a million gigabytes).

For comparison, if your brain worked like a digital video recorder in a television, 2.5 petabytes would be enough to hold three million hours of TV shows. You would have to leave the TV running continuously for more than 300 years to use up all that storage.

Make Training and Continuing Education Fundamental

Today’s college graduates in the technology or cyber security fields, or even those with just one to two years of experience, have a definite thirst for knowledge. Our organization has found that investing in feeding that knowledge has paid dividends and has manifested in our proprietary NetSPI University.

Each year, through NetSPI University, we take new cyber security talent through a six-month continuous improvement and training program that consists of internal and external educational courses, technical labs, shadowing programs, and cross training. Why do we make this investment? The reason is two-fold. First, it is part of our DNA and culture to continuously improve (truly, at all levels of the organization). Secondly, our ability to outpace attackers is due to our talent and our culture. Our clients respect that, and in some cases, seek out our counsel in putting in place their own training programs. In the long run, organizations benefit from investing in their teams.

Focus on Measures Outside of Just Technology Competencies

In Nabil Hannan’s inaugural edition of his Agent of Influence podcast (with the excellent title of “Cyber Security Education and the Ethics of Teaching Students to Break Things”), he states that “some of the most successful people who he’s seen in cyber security are usually very adaptable – they learn to adapt to different situations, different scenarios, different cultures, different environments.” He goes on to point out that this is critical as technology is always evolving, as are the security implications. I couldn’t agree more. In fact, I think it is a hiring measure – adaptability or agility outside of technical competencies – that is undervalued. I write about the importance of agility here.

What’s more, organizations that provide a framework for performance – meaning evaluation measures on quality, technical depth and outcome – help not only the team member, but the organization as well. But I argue that agility measures should also be part of the framework for performance so that team members can bring their own skills and perspectives to each and every engagement and incorporate their individual style. This not only benefits the employee and the client, but an organization can then apply that individual’s insights across the whole team to make the organization better and smarter. Additionally, organizations need to understand that a dynamic culture, one that puts in place the building blocks to enable people to enjoy working together pays dividend in terms of work product, retention, and recruitment.

In my opinion, cyber security professionals have the best job in the world. They get to ethically hack into some of the largest companies. With that comes responsibility. Because of the importance of the work that cyber security professionals do day in, day out, its critically important that organizations provide opportunities for these talented individuals to grow, stay on the cutting edge, and to lead. A commitment to building a team with staying power through a commitment to training and development of the next generation of security professionals is imperative as the profession continues to grow to meet the growing demands of the job.

Back

Q&A with Nabil Hannan: An Inside Look at Red Teaming Culture

The term ‘red teaming’ is said to be overly used in the cyber security industry, which is why the concept is often misunderstood and unclear. But for the right cyber security pro, red teaming can be an exciting profession. Red teaming assessments are objective based assessments of an organization’s security posture. Assessors are allowed to use any technique that they deem appropriate to try and determine if the objectives, defined upfront, can be accomplished. Typically, a red team’s goal is to gain unauthorized access to an organization’s environment while avoiding detection and then maintaining access for a pre-determined period of time to test an incident response team’s ability to identify and respond to threats.

Red teaming is not a job for the faint of heart as it involves travel and many hours, even days, of thinking strategically and reacting quickly to the situation at hand. Nevertheless, it’s a critical component of every vulnerability testing strategy and can help organizations accurately assess threats to IT assets, benchmark current security capabilities, justify security investments, sharpen the skills of the team and improve detective controls. Given the importance of red teaming engagements, the industry should also understand the people behind the engagements and how they operate in order to get the most value out of the engagement. I talked with NetSPI Managing Director Nabil Hannan for an inside look at red teaming culture.

Aaron Shilts (AS): Who is drawn to red teaming work?

Nabil Hannan (NH): Although having solid technical skills to be able to circumvent security controls in the software, network or infrastructure may be an important skill to have, ultimately, the personalities who are most attracted to this type of work, and end up being most successful at red teaming engagements, are people who are clever and can think outside the box. Having the ability to think quickly on one’s feet and solve problems on the fly are important attributes for people who perform these assessments.

AS: Penetration tests and red teaming assignments can cause stress and anxiety, how does this affect professionals?

NH: Although red teaming engagements can be stressful, typically the personalities who do these engagements enjoy, and even thrive on, doing this type of work, and – from my experience – rarely consider this as true “stress.” Red teaming engagements really allow assessors to go above and beyond and truly think outside the box on how to circumvent security controls in creative ways to successfully complete objectives. These creative methods can range from being able to create phishing emails (that generate excitement and make victims fall for the attack and click/respond to the phishing attack) all the way to physical security attacks where you can use condensed air cans or even something as simple as a balloon to trigger motion sensors and get access to parts of a building which require special access or clearance.

AS: What kind of tools do red teams have at their disposal?

NH: Red Teaming assessments can leverage any existing information they have at their disposal regarding vulnerabilities and weaknesses in the systems and environments they are trying to compromise. This may include penetration testing reports, automated scan reports (e.g. static application security testing (SAST), dynamic analysis security testing (DAST), interactive application security testing (IAST), network scanning), video surveillance feeds, user guides, documentation around access controls, and more. There are also many tools and gadgets that can be purchased for fairly low cost to do reconnaissance and exploits with things like WiFi antennas with extended range, RFID sniffers, and USB mice with flash storage inside them.

AS: How can leaders help balance the demands of the job while creating a sense of camaraderie among their teams?

NH: Most red teaming engagements are performed in teams of two or more. It’s important for the team to work cohesively together and help complement each other’s strengths. Building a team with a good mix of both technical and non-technical skills is important for success. Successful leaders will assign specific roles for each team member focused on harnessing their strengths, and also ensure that the team works together to brainstorm and create plans and strategies on how to accomplish specific objectives outlined in the engagement.

AS: What background or qualifications are beneficial for a red team professional?

NH: Professionals with military and law enforcement backgrounds are a valuable addition to a team because they can help navigate the legal and physical security aspects of an engagement. And it’s critical to have professionals on the team who have the resources and technical expertise to be able to identify and exploit vulnerabilities in software systems to find ways to circumvent security controls and accomplish the objectives of the engagement.

AS: Is there risk for red teams to get in trouble with the law while participating in an engagement?

NH: There have been some incidents, but they are very rare. Typically, during Red Teaming assessments, the assessors are provided with a “get out of jail free” letter that they are required to carry throughout the engagement. These letters have details provided regarding the engagement, who the sponsor is, and contact information of the client to call and confirm the rules of engagement and scope of the assessment by law enforcement. The cyber security community typically isn’t worried about their assessors getting arrested and facing criminal charges, because they were performing the work on behalf of an organization, and they have contractual languages that protect them.

Red teaming professionals certainly have their work cut out for them, as cyber security adversaries continue to evolve and find new ways to access sensitive systems and data. Let this article be a reminder to thank red team assessors next time you see them – and talk with them about how IT and security leaders can better enable them to work collaboratively, use all available resources, and use their creative, yet technical, minds to help organizations assess security threats and ultimately improve their security posture.

click here to read our technical blog
Back

Aligning Stakeholders, Protecting Against Malicious Insiders, and the Reality that Nothing is Purely Internal Anymore

Starting and Growing a Cyber Security Program

When joining any new company and trying to build the security program, it’s important to listen and seek to understand the business’ goals and objectives. At the end of the day, we’re not doing security for security’s sake or because it’s cool or because somebody told us to. We’re implementing security controls and policies in a commercial setting – or in any setting – for a purpose. We want to support the business. We want to drive more business. We want to grow the company. We want to create a reputation with customers of trustworthiness.

Fully understanding the business motivators for the company is critical. You need to understand and embrace the corporate organizational goals, mission, and the short- and long-term objectives the organization wants to achieve. It’s with this information at hand, you can then develop your own strategy to support these initiatives.

For example, when I joined Demandware, the company had just gone public a few months prior pushing for a shift in priorities and strategy – one of which was the desire to provide the SOC2 report to customers. The ask (and need) was urgent, leaving my first order of business to make sure we were able to fulfill these contractual obligations and support the goals of the business. First, I assessed their security organization and determined I needed someone who could help organize all the compliance-related work and audit enablement that goes into a project of that scale. So that’s where we started. We built the organization and team as we moved forward and took note to other areas we needed to work on, and hiring the right talent to fulfill the need.

As you build out your security program, start from the core deliverables that you need to focus on first, identify and prioritize your gaps, and you can fill those as you go.

The Criticality of Aligning Stakeholders

Companies are starting to realize that skimping on security will eventually get you into trouble. However, I think people generally can’t properly assess the likelihood of risky events. The typical response, or mentality almost innate to most human beings is: “This would never happen to me/us.”. We either overestimate the risk by orders of magnitude or completely underestimate the probability. People have a hard time properly predicting the likelihood of something happening, and that is a challenge that still gets in the way today in security organizations.

Today, many of the more mature security programs are focused on driving security from a risk-based perspective. Understanding where you shine, where you’re not so good, the overall risk to your company, and alignment to business strategies, gives you a much better chance to be heard and given the resources to build a security program that is meaningful to your stakeholders.

An old adage that I think fits the industry well is that “a good compromise means all sides are equally unhappy,” and I think that’s really what we need to strive for. We cannot have perfect security; it would either not be supportive of corporate goals, be too expensive, or both. In parallel, we cannot completely ignore some of the risks and threats we are seeing in today’s environment. Finding the right middle ground is the key here. Modern day risk-based analysis tools can give make it much easier to make some of these calls.

The Ultimate Security Challenge: Malicious Insiders

An important distinction should be made between the unintentional insider, the complacent insider, and the malicious insider. The unintentional person is someone who accidentally clicks on a phishing email and makes a mistake. The complacent person isn’t necessarily working within the framework that everyone agreed to but isn’t necessarily intentionally working against it.

Then there is the malicious insider, which is one of the hardest problems to solve for in security. Solving this problem is incredibly difficult – you essentially have to go into the psychology of people to understand if you’re dealing with a disgruntled employee or someone who lost loyalty to the company and wants to capitalize on the opportunity.

Determining the right level of technical and security awareness, monitoring, and controls your organization will spend for depends on how you define your threat profile and what you want to protect against. If you truly want to protect against a motivated attacker with sufficient funds and deep insight into your organization, then you’re going to need to spend a lot of money on tools, put forth a lot of effort on developing proper processes, and most importantly, provide rigorous training for your employees to help identify and report anything they deem suspicious. You’ll also need to check your employees’ activity, intentions, running baseline analysis, and effectively doing background checks to figure out their true motivations. This is incredibly challenging and goes way beyond what most small and medium businesses would ever consider. Even for larger enterprises and governments, it can be quite difficult to manage and defend against malicious insiders.

As you think about your threat landscape, understanding who the threat actors are that you want to protect yourself against should be the input into what kind of control mechanisms you decide to put in place.

Is Anything Internal Anymore?

I don’t think there’s anything purely internal anymore. Especially during COVID-19 and the various lockdowns and restrictions that we have in place. For example, at LogMeIn, we have 4,000 offices now ­– every single employee home office – and there really isn’t an internal network that could provide an adequate level of protection. Employees have to be able to connect from anywhere at any given point in time (circling back to business goals and objectives). Back in March, Security leaders who thought that VPN was the best solution for everything have seen the scalability limits of that approach. I think companies that have been more aggressive in terms of adopting SAS and zero trust approaches have had a somewhat easier time adjusting their business processes to a rapidly changing environment.

As long as you rely on the special privilege associated with the presence on a particular network or physical presence in a particular area, your scalability and agility suffer a lot. I think the right approach to solving these kinds of problems is to treat every network as a hostile network. There is no inside protection.

Obviously, you have firewalls around your environment and don’t let everybody in, but this only slows down the adversary – doesn’t stop it. The appropriate protection against adversarial activity requires that your sensors, tools, and Sec Ops teams are capable of detecting noise made by the adversary and eradicating them. Just relying on firewalls as the only way to protect yourself is a dangerous and slippery slope. At the end of the day, if somebody does sneak through the front or side door, and establishes a beachhead within your perimeter, a lateral movement becomes incredibly easy.

The line between internal and external assets has been blurred over time, especially with connectivity and mobility. Employees are now bringing their laptops home and have access to VPN on their personal tablets and smartphones. Accepting the change in how we work will only benefit organizations in the long term, and leaders need to think critically about how they’re going to approach this change.

There is no internal network that is special – or truly internal anymore.

Words of Advice

In closing, below are some words of advice that I live by in our industry.

  1. Communication starts with listening,
  2. Context matters a lot.
  3. Building durable relationships with stakeholders is the most important thing you can possibly do if you want to be successful in our line of business.

Discover why security operations teams choose NetSPI.

X