Aspirational versus Actual. It has been a mantra of mine for some time; an epiphany, if you can call the final realization of the obvious an epiphany. This dichotomy is the root that bears the symptoms of the IRS, Target, Chase, Sony, Home Depot, etc. Our strategies, controls, energies, discussions and tools are all predicated on an Aspirational understanding of our battlefield. We believe that our network is built to match that pretty Visio diagram, that our applications will work just the way we hoped they would when coded, that third-party connections are tight and clean, that patches are always applied, and that the truly worrisome attacks will be done by a very small handful of only the best and brightest, fervently dedicated adversaries using tools in the statistical six-sigma tail (0.0000001973%). With this aspirational focus we chase tools we hope will cover as much of our battlefield as we can: touching every server, inspecting every packet, analyzing behavior to divine the intent of each executed function and activity. And yet, in 60% of cases attackers are able to compromise an organization within minutes, and 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published [1]. The Aspirational is easy to pontificate on; the Actual requires hard work and professional risk. The Aspirational can be explained away after a breach with a "Well, you know, security can never be 100% perfect." The Actual is stepping up to become a true officer of the organization, being informed, and informing overall business decisions. It is our duty to become evangelizers of the Actual. What are the actual access rights within my environment and how are they being used? What does my network really look like and how does it morph? How are applications truly behaving? What is the complete lifecycle (or "kill chain") of an action within the environment?
A key component of our controls and our knowledge centers on access. It is the Keeper of the Keys for every impact within our environment, whether the nefarious actions of an attacker, the legitimate activity of an employee, the insider looking to augment their income or make the company pay for some grievance, or the innocent error of an authorized person or application that bears unintended consequences. The concept of Access Control, with its mantra of the Principle of Least Privilege, enjoyed a Renaissance with SOX but has resumed its place among the Sisyphean tasks, as we never really moved past managing our Aspirational views of access. We can tackle the structured data in databases fairly easily; the challenge is the unknown unstructured data in file shares, in directories, on SharePoint, as it grows, travels and multiplies. Who is responsible? Who owns that data? Who has access to it in its many forms and multitude of locations? Who actually accesses the data? When? How often? What is the behavior of access now? Later today? In three months? These are the questions of the Actual Acolyte: the questions that need to be answered to make informed decisions, refine processes, engage business and data owners about data hygiene, and influence data architecture, so an organization can begin to control how the business Actually works instead of aspiring to some concept.
But wait! Haven't the answers to all these questions been proffered before? Yes, they have. But those tools focus on collecting data, kind of like cleaning the kitchen by stacking the dirty plates very neatly next to the sink. Scalability is a challenge as data continues to grow at a rate that boggles even Moore's vision. We still require legions of staff to pore over the data, because it hasn't been culled, merely collated. Our aspirations still presume a "decide and recover" operation: change an access and hold your breath waiting for the phone to ring with a legitimate user complaining. We don't have to live that way, in fear of the eventual disillusionment of our Aspirations. There are emerging technologies that begin to bring awareness of the reality of our unstructured data: the ability to retain real-time Actual awareness beyond the quarterly point-in-time glimpses. One of these tools I have experience witnessing in action comes from STEALTHbits.
Moving to Actual requires three main components: knowledge, facilitation, and empowerment. We cannot make any reasonable decision without being informed: where is the critical data we care about? We can find Personally Identifiable Information (PII) in that unknown wilderness of unstructured data. But once you find it, collation alone does nothing to enable better decision making. We now have the ability to derive ownership and criticality of the data based on location, content, and actual activity on that data. This operationalizes some of the heavy lifting of prioritizing the targets for true analysis that will shape and inform our decisions and influence our architectures and strategies. Lastly, we need to actually be empowered through our tools to act on our knowledge and our prioritization, to meaningfully begin to move the needle on our risk posture. Events over the past seven years demonstrate we aren't moving that needle to the extent we should. I believe the root is our Aspirational bias. The cure is a move to the Actual, and we need to start with our foundational Actual access awareness and controls. We need to achieve this in a way that respects and develops a healthy, sustainable security organization: tools that enable enthusiastic, potential security professionals to learn the reality and that empower their creativity in tackling the challenges. STEALTHbits is a worthy and capable technology in our pursuit of turning the tide in this cyber security war.
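The access questions posed earlier (who has access, who actually uses it, when, how often, and who should own it) and the three components above can be worked from two artifacts most shops already have: an ACL dump of a share and its file-access audit trail. The following is an added example, not STEALTHbits code and not from the original post. The ACL entries, audit records, paths and accounts are all constructed; the record shape assumes a per-user audit feed such as Windows Event ID 4663 or a NAS audit log. It shows finding PII by content, inferring an owner from actual write activity, and flagging entitlements that nobody has exercised within a review window, so a least-privilege decision rests on evidence rather than on a quarterly snapshot.

```python
"""Entitlement-versus-usage review over constructed file-share data.

Added example: the ACL, the audit log, and the accounts are invented.
The audit record shape (timestamp, principal, path, access type) is an
assumption modelled on Windows Event ID 4663 / NAS audit feeds.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed ACL dump: (share path, principal, rights). Not real data.
ACL = [
    (r"\\fs01\finance\payroll", "CORP\\alice", "Modify"),
    (r"\\fs01\finance\payroll", "CORP\\bob", "Read"),
    (r"\\fs01\finance\payroll", "CORP\\carol", "FullControl"),
    (r"\\fs01\finance\payroll", "CORP\\Domain Users", "Read"),
    (r"\\fs01\hr\onboarding", "CORP\\dave", "Modify"),
    (r"\\fs01\hr\onboarding", "CORP\\erin", "Read"),
]

# Constructed audit log: (ISO timestamp, principal, path, access). Not real data.
ACCESS_LOG = [
    ("2015-06-01T09:12:00", "CORP\\alice", r"\\fs01\finance\payroll", "WriteData"),
    ("2015-06-02T10:05:00", "CORP\\alice", r"\\fs01\finance\payroll", "ReadData"),
    ("2015-06-03T11:40:00", "CORP\\alice", r"\\fs01\finance\payroll", "WriteData"),
    ("2015-06-03T14:02:00", "CORP\\bob", r"\\fs01\finance\payroll", "ReadData"),
    ("2015-06-10T08:30:00", "CORP\\dave", r"\\fs01\hr\onboarding", "WriteData"),
    ("2015-06-11T08:31:00", "CORP\\dave", r"\\fs01\hr\onboarding", "ReadData"),
    ("2015-02-20T16:00:00", "CORP\\erin", r"\\fs01\hr\onboarding", "ReadData"),
]

# Fixed "now" so the review is reproducible; assumed, not taken from the post.
NOW = datetime(2015, 6, 15)

# SSN-shaped content: rejects area 000/666/9xx, group 00 and serial 0000,
# which trims the most common false positives from a bare \d{3}-\d{2}-\d{4}.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def parse_log(rows):
    """Turn raw audit rows into (datetime, principal, path, access) tuples."""
    return [(datetime.fromisoformat(ts), who, path, access)
            for ts, who, path, access in rows]


def access_profile(log, path):
    """Who actually touches `path`, and how often (the Actual, per principal)."""
    return Counter(who for _, who, p, _ in log if p == path)


def last_access(log, path):
    """Most recent access per principal for `path`."""
    latest = {}
    for ts, who, p, _ in log:
        if p == path and (who not in latest or ts > latest[who]):
            latest[who] = ts
    return latest


def stale_entitlements(acl, log, now, window_days=90):
    """ACL entries whose principal has not used the path within the window.

    Returns (path, principal, rights, last_seen_or_None). Group principals
    such as Domain Users never appear directly in a per-user log, so they are
    always reported here; that is intended, because a broad group grant on a
    payroll share is exactly what a least-privilege review should question.
    Resolving group membership is out of scope for this example.
    """
    cutoff = now - timedelta(days=window_days)
    stale = []
    for path, who, rights in acl:
        seen = last_access(log, path).get(who)
        if seen is None or seen < cutoff:
            stale.append((path, who, rights, seen))
    return stale


def infer_owner(log, path):
    """Likely data owner: the principal with the most writes, falling back
    to the most active principal overall, or None if nobody touched it."""
    writes = Counter(who for _, who, p, a in log if p == path and a == "WriteData")
    if writes:
        return writes.most_common(1)[0][0]
    profile = access_profile(log, path)
    return profile.most_common(1)[0][0] if profile else None


def find_ssns(text):
    """Content-based PII hit list for a file body or extracted text."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


if __name__ == "__main__":
    log = parse_log(ACCESS_LOG)
    for path in sorted({p for p, _, _ in ACL}):
        print(path, "owner:", infer_owner(log, path), dict(access_profile(log, path)))
    for path, who, rights, seen in stale_entitlements(ACL, log, NOW):
        print("STALE", path, who, rights, "last seen:", seen)
    print(find_ssns("constructed content: 123-45-6789 and 000-12-3456"))
```

Running the review on this data flags carol's FullControl and the Domain Users grant on the payroll share (never exercised) and erin's read on onboarding (last used outside the 90-day window), while alice and dave are inferred as owners from their writes. Those three stale rows are the prioritized targets to take to the business owner; the remainder need no conversation.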
Business Partner Services, Inc. (BPS) comprises a team of seasoned advisors with decades of experience successfully running security organizations, well networked in the Information Security, Data Governance, and Risk Management community. Drawing on our knowledge of the industry, BPS Inc. has a successful track record of excellent customer experience, navigating our clients toward innovative technology and capability they might not otherwise have considered. BPS Inc. has leveraged this experience to demonstrate a high ROI in time, money and resources for our clients.
[1] Verizon 2015 Data Breach Investigations Report
Mr. Corbin Nash has held several C-level positions in his 20-year, innovative, technology-focused career, building successful business-enabling security organizations and consulting with Boards of Directors and executive staff on areas of risk management. Most recently he has been CEO of a successful security consulting and reseller firm focusing on emerging security technologies to address current and future threats. He advises several emerging, innovative security technology companies. He was interim Chief Information Security Officer at American Express, evolving their program from compliance-driven to risk- and business-oriented. As a member of FS-ISAC, he has been consulted by the FBI on the cyber-attacks targeting financial services, retail, and critical infrastructure. Mr. Nash directly influenced President Obama's Critical Infrastructure Protection Executive Order around cyber security, has been responsible for influencing PCI, and has brought two Fortune 200 companies to Tier 1 compliance. For this reason, he understands the true threat landscape and the effectiveness and challenges of current security controls and capabilities.