Written by John Stasick (Microsoft) and Jake Mowrer (Microsoft)
Introduction: A Critical Question, A Critical Reality
“Top news today, <insert company name here> announced that their systems were breached by hackers dating back to at least 6 months ago. Details are currently limited on what information was taken and the full financial impact of the incursion.”
It seems like every day we see another announcement of another security breach in another enterprise. CIOs and CISOs are being asked by their CEOs and their Boards of Directors, “how do we ensure that we don’t end up as the next security breach headline?” It’s a critical question (probably the most critical question facing IT today). And it’s being asked in the face of a critical reality: IT spending will only increase 0.6% in 2016. The business, along with their partners in IT, have their work cut out for them!
The focus of this whitepaper is to revisit some concepts that aren’t necessarily new but are sometimes discounted or misinterpreted. Our hope is that the information in this whitepaper will spark new ideas and drive new actions as we collectively work to keep our companies and businesses one step ahead of the bad guys and the data breach media circus.
These are the 9 things that cannot be overlooked in the new (and continuously evolving) era of enterprise security.
#1: The keys to the kingdom
The new security perimeter is identity. It is the common denominator of corporate access and dictates a user’s access and permissions across networks, devices, apps and data. Regardless of if you’re a CEO or the dock foreman, you have a corporate identity. Identity, is literally and figuratively the key. It’s important to call this out so that it’s not lost while companies spend cycles protecting their endpoints. No matter how much you protect your endpoints with anti-malware, or your data from a Data Leakage Prevention (DLP) perspective, a stolen identity will get past all these countermeasures. You can build bigger walls with more sophisticated firewalls and stack layers of Intrusion Prevention Systems (IPS) behind them, if I look like someone that’s been in the castle before, I’m getting in!
Key take-away: Always assume that a set of your corporate identities have been reused, are for sale, are replicated in a 3rd party cloud or are still being used to access corporate data and assets even after separation/termination.
#2: With friends like these…
When we talk with customers about various security concepts and countermeasures, it’s common to hear, “Our trust model is simple: trusted devices are inside our network, any device external to our network is untrusted.” So, if a device inside your network becomes infected with malware, is it still trusted? Of course it shouldn’t be, so the model does not hold up in practical execution. We must always operate under the assumption that there are devices and servers on our network that are already compromised at any given time. The goal then becomes identifying these compromised assets and quarantine them as quickly as possible. The tricky part here is that there is no single sure-fire way to insure against compromise and it is also becoming increasingly difficult to detect compromised hosts, which leads to our next two concepts.
Key take-away: You must adopt an assumed breach posture. You’ve already been compromised — the goal is to contain it.
#3: Silver bullets are for werewolves
Another concept we hear often is “Isn’t two factor authentication good enough?” or “we already have the #1 rated prevent-the-breach solution available.” In reality there is no one single silver bullet process, procedure, or product that will provide complete defense against attackers. Instead, by constantly asking the question “If the attacker gets past this, what’s our next line of defense/offense?” We’re not building a better mouse trap; we’re building a maze full of mousetraps! Using MFA as an example, the specific question becomes: “If the attacker is able to steal the user’s token/phone used for the second factor and is able to get into our network, how will we find them?” That kind of question will lead to the right kind of answers. In the MFA scenario, one such answer would be to employ user logon behavioral analytics solution. The attacker may have the credentials and second factor but they don’t have the user’s system use pattern, allowing a behavioral analytics platform to alert the suspicious activity for containment. This type of “what if” thinking will drive a continuous cycle of security posture improvement.
Key take-away: You must take a layered approach to all security initiatives/solutions, where the next layer is always challenging the previous one.
#4: Hiding in plain sight
Signature based malware detection is still important but we can no longer rely on this technology solely to detect compromised systems. To illustrate this point, let’s use the DLL injection method as an example scenario. The more sophisticated attackers are using advanced techniques such as hot-patching as a means to silently inject malicious DLLs into running processes. Antimalware products typically don’t catch these because they are looking at non-system processes for DLL injection methods. So what are we to do? What if there was a way that we could evaluate a large number of hosts and see that an increasing number of them have begun to act out of character but in a common way among each other. This is where cloud powered machine learning coupled with telemetry from a very large sample size of hosts (think hundreds of millions) can help identify these unknown malware specimens and thwart an attack before it grows out of control.
Key take-away: When it comes to sophisticated attacks, it increasingly “takes a village” to identify them. The new cloud security model requires putting very large telemetry sets and computational power to work on your behalf.
#5: Humans take the path of least resistance (usually)
Security awareness and education programs can make a big difference in improving overall security risk (anti-phishing email training is a great example where there is always a return on investment). But when awareness programs morph into new policies where the burden of execution is put on the end-users, new risks are introduced. Here is a common example:“If passwords are the weakest link, we’ll just force our users to have better passwords.” While this may sound like a good idea, what usually ends up happening is that a user will be so proud of that secure password you made them create at your company, they’ll use it outside of work too. The danger here is that through some simple social engineering or if one of those external systems (that use that fantastic password) gets compromised, the attacker has a password to the user’s credentials on your company network! Let’s face it, every online storefront that we use doesn’t have the luxury or the bank roll to have state-of-the-art security countermeasures. Instead of leaning on password complexity in this scenario, look to other measures to protect credentials such as multi-factor authentication, conditional access and compromised credential threat reporting tools to solve this issue.
Key take-away: Doubling down on end-user security policy and relying on end-user compliance will often result in bad end-user habits, workarounds and a compromised security posture.
#6: If it ain’t broke, don’t change it?
Speaking of end-users, believe it or not, they absolutely hate VPN. Having to use a VPN is an unnatural motion for a user that is just trying to get something done at work. And VPN solutions are not exactly known for being user friendly and can be frustrating when you are in a hurry (which is always). The truth is, VPNs are good for some things but shouldn’t be the standard for remote access. Instead, the recommended alternative is to publish an internal site externally using a reverse proxy. This is a solution that can yield quizzical looks by some companies as the “gut reaction” can be to infer that this is not a secure alternative. Let’s evaluate that. When a user VPNs into the company network, their computer essentially creates a secure session back into the corporate network. Once VPN’d in, the user and their machine, which are typically outside the safety of the key card locked corporate walls and controlled/monitored networks, are now sitting on the corporate network. The user can get to file servers and other resources that are probably unnecessary for them to access just to get the task done that they VPN’d in for in the first place. Reflecting on the fact that 63% of confirmed data breaches involve weak, default, or stolen passwords, VPN becomes a popular conduit for attackers.
Now consider publishing an internal web site for use externally via a reverse proxy. While it is still possible for an attacker to compromise the system hosting the Web site through a code vulnerability in the site (not a dig against developers, just a possibility), you are not relying on passwords as the primary method of protection before granting gaping access to the corporate network! If you do use VPN, please make sure you are requiring 2FA/MFA to help protect against weak, default, or stolen passwords.
Key take-away: Yes, it is possible for security solutions to delight users, improve productivity, and save money while improving your posture.
#7: It’s all about the data, and the bass, not treble
Another area of potential end-user delight can come from the usage of SaaS applications. However, cloud based apps and file storage and can scare IT organizations (regardless of which company hosts the cloud). The unfortunate thing about that possibility is that IT governed cloud based file storage can help your users be much more productive and give them less reason to store company data in a non-IT governed cloud. There, we said it. When you look at studies that show that 8 out of 10 employees admit to using non-IT approved SaaS apps , it would be foolish to think that there isn’t some type of company data in those apps. So what do we do? First, we should look at why IT groups don’t want to approve a cloud based file storage solution. The most common reason we hear is “how do I know a user won’t upload some document to the cloud storage and share it out to the world?” This is very controllable in enterprise class cloud file storage providers. In additional, with the emergence of Cloud Access Security Broker (CASB) technology, this is 100% manageable. Pile on information rights management which is also integrated into many CASBs and you have a solid solution to provide to your users. Give your users a solution or they’ll find one for you (and you might not like it)!
Key Take-away: IT can absolutely regain full control and security over SaaS apps and cloud storage with the correct solution.
#8: False sense of security
Sometimes the solutions you put in place to detect advanced threats won’t actually help you detect them. Let’s take SIEM (Security Information and Event Management) solutions for example. These systems essentially pull in mass amounts of log data from pretty much any type of system you run in your company. One example of data that SIEM’s collect are Windows logon security events that detail information about users logging into Windows systems. With techniques such as Pass the Ticket (PtT) used in many advanced persistent threat examples, these attacks can only be detected at the network packet level making them invisible to SIEMs that rely solely on Windows event data alone. Typically, when discussing this topic with companies, this information comes as a surprise to them. To detect a technique such as PtT, you have to dig into the network packet level and have an advanced rule engine that can look for telltale signs of the attack. There are products on the security market today that can analyze network traffic to find these types of attacks and are worth investing in. SIEMs are still worth the investment, especially when you have an auditor ask you to provide every place XYZ user has logged in for the last 90 days! Just don’t believe they will tell you everything about what’s going on in your computing fabric.
Two-Factor or Multi-Factor Authentication (2FA/MFA) are additional examples of solutions that companies sometimes believe will provide them protection from techniques such as Pass the Ticket (PtT). 2FA/MFA is a fantastic (and required) security solution in the new world, but, unfortunately, due to the nature of how PtT works, 2FA/MFA is not effective to protect against this increasingly common technique. However, in this example, other practices and technologies are effective, such as Privileged Access Workstations and Credential Guard in Windows 10 Enterprise Edition.
Key Take-away: Marketing and sales hype don’t always live up to practical execution. Ensure you understand the practical limitations, gaps and overlaps of all of your security components.
#9: Head in the sand
Let’s talk about penetration testing for a moment. This is another area where we see companies need to be a bit more aggressive. The days of pen testing on your network and against your external facing entry points is just not enough anymore, it’s time to think more aggressively. For example, if you are a retailer, do you run pen tests starting inside a store as the entry point? If not, it’s something to consider. For all businesses, consider performing phishing campaigns against your own email users. Plug a Raspberry Pi based sniffer into a network port in a conference room, what were you able to harvest? These are just some examples, for a look at what modern pen testers are doing these days, take a look at this article featuring a company named RedTeam Security. The infrared and RFID concepts are very interesting, entertaining, and scary all at the same time.
Key Take-away: Continuous testing of your security layers and vectors of entry is a key component of any long-term posture improvement strategy. Human error, corporate crisis and new, advanced threats can compromise the best security plans.
That’s all folks
While the information in this whitepaper is probably not Earth shattering, we wanted to review some security topics that we see come up time and time again when talking with businesses both large and small. The only way we’re going to keep the bad guys and gals out is by working together, sharing what works and what doesn’t. Our hope is that this whitepaper is provokes some new thoughts and will encourage more collaboration between businesses to keep our systems safe and secure.
 Verizon 2016 Data Breach Report