There is a simple adage in cybersecurity: You can’t defend what you can’t see. But as visibility has become increasingly critical to effective network protection, it has also become much more difficult to achieve. As the number of IoT devices increases exponentially, the scale, scope and even the definition of network has changed dramatically. Multi-cloud deployments and DevOps approaches have dispersed organizations’ data, while ever-increasing degrees of mobility create more and more points of access. Today’s CISOs and their teams must now protect a constantly—and rapidly—expanding attack surface.
“Lacking visibility into the key elements, functions and activities of the network leaves any enterprise susceptible to a potentially devastating cyberattack,” cautions Michael Chertoff, former secretary of the Department of Homeland Security. “While visibility across the entire network and technology stack is important, I would focus on four key areas of visibility that are likely to provide security professionals with the greatest understanding of potential threats lurking on their systems: visibility on devices, visibility on software and code, visibility on network activity, and visibility on access.”
For Tim Crothers of Target, a new approach to visibility begins not by seeing it as traditional passive surveillance, but rather as an ongoing process of gaining understanding and insights into attackers and their motives. Doing this allows security experts the opportunity to go on the offense.
“When we understand that they are looking for locally cached credentials, and why, we can then set up a sting,” Crothers explains. “We can run a script in our local hosts that caches fake admin credentials—knowing there is no legitimate business use for harvesting credentials—and wait for them to take the bait. A cybercriminal that has gained access to a network has no way of knowing whether nabbed credentials are valid until they try them, and when they do, they trip a series of alarms and fail-safes that prevent them from going any further.”
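The detection side of the sting Crothers describes, as an added illustration that is not code from the book or from Target: any authentication attempt that names a planted decoy account is an alert, whether it succeeds or fails, and the attempts are grouped by source address so the host the attacker is working from can be isolated. The account names, syslog-style record format and addresses are all constructed for this example.

```python
import re

# Constructed decoy accounts: the fake admin credentials cached on hosts.
# No legitimate process ever authenticates with these names, so any attempt is a signal.
HONEYTOKEN_ACCOUNTS = {"svc_backup_admin", "da_helpdesk"}

# Constructed sample auth records (an assumed syslog-like key=value format).
SAMPLE_LOG = """\
2024-03-01T02:14:07Z auth host=fs01 user=jsmith src=10.0.4.12 result=success
2024-03-01T02:15:31Z auth host=fs01 user=svc_backup_admin src=10.0.4.12 result=failure
2024-03-01T02:15:44Z auth host=dc01 user=svc_backup_admin src=10.0.4.12 result=failure
2024-03-01T02:16:02Z auth host=dc01 user=jdoe src=10.0.7.3 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def detect_honeytoken_use(log_text: str, honeytokens=HONEYTOKEN_ACCOUNTS) -> list:
    """Return one alert dict per auth attempt that uses a planted account.
    Success vs. failure is deliberately ignored: the decoy password is fake,
    so a failed attempt is exactly what a harvested credential looks like."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in honeytokens:
            continue  # unparseable or a real account: not a sting trigger
        alerts.append({k: m[k] for k in ("ts", "host", "user", "src", "result")})
    return alerts


def suspect_sources(alerts: list) -> dict:
    """Group alerts by source address: the pivot point to contain is the
    machine trying the credentials, not the servers it tried them against."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a["src"], []).append(a["host"])
    return by_src


if __name__ == "__main__":
    found = detect_honeytoken_use(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['ts']} decoy {a['user']} tried from {a['src']} "
              f"against {a['host']} ({a['result']})")
    print(suspect_sources(found))
```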
It is an approach that blurs the lines between visibility and the more proactive strategy of inspection. “Inspection is the safeguard that allows security teams to preemptively stop attacks by finding the lurking ‘known unknowns,’” explains Digital Big Bang author Phil Quade, “the network breaches attempted or already achieved that you know are out there but don’t know where.”
How that inspection occurs can impact a wide range of stakeholders—and how they respond to it often depends on the context in which it occurs.
“Inspection, like all forms of security, is contextual,” writes Ed Amoroso of TAG Cyber. “People feel one way about the thought of security tools in their homes or offices, and quite another way about a surveillance camera on a subway platform at 2 AM. IT teams must explain—and importantly, deploy—inspection tools and techniques in ways that leverage this aspect of human nature. Organizations that can’t make a clear and compelling case for the transparent use of inspection risk losing control of all their data.”
One strong strategic benefit to greater visibility and inspection is the information and insight it offers into a comprehensive failure recovery plan.
“Reducing the time between incident discovery and recovery is a critical element in event preparation,” says Simon Lambe, an information security leader at a national mail service. “Achieving this requires comprehensive asset management and active event monitoring… Unfortunately, far too many security teams don’t even know what resources are connected to the network, let alone being able to prioritize them, which is where asset management plays a crucial role.”
For more information on these advanced strategies for cybersecurity, and perspectives from more industry experts, check out “The Digital Big Bang: The Hard Stuff, the Soft Stuff, and the Future of Cybersecurity” by Phil Quade.