We all know the Infosec Triad because it's been drilled into our heads for years: Confidentiality, Integrity and Availability. It even has a cool acronym - C.I.A. But as cool as it sounds, C.I.A. only describes the attributes of the data we are defending. It is going to take a whole other triad, and another acronym, to help us protect it.
Fortunately, that triad exists, though the acronym is far less catchy: Visibility, Accountability, and Defense In-Depth. Each of these elements is in itself a deep subject, and each is haunted by the scary bogeymen of our industry. BUDGET! DIFFICULTY! COMPLEXITY! And… OMG… CULTURE CHANGE!!!!!
In my experience as an information security assessor, I see many levels of information security acumen out there. We all know some organizations are clueless. Maybe many. But even well-run and committed organizations fail to explore these subjects, and many of these will get breached and wonder why. Maybe taking this new triad to heart will help.
In a series of blog posts, we'll explore the depths of each of these three elements. Got your miner's helmet on? Good, turn on your light and let's go.
Visibility is the simplest item in the triad to describe. It comes down to one question: can you identify who or what performed every action on your network?
Sounds easy. In execution, however, this may take an enormous amount of effort, and in many organizations it runs contrary to the company's culture. "You're watching me? Oh my! Who are you, the NSA?" This attitude is changing, but it is still prevalent in many organizations, especially in healthcare and education. People may think all we have to do is be open and transparent and sing 'Everything is Awesome' (remember that song from the Lego Movie? Now it's stuck in YOUR head), but we know better. Trying to explain that we can't have Accountability without Visibility often makes it worse, as some organizations fear or reject Accountability, either because of a historical cultural perspective (i.e. the aforementioned healthcare and education) or because the organizational culture is based on "plausible deniability."
So now we encounter our first, and possibly worst, bogeyman - CULTURE CHANGE.
Users need to know you're watching everything. And, if you can't watch, there is still value in making them think you are watching everything (sort of like having an alarm company sticker on your home, without an alarm). But if you choose the deceptive route, remember: once exposed, always exposed.
How do you achieve visibility?
- Turn on event logs. Everywhere! Just because that server is not sensitive does not mean it can't be compromised and used to compromise sensitive machines. And collect application logs, if possible, especially if the application has its own authentication. There are a number of resources to tell you what to collect and the detail required.
- Centralize and analyze the event logs collected. Now we get to difficulty and complexity. I know – it is a huge amount of data to analyze. But like the cobbler whose kids go barefoot, we seem reluctant to use those little electric thingies in the chilled room – your computers – for our own processes. There are tools (SIM and SIEM tools) as well as managed security services (MSS) that can help.
- Keep your logs. Industry best practice suggests (or in the case of PCI DSS demands) you keep one year's worth of logs, and have three months immediately available. Without log retention, performing forensic analysis of attacks that span long periods like Advanced Persistent Threats (APTs) becomes nearly impossible. Consult (or create, then consult) your data retention policy or your legal department before deciding how long to keep logs.
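The three log steps above, worked through as an added example (this is not code from the original post): a handful of constructed log lines in two assumed formats (sshd/sudo syslog and a key=value application log) are normalised into one record shape, each record is checked against the visibility question by extracting the actor, records that name no actor are flagged, and every record is sorted into the one-year / three-month retention tiers the post cites. Hostnames, usernames, addresses and the fixed clock NOW are all made up for the example.

```python
"""Added example (not from the original post): centralise constructed log
lines from two assumed formats into one record shape, answer "who or what did
this?" for each record, flag records that name no actor, and apply a retention
policy of one year kept with the most recent three months kept hot."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Event:
    timestamp: datetime
    host: str
    source: str             # program or subsystem that wrote the line
    actor: Optional[str]    # who or what performed the action; None = unknown
    action: str


# Constructed sample lines (hosts, users and addresses are made up).
SAMPLE_LINES = [
    "2024-03-01T08:15:02Z web01 sshd[2113]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "2024-03-01T08:16:40Z web01 sshd[2120]: Failed password for invalid user admin from 203.0.113.9 port 40212",
    "2024-03-01T09:02:11Z db01 sudo: bob : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart postgresql",
    "2024-03-01T09:05:00Z app01 billing: user=carol action=export_report rows=1200",
    "2023-10-01T02:00:00Z app01 billing: action=nightly_rollup rows=99000",
    "2023-01-15T12:00:00Z app01 billing: user=dave action=delete_invoice id=42",
]

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

HOT = timedelta(days=90)      # "three months immediately available"
KEEP = timedelta(days=365)    # "one year's worth of logs"
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)   # fixed clock so the example is reproducible


def parse_line(line: str) -> Event:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    host, prog, msg = m["host"], m["prog"], m["msg"]
    if prog == "sshd":
        s = SSHD_RE.match(msg)
        if s:   # the claimed user name is the actor even for a failed attempt
            return Event(ts, host, prog, s["user"],
                         f"{s['result'].lower()}_login:{s['method']} from {s['ip']}")
    elif prog == "sudo":
        s = SUDO_RE.match(msg)
        if s:
            return Event(ts, host, prog, s["user"], f"sudo:{s['cmd']}")
    else:   # assumed key=value application format; actor only if the app logged a user
        kv = dict(p.split("=", 1) for p in msg.split() if "=" in p)
        return Event(ts, host, prog, kv.get("user"), kv.get("action", msg))
    return Event(ts, host, prog, None, msg)  # known program, unparsed message


def ingest(lines) -> List[Event]:
    return [parse_line(line) for line in lines]


def unattributed(events) -> List[Event]:
    """Records that fail the visibility question: nothing identifiable did this."""
    return [e for e in events if e.actor is None]


def retention_tier(event: Event, now: datetime = NOW) -> str:
    age = now - event.timestamp
    if age <= HOT:
        return "hot"
    if age <= KEEP:
        return "archive"
    return "expired"


def retention_report(events, now: datetime = NOW) -> dict:
    counts = {"hot": 0, "archive": 0, "expired": 0}
    for e in events:
        counts[retention_tier(e, now)] += 1
    return counts


if __name__ == "__main__":
    evs = ingest(SAMPLE_LINES)
    for e in evs:
        print(f"{e.timestamp:%Y-%m-%d} {e.host:6} {e.actor or '<unattributed>':14} {e.action}")
    print("unattributed:", len(unattributed(evs)), "retention:", retention_report(evs))
```

The nightly_rollup record is the interesting one: the application did something to 99,000 rows and logged no principal, so the question "who or what did this?" has no answer. That is the gap to raise with the application owner, and it is exactly the kind of thing you only notice once the application log is collected next to the authentication logs rather than sitting on the app server.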
GUARD YOUR NETWORK AND DATA
- Install, configure, tune, and monitor Intrusion Detection (IDS). Take advantage of your SIEM tool or MSS to help with monitoring, and keep an eye on both the external and internal traffic. Devices jump the castle walls (read: perimeter) all the time, and it's getting worse with more mobile devices and BYOD.
- Install, configure, tune, and monitor File Integrity Monitoring (I just seem to think you have unlimited budget, don't I?). At the very least, protect and monitor changes to critical files like device configurations, log files, and security-related files. Know when every critical file is accessed or changed, and by whom.
- Instrumentation. This is something coming down the pike, and it could be huge. There are products being introduced that can be bolted onto applications and networks and monitor them at a deeper level for a number of purposes, including performance and security. If you're lucky enough to have one of these, collect those logs. The application instrumentation may be able to detect vulnerabilities discovered on the fly.
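The File Integrity Monitoring bullet above, as an added example that is not from the original post or from any product it mentions: a minimal monitor that baselines a SHA-256 digest and the permission bits of every regular file under a directory and then reports files that were added, removed, changed in content, or changed in mode. The directory layout and file contents built by demo() are constructed stand-ins for the device configurations and log files the post names.

```python
"""Added example (not from the original post): a minimal file integrity
monitor. snapshot() records a SHA-256 digest and permission bits for every
regular file under a directory; diff_snapshots() reports what changed between
two snapshots. demo() builds a constructed directory tree standing in for
device configurations and log files, changes it, and returns the report."""
import hashlib
import os
import stat
import tempfile


def _digest(path: str, chunk: int = 65536) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file (path relative to root, '/'-separated) to (sha256, mode)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue            # symlinks, sockets etc. are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (_digest(full), stat.S_IMODE(st.st_mode))
    return baseline


def diff_snapshots(old: dict, new: dict) -> dict:
    """Classify every path seen in either snapshot."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        else:
            old_hash, old_mode = old[rel]
            new_hash, new_mode = new[rel]
            if old_hash != new_hash:
                report["modified"].append(rel)
            if old_mode != new_mode:
                report["mode_changed"].append(rel)
    return report


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        # constructed stand-ins for the critical files the post names
        _write(root, "etc/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "var/log/auth.log", "Mar  1 08:15:02 web01 sshd[2113]: Accepted publickey for alice\n")
        before = snapshot(root)

        # simulated changes a monitor should surface
        _write(root, "etc/sshd_config", "PermitRootLogin yes\n")              # content change
        os.remove(os.path.join(root, "var/log/auth.log"))                      # log file gone
        _write(root, "etc/cron.d/new_job", "0 3 * * * root /opt/job.sh\n")    # new file
        os.chmod(os.path.join(root, "etc/hosts"), 0o444)                       # permission change only
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13}", ", ".join(paths) or "-")
```

Two design points carry over to a real deployment. The baseline has to live somewhere the monitored host cannot rewrite (a separate host or separate credentials), because a baseline that anyone with admin on the box can regenerate proves nothing. And the report should go into the same SIEM as the event logs from the previous section, so that "etc/sshd_config modified at 09:02" can be lined up against the sudo record that says who was on the box at 09:02.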
THE OTHER STUFF
- Change Control (groan). This has been around since the beginning of time and is still not baked into the culture. Technical people often hate change control, but it is critical for visibility and accountability. Change control is critical not just for identifying who did what, but who was ultimately responsible for the decision to do it, who is responsible for making sure that it works, and who is responsible for fixing it if it doesn't.
- Don't forget physical security (locks, badges, proximity cards, cameras that are recording and that someone watches, guards, area segregation, clear screen and clean desk, etc.).
How do we get acceptance of this level of visibility in your culture? Well, management support is vital, and it also helps if you handle the next item well – accountability. But we'll dive into that next time.