Trust but Verify – A “New” Security Paradigm: Visibility
Updated: May 23, 2020
I want to float a new definition of security. Or rather, how to achieve security. Not as an 8,000 page book of how to do it in practice, but rather as a simple paradigm.
We have the Confidentiality, Integrity, and Availability triad, which is absolutely true. But how do we achieve that?
How about establishing the paradigm that “Security requires full visibility”? Those who know me know I rant and rave a lot about the lack of leadership, collaboration, and involvement on the part of InfoSec managers and CISOs. While everyone else is saying that no one takes InfoSec seriously, that the CISO didn’t have the resources he needed, or that it’s the user’s fault, I say “Blame the CISO.”
I won’t go into that today so I’ll just sum it up with: “Well, all those things are the CISO’s job.” If you want more, just follow or connect with me, check out my posts, articles, etc.
Moving on… Now, the reason I push on leadership boils down to this: The number one root cause of breaches and InfoSec failures is that organisations don’t have visibility into their information security. And that is in large part because of two things:
1. The lack of leadership has led to an approach where issues branch out of control to the point that we have so many things to build controls around that we run out of human bandwidth to stay on top of it. It is simply too complex.
2. InfoSec leaders and managers are not talking to the people doing the actual work, instead relying on enormously oversimplified and often incorrect metrics, not only costing even more visibility, but also losing any feel as to what the real issues are. This is just [poor] human leadership, and it’s a real issue in InfoSec.
So, it boils down to something quite simple: You cannot have full assurance about something if you do not have full visibility to it. You need to be able to see it, fully, to be sure it’s working as expected.
This applies to both the managerial and technical spectrums. From a manager’s view, if you do not build relationships and talk with the people doing the work, and understand exactly what they are doing and what concerns they have (that probably don’t show up on your management report), you won’t know what’s truly going on. You won’t know how to fix it, optimise it, or maintain it, and entropy will inevitably set in. You’ll have a nice pretty report, but the security of the environment will degrade over time in ways that don’t register through your metrics. You won’t even see it happening.
From a technical perspective, I can give you an example of something I’ve seen recently: A patching solution updates Windows registries saying the patch is installed but fails to actually update the binary files. When the tool (or any other tool) then queries a system’s registry to see what patches are installed, it shows the system as fully patched up. This is a technical example of false visibility. This false information will now work its way up and incorrectly influence the decision-making process.
This is why tools have to actually apply secure principles throughout, so they don’t just look like they are doing something which can easily be broken by a glitch, let alone a malicious attacker. Too many vendors sell “for show” technology.
You can absolutely use technology to help maintain complete visibility, but as demonstrated above, you have to take the time to understand the technology to have the assurance it’s telling you the truth. Just like you have to talk to people to find out what’s going on.
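The registry-versus-binary mismatch described above, as an added example that is not part of the original post: Python that treats the inventory record as a claim and checks it against the files actually on disk. The patch ids, file names and hash manifest are constructed, and a set of ids stands in for the registry query (an assumption, not any real tool's output).

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def verify_patch_claims(claimed, manifest, root):
    """Compare what the inventory claims against what is on disk.

    claimed  : set of patch ids the record (e.g. a registry query) reports
    manifest : {patch_id: {relative_path: expected_sha256}}
    root     : directory holding the files to inspect
    Returns {patch_id: [problems]} for every claimed patch that fails.
    """
    findings = {}
    for patch_id in sorted(claimed):
        expected = manifest.get(patch_id)
        if expected is None:
            # A claim nobody can check is a visibility gap, not a pass.
            findings[patch_id] = ["no manifest: claim cannot be verified"]
            continue
        problems = []
        for rel, want in expected.items():
            target = Path(root) / rel
            if not target.is_file():
                problems.append(f"{rel}: missing")
            elif sha256_of(target) != want:
                problems.append(f"{rel}: content does not match patched build")
        if problems:
            findings[patch_id] = problems
    return findings

def demo():
    """Constructed scenario: the record lists three patches, only one is real."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        old, new = b"build 1.0 (unpatched)", b"build 1.1 (patched)"
        (root / "netlib.dll").write_bytes(new)   # patch really applied
        (root / "crypto.dll").write_bytes(old)   # record updated, file was not
        manifest = {
            "PATCH-A": {"netlib.dll": hashlib.sha256(new).hexdigest()},
            "PATCH-B": {"crypto.dll": hashlib.sha256(new).hexdigest()},
        }
        claimed = {"PATCH-A", "PATCH-B", "PATCH-C"}  # what the record reports
        return verify_patch_claims(claimed, manifest, root)

if __name__ == "__main__":
    for patch, problems in demo().items():
        print(patch, "->", "; ".join(problems))
```

A report built from `claimed` alone would show all three patches installed; the check surfaces one binary that was never replaced and one claim with nothing to verify it against.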
This can also be translated into auditing. Or, specifically, why audits do not work and often certify organisations as having a good level of security when they should be sued for negligence: Audits do not operate with full visibility, heck, there’s hardly any attempt to even skim the surface in most cases.
Think of the difference between compliance/perceived security and real security like this: Acme Company has a job opening for a delivery driver. They need to hire someone with a car so he can deliver packages. They ask a candidate, John, “Do you have a car?” John says yes. They then check with “Can you prove it?” John provides a copy of his registration. John has passed the audit. Compliance has been met, we have the perception that all is ok. John can handle this, he is hired. John’s car, however, has no wheels, doors, or engine. It’s sitting in his backyard on concrete blocks, with a tree growing through it. In a functional role you’d notice right away that John wasn’t delivering the expected capability (packages are not being delivered, why?), but in security you probably won’t find out until you’re in the papers because of a major breach and looking into how the hell this happened. You should have gotten full visibility of John’s car before it was too late.
There is a consensus that auditing is not security. This is correct. But the more you audit with visibility, the closer it gets.
This is why when I do consulting for companies I focus on visibility. I drill down into details and pull on every string I can find, each one leading me to multiple other issues. Once we have figured out the real and complete picture, we can start streamlining it, simplifying it, reducing the obstacles to visibility (unnecessary complexity, sometimes through plain old sloppiness, being a big one), and creating effective operational security frameworks that maintain that visibility and leverage it to provide real security, usually at far lower cost.
A lot of people have been hyping up the [in my opinion] abstract, academic, and in-practice impossible concept of “zero-trust.” But what about flipping it around? What about [as near as possible] total-trust? I can see everything, so I can trust it. That is a lot more realistic, and actually practicable in the real world. Something we can aim for that works.
So there you have it. There is no security without visibility, and the ability to maintain visibility is strongly dependent on maximising simplicity and efficiency so that we can achieve that full visibility within our human bandwidth.
Welcome to the new paradigm: Security requires full visibility. Now let’s go secure some stuff for real.