So, secure....

The meeting with the vendor went well. He showed you the hard facts about how good his product is, how it stopped the worst hackers at this other large tech corporation, and how, since he is such a great guy, he will discount the yearly fee by 20% and throw in an on-site support engineer to help you deploy the solution.
Perfect. You are now more secure. You are following the latest trend of buzzword products. You can check your box under PCI, SOX and the other standards. You are covered.

You gather your senior people and communicate the news. Soon, your company will have the next generation in security monitoring, detection, and ultra-de-lux AI that can accurately (99%!!!!) detect malicious intent by looking at the activity of users. What a glorious day for security. A huge win.

Fast forward 11 months...

The new solution is deployed. The vendor's on-site engineer did an awesome job helping you go through the deployment and helping the Security Operations Center (SOC) ingest the proper amounts of logs and alerts. After a few weeks of running, the system seems to be fine-tuned for your organization. This is good.

It's 9pm. Your phone rings. The number is from your company. You wonder who's calling you so late. You take the call, and a voice says: We have been breached. We discovered a large dump of our customers' private data online. And it's recent! Like, month-old data!

What? How? You have detection and monitoring and AI? How?

Well, two questions: Were the attackers already inside when you deployed the new security measures? Or did they arrive later, and your state-of-the-art AI is not so good after all...? Let's explore them.

At any given moment, whether you know about it or not, your network and systems may be compromised. This is the truth of the world we live in, and it's hard to control. The chance of you discovering it is directly related to the knowledge, capabilities and experience of the attacker.
That is the mindset you have to have. That's what you are dealing with, if you are on the defense side. There is no way around it. You have to assume compromise. You have to assume all your assets "are belong" to the attacker. Get into the adversary mindset and start from there.

So, let's go back to you deploying that new solution. Let's assume compromise. How would you have dealt with deploying the new detection and monitoring? Would you have treated the network as a hostile place already? Would you have worked with the vendor to set the learning curve of the product to a place where compromise was assumed?

Do you see where I'm going with this?

Always assume you are being monitored by attackers. Always assume your networks, endpoints and servers are under the control of your adversary. Once you begin to think this way, then you can begin to put controls around the thing that those attackers want (which is another story, and we will go there in another post).
Next, in thinking like an attacker, proactively scan and search for markers or indicators of compromise. See what's going on around the "lesser" monitored or less important parts of the network. See what's lurking there.
Ideally, you'd hire a good Red Team to help you identify and close the gaps. However, if you can't afford this, or you have a good in-house team, start by researching your footprint towards the internet. Research what your employees and executives are disclosing (often accidentally) to the world. What are your vendors doing with their security? How about your supply chain? Your cloud providers? Are they all secure?

As you can see, it is really hard to be secure. If you assume compromise, if you treat every network and system as hostile, and focus on how to make getting to your data harder, and how to provide the right level of access, then you will begin to see where things can go wrong, and address that immediately.
When deploying the new AI-based monitoring and detection system, fine-tune it for this. Assume a bad guy is already inside. Set the bar really high. See if the "vendor" can now deliver.
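To make the "learning curve" point concrete, here is an added example (not code from the original post, and not any vendor's product) using a constructed 14-day learning window of per-user outbound volume. A naive baseline learns each user's own history as "normal", so an account that was already exfiltrating before deployment gets a threshold it will never exceed; a baseline built with compromise assumed derives the bar from the typical user and flags the learning-window outliers for review before the tool goes live. User names, volumes and the 5x MAD multiplier are assumptions.

```python
from statistics import mean, median
from typing import Dict, List, Tuple

# Constructed sample: daily outbound MB per user during the learning window.
# "mallory" stands for an account compromised before the tool was deployed;
# it has been pushing ~400 MB/day the whole time the product was "learning".
LEARNING_WINDOW: Dict[str, List[float]] = {
    "alice":   [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 14, 13, 12],
    "bob":     [20, 22, 19, 21, 25, 20, 23, 22, 21, 20, 24, 22, 21, 20],
    "mallory": [410, 395, 420, 405, 398, 412, 401, 415, 399, 408, 403, 411, 397, 406],
}


def naive_baseline(window: Dict[str, List[float]]) -> Dict[str, float]:
    """Per-user threshold = 3x that user's own average.
    Everything observed during learning is treated as benign, which is
    exactly the mistake the post warns about."""
    return {user: 3 * mean(days) for user, days in window.items()}


def assume_compromise_baseline(window: Dict[str, List[float]]) -> Tuple[float, List[str]]:
    """One threshold derived from the population's typical user (median plus
    5x the median absolute deviation), so a user who was already anomalous
    during learning does not earn a custom high bar. Also returns the users
    whose learning-window behaviour already breaches it, for analyst review
    before the system is declared "tuned"."""
    per_user = {user: median(days) for user, days in window.items()}
    pop_median = median(per_user.values())
    mad = median(abs(m - pop_median) for m in per_user.values())
    threshold = pop_median + 5 * max(mad, 1.0)  # floor avoids a zero-width band
    suspects = sorted(user for user, m in per_user.items() if m > threshold)
    return threshold, suspects


def detect(thresholds: Dict[str, float], today: Dict[str, float]) -> List[str]:
    """Users whose volume today exceeds their assigned threshold."""
    return sorted(user for user, mb in today.items() if mb > thresholds[user])


if __name__ == "__main__":
    today = {"alice": 30, "bob": 21, "mallory": 500}  # constructed "day 15"
    print("naive alerts:", detect(naive_baseline(LEARNING_WINDOW), today))
    bar, review = assume_compromise_baseline(LEARNING_WINDOW)
    print("assume-compromise alerts:", detect({u: bar for u in today}, today))
    print("flag for review before go-live:", review)
```

With the naive baseline mallory's 500 MB day is silent because her threshold is over 1,200 MB; with the population-derived bar (61 MB here) it alerts, and she is already on the review list from the learning window itself.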

Conversely, once you have the monitoring service in place, don't assume it will be able to detect everything. Attackers are very creative, and they often come up with ways to remain stealthy and exfiltrate data that would surprise even the most seasoned security professionals.

Don't rely solely on software and automated processes for detection. Be proactive and begin to attack yourself, closing the vulnerabilities you find, putting in place a better, more intelligent and proactive way of making it hard for people to move inside and get to the data.

Think like a bad guy.