[BreachExchange] WannaCry? You’re Not Alone: The 5 Stages of Security Grief

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jun 22 18:59:13 EDT 2017


http://www.darkreading.com/perimeter/wannacry-youre-not-alone-the-5-stages-of-security-grief/a/d-id/1329178?_mc=sm_dr&hootPostID=c8c9faa8acde3b94c6281b12d9e3ca5b

As breach after breach hits the news, security professionals cope with the
classic experiences of denial, anger, bargaining, depression, and
acceptance.

When it comes to securing the enterprise, the attackers have the advantage.
Defenders are required to protect against every conceivable threat while
the attacker needs only a single attack vector to penetrate a network.

The universe of potential intrusion vectors is vast: faulty authentication
mechanisms, gaps in the perimeter network, legacy applications, and, of
course, human behavior are just a few examples. Unfortunately, enterprise
security teams tend to focus on a handful of information security domains:

Authentication
Patch management and 0-day threats
Malware and endpoint protection
Network security

"Network security" has come to be synonymous with "perimeter security."
Secure the perimeter, the thinking goes, and everything in the datacenter
can operate in an environment of mutual trust. Combined with strong
authentication mechanisms, this produces a comfortable, low-maintenance
state of affairs. Securing only those systems that face the Internet is a
whole lot easier than securing the thousands of servers in the datacenter.

Unfortunately the perimeter is but one attack vector of thousands. As
breach after breach hits the news, security professionals have realized
that securing the perimeter is not enough. And with that acknowledgment,
they are now slowly proceeding through the five stages of security grief.

Denial. In this stage, you, the security pro, believe you can’t be
breached. Your DMZ is locked down, your stakeholders comply with your
policies, and you’ve bought an intrusion detection system (or three). Your
job, then, is pretty easy: keep the firewalls up to date, scan the alerts
every morning, quarantine the occasional malware infection, sleep well at
night. Other organizations are getting breached. What’s wrong with their
security people? They probably don’t have an IDS.

Anger. Slowly, an uncomfortable reality dawns: the average
time-to-detection for an enterprise breach is somewhere around four months.
New attack vectors emerge as headlines in the news. The perimeter is
secure, but your contractors and business partners have access to your
network, so you’re only as secure as they are. Your favorite restaurant/
department store/multinational bank gets hacked, and you spend an
afternoon updating all your recurring payments with your new credit card
number. Meanwhile, the number one malware delivery vector is phishing
emails. Still.

Bargaining. In search of answers, you turn to the booming infosec industry.
There are so many products. So many! You buy them all. The cost of a breach
far outweighs your minimal savings in neglecting to buy the one product
that would have prevented that breach. You switch on all the endpoint
protection you can find. You log everything; your SIEM bursts with event
data. You get thousands of alerts every day. After a while you stop reading
them.

Depression. Another breach hits the news. One of your vendors proudly
announces their product alerted on the breach, which went undetected for
four months as attackers siphoned data out of the fortress. You think about
the vendor, with whom you’ve spent ungodly sums. Will they detect your
breach? You think about the company that got hacked. Are you better at your
job than they are? Is it even possible to be good at this? Is it possible
to be good at anything? You resolve to get drunk.

Acceptance. The next morning, your head is pounding. You sit down at your
desk and unlock your computer. Suddenly, a thought: it’s no longer about
whether you’ll get hacked, and it’s not even about when. You realize there
might be attackers roaming your network right now and you wouldn’t know
about it for months.

So what comes next?

The worst that can happen, you reason, is you get fired. But when the
standard for breach discovery is so low, all you have to do is detect an
intrusion faster than the other guy.

You study defense-in-depth. You deploy datacenter-level visibility. You
monitor for DNS exfiltration, SSL exfiltration, HTTPS exfiltration. You
deploy machine learning for anomaly detection. You audit your partners’
security practices and lock down the partner network. There’s no magic
bullet. You ignore the alerts and start hunting for threats.
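The "monitor for DNS exfiltration" step above is the one item in that list that reduces to concrete detection logic, so here is an added example (not code from the article or from Dark Reading) of the kind of heuristics a hunting team runs over resolver query logs: unusually long labels, high-entropy subdomain strings, and a burst of distinct subdomains from one client under one registered domain. The log format (`<timestamp> <client> <qtype> <qname>`), the sample hosts and addresses, the `tunnel-example.net` domain, and all thresholds are constructed for this example.

```python
import math
import re
from collections import defaultdict

# Constructed sample log in a hypothetical "<timestamp> <client> <qtype> <qname>" format.
# Hostnames, client addresses and the tunnel-example.net domain are made up for this example.
SAMPLE_LOG = """\
2017-06-22T10:00:01 10.1.4.22 A www.example.com
2017-06-22T10:00:02 10.1.4.22 A mail.example.com
2017-06-22T10:00:03 10.1.4.22 A cdn-assets.example.com
2017-06-22T10:00:04 10.1.4.23 TXT q7x2mn9lz4vb8k3pw1rt6hy5cj0ea.data.tunnel-example.net
2017-06-22T10:00:05 10.1.4.23 TXT z8f1kq3wm7vb2nx9rt4hy6pc5jl0d.data.tunnel-example.net
2017-06-22T10:00:06 10.1.4.23 TXT m3k9xw1qz7bv4nl2rt8hy5pc6jf0e.data.tunnel-example.net
2017-06-22T10:00:07 10.1.4.23 TXT b5n2rz8kx1qw7mv3tl9hy4pc6jf0a.data.tunnel-example.net
2017-06-22T10:00:08 10.1.4.23 TXT w1m8kz3qx9bv5nr2tl7hy4pc6jf0g.data.tunnel-example.net
2017-06-22T10:00:09 10.1.4.23 TXT k4q7zx2mw9bv1nl8rt3hy6pc5jf0h.data.tunnel-example.net
2017-06-22T10:00:10 10.1.4.24 A api.example.com
"""
# One constructed query with a single 45-character label (built here to avoid miscounting).
SAMPLE_LOG += "2017-06-22T10:00:11 10.1.4.25 A " + "a" * 45 + ".chunk.tunnel-example.net\n"

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

MAX_LABEL_LEN = 40              # a single label longer than this is suspicious (legal max is 63)
ENTROPY_MIN_LEN = 20            # only score entropy on reasonably long subdomain strings
ENTROPY_THRESHOLD = 3.5         # bits per character; encoded payloads sit well above hostnames
UNIQUE_SUBDOMAIN_THRESHOLD = 5  # distinct names per (client, domain) before we flag


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol strings)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive 'registered domain' = last two labels. A real deployment should consult the
    Public Suffix List so that, e.g., co.uk is not treated as a registrable domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def query_indicators(qname: str) -> list:
    """Per-query heuristics. Returns the names of the indicators that fired."""
    labels = qname.rstrip(".").split(".")
    sub = ".".join(labels[:-2])        # everything left of the registered domain
    reasons = []
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        reasons.append("long_label")
    compact = sub.replace(".", "")
    if len(compact) >= ENTROPY_MIN_LEN and shannon_entropy(compact) > ENTROPY_THRESHOLD:
        reasons.append("high_entropy_subdomain")
    return reasons


def analyze(log_text: str) -> dict:
    """Run per-query and per-client heuristics over the log.
    Returns {(client, registered_domain): sorted indicator names} for flagged pairs only."""
    findings = defaultdict(set)
    unique_names = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                     # skip malformed lines rather than crash the hunt
        _ts, client, _qtype, qname = m.groups()
        key = (client, registered_domain(qname))
        for reason in query_indicators(qname):
            findings[key].add(reason)
        unique_names[key].add(qname)
    for key, names in unique_names.items():
        if len(names) > UNIQUE_SUBDOMAIN_THRESHOLD:
            findings[key].add("many_unique_subdomains")
    return {key: sorted(v) for key, v in findings.items()}


if __name__ == "__main__":
    for (client, domain), reasons in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {', '.join(reasons)}")
```

Run as-is, the script reports the 10.1.4.23 client for both the high-entropy subdomains and the volume of distinct names under one domain, and 10.1.4.25 for the oversized label, while the ordinary example.com lookups produce nothing. The thresholds are starting points; the article's own point is that the alerts are only useful if someone tunes and reads them, so the per-client aggregation is there to keep the output to a handful of lines a hunter can actually follow up.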

You haven’t been breached yet, but you find all sorts of problems. Adware
is everywhere. Your network segments are too broad, allowing for plenty of
lateral movement. Software developers are logging in to production
databases using privileged credentials. Your internal firewalls are passing
all sorts of traffic. Pretty much anybody can access the storage systems.

Finally, data you can use! One by one, you lock down internal attack
vectors. You microsegment your applications and deploy next-generation
firewalls within the datacenter. You implement two-factor authentication
and continuously monitor compliance. You have three columns of Post-Its on
your whiteboard: the security hygiene measures your organization needs, the
ones it already has, and the ones you’re monitoring. Gradually, the
Post-Its move to the right.

You keep hunting the network for threats. Another breach hits the news: the
attackers lurked in the network for three years. You think about the
security teams at that company. Are you better at your job than they are?

You accept it: Of course you are.