Sir, what if the perimeter died?
We’re seeing a trend for quite some time and I am fairly sure you’ve experience it yourself: enterprise applications are delivered through some kind of cloud, more than ever and employees interact with clouds in their daily work. At the same time, traditional habits of working in the office melt away – in favor of Home Office, mobile work and always-on devices. When previously we could expect most application where run from a server room, being accessed from a desktop on the office floor from the same building or campus…
Nowadays, we see more flexible access patterns:
Even to the point where – the work device may not even be issued by the company, but a device that people own privately. And they access corporate data securely through managed apps. And in the after hours, they play games and stream music and video.
This is happening for quite a while now and probably started when we allowed mobile devices to synchronize e-mail and their calendar when they were outside the corporate network. Similarly, it happened when we allowed an application to be run in the perimeter, to be accessed from employees from inside and business partners from outside alike.
Today, we see applications being delivered in an elastic, flexible model, traditionally run in the datacenter, now serviced from a private cloud and potentially moved to a public cloud and back, depending on demand and required capacity. Software-as-a-Service such as Office 365 or Google and Salesforce make it easy to consume whole applications from the cloud – from anywhere at anytime.
Protect – Detect – Respond
Traditionally, with the perimeter-centric security thinking, obviously, a lot effort and resources go into protecting the assets inside the corporate network. If something from outside wanted access (VPN, etc), it would have to be checked rigorously, and even then, might not be allowed to access the crown jewels from remote. The traditional concept of “inside = good”, “outside = bad” is not state of the art anymore any is going away.
Since this “protect”-centric thinking won’t help us any longer with the perimeter dying, there’s two additional aspects that the industry is pushing now. In fact, not only since yesterday, but for quite some time and these additional aspects should have been in your security planning from day one: Detect and Respond.
The “Detect” and the “Respond” part become far more vital, because the moving parts that sit inside your perimeter and later on outside, will have to be monitored and checked for compliance and health. In case something is not right with them, you want it to shut out from accessing corporate assets as quickly as possible, before damage has been done and your corporate secrets were stolen – and sold.
Detecting and Responding earlier brings the infamous “time-to-detection” time for attackers in a network down from >150 days to … something hopefully far smaller.
You see from the pictures above, there’s no perimeter any more. Clients can exist anywhere – and applications can exist anywhere, in a datacenter you control or in a cloud. That change in architecture makes it hard to put in place traditional control points and traditional firewalling. The perimeter around our precious network and assets (in blue) is going away. So, how do we remediate that the perimeter dying?
Microsoft enforces modern access control through Conditional Access, and the notion of an access context:
- Identity: who is accessing services? Our employees? Partners? What department do they work in?
- Device: what device are they accessing the service on? Do we know it and its health state?
- App: what app are they trying this on? Is the app managed?
- Location: where’s the user on their device? In known network – or allowed region/country?
- Service: what asset of ours are they accessing? Are they interested in our crown jewels or just a commodity service or marketing material?
Evaluation of the access context results in a control being enforced: Granted Access, Blocked Access, or enforcement of Multi-Factor Authentication (MFA) or a managed or domain joined device. This, in effect, turns the access context into the new perimeter.
These controls, in the Microsoft world, can be applied to all services and applications that are integrated with Microsoft’s cloud identity platform. As mentioned above, traditional “inside = good”, “outside = bad” or traffic flow patterns “outside -> inside is bad” is going away. Instead, we’re looking at the access context more holistically. A corporate user on a managed device accessing internal services as well as SaaS services in the cloud may be okay – but a partner who has their own laptop trying to access our file repository from outside Europe may be … undesired. That’s that we’re trying to prevent now. What effects does that have for your Security posture?
- Classify: Ensure you know what and where your assets are. And protect them through an appropriate Access Context -> Controls definition.
- Educate: Make sure your Security staff understand that traditional thinking “inside = good”, “outside = bad” is no longer adequate.
- Learn: Understand how your business intends to run their precious applications – and how you can wrap access context checks around it.
- Improve: Ensure you can collect the appropriate access context insights, to fine-tune your rule set and learn about violations.
- Control: Define what “controls” you need. Typically, everything starts with MFA for identity verification and goes on with device management/device attestation to limit data spill/data leakage.
All of this satisfies some aspects in each of the Protect – Detect – Respond actions.
Behavior-based anomaly detection
With the advent of the cloud came another aspect and technologies to our hands that help with Detect and Respond. By being able to collect unbelievable amounts of data, storing them and applying computing power to them, there’s a lot of conclusions that one can draw from how, where and what users access and need from all your corporate assets. By collecting user logon data and successful access to the resources, Security analysts and data scientists can see patterns of how users work, what data they access and what applications they use. Using this baseline, it becomes possible to detect anomalies from the usual work patterns and alert administrators or shut down access completely:
- When Alice suddenly accesses a service from Moscow, although she’s never worked there before and her office and home is in Berlin.
- When Peter accesses a number of different file servers he’s never accessed before, in rapid succession.
- When Emily dials into VPN at 3am in the morning her time – and she’s never done that before.
- If Sophie downloads lots of documents to her computer and later sends them via e-mail to someone else.
These are just some examples of how behavior-based anomaly detection could help prevent data spill or data leakage from happening. And it doesn’t mean that all of the actions mentioned above should be remediated automatically and access should be denied. It might be legitimate that Emily dials-in at 3am because her deadline the next morning approaches and she lost sleep over that important milestone – you probably don’t want to block Emily…
But each of the aforementioned actions could be first signs of someone’s credentials being compromised or a machine infection or an employee turning against the organization. Learning about these changes in user (or machine) behavior help investigate, Detect and Respond to these incidents if appropriate, ultimately bringing down the mean time of discovery when the bad guys are already here.
Before you walk away...
Closing this article, if there’s a set of To-Dos that I believe you should follow up on, it’s these:
- See and read more about Protect-Detect-Respond at your trusted sources for IT Security. They may call it (slightly) differently, but the concepts aren’t new.
- If you are an Office 365 customer or use Azure AD for applications, look at Conditional Access.
- See and evaluate where you are with Protect-Detect-Respond (P-D-R). If you aren’t at a 33% split between these areas, I encourage you to look over your security strategy and see, if you want to adjust that. I am not saying splitting in three equal parts is the right thing to do for you – but it is a thought-provoking exercise and reality check of where your resources and efforts go
- Is behavior-analytics something you can use in your company / in your country? Which of your trusted vendors for networking, software and cloud offer these capabilities? They come in many forms and factors.