It feels like “everything old is new again” with information security. The Federal Government is now declaring “game-changers” in its “Federal Cybersecurity Game-change Research Agenda,” but they sound like they’re really just old-fashioned security fundamentals. And they don’t mention the most important things (in my opinion, at least) that infosec professionals should be doing. Seriously?
These fundamentals of security are so critical – and so often overlooked – that I think it is doing the infosec community a disservice to publish guidance without including them.
Here’s what I’m talking about:
I was just reading some information from the Federal Networking and Information Technology Research & Development (NITRD) program regarding the US Federal Cybersecurity Game-change Research Agenda. I’m glad this effort is happening, but I find it interesting that things like “Defense-in-Depth” and “Trust Anchors” are being treated as “game-changers.” After all, these concepts are core to what I focus on every single day – and have been doing so for the last 12 years or so. The premises behind these two concepts are clear, and well-understood:
- Defense-In-Depth: don’t rely on a single element of security; build layers of security controls that work together to minimize the chance that an attack can get through your defenses unnoticed. Essentially, design your security in a way that minimizes single points of failure.
- Trust Anchors: provide objective means to determine whether systems, data, users, and related components can be trusted, and provide early notification when they can’t be trusted.
If you go to the NITRD link above, you’ll find some good initial reports from the Federal Special Cyber Operations Research and Engineering (SCORE) Interagency Working Group, produced as a result of a couple of workshops they ran earlier this year. But something very important is missing!
Necessary but not sufficient
There is good stuff in a couple of the “Assumption Buster” reports on the NITRD site, “Defense in Depth – Final Report” and “Trust Anchors – Final Report,” but I believe there is a glaring omission from both of these reports: the importance of achieving and maintaining secure configurations on your systems.
The concept is very straightforward, and yields huge benefits:
- Anchor your systems to a trusted, objective standard. This can be a Center for Internet Security (CIS) benchmark, a DISA STIG, or your own internally-defined security standards – just make sure they are explicit, repeatable, and measurable. You can use automated Security Configuration Management products to help you assess your systems against your standard to identify and resolve any non-compliant conditions. This is a key element, as it establishes a known, trusted, and secure state. To me, this is a foundational “Trust Anchor” even though it isn’t mentioned in the NITRD report.
- Establish a baseline of your systems’ configurations. Once you’ve brought your systems up to standard, establish a baseline by taking a snapshot of the state of each and every system (especially the critical ones). This is a core tenet of “Defense in Depth,” because it allows you to quickly assess your systems for any deviations from your known and trusted state. If an attack is successful, it will leave a measurable mark on your systems, and finding differences from your baseline state enables you to quickly measure the extent of any system compromise.
- Continuously monitor for deviations from your known and trusted state. A lot of security products look for suspicious activity, which can be misleading (false positives) and/or overwhelming (lots of noise). The beauty of monitoring for changes in system state is that configurations don’t lie – if something changes, it changes.
By combining trusted configuration standards, system configuration baselines, and continuous monitoring you have a solid foundation for security.
You can further augment the effectiveness of these practices by combining them with other complementary methods to help reduce noise. For example:
- evaluating each change vs. your policies;
- looking for unauthorized changes;
- evaluating who’s making the changes and which method they are using;
- using event logs to determine the source of the change; and
- prioritizing alerts based on asset priority, asset risk, or the business service the asset provides.
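To make the three practices above (trusted standard, baseline snapshot, monitoring for deviations) and the noise-reduction ideas concrete, here is a small added illustration in Python; it is not from the NITRD reports or from any particular product. The hardening standard, host names, asset priorities and configuration values are all constructed stand-ins.

```python
"""Configuration baseline and drift detection (added illustration).

A configuration is modelled as a dict of setting -> value (constructed, standing
in for what an agent would collect from a host). We check it against a trusted
standard, snapshot it as a baseline, and later classify every deviation by
whether it violates the standard, whether it was authorised, and how critical
the asset is, so that the resulting alert list is ranked rather than noisy.
"""
import hashlib
import json

# Constructed hardening standard (a stand-in for a CIS benchmark or DISA STIG).
STANDARD = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "sysctl.net.ipv4.ip_forward": "0",
}

# Constructed asset priorities: higher number means more critical asset.
ASSET_PRIORITY = {"db01": 3, "web01": 2, "dev01": 1}


def check_standard(config):
    """Return the settings that do not match the trusted standard (empty = compliant)."""
    return {k: v for k, v in STANDARD.items() if config.get(k) != v}


def snapshot(config):
    """Freeze a known, trusted state: a copy of the settings plus a digest of the whole."""
    canonical = json.dumps(config, sort_keys=True).encode()
    return {"config": dict(config), "digest": hashlib.sha256(canonical).hexdigest()}


def drift(baseline, current, host, authorized=()):
    """Diff current state against the baseline and annotate each change.

    `authorized` is a collection of (setting, new_value) pairs approved through
    change control; anything else is flagged as an unauthorized change.
    """
    findings = []
    for key in sorted(set(baseline["config"]) | set(current)):
        old, new = baseline["config"].get(key), current.get(key)
        if old == new:
            continue
        findings.append({
            "host": host, "setting": key, "old": old, "new": new,
            "violates_standard": key in STANDARD and new != STANDARD[key],
            "authorized": (key, new) in authorized,
            "priority": ASSET_PRIORITY.get(host, 0),
        })
    # Rank: critical assets first, then standard violations, then unauthorized changes.
    findings.sort(key=lambda f: (-f["priority"], not f["violates_standard"], f["authorized"]))
    return findings
```

A real deployment would replace the dict with collected host state (files, services, registry keys) and feed `drift()` from a scheduler, but the classification logic is the same.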
In future revisions of these documents and the Research Agenda, I would like to see system state, hardening, configuration baselines, and continuous monitoring called out explicitly in this guidance. These fundamentals of security are so critical – and so often overlooked – that I think it is doing the infosec community a disservice to publish guidance without including them.
It’s time to get serious about achieving and maintaining a strong information security foundation through the effective implementation of configuration standards and driving continuous accountability.