At SolarWinds, we take reducing attack surface and risk seriously. Using the guiding principles of our Secure by Design approach, we aim to eliminate implicit trust in applications and services and to assume users aren’t secure and are most likely already compromised, regardless of how they authenticated. We call this approach “assume breach.” In our everyday practices, we’re also moving toward single-pane-of-glass observability insights with integrated artificial intelligence (AI), machine learning (ML), and AIOps to speed issue discovery, decrease manual errors, and modernize our digital performance.
Does adopting an assume breach mindset make sense for your business? I worked with our CIO, Chris Day, and CISO, Tim Brown, to create a whitepaper discussing the current state of breaches, critical considerations for building a security strategy, and what we’ve learned in our journey of adopting an assume breach mindset with observability. If you’re interested in diving into the topic, you’ll want to read the whitepaper.
In this blog, I’m taking a quick look at security, why an assume breach mindset is the future of security, and several key elements in achieving an assume breach mindset.
Start by establishing a baseline
When looking to adopt a new security strategy or adapt your existing one to be more effective, you’ll want to establish a baseline. In essence, you need to know the possible risks to protect against them before they materialize. One way to defend against these risks is to mitigate them as if they’ve already occurred.
Here are five key steps to establish a baseline:
- Establish policies for security by assuming a breach will happen and, in most cases, has already happened
- Set forth the proper controls to address new additions to the network, automatically reject devices if they don’t meet the controls, and report back to the security operations team
- Avoid unnecessary network segments, and eliminate segments where unmanaged devices exist
- Classify your assets (both people and things) within the environment
- Understand the inherent risk associated with your users and assets
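As an added illustration (not SolarWinds code or product behavior), here is a small admission check that applies steps two through five of the baseline to a constructed device inventory: each new device is tested against a set of controls, rejected if any fail, given a criticality tier and an inherent-risk score, and written into a report for the security operations team, alongside a list of segments that still contain unmanaged devices. The device fields, the 30-day patch threshold, the criticality tiers, and the segment names are all assumptions chosen for the example.

```python
"""Baseline admission check over a constructed device inventory (example only)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed criticality tiers (1 = low, 3 = crown jewels) and an assumed patch-age control.
CRITICALITY: Dict[str, int] = {
    "domain-controller": 3, "db-server": 3, "workstation": 1, "printer": 1,
}
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Device:
    name: str
    segment: str
    owner: Optional[str]   # None means nobody is accountable for the device
    managed: bool          # enrolled in MDM/EDR and reporting in
    patch_age_days: int    # days since the last OS patch was applied
    role: str              # what the asset is, used for classification


def failed_controls(d: Device) -> List[str]:
    """Controls a new device must pass; any failure rejects it."""
    reasons = []
    if not d.managed:
        reasons.append("unmanaged: not enrolled in MDM/EDR")
    if d.owner is None:
        reasons.append("no accountable owner")
    if d.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"patch age {d.patch_age_days}d exceeds {MAX_PATCH_AGE_DAYS}d")
    return reasons


def inherent_risk(d: Device) -> int:
    """Criticality x exposure, scored before any compensating control is applied."""
    exposure = 1 + (0 if d.managed else 1) + (1 if d.patch_age_days > MAX_PATCH_AGE_DAYS else 0)
    return CRITICALITY.get(d.role, 2) * exposure   # unknown roles default to a medium tier


def segments_with_unmanaged(devices: List[Device]) -> List[str]:
    """Segments the baseline should eliminate or quarantine."""
    return sorted({d.segment for d in devices if not d.managed})


def baseline(devices: List[Device]) -> dict:
    """Admit or reject every device and build the report for the SOC."""
    events = []
    for d in devices:
        reasons = failed_controls(d)
        events.append({
            "device": d.name, "segment": d.segment,
            "admitted": not reasons, "reasons": reasons,
            "inherent_risk": inherent_risk(d),
        })
    return {"events": events, "segments_with_unmanaged": segments_with_unmanaged(devices)}


# Constructed inventory for the example.
INVENTORY = [
    Device("ws01", "user-lan", "alice", True, 5, "workstation"),
    Device("db02", "data", "dba-team", True, 45, "db-server"),
    Device("printer-lobby", "user-lan", None, False, 400, "printer"),
    Device("lab-vm7", "lab", "bob", False, 10, "lab-vm"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(baseline(INVENTORY), indent=2))
```

Note that the well-maintained workstation is the only device admitted: the database server is rejected purely on patch age even though it is managed and owned, which is the point of automatic rejection against the controls rather than a human judgement call, and its high criticality still gives it the largest inherent-risk score in the report.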
Following the five steps above will give you a baseline of what’s actually happening within the environment. Depending on the size and complexity of your environment, however, the details of your approach may change.
Security is an ever-moving target
In addition to establishing a baseline, it’s equally important to accept that your security is never good enough—it’s only as good as it was yesterday. Once you understand this, you know security is a journey of continuous improvement. Over time, you move from good to better to best.
Though 100% secure isn’t possible, resiliency is. You need to determine which risks are least threatening or most easily mitigated once they happen, accept those, and focus on the risks with far more detrimental impacts. In other words, choose the risks you’re willing to accept. Even the most secure organizations have accepted risks. You must know which risks are acceptable and which you need to mitigate.
Embracing cloud services the right way
Cloud, hybrid, and on-premises—each of these deployment models deserves its own security scrutiny. Though most security practices apply across all three, it’s essential to understand which work best in each scenario and which are mandatory regardless of the environment.
Cloud adds complexity to the technical environment. Limitations in the controls and features of cloud tools and services mean inherent risks can be exploited easily if the environment isn’t properly secured. Managing role-based access to cloud services, ensuring every account has a responsible owner with the expertise to run it, and finding and eliminating unknown data leakage or unintended access to specific data repositories all become harder in the cloud. Though some tools make it easier to protect against, detect, and remediate certain types of intrusions, how you architect the environment and which approach you take determines whether you’ll successfully prevent or mitigate an issue in the cloud. This is where concepts like controlled access, access restrictions, and managed devices come into play.
Certain user profiles will inherently need more access to your environment than others. Those who don’t need access to all elements of your network shouldn’t be given it. Where a user profile requires elevated permissions for daily work, the risk exposure is especially high, because under an assume breach mindset a compromise of that account hands the attacker those same permissions.
Some applications allow configurations built on role-based access control (RBAC). Where it’s available, this is the most secure option: RBAC usually allows granular role assignment based on the needs of each user profile, so a compromised account yields only that role’s permissions. Where RBAC isn’t available and broader access is required, you can only protect the data indirectly, for example by ensuring the user is verified by your identity management system and by requiring a multi-factor authentication (MFA) token to reach critical information.
You can also control access to certain information and enforce the policy by implementing a virtual desktop infrastructure (VDI), which allows users to log in to the environment via a VPN connection, perform their tasks, and exit the environment. This approach helps further secure the landscape by ensuring user access is verified when they log in to the VPN, the network is secure, and the systems accessed have internal policies enabled with proper logging and alerting.
One approach to controlling access is establishing systematic access restrictions only a network admin or security engineer can change. Traffic is controlled based on where the packet is coming from, where it’s headed, and who sent the request. If the connection meets the conditions set by the restrictions, the traffic is allowed through and the host grants access. If it doesn’t, it’s automatically rejected and the connection is terminated. This default-deny approach helps protect specific data and network segments based on who is entitled to reach them.
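To make both ideas concrete, the RBAC-plus-MFA point from the paragraph on role-based access and the source/destination/requester restrictions just described, here is an added example of a default-deny rule evaluator. It is illustration code, not a SolarWinds product feature: each rule names the source network the request must come from, the destination network being protected, an optional port, an optional required role, and whether the identity provider must have verified a second factor; the first matching rule allows, anything unmatched is denied, and only principals holding an admin or security-engineer role can change the rule set. The CIDR ranges, role names, and principals are constructed for the example.

```python
"""Default-deny, identity-aware access rules over constructed segments (example only)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_ip: str
    dst_port: int
    principal: str
    roles: FrozenSet[str]
    mfa_verified: bool            # did the identity provider verify a second factor


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str                  # CIDR the request must originate from
    dst_net: str                  # CIDR of the data or segment being protected
    dst_port: Optional[int]       # None = any port
    required_role: Optional[str]  # None = any authenticated principal
    require_mfa: bool


def matches(rule: Rule, req: Request) -> bool:
    """Every condition on the rule must hold; where, where to, and who."""
    src, dst = ipaddress.ip_address(req.src_ip), ipaddress.ip_address(req.dst_ip)
    if src not in ipaddress.ip_network(rule.src_net):
        return False
    if dst not in ipaddress.ip_network(rule.dst_net):
        return False
    if rule.dst_port is not None and rule.dst_port != req.dst_port:
        return False
    if rule.required_role is not None and rule.required_role not in req.roles:
        return False
    if rule.require_mfa and not req.mfa_verified:
        return False
    return True


def decide(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """First matching rule allows; nothing matched means deny (default deny)."""
    for rule in rules:
        if matches(rule, req):
            return ("allow", rule.name)
    return ("deny", "default-deny")


def add_rule(rules: List[Rule], rule: Rule, actor_roles: FrozenSet[str]) -> None:
    """Only a network admin or security engineer may change the restrictions."""
    if not actor_roles & {"network-admin", "security-engineer"}:
        raise PermissionError("rule changes are restricted to network admins and security engineers")
    rules.append(rule)


# Constructed rule set: VDI/user range 10.10.0.0/16, app tier 10.40.0.0/24,
# database segment 10.50.0.0/24, and a single intranet host 10.20.0.10.
RULES: List[Rule] = [
    Rule("dba-to-db", "10.10.0.0/16", "10.50.0.0/24", 5432, "dba", True),
    Rule("app-to-db", "10.40.0.0/24", "10.50.0.0/24", 5432, "app-service", False),
    Rule("staff-to-intranet", "10.10.0.0/16", "10.20.0.10/32", 443, None, True),
]

if __name__ == "__main__":
    dba = Request("10.10.3.7", "10.50.0.5", 5432, "alice", frozenset({"dba"}), True)
    print(decide(RULES, dba))                                   # allowed by dba-to-db
    print(decide(RULES, Request("10.10.3.8", "10.50.0.5", 5432, "bob", frozenset({"developer"}), True)))
```

A DBA connecting from the VDI range with a verified MFA session reaches the database; the same DBA without MFA, a developer, or a DBA coming from an address outside the VDI range all fall through to the default deny. The application tier's service account is allowed without MFA because the requirement is expressed per rule, which is how you keep workload access narrow without pretending a service can hold a token.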
Using honey pots as a deterrent to breaches
Following a layered security approach, honey pots can be set up in specific network segments with deliberately exposed, controlled vulnerabilities as a defense mechanism. The threat actor is seemingly given access but is actually being lured by the security team to a place where they can empirically record their behavior, gather metadata, and produce evidence against the intruder.
This is a tricky approach. If properly configured, the intruder is deterred and real access is never granted. If done wrong, however, the intruder can use the honey pot as a foothold to jump into a different network segment and quickly deploy their payload, so the honey pot segment must be isolated from production with no path out of it that you don’t monitor.
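Because no legitimate traffic should ever touch a honey pot, the detection logic around it can be simple and high-fidelity. As an added example (not SolarWinds code), the following classifies constructed flow-log lines for a decoy segment: anything reaching the decoy is an alert even if the packet was dropped, the decoy calling out to the internet is a payload fetch or command-and-control indicator, and the decoy opening a connection into a real internal segment is the pivot scenario described above, which means isolation has failed and gets the highest severity. The decoy range 10.99.0.0/24, the internal range 10.0.0.0/8, the log format, and the log lines themselves are all constructed for the example.

```python
"""Honey pot flow-log detection over constructed records (example only)."""
import ipaddress
from typing import List, Optional, Tuple

HONEYPOT_NET = ipaddress.ip_network("10.99.0.0/24")     # assumed decoy segment
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed production address space

# Constructed flow records: "<timestamp> <src>:<port> -> <dst>:<port> <proto> <action>"
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 203.0.113.45:51234 -> 10.99.0.10:22 tcp accept
2024-05-01T10:00:05Z 10.10.3.7:44512 -> 10.20.0.10:443 tcp accept
2024-05-01T10:01:10Z 10.99.0.10:40001 -> 10.50.0.5:5432 tcp accept
2024-05-01T10:01:12Z 10.99.0.10:40002 -> 198.51.100.9:443 tcp accept
2024-05-01T10:02:00Z 10.10.3.8:50020 -> 10.99.0.10:445 tcp drop
""".splitlines()


def parse(line: str) -> dict:
    """Split one flow record into its fields."""
    ts, src, _arrow, dst, proto, action = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto, "action": action}


def classify(flow: dict) -> Tuple[Optional[str], Optional[str]]:
    """Return (severity, kind) for a flow, or (None, None) if it does not involve the decoy."""
    src, dst = ipaddress.ip_address(flow["src_ip"]), ipaddress.ip_address(flow["dst_ip"])
    src_is_decoy, dst_is_decoy = src in HONEYPOT_NET, dst in HONEYPOT_NET
    dst_is_internal = any(dst in net for net in INTERNAL_NETS)
    if src_is_decoy and dst_is_internal and not dst_is_decoy:
        # The decoy is reaching a real segment: isolation failed, the intruder is pivoting.
        return ("critical", "honeypot_pivot")
    if src_is_decoy:
        return ("high", "honeypot_egress")   # decoy calling out: payload fetch or C2
    if dst_is_decoy:
        # Nothing legitimate talks to the decoy, so even a dropped probe is a
        # high-fidelity indicator; an internal source suggests a compromised host.
        return ("high", "honeypot_touch")
    return (None, None)


def alerts(lines: List[str]) -> List[dict]:
    """Run classification over flow records and keep only the ones that fire."""
    out = []
    for line in lines:
        flow = parse(line)
        severity, kind = classify(flow)
        if severity is not None:
            out.append({"severity": severity, "kind": kind, "ts": flow["ts"],
                        "src": flow["src_ip"], "dst": flow["dst_ip"],
                        "dst_port": flow["dst_port"], "action": flow["action"]})
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOGS):
        print(a)
```

Four of the five constructed records fire: the external probe of the decoy's SSH port, the decoy's connection to the database segment (critical, the pivot), the decoy's outbound HTTPS, and an internal workstation probing the decoy's SMB port even though the firewall dropped it. The ordinary user-to-intranet flow produces nothing, which is what makes honey pot alerts worth paging on.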
SolarWinds, your partner for a more secure future
By prioritizing adopting an assume breach mindset, organizations can ensure they have the right processes, people, and technology to observe their environment for anomalies and potential vulnerabilities proactively.
And though no product can assume breach for you, SolarWinds products can provide the level of visibility needed to help enable proactive monitoring, rapid diagnosis, and quick time to resolution. Our products offer an array of value-added features and reports, which you can customize based on your environment and business needs.
SolarWinds can help by providing robust observability solutions, customer service, and internal support to help address your business needs now and in the future. To learn more about our guiding principles for how we approach security and cyber resiliency at SolarWinds, you can read about our Secure by Design principles or download our whitepaper.