The second part of the Party Crashers series focused on the need for us to embrace change in order to combat the shifting nature of attackers and their penchant for compromised credentials.
Guided by the preparation post (/2014/07/29/embrace-the-change-we-need-in-security-to-reap-the-benefits), our conversation is global. The advantage of the series is the opportunity to maintain a dialogue. We shared a lot of comments, insights, and thoughtful questions.
The series suggests a growing number of people are thinking deeply about these issues. Some are acting, some are still figuring out what it means. A few noted the value of validation. The key to our success lies in letting go of what doesn't work to embrace what does. Here are some of the highlights from the second part of the Party Crashers series.
On letting go of our legacy approaches
As a young child, I recall a visit to the office where my father worked. The rather large computer terminal -- with a yellowish-orange screen and glow -- sat in the middle of the work area. Before everyone had a dedicated device, computer terminals were a shared resource. It made it a bit easier to focus on the asset.
In the last decade, we've experienced a shift where people have two or more devices to access systems and information. Access comes from a variety of places, around the clock. The landscape changed. The way we work changed.
Those changes prompted our attackers to shift. Not just their tactics, but also the way they measure and evaluate the success of their attacks. When they realize something isn't working, they adapt or move on to try something else.
We polled the audience during the conversation to gauge how we're doing in terms of measuring the results and returns on our investments in security.
The results, while not surprising, represent significant opportunity. It signals a need to move beyond discussions of shifting our mindset toward changing our behaviors. Letting go of the notion that security cannot be measured or demonstrated as a benefit to the organization.
One of the realizations is our reliance on infrastructure data to tell a story about people. We asked about that, too:
This remains a top challenge in our industry. The key to the compelling story lies in the ability to capture and interpret the right information. A good story includes 3 elements: characters, conflict, and resolution. It needs to be distilled, practiced, and matched to the needs of the audience. This is an area we'll continue to explore.
Changing the mindset and what to look for
When shifting to a mindset of “assume breach” - it's oddly freeing. It means less feeling like a fortress, and gives us an opportunity to be creative. It allows us to place focus on detecting the right things (stay tuned for part 3) that guide the right response. It also changes how we're evaluated.
So we asked about the situation when an attacker bypasses preventative controls.
A popular comment -- and a strong understanding of the reality we face -- was the request for a “we don't know when we've been breached” option. The upside is that the bulk of the audience realizes the importance of detecting problems and initiating the proper response.
The key is looking for the right things, capturing the information that drives the right response.
Getting started with accounts
One way to manifest the change in thinking is to shift focus on accounts. A major benefit is the opportunity to gain an understanding of how people actually use our systems. This helps us build the story we need to tell. Broader, it sets the stage for better detection and the opportunity for the appropriate, rapid response.
Mike Belton, Manager of Assessment Services, joined our last discussion to share details of how he and his team are able to compromise credentials and successfully penetrate the information and systems of clients. Popular targets include third party accounts, which attackers monitor for potential weaknesses (Mike explained that the scope of most agreements understandably prevents attacking a third party to gain access - a restriction our attackers don't have).
We inquired how many people are monitoring those connections.
The results were a bit surprising, given the results of Mike's team and disclosures of recent breaches. Perhaps it signals a growing understanding that third party connections need to be monitored.
One comment even pointed out the growing trend to consider third party connections and credentials to be part of the ‘insider’ category. That shift in thinking -- acknowledging that our organizations are service providers -- places a higher importance on monitoring those connections.
Mike also mentioned the role of service accounts. Nearly every assessment involves the use of service accounts in some fashion.
While the spread of responses is a bit more distributed, the high level of confidence was a bit surprising. One astute commenter noted, “everyone would be shocked if they knew how many service accounts are on proprietary systems that you don't even know about.”
Another person remarked that if everything seems fine - but quiet - it's a strong signal that our monitoring systems are not working properly. As the series continues, we'll work a bit deeper into these issues with suggestions and considerations of building a stronger system.
Why letting go is the key
The real lesson of the second part of the series is that letting go is more about mindset and less about tools and technologies. In many cases, what we need in order to be more successful is as simple as changing what we look for and shifting how we use what we already have available to us.
What I found encouraging is that while we have room to grow, few people are stuck. Most of us realize the need for change. I also think a few people may be overstating their current attitudes and approaches. That may be the challenge of wording informal polls; however, it could also signal the need to think about things differently and to assess the changes we're making by the results we get.
With the foundation established, now we focus on the priority of action. Join me in the next part of the series where we explore the importance of detecting the right things at the right time. We'll also explore how to address the challenge of resource constraints and find the funding you need to make changes.
In the meantime, engage with me on twitter (@catalyst), leave comments and ask questions here or on the Security Street (https://community.rapid7.com/community/userinsight). Look for the discussion prep for Part 3 on Tuesday, August 12th and our next conversation on Thursday, August 14th.