(At the time I wrote this (2017), I had never heard of “zero trust networking”. Looking back, that’s what I’m describing in this post. If you’re interested in these concepts, please read up on zero trust)
The way we are dealing with security is all wrong. No one can deny it, but no one is doing anything about it. Why? Because “the business”.
Security cannot and should not interfere with the experience of the end user, that is a fact. That is the only way we can sell security to users. The alternative is no security at all. But other IT teams are not end users. They’re technical and they understand limitations and workarounds. Security can and completely should impact them. Security should be a gate for IT teams, letting them through only after checking their badge and ID. You don’t let visitors into your office without checking their badge and ID. Why do IT’s technical whims get a free pass?
Application owners far too often get away with not knowing how their applications behave on the network. Networking teams far too often get away with not communicating their network architecture or changes to their architecture to the rest of the organization. Server teams far too often get away with not knowing what applications run on their servers.
How often on a security team do you see an IP address in your SIEM and have no idea who owns it, what the purpose is, and what applications are running on it? Far too often. It’s unacceptable. It should be considered the highest priority for teams to work with security not reluctantly, not when they’re told to, but as a rule. Security not knowing what is running on a server should be as critical as an application going down. It should be hair on fire. It should make or break careers.
Looking for projects for the new fiscal year? How about this one: give security a list of every port needed, every external network range needed, every server that needs to talk to every other server. And after that, block everything else. Put rules in the SIEM that create alerts for every firewall deny and everything that does not match that profile. Every new server and every application will have to be specifically allowed before it will work. And every outbound firewall deny is a severity 1 security incident. If it’s not part of the approved applications/servers/ports, it’s an insider threat.
“But that will break everything!” Good. It should. It is absolutely irresponsible to not know every single application, every workstation, every server on your network. Attackers can exploit one single hole that no one knew about that was allowed for the sake of another IT department because they don’t want to follow cumbersome processes, and now your entire company is shut down. Because we can’t impact the server teams. We can’t impact the network team. We really needed that any-any rule. Right?
Block everything. Make other teams defend their needs. Every quarter they need to attest that it is still a need, with their name signed beside every port, every server, every app. So when the breach happens, you know exactly who was negligent. You know exactly who stopped your company.
There are no more mistakes. There are processes, and they are either followed or they are not. Technology isn’t a joke anymore, this is real life. Block everything. Make security break your company, or the lack of security will end your company.