By Chris Day, CISSP – Chief Cybersecurity Officer, Cyxtera
Adversaries are waging cyber warfare daily to create confusion and cause disruption for strategic or military purposes. You need only look at last year's United States election to see the lengths to which they are willing to go. Digital propaganda campaigns can instantly reach millions of people, influencing popular thought, sowing fear and discord, and creating harmful divisions.
Threat actors are also targeting critical infrastructure, where an attack can dramatically disrupt the civilian population's everyday life. Nation states are seeking to infiltrate stock exchanges, banking systems, the power grid, water and sewage treatment plants, and communications networks. Just this year we learned that Russian hackers got into the business systems of a U.S. nuclear power plant, and that Russian and North Korean adversaries separately gained access to the corporate networks of U.S. energy companies.
These reconnaissance missions are the tip of the iceberg; it is only a matter of time before real damage is done. In this new age of organized digital crime, threat actors are skilled. They have resources. They have patience.
My Organization isn’t a Target
It's easy to look at these attacks and not associate the threat with your own organization. A retail company, for example, may wonder: "Why would an attack on critical infrastructure matter to us? Why should we care about cyber warfare?"
The answer is simple: every organization is a target. Everyone has data that is valuable to someone else. You may not be a primary target, but you might be a target of opportunity. For example, enterprises with large networks have significant amounts of computing power. Adversaries may want to compromise the network and utilize the power for their own purposes. Or, your network may be the stepping stone to another target.
Cyber is unique in that way. It allows for networks and systems not normally associated with warfare to get pulled into a conflict. It also creates imbalance. Nations can wage war against global powers and gain digital victories that can be devastating.
Like it or not, every organization has a stake in this war. To defend ourselves in this new reality, we must start to do things differently.
The Modern-Day Threat Landscape
There are common techniques in cyber warfare campaigns. As defenders, we need to address them.
Stop lateral movement. Once adversaries gain access to a flat network, they've opened Pandora's box. Networks that lack segmentation make it easy to move from one system to the next, and without proper instrumentation and staffing that movement can be impossible to detect or stop. It's one of the primary reasons today's major breaches go undiscovered while adversaries have free run of the network for months, if not years.
Trust no one. When it comes to cyber warfare, you must adopt a zero-trust model. Assume that a legitimate user's credentials can and will be compromised. Accept that malicious insiders exist. Traditional security tools provide all-or-nothing access: once a user is authenticated, they have carte blanche to every network resource. We must shift from unfettered access to a model of least privilege, where each user can reach only the resources their role requires.
Secure the cloud. 68% of companies are using or plan to use the cloud for business workloads, according to TechProResearch. As challenging as network security is in a traditional enterprise IT environment, the cloud makes it even harder: cloud environments are dynamic, while traditional security controls are static. If we agree the cloud is here to stay, we must deal with how to secure it.
Yesterday’s Security Technology is Failing
Adversaries are getting more sophisticated. Cyber warfare is a ‘real job’ to them. Hostile nation states train their cyber warriors in a methodical and disciplined way. Conversely, defenders are waging war with outdated tools. Network security technologies haven’t evolved in decades. A deficit of skilled talent makes it difficult to fill critical security positions, which compounds the problem.
Firewalls are configured and forgotten; policy and rule changes aren't made in real time. VPNs are expensive to deploy and manage and don't make us any more secure. A VPN authenticates a user to the network as a whole: once the tunnel is up, the user can reach every resource routable through it, whether or not their job requires it. These technologies are perimeter-based security in a world where the physical perimeter no longer exists. They are built on implicit trust, with a "connect first, authenticate second" approach: the VPN concentrator accepts a network connection from anyone who can reach it, and only then checks who is on the other end.
Implicit trust is akin to someone knocking on the front door of the house, letting the person through the front door, and only after they are inside asking who they are and what they need.
A New Approach to Security
We must level the battlefield if we are to successfully combat cyber warfare. Fighting modern techniques with outdated methods presents an unsustainable risk. We need to handle security differently.
Based on the principle of zero trust, a Software-Defined Perimeter (SDP) model is a smarter way to go. SDP wraps network permissions around each individual user. It creates one-to-one network connections between that user's devices and the specific applications and resources they are entitled to access, and nothing more.
The Software-Defined Perimeter model was created explicitly for security across cloud and on-premises infrastructure. It’s all about policy enforcement, access enforcement and entitlements.
The basic premise of a Software-Defined Perimeter is to "authenticate first, connect second": no network connection to a protected resource exists until the user and device have been verified. Traditional network access controls grant access at the network level and leave authorization to application-level permissions. A Software-Defined Perimeter instead creates an individualized perimeter for each user, allowing far more fine-grained access control. As the user's situation changes (a different device, for example, or a different network), the individualized perimeter changes with it.
Using the front door example, the Software-Defined Perimeter approach takes the person that is knocking at the front door, confirms who the person is and what it is that they want and then opens the door to let them in the house. Once inside, they can only access those rooms that they need…and nothing else.
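The following is an added illustration of the policy logic behind the three points above (stopping lateral movement, least privilege, and the SDP "authenticate first, connect second" rule). It is not code from the article or from Cyxtera's product. The users, entitlements, addresses and the request shape (a requester context plus a destination IP and port) are all constructed for the example; a real deployment would get the context from its identity provider and device posture agent.

```python
"""Toy 'authenticate first, connect second' policy decision point.

Added illustration, not the article's or Cyxtera's code. Users, devices,
entitlements and addresses below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Context:
    """What the gateway knows about the requester before any connection exists."""
    user: str
    authenticated: bool
    mfa_passed: bool
    device_managed: bool
    device_compliant: bool


@dataclass(frozen=True)
class Entitlement:
    """One resource a user may reach, plus the conditions that must hold."""
    name: str
    network: str            # destination CIDR
    ports: frozenset        # destination TCP ports
    require_mfa: bool = False
    require_managed_device: bool = False


# Constructed entitlement catalogue (hypothetical names and addresses).
ENTITLEMENTS = {
    "alice": (
        Entitlement("erp-web", "10.10.1.0/24", frozenset({443})),
        Entitlement("erp-db-admin", "10.10.2.5/32", frozenset({5432}),
                    require_mfa=True, require_managed_device=True),
    ),
    "bob": (
        Entitlement("wiki", "10.10.3.0/24", frozenset({443})),
    ),
}


def vpn_style_allowed(ctx: Context, dst_ip: str, dst_port: int) -> bool:
    """All-or-nothing: any authenticated user is routed to any destination.

    The destination is never consulted, so a stolen credential, or a
    compromised host on the flat network, can reach every segment.
    """
    return ctx.authenticated


def sdp_permit(ctx: Context, dst_ip: str, dst_port: int) -> Optional[str]:
    """Default-deny: return the name of the entitlement that permits this
    connection, or None. Nothing is connected until a name is returned."""
    if not ctx.authenticated or not ctx.device_compliant:
        return None                      # the perimeter shrinks to nothing
    dst = ip_address(dst_ip)
    for ent in ENTITLEMENTS.get(ctx.user, ()):
        if dst not in ip_network(ent.network):
            continue
        if dst_port not in ent.ports:
            continue
        if ent.require_mfa and not ctx.mfa_passed:
            continue
        if ent.require_managed_device and not ctx.device_managed:
            continue
        return ent.name
    return None


def individual_perimeter(ctx: Context) -> set:
    """Names of the entitlements this context can reach right now: the
    'individualized perimeter', which changes as the user's situation changes."""
    names = set()
    for ent in ENTITLEMENTS.get(ctx.user, ()):
        probe_ip = str(ip_network(ent.network)[0])   # one address in the CIDR
        probe_port = next(iter(ent.ports))
        if sdp_permit(ctx, probe_ip, probe_port) is not None:
            names.add(ent.name)
    return names


if __name__ == "__main__":
    # Alice's password was phished and is replayed from an unmanaged laptop
    # without a second factor: a constructed scenario.
    stolen = Context("alice", authenticated=True, mfa_passed=False,
                     device_managed=False, device_compliant=True)
    print("VPN style, stolen cred -> db admin:",
          vpn_style_allowed(stolen, "10.10.2.5", 5432))
    print("SDP, stolen cred -> db admin:", sdp_permit(stolen, "10.10.2.5", 5432))
    print("SDP, stolen cred perimeter:", individual_perimeter(stolen))
```

Run as a script, the stolen-credential scenario reaches the database administration port under the VPN-style check but only the ERP web front end under the SDP check, because the sensitive entitlement also demands a second factor and a managed device. Bob, who has no ERP entitlement at all, gets no route into that segment, which is the property that stops lateral movement between groups of users.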
Cyber Warfare Calls for Modern Security
Cyber warfare presents real threats to our security. The perimeter is not an impenetrable wall. It is fragile (at best) and constantly changing. The only way to cope with modern cyber threats is with modern security solutions. It's time to move away from traditional security solutions and look to a Software-Defined Perimeter.
About the Author
Chris Day is Cyxtera’s Chief Information Security Officer. Prior to Cyxtera, Day held similar roles at Invincea, Packet Forensics, and Terremark. Day is a member of the Defense Science Board, which provides guidance to the Secretary of Defense on matters impacting national security. He is a regular speaker and author on cybersecurity topics.