In the first two posts of this Dynamic Security Assessment series, we delved into the limitations of security testing and then presented the process and key functions you need to implement it.

To illuminate the concepts and make things a bit more tangible, let’s consider a plausible scenario involving a large financial services enterprise with hundreds of locations. Our organization has a global headquarters on the West Coast of the US, and 4 regional headquarters across the globe. Each region has a data center and IT operations folks to run things. The security team is centralized under a global CISO, but each region has a team to work with local business leaders, to ensure proper protection and jurisdiction. The organization’s business plan includes rapid expansion of its retail footprint and additional regional acquisitions, so the network and systems will continue to become more distributed and complicated.

New technology initiatives are being built in the public cloud. This was controversial at first but there isn’t much resistance any more. Migration of existing systems remains a challenge, but cost and efficiency have steered the strategic direction toward consolidation of regional data centers into a single location to support legacy applications within 5 years, along with a substantial cloud presence. This centralization is being made possible by moving a number of back-office systems to SaaS. Fortunately their back-office software provider just launched a new cloud-based service, which makes deployment for new locations and integration of acquired organizations much easier. Our organization is using cloud storage heavily – initial fears were alleviated overcome by the cost savings of reduced investment in their complex and expensive on-premise storage architecture.

Security is an area of focus and a major concern, given the amount and sensitivity of financial data our organization manages. They are constantly phished and spoofed, and their applications are under attack daily. There are incidents, fortunately none rising to the need of customer disclosure, but the fear of missing adversary activity is always there.

For security operations, they currently scan their devices and have a reasonably effective patching/hygiene processes, but it still averages 30 days to roll out an update across the enterprise. They also undertake an annual penetration test, and to keep key security analysts engaged they allow them to spend a few hours per week hunting active adversaries and other malicious activity.

CISO Concerns

The CISO has a number of concerns regarding this organization’s security posture. Compliance mandates require vulnerability scans, which enumerate theoretically vulnerable devies. But working through the list and making changes takes a month. They always get great information from the annual pen test, but that only happens once a year, and they can’t invest enough to find all issues.

And that’s just existing systems spread across existing data centers. This move to the cloud is significant and accelerating. As a result sensitive (and protected) data is all over the place, and they need to understand which ingress and egress points present what risk of both penetration and exfiltration.

Compounding the concern is the directive to continue opening new branches and acquiring regional organizations. Doing the initial diligence on each newly acquired environment takes time the team doesn’t really have, and they usually need to make compromises on security to hit their aggressive timelines – to integrate new organizations and drive cost economies.

In an attempt to get ahead of attackers they undertake some hunting activity. But it’s a part-time endeavor for staff, and they tend to find the easy stuff because that’s what their tools identify first.

The bottom line is that their exposure window lasts at least a month, and that’s if everything works well. They know it’s too long, and need to understand what they should focus on – understanding they cannot get everything done – and how they should most effectively deploy personnel.

Using Dynamic Security Assessment

The CISO understands the importance of assessment – as demonstrated by their existing scanning, patching, and annual penetration testing practices – and is interested in evolving toward a more dynamic assessment methodology. For them, DSA would look something like the following:

• Baseline Environment: The first step is to gather network topology and device configuration information, and build a map of the current network. This data can be used to build a baseline of how traffic flows through the environment, along with what attack paths could be exploited to access sensitive data.
• Simulation/Analytics: This financial institution cannot afford downtime to their 24/7 business, so a non-disruptive and non-damaging means of testing infrastructure is required. Additionally they must be able to assess the impact of adding new locations and (more importantly) acquired companies to their own networks, and understanding what must be addressed before integrating each new network. Finally, a cloud network presence offers an essential mechanism for understanding the organization’s security posture because an increasing amount of sensitive data has been, and continues to be, moved to the cloud.
• Threat Intelligence: The good news is that our model company is big, but not a Fortune 10 bank. So it will be heavily targeted, but not at bleeding edge of new large-scale attacks using very sophisticated malware. This provides a (rather narrow) window to learn from other financials, seeing how they are targeted, the malware used, the bot networks it connects to, and other TTPs. This enables them to both preemptively put workarounds in place, and understand the impact of possible workarounds and fixes before actually committing time and resources to implementing changes. In a resource-constrained environment this is essential.

So Dynamic Security Assessment’s new capabilities can provide a clear advantage over traditional scanning and penetration testing. The idea isn’t to supplant existing methods, but to supplement them in a way that provides a more reliable means of prioritizing effort and detecting attacks.

Bringing It All Together

For our sample company the first step is to deploy sensors across the environment, at each location and within all the cloud networks. This provides data to model the environment and build the initial network map. With the environment model you can start analyzing risk to sensitive data stores. Identifying a handful of ‘missions’ adversaries are likely to undertake helps focus efforts on clear and present dangers, and avoid getting distracted or falling into every potential hole.

This initial assessment and resulting triage help the organization focus efforts on attacks which can cause real damage. The CISO understands the minimum 30-day window before things can be addressed, but the team can focus on eliminating issues with high-profile networks and devices which put sensitive data at risk.

Once initial triage is done the team can undertake a more detailed analysis of the environment, turning the map into a baseline, understanding typical traffic flows and activities within all the organization’s systems and networks. This helps both simulations and ongoing assessments to identify anomalous activity which warrants further investigation and/or immediate action.

Threat intelligence data also feeds into ongoing assessment enabled by DSA. Instead of just patching everything first-come-first-served, the CISO can marshal resources to address new attacks seen in the wild which would be work in this environment, as indicated by the ongoing simulation. This again helps the CISO focus resources on issues which could cause the most serious damage.

DSA also helps with change control. As new changes are requested, driven by business needs and application upgrades, the impact of the changes can be modeled so their risks are understood. When an application is deployed in the cloud, for instance, the network map can be updated quickly to understand new potential exposure. Similarly, diligence on opening new offices and integrating acquired companies is accelerated because the new locations can be easily modeled and the risks they raise evaluated. What used to be an ad hoc unscientific process can be quick and fact-based. This enables the CISO to present concerns with hard data about potential risks, not just gut feel.

Finally, DSA capability ensures that changes are made completely and accurately. Ongoing assessment identifies issues which have been successfully vs. unsuccessfully remediated, and what else needs to be done, if anything. The CISO is able to address the biggest concerns, to ensure focus on the biggest risks, and to get a full picture of the entire infrastructure – including resources now in the cloud.

With that we wrap up our series on Dynamic Security Assessment. We will assemble the paper over the next couple weeks, and we are always happy for feedback on any of our posts to help improve our research.