Historically, security programs have focused most heavily on the perimeter of the environment, likely in an effort to mirror physical security measures. While fences and surveillance cameras at the entry and exit points of a bank or manufacturing facility may provide sufficient visibility and controls for the threat models faced in those scenarios, they simply are not adequate for the information security realm. The idea of a perimeter-based security approach seems reasonable enough, but several harsh realities show the shortsightedness associated with that approach.
This post will outline several reasons why a perimeter-based security approach is no longer enough and offer alternate approaches organizations should consider for a more comprehensive security approach.
3 reasons a perimeter-based security approach no longer works:
1: The definition of the perimeter is always changing.
Infrastructure no longer resides neatly within a well-defined network diagram, with a single or even a known number of ingress and egress points. Organizations now tend to use an array of onsite and off-premises business functions, have in-office and at-home or roaming users, and an ever-expanding array of services that quickly become core to the organization’s operation. Adding a BYOD model to the mix complicates the matter even further. As this concept of a perimeter itself continues to shift away from neat concepts of “inside” and “outside” the environment, our approaches to visibility and control must focus on the individual systems in the environment.
2: The increased usage of end-to-end encryption decreases the value of a perimeter-based approach.
As encryption becomes stronger and more widely used, technologies such as certificate pinning and perfect forward secrecy will complicate or fully prevent the traditional means of intercepting and inspecting those perimeter-crossing communications. This means our collective approach must change, as the growing tide toward encrypted communications will not be reversed in any meaningful way. Therefore, we must turn our attention inward, where the communications are encrypted and decrypted to have insight to the underlying activity.
3: Internal-only activity (which never crosses any perimeter) is extremely valuable for your information security program.
Client-to-server communications exist solely behind the proverbial boundary on the network diagram, but will never be seen by a perimeter platform. Attackers’ lateral movements often evade detection for months because the victim simply has no means of seeing what is going on within the theoretical boundary. And the notable increase in the use of legitimate peer-to-peer technologies such as VoIP and software update distribution mean we must have some means of identifying the “baselines of normalcy” within the environment. These baselines can then be used to identify suspicious outlier events that warrant further attention.
Related Reading: Common Security Mistake #1: Lack of Visibility
Moving Beyond the Perimeter: Alternate Security Approaches
Given that perimeter-only or perimeter-based visibility and control measures have long been an outdated approach, what approaches can help organizations retain visibility and insight to their organizational activity? Fortunately, there are several measures that can give any size information security team a chance to improve their posture.
1: Extend visibility platforms.
One quick win is to extend visibility platforms to the segments between network segments. For example, if the security organization uses the Bro NSM platform to examine and log all perimeter-crossing traffic, adding network taps on the uplink from critical subnets inside the environment that feed additional Bro platforms would be an evolutionary increase in visibility. Any NetFlow or similar traffic summary platforms could be added to the same taps for integration to an existing collection. Of course this would require de-duplication to minimize investigative workload and storage requirements, but the added visibility between segments within the environment would prove crucial when tracking an attacker’s lateral movement or to support an insider threat investigation.
2: Internally collect logging data.
Explore what kind of logging data can be collected from internal systems. This may include data as basic as web proxy logs, or as extensive as process execution logging from all endpoints within the environment. Fortunately, open-source solutions such as ELK and Graylog have made large-scale collection and analysis feasible for organizations that cannot afford the large price tags for full-scale SIEM platforms. Even Microsoft’s own Eventing architecture can be useful for aggregating endpoint-centric data into a single data store for ease of analysis.
3: Adopt an endpoint-centric approach.
Over the last several years, the industry has seen a number of endpoint-centric visibility and control solutions proven in the marketplace. These include micro-level logging platforms, behavioral analytics, and layers of threat intelligence. The “big data” approach typically used for these platforms is important because of the immense volume these collections often incur. Many teams exploring such solutions are surprised to see that a single endpoint worth of collected data can quickly surpass millions of items per day. This is, of course, not feasible for a human-run process to fully address, so some form of filtering and prioritization is needed. This, in conjunction with a well-trained human examination pipeline, is an ideal approach to making a massive raw data collection into actionable items for the team to focus on.
Learn how Red Canary collects endpoint activity and analyzes it to find threats
Any information security team operating today must accept that the perimeter-only or perimeter-centric approach is an outdated model. While it should not be abandoned entirely, it must be augmented with internal visibility solutions that help the team maintain their visibility and control within the environment. The endpoint will remain the single consistent cog in an ever-changing machine of enterprise architecture, so ensuring visibility from this perspective is a critical component for any effective information security program going forward.
READ THIS NEXT: What to Do When Threat Prevention Fails (Hint: It Always Does)