A lot of smart people are changing the way we think about cybersecurity. Much of this comes from the novel security challenges in the rapidly growing domain known as the Internet of Things. But the ideas themselves aren’t new and they have been – and will continue to be – applied just as effectively in traditional IT cybersecurity. Let’s take a deeper look at the situation and clarify what’s going on.
For many years now, IT operations teams have been using perimeter defenses as the basic cybersecurity tool. And for nearly as many years, people have been complaining about the inadequacy of perimeter defenses in the face of determined, well-funded attackers.
Network firewalls across several technology generations have served all of us very, very well. You need locks on your doors and windows, and you always will. But entirely new technology categories and practice areas have sprung up over the years to deal with the problems that firewalls create.
A firewall, of course, is a network filter positioned so as to defend a perimeter. For this to work, you need a perimeter, and this, unfortunately, is the problem. A perimeter says everything on this side is good, and everything of the other side is suspect. You already know why this model no longer works – there are just too many ways to get past the perimeter. And all of them constitute attack vectors.
The Problem of Scale
The Internet of Things takes this a step further.When machines, devices, sensors and other OT production assets have IP addresses and can send and receive network traffic, it quickly becomes impossible to define a perimeter around them all, let alone enforce one.
The problem here is fundamentally one of scale. Perimeter defenses are ultimately embodied in network devices such as firewalls and policy-enforcing switches and routers. This model only makes economic sense if small numbers of defensive devices can protect large numbers of assets. This isn’t the case when the asset footprint is the Internet of Things. Economically, you can’t deploy enough firewalls or network filters to protect a huge and dispersed footprint of connected devices.
Not only cost-effectiveness is impacted by scale. Manageability is too. Firewalls and network filters typically are configured statically, according to rules expressed as predicates on network metadata (addresses and ports), and application recognition. Keeping these rulesets accurate and up-to-date is a brutal problem even in enterprise IT. In the IoT, it’s far worse.
Cyber for Connected Assets
So, the goal posts have moved. The new goal, then, is to achieve a high and measurable amount of security assurance for connected assets, with acceptable costs both for technology and for ongoing management. The cybersecurity infrastructure of the future will require adaptivity, automation, and resiliency.
Adaptivity is a property of a security framework that responds quickly to changes in the overall cyberthreat environment facing an enterprise. Adaptivity ranges from changing security sensitivities (presented by assets of more or less criticality), to safety and operational factors, to changing business requirements. Modifying firewall rulesets just doesn’t work at scale.
Automation is a property of an infrastructure that continuously analyzes the operational status of an asset base, from software/firmware updates to configuration to health checks. When presented with security events, automated analytics should generate specific remediations that can be triggered immediately or passed to human operators for decision.
Resiliency is the property of an infrastructure that quickly recovers from compromises back to a known state. The resilient system will accurately distinguish zones in asset-space that may still be in a compromised state from those that are recovered.
To achieve these goals, the perimeter-defense model of traditional practice isn’t adequate. A new model for cybersecurity practitioners and technology providers is needed. The new model calls for:
Visibility into the OT production network and assessment of risks;
Extensive instrumentation of the connected-asset base;
Continuous monitoring and incident analysis of the data generated by the instrumentation;
Automated or semi-automated responses to security events detected by the analysis; and
Rapid recovery after threat responses.