Dark Reading is part of the Informa Tech Division of Informa PLC


Operational Security

7/19/2017 03:46 PM
Curtis Franklin

Security in Knowing: An Interview With Nathaniel Gleicher, Part 2

Ignorance is indeed bliss - for those who would attack our organizations' IT systems. This is part 2 of a conversation with Nathaniel Gleicher, head of cybersecurity strategy for Illumio.

Yesterday, we ran the first part of an interview with Nathaniel Gleicher, former Director of Cybersecurity Policy for the Obama White House and ex-senior counsel for the US Department of Justice's computer crimes division, now head of cybersecurity strategy for Illumio. Today, it's the rest of the interview, where we went into detail on what it takes to turn knowledge into security.

In yesterday's interview, Gleicher had just talked about the Secret Service model of security, represented by a pyramid with four words -- understand, control, detect, respond -- written on slices from bottom to top, representing the sequence and amount of effort and planning put into each one.

As before, what follows is an edited version of our conversation.

Curt Franklin: It sounds like [the Secret Service model] presents a sort of road map toward security that companies and organizations can follow.

Nathaniel Gleicher: When I think about this I tend to call it the inverted pyramid. If you go next to it on that sheet of paper and you draw an upside-down pyramid, put four horizontal slices on it and write those same words in the same order again: respond at the top, detect below it, control below that and understand below that. When you look at the focus of the cybersecurity community and a lot of security teams, the way we invest looks a lot more like this.

We have a huge emphasis on detection and response. There's a huge focus on behavioral analytics, on anomaly detection, on how do we find the bad guys once they're inside, catch them and stop them. We invest far less in controlling the environment and we invest very little in understanding. If you look at the lesson from physical security, if you don't have a strong base, if you don't have understanding and control, your detection and response effectiveness is just capped in a very limited way.

A lot of it from my perspective comes back to this inverted pyramid. We don't understand our environments and we don't have control over them. And ironically, if an intruder is inside our empire we should have an advantage -- they're inside our house. We built the house, we know what was there. In theory we have a huge advantage, but we don't today. And so when I think about security it's not about artificially forcing our environments back to a simpler way of life, it's about building tools that will enable our organizations to actually understand the environments that exist today and to exert control over them. That is what enables us to actually be effective in response.

CF: I would love to hear some more thoughts on that because it seems to me this is a key piece of the entire puzzle. A lot of organizations will give lip service to understanding things; it's doing things with that understanding that so many organizations fall down on.

NG: I completely agree. And so there are two pieces to it. One is technical and one I would actually argue is organizational.


Everyone talks about how security is a technology problem and in some ways it is. But actually I think a lot is organizational. So you're talking about not just understanding an environment -- although to be honest that's hard enough -- but also being able to take action based on [that understanding].

Rob Joyce is the former head of NSA's tailored access operations unit (TAO). He's one of the best hackers in the world. He gave a talk at Enigma about a year and a half ago now. The basic premise of his talk was, "Hi, I'm from the NSA, we're really good at breaking into your system. Here's what you would need to do to make our life hard." And it's a fascinating perspective.

He says two things. The first thing he says is, intruders win because we know your network better than you do. This is the "understanding." You know how the network was supposed to work when you set it up; we know how it actually works today. But then he goes on and he lays out five things you could do to make life hard for the NSA and for other sophisticated attackers.

I love that these are not rocket science. He talked about encrypted communications, using strong passwords, limiting user access, patching vulnerabilities and segmenting your environment. These are all things that we've known about for years, that everyone agrees are best practices, but that when you get inside a lot of environments are still not done.

It drives home this message that security is actually not impossible. So it's really an organizational challenge. How do you make the organization work?

CF: One of the things that you talked about was limiting user access and I think that we can agree that in most cases that means making sure that users have access to everything they legitimately need but only what they legitimately need. There is so much emphasis on the application design side today in improving the user experience and minimizing transactional friction. So is there a necessary tension between the security side and the user experience side?

NG: Security is essentially the practice of trying to impose differentiated friction. That is, you want to impose as much friction as possible on illegitimate actors and as little pressure as possible on legitimate actors. And one reason I think we actually do a really bad job right now is that we don't understand our environments.

If you knew and understood what an individual needed to do in order to get their work done you could impose limits that wouldn't actually limit the user but would constrain an intruder trying to manipulate those credentials. The problem is we generally don't know what those needs and dependencies are.

The needs of a user, like the needs of a system, aren't static. They change constantly and they're not something that you can expect humans to track manually and keep up to date with static rules. It just doesn't work.

Part of the problem is in a lot of our environments we're writing security rules at a very low level. Today, we don't write most software in assembler, we write it in higher-level languages and we have machines that do the translation. We need more things like that in security where we can express security policy at a high level and then have an intelligent system that does the translation so that we can make high level decisions and then make sure that they are carried out in the right way.

I've found that the average organization utilizes about 3% of the open connections that they enable within their data center; actually in many cases it's much smaller than 3%. So there's this huge scope of open, frictionless communication that a legitimate organization isn't using that you can close. This would radically constrain an intruder but would do very little to constrain the legitimate business.
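Two of the ideas Gleicher describes above lend themselves to a small, concrete illustration: writing policy at the level of roles rather than addresses and letting a program do the translation, and then measuring how much of the allowed connectivity the business actually uses so that the unused share can be closed. The following Python script is an added example written for this page; it is not code from the interview, from Illumio, or from any product. The inventory, the role-level policy and the flow-log lines are all constructed for the example, and the flow format (one `src_ip dst_ip dst_port` triple per line) is an assumption standing in for whatever NetFlow, VPC flow log or firewall log an organization really has.

```python
"""
Added example: compile role-level policy into concrete allow tuples, then
compare the allowed connectivity with the connections observed in a flow
log.  Unused rules are reported as candidates to close; observed flows that
no rule allows are reported as detection findings.

All names, addresses, ports and log lines are constructed for this example.
"""
import ipaddress

# Hypothetical inventory: role label -> hosts carrying that label.
INVENTORY = {
    "web": ["10.0.1.10", "10.0.1.11"],
    "app": ["10.0.2.20", "10.0.2.21"],
    "db": ["10.0.3.30"],
    "monitoring": ["10.0.9.90"],
}

# High-level policy: (source role, destination role, destination port).
# The last rule is a legacy allow that nobody has revisited; the analysis
# below is what would surface it.
POLICY = [
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("monitoring", "web", 9100),
    ("monitoring", "app", 9100),
    ("monitoring", "db", 9100),
    ("web", "db", 5432),
]

# Constructed flow log: "src_ip dst_ip dst_port", one observed connection per line.
SAMPLE_FLOWS = """\
10.0.1.10 10.0.2.20 8080
10.0.1.11 10.0.2.21 8080
10.0.2.20 10.0.3.30 5432
10.0.9.90 10.0.1.10 9100
10.0.9.90 10.0.2.20 9100
10.0.9.90 10.0.3.30 9100
10.0.1.10 10.0.3.30 3306
"""


def compile_policy(policy, inventory):
    """Translate role-level rules into concrete (src_ip, dst_ip, dst_port)
    allows, remembering which high-level rule produced each tuple."""
    allowed = {}
    for src_role, dst_role, port in policy:
        for src in inventory[src_role]:
            for dst in inventory[dst_role]:
                allowed[(src, dst, port)] = (src_role, dst_role, port)
    return allowed


def parse_flows(text):
    """Parse the constructed flow format; malformed lines are skipped and
    addresses are validated so garbage cannot masquerade as a flow."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, port = parts
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        flows.append((src, dst, int(port)))
    return flows


def analyze(policy, inventory, flows):
    """Measure how much of the allowed connectivity is actually used and
    flag observed flows that the policy does not permit."""
    allowed = compile_policy(policy, inventory)
    used_tuples, used_rules, unexpected = set(), set(), []
    for flow in flows:
        rule = allowed.get(flow)
        if rule is None:
            unexpected.append(flow)  # observed but not allowed: investigate
        else:
            used_tuples.add(flow)
            used_rules.add(rule)
    all_rules = set(policy)
    return {
        "allowed_tuples": len(allowed),
        "used_tuples": len(used_tuples),
        "tuple_utilization": len(used_tuples) / len(allowed),
        "rule_utilization": len(used_rules) / len(all_rules),
        "unused_rules": sorted(all_rules - used_rules),  # candidates to close
        "unexpected_flows": unexpected,
    }


if __name__ == "__main__":
    report = analyze(POLICY, INVENTORY, parse_flows(SAMPLE_FLOWS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data the six role-level rules expand to 13 concrete allows, of which six are ever exercised, so the legacy `web -> db` rule is reported as unused and the `10.0.1.10 -> 10.0.3.30:3306` flow, which no rule permits, is reported as unexpected. The closing decision stays at the role level, which is the point of writing policy there: closing one rule retires every address pair it generated, and the inventory can change without the policy being rewritten.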


— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.
