We all know the role social distancing plays in combating COVID-19. Most people also understand why this is our primary line of defense; it's about slowing down the progress of the disease to prevent our healthcare defenders from being overwhelmed. Today's network security teams live in a similar shifting landscape and need to apply these same ideas to avoid getting overwhelmed. Here are three tactics to help "social distance" your network.
Tactic 1: Focus on Flare-ups
Networks bring a lot of value into our lives, but along with the value we get a lot of built-in complexity. As a result, network defense is complicated, whether your network is for commerce, healthcare, military use, or something else. All networks share one thing in common: the accumulation of complex, interacting parts. As a network grows, the number of things that can interact goes up very fast — quadratically fast. If your network doubles, the number of possible interactions goes up four times. At this rate, networks rapidly outstrip our ability to keep track of them and find problems.
Public health officials face a similar problem when combating a virus. On a planet with billions of people, it's impossible to accurately determine how many people have the disease. Instead, to protect as many people as possible, health officials focus on identifying symptoms and containing flare-ups.
Tactic 2: Without a Magic Bullet, Operate Wisely
With a pandemic, social distancing is a practical step we can take to save lives. Unfortunately, distancing is even more difficult in online security. When it's people versus a virus, people can change their behavior faster and more intelligently than the bug can evolve. The online world pits people against people, where the adversaries are clever and motivated. Tactics keep shifting, new vulnerabilities are continually discovered, and the rules for defense never settle down. This means our countermeasures must keep changing too. What was considered decent security yesterday is routinely out of date today.
It's no wonder that we have to plan for how we will handle breaches and how we'll quickly recover from them. Despite how security vendors behaved for years, perfect prevention is not an option you can buy off of a shelf. We must build security on the assumption that someone is going to get into some part of our infrastructure in the same way that we can't rely on travel constraints to keep a virus out. Social distancing has become the most important lesson to carry from the pandemic into online security.
Tactic 3: Quarantine or Zero Trust Is Not the Answer
Completely disconnecting from the outside world is not the answer to social distancing. Networks across all industries — from banking and finance to military, healthcare, and industrial operations — need to connect to perform their functions and deliver value and efficiencies. People also rely on connections, including social, emotional, and professional. For both networks and society, there will always be a risk of something nasty getting inside. The point of social distancing for your network is not to stop all contact with the outside. It's to increase the gaps between systems internally. Since we can't isolate our networks, we have to deal with internal segmentation, which intentionally keeps separate things separate.
Modern computing allows software to be run with wild abandon, sharing virtual machines and containers on limited physical resources. At first, IT shops saw this as a great advantage, giving them the ability to make one computer do the job of five and to reallocate inefficiently used resources to places where they can make a difference. Security personnel see it like public health personnel might: We know interactions — between networks or people — are necessary. So we manage the risk by asking for reasonable accommodations to a dangerous world. This compromise results in social distancing and network segmentation.
People don't like wearing masks and staying apart, and IT teams don't like limits placed on where they can run things. Security professionals must make the risks clear and avoid being too inflexible. An organization may have an innovative, cloud-first development team using cutting-edge tools. But while we don't want to remove their freedom to work quickly, we can require that they keep their fast-moving experiments in a confined cloud footprint, away from other operations that work at different speeds or face different regulatory requirements.
There are important security lessons we can take from the current pandemic to make modern hybrid business networks stronger and more resilient. We must prepare for events that haven't happened yet. And we must think about how to slow down spread by building in separation between different fast-changing areas.
Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.