Nothing is Made Better By Ignorance
Having spent close to a decade in cybersecurity, there are certain things that seem to be universally true, regardless of the organization’s size and industry. I’ve written about them before, and I’ll no doubt explore others in future posts; but this is the one I thought I’d highlight today:
Nobody (not hyperbole) knows exactly how many endpoints they have. The answer usually opens with a deep exhale, followed by, “Well, I’d probably say about….”
You know this is true. I don’t even know you, and I know YOU know this is true.
So why is that?
Even when computing was largely physical, it was difficult to keep up with where everything was all the time. I mean, you only have one set of car keys; can you say with confidence that you always know where they are? So when you had hundreds or thousands of laptops and servers, with roughly 3% of them being refreshed every month, it could be difficult to keep track of it all. Then came virtualization, and then the cloud, and each multiplied the number of developers and other employees able to create new machines on their own. With that shift, the problem this kind of inventory management poses has shifted too: from an accounting problem to a security problem.
The difference between your keys and the full reach of your infrastructure is that you know you have keys. You know they exist, and you know, down to the last detail, what they look like.
If I told you that you had an unpatched domain controller that was accidentally left in your DMZ, you probably wouldn’t put off pulling it down and patching it until after lunch.
So, when you put all this together:
- You’re spending considerable time & resources protecting your assets
- You know that you can’t say with confidence exactly what the totality of your assets consists of; and
- You can’t protect what you don’t know about
It leaves you with one of the universal truths in security: Nothing is made better by ignorance.
Out of sight is not really out of mind if you’re going to need to come in at 6am on a holiday weekend to remediate when things go wrong. It’s very much on your mind. So how do you actually stop that from happening? You need better visibility and monitoring into all parts of your system. But since a list of ten thousand alerts is probably going to yield the same actionable results as no list at all, you also need a sound prioritization mechanism.
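As an added example (not code from the original post), here is what that visibility plus prioritization looks like when written down. It merges inventory exports from several tools, so that a host seen by any one of them is on the list, flags each host for exactly the gaps the post describes (unknown to the system of record, no agent, exposed, unpatched, high-value), and ranks the result so the top of the list is worth acting on before lunch. The source names, hostnames, port heuristics, point values and the 30-day patch window are all constructed for illustration.

```python
"""Reconcile several asset inventories and rank what falls through the gaps.

Added example, not from the original post. Every source, hostname and
attribute below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed exports from four hypothetical sources, keyed by lower-cased
# hostname so that records from different tools line up.
CMDB = {                       # what the organisation believes it owns
    "web01":    {"zone": "dmz",      "role": "web"},
    "dc01":     {"zone": "internal", "role": "domain_controller"},
    "build07":  {"zone": "internal", "role": "ci"},
    "legacy03": {"zone": "internal", "role": "file_server"},
}
EDR_AGENTS = {                 # hosts actually checking in to the EDR console
    "web01":   {"patch_age_days": 5},
    "dc01":    {"patch_age_days": 12},
    "build07": {"patch_age_days": 90},
}
CLOUD_API = {                  # instances enumerated via the cloud provider's API
    "web01":          {"public_ip": True},
    "build07":        {"public_ip": False},
    "dev-sandbox-42": {"public_ip": True},
}
NET_SCAN = {                   # hosts answering an external scan of the DMZ range
    "web01": {"open_ports": [443]},
    "dc02":  {"open_ports": [88, 389, 445]},
}

DC_PORTS = {88, 389}           # Kerberos + LDAP listening: strong hint of a domain controller
PATCH_SLA_DAYS = 30            # assumed patch window (not from the post)


@dataclass
class Finding:
    host: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def reconcile(cmdb=CMDB, edr=EDR_AGENTS, cloud=CLOUD_API, scan=NET_SCAN):
    """Merge every source, flag the gaps per host, return findings ranked worst-first."""
    hosts = set(cmdb) | set(edr) | set(cloud) | set(scan)
    findings = []
    for host in hosts:
        f = Finding(host)
        cloud_rec = cloud.get(host, {})
        scan_rec = scan.get(host, {})
        # Exposed if the external scan saw it or the cloud gave it a public address.
        exposed = host in scan or cloud_rec.get("public_ip", False)
        # A DC is either recorded as one, or looks like one on the wire.
        is_dc = (cmdb.get(host, {}).get("role") == "domain_controller"
                 or DC_PORTS <= set(scan_rec.get("open_ports", [])))

        if host not in cmdb:
            f.add(3, "not in CMDB: nobody owns it")
        elif host not in edr and host not in cloud and host not in scan:
            f.add(1, "in CMDB but observed by no other source: stale record?")
        if host not in edr:
            f.add(3, "no EDR agent reporting")
        elif edr[host]["patch_age_days"] > PATCH_SLA_DAYS:
            f.add(2, f"patches {edr[host]['patch_age_days']}d old, past the {PATCH_SLA_DAYS}d window")
        if exposed:
            f.add(2, "reachable from the internet")
        if is_dc:
            f.add(2, "domain controller (high-value target)")
            if exposed:
                f.add(3, "domain controller exposed to the internet")
        findings.append(f)
    # Highest score first; ties broken by name so the output is stable.
    return sorted(findings, key=lambda f: (-f.score, f.host))


def unknown_assets(cmdb=CMDB, *observed):
    """Hosts seen by at least one tool but absent from the system of record."""
    seen = set().union(*observed) if observed else set()
    return sorted(seen - set(cmdb))


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.score:>3}  {f.host:<16} " + "; ".join(f.reasons))
    print("unknown to CMDB:", unknown_assets(CMDB, EDR_AGENTS, CLOUD_API, NET_SCAN))
```

Run as-is, the constructed data ranks `dc02` first (a box answering Kerberos and LDAP from the DMZ range that no inventory or agent knows about), then `dev-sandbox-42` (someone's public cloud instance with no owner and no agent), and only then the hosts that are merely late on patches. The point is not the particular weights, which any team would tune, but that the union of sources is the inventory; any single tool's list is a subset of reality, and the gaps between the lists are where the surprises live.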
All these tools are at the disposal of the world’s blue teams, but they need to be properly combined to function. Once your process is doing some of the catching up for you, you don’t need to be afraid of the new unknowns that pop up, because a single process failure won’t spell your immediate doom.
No matter how good you are, your organization could potentially be toppled by insufficient protection of an asset you didn’t even know existed. So ask yourself, if you were whiteboarding the path to the ideal future state of your security posture: would a comprehensive assessment of what you need to protect come before or after where you are on that timeline today?
The truth is, the very nature of the problem is that in a world of highly dynamic infrastructure, assessing your total attack surface isn’t a point on the timeline; it needs to be part of every point on the timeline, every one before now and every one after. But in that whiteboard scenario, one thing is certainly true: you would have done it before now. Something to consider, since ‘right now’ is point zero on the remainder of that timeline.
It’s not paranoia if they’re really after you.
Stay safe out there kids.