Security Scope and the Threat Continuum. What CISOs Need to Know.

Originally published by Netography.

Written by Martin Roesch, Netography.

The pandemic kicked off a rapid evolution of networks that have now become composites of multi-cloud, hybrid-cloud, and on-prem infrastructure with mobile and remote workers accessing data and applications scattered across this complex and fluid computing environment. We refer to this evolution as the atomization of networks and the implications for network security are massive. Organizations struggle to defend their network because it is so ephemeral and elastic, they are blind to its composition and entire categories of attack. It’s a forcing function that’s driving security leaders to take a deeper look at two key underlying security principles—scope and the threat continuum.

Security Scope

For years organizations have used a “defense in depth” approach, layering multiple tools to arrive at a set of capabilities intended to fully secure their network. But the truth is, defense in depth doesn’t really exist. It’s a misnomer. What we are dealing with most of the time is defense in adjacent scope. As a simple example, an NGFW doesn’t deal with malware and EDR doesn’t deal with network-based threats encoded in network protocols. Each of these tools and, for the most part, the array of different security technologies we deploy each have their own scopes of coverage and their own scopes of responsibility. Aside from the feature/function race between vendors within product categories, there is very little real overlap. Broadly speaking, network-based tools are scoped for different classes of attacks than endpoint-based tools.

Threat Continuum

We also have different time periods in which security occurs: before an attack happens, during an attack, and after we’ve been compromised. In each phase of this threat continuum there are different tasks to complete and different network and endpoint tools we use to complete them. But the actual time within each phase to do the job is not equal.

Before an attack we have a “nigh-infinite” amount of time to prepare defenses and make it hard to be attacked in the first place. We deploy tools like cloud security posture management (CSPM), attack surface management (ASM), firewalls and zero trust network architecture (ZTNA). We also deploy compliance policies and do vulnerability management and patching. We spend a lot of time to discover, configure, and harden the environment so it is difficult to get broken into in the first place. But if an attacker does get through and if all goes well, we’ve mitigated the damage an attacker can do. At least that’s the promise of ZTNA.

At the point of attack, we typically have milliseconds to detect and prevent an attack with EDR, an IPS, or an NGFW. For example, when a possible remote code execution exploit is being transmitted over the network or traversing a device, we have to detect and decide whether or not we are going to block it in real-time. If we detect and make the right decision, then we’re in good shape. If we don’t, our “during” technology has no more opportunities to detect and do something about that attack unless it has been specifically engineered to deliver continuous capability beyond the point of attack in the after phase, and most are not.

After an attack, we once again have a “nigh-infinite” amount of time to figure out that we’ve been compromised and then scope, contain, and remediate using tools like cloud detection and response (CDR), log management, SIEM, SOAR, and NDR. In reality, we need to do this as quickly as possible because the corollary is that attackers also have a nigh-infinite amount of dwell time and the longer they have access to a compromised network, the more damage they can do. They can and frequently do remain undetected for months or even years and damage can escalate exponentially.

Security scope and the threat continuum are core principles the security industry has been built around and what drive the network and endpoint security capabilities we deploy to protect enterprise networks. But now, we need to rethink our approach to network security.

Rethinking Security for the Atomized Network

NGFW, IPS, and NDR—the technologies scoped and responsible for network security during and after an attack—are going away. These deep packet inspection (DPI) technologies primarily delivered on appliance-based architectures are being obsoleted by the twin trends of encryption and atomization. And nothing has replaced them.

We thought we had built a better mousetrap with Zero Trust and moving to the cloud, but it has come at a price. And 66% of enterprises don’t see moving fully to the cloud, ever. Zero Trust and SaaS have accelerated the broad usage of encryption, so when access-based permission models are abused to gain access into the network, compromises are incredibly difficult to prevent with existing network technologies. EDR is obviously valuable and provides unique visibility into local processes and system activities. However, it is adjacent in scope and its capabilities to detect and contain are limited if the attacker uses techniques outside its scope. And many endpoints and networked devices can’t support an EDR agent which means network security is even more important.

We need to revitalize network security visibility and control with a new architecture that is built for this atomized, encrypted world that we are in now.