When I started RazorSecure, I had two initial goals, to reduce the amount of time it takes to detect a cyber security breach, and to reduce the number of false positives that cyber security software generates.
When looking at these two problems, I came to a conclusion that would set the tone for our entire tech strategy. The only way to meet these goals was to focus on behaviour and treat systems, within the network, as individuals.
This approach is in contrast with the typical cyber security risk strategy thinking, which advocates a holistic approach, network monitoring and relying on external threat feeds. It is logical to follow this type of holistic approach in a large enterprise network with a diverse estate of assets, where there are many elements outside of your control so you must either bring those within your control (lock down workstations etc) or you must focus on the elements that are within your control (the network). As a security professional in this case, you act to protect the network from the devices connected to it.
However, this is just one case to be considered in critical infrastructure and cloud hosting environments the opposite is often true. The network is the least controlled part of the infrastructure; with maintenance ports and devices being connected to the network with poor physical controls, or a shared network across many tenants. In this case, focusing on the systems connected to the network is the correct strategy; a system-centric approach where systems protect themselves from the network is more effective for critical systems.
Even in cases where the network can be controlled, protecting the “critical” devices within the network and reducing the problem space when applying detective controls to them is the most effective way to ensure they remain secure over their lifetime. It is a critical part of a layered approach to cyber security.
So why is it important to treat them as individuals?
Treating a device as an individual ensures that the behavioural learning uses the best possible data to protect that one device.
Even when considering a fleet scenario with hundreds of similar devices, this remains true! These devices should all be the same, but the reality is they are not. There will be subtle differences in configuration between them which will drift over time, so a security strategy that treats them as a group will also likely fail over time.
It is for this reason that penetration testing is not a silver bullet within critical infrastructure. Pen testing will only test a single, ideal system at a single point in time. It does not consider new vulnerabilities that are found by attackers in the deployed software or scenarios where misconfiguration creeps into a system because of configuration drift or maintenance that is performed over the life of the asset.
Treating systems as individuals allows us to focus on understanding the differences between the fleet of similar systems. This gives us the ability to identify the outliers; devices that have been misconfigured or potentially already breached before our software has even been installed.
Limiting the problem space allows you to focus on what is important
An experienced security professional will recognise that there are many different approaches to security monitoring. The danger with rail cyber security is that you can fall into the trap of trying to ‘boil the ocean’ and over-invest in security controls that have only limited effectiveness.
Identifying critical systems and applying a system-centric security approach that covers those systems is a great place to start. This allows you to focus on what is truly important in your network, key points of aggregation, critical systems and the services that are critical to your operation.
This focus allows you to implement targeted controls that don’t overwhelm your security team.It is a starting point for building a continuous improvement strategy.
We had a brilliant discussion with an industry veteran a few years ago. He got our strategy immediately and articulated it in the best way: “The reason this works is because you have limited the problem space, it isn’t about being the best security system for every device, it is about being the best security system for this device”.
How our technology principles have continued to evolve
When we first started out, we focused on individual systems and gaining visibility into their operations. Our mantra was that it is systems that get hacked, not networks. We still strongly believe this today, but our view of the world has broadened.
We now believe that a system can take this individualised approach to its own security and the systems around it. A host-based approach is not possible for some systems, but that does not stop us applying the same principles with a different data set. If a key device in a network, like a mobile communication gateway or a security gateway, can understand other vulnerable systems around it that could be possible attack vectors;by ingesting data from their system logs, SNMP data etc. it can therefore better protect itself from those systems.
At RazorSecure we would always recommend a layered approach to security, and that is why we offer protection for both key devices and networks. Our flexible, hybrid approach to security starts with protecting key devices and then looks to cover gaps in visibility with network monitoring. Our approach is strongly aligned with the NIS Directive, NIST Cybersecurity Framework and IEC-62443; prioritising key systems with a structured approach based on international frameworks.
This article is part of our 'sharing our technology' series, where we will discuss the six key principles of our technology. Stay connected for further releases.