Three Dimensional Security

By Erkang Zheng

I am going to skip the small talk about the security landscape, how much it all sucks and how we are all doomed, and get straight to the point.

Today's security operations approach fails because it is two-dimensional. That has to change. It badly needs the third dimension. No, I am not talking about fancy 3D visual effects like you see in the movies. You don't need special glasses. Here's what I mean.

2D Security

The two-dimensional approach is checklist-driven security operations. The first dimension is an entity (or resource) that is part of an organization's infrastructure or operations, such as a server, a workstation, a firewall, a network, or a user account. The second dimension is the properties and configurations of that entity. For example, the disk encryption status of a system, the rules configured on a firewall, or the password policy applied to a user's account.

Most organizations' security operations default this way because the security frameworks they align with are fundamentally built on a two-dimensional approach. Compliance is made up of a list of entities and the secure configuration requirements for them. This is an attempt to bring the security posture of an organization to a certain standardized level. It is not a bad approach, but it has significant drawbacks.


Using the Graph

The configuration management of these entities and resources can be a time-consuming and daunting task. Not to mention the complex relationships among them.

We have seen small technology companies with fewer than 50 employees, a few AWS accounts and some git code repos have a total of around 4000 digital entities and over 12,000 relationships in a connected property graph. A medium-sized enterprise with 500 employees can easily have upwards of 50,000 entities and 1,000,000 relationships connecting them.

Try keeping track of all those details and context in your head. It is humanly impossible, even for the best security analysts in the world.

Security teams operate with a checklist-driven approach simply because there is no other feasible way. It is not that they don't want to fully understand their environment, but rather that the entity relationship model reflecting the actual operational environment has become so complex that it is beyond comprehension. They are doing everything they can and wishing for the best. Therein lies the problem:

Attackers think in graphs; defenders operate with lists. That's why attackers win.

This operational complexity gives attackers the advantage of zeroing in on a very focused subset of an organization's environment to exploit. Meanwhile, security teams – the defenders – are busy with the broad strokes of everything in their environment. This is the reason why breaches continue to occur at organizations that are "certified and compliant".

Now imagine you have this graph in a fully automated, easily updatable and searchable implementation: you effectively have a north star, a GPS that guides your security operations.

Level the security playing field with attackers by moving your security operations from 2 dimensions to 3.

The checklist answers the "what", but not the "so what".

For example, you noticed an employee's laptop did not have disk encryption turned on. Ok, so what? Is that of any significance? Does it pose a real and present operational threat? In the checklist approach, the answer is yes, because the compliance framework of the day requires full disk encryption on user devices. But what if the employee has no access at all to any sensitive or confidential data and no such data is ever stored on his/her laptop? Would you want to spend the limited time and resources to deal with this misconfiguration, which has little to no impact on your operations, or to prioritize something else? The answer is obvious when you have the context, but it is difficult for security teams to arrive at that answer accurately and in a timely manner.

Another example – you use a vendor to maintain the HVAC systems across your sites. The end user systems and accounts at the vendor lack strong security – no strong passwords, no MFA, no disk encryption, etc. But they don't have access to your production operations, so that's not a problem, right? Well, we all know how that turned out.

In today's cloud-first, software-defined digital environment, people and resources within your environment are so deeply connected that something seemingly inconsequential can have a dramatic ripple effect across your entire environment.

The only way to know the extent of the ripple is to understand the interconnections. The relationships among the resources and entities. The third dimension.
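A small worked version of the contextual prioritization that the laptop and HVAC vendor scenarios above describe, added here and not code from the post or from JupiterOne: a constructed property graph in which checklist findings (an unencrypted host, an account without MFA) are ranked by the sensitive data stores they expose through their relationships. The entity ids, relationship verbs and traversal rules are assumptions made for the illustration.

```python
from collections import deque

# Constructed sample property graph (not JupiterOne data): entities with
# properties, and directed relationships (from_id, verb, to_id).
ENTITIES = {  # "encrypted" / "mfa" are the checklist properties
    "laptop-1": {"encrypted": False}, "laptop-2": {"encrypted": False},
    "jump-host": {"encrypted": True}, "alice": {"mfa": True},
    "bob": {"mfa": True}, "hvac-vendor": {"mfa": False},
    "marketing-site": {"sensitive": False}, "customer-db": {"sensitive": True},
}
RELATIONSHIPS = [
    ("alice", "USES", "laptop-1"), ("alice", "HAS_ACCESS", "marketing-site"),
    ("bob", "USES", "laptop-2"), ("bob", "HAS_ACCESS", "customer-db"),
    ("hvac-vendor", "HAS_ACCESS", "jump-host"),
    ("jump-host", "CONNECTS", "customer-db"),
]
# Assumed rule: exposure spreads both ways along USES (a weak host exposes its
# user and vice versa) but only forward along access and connection edges.
TRAVERSE = {"USES": "both", "HAS_ACCESS": "forward", "CONNECTS": "forward"}


def build_adjacency(entities, relationships):
    adj = {eid: [] for eid in entities}
    for src, verb, dst in relationships:
        adj[src].append(dst)
        if TRAVERSE[verb] == "both":
            adj[dst].append(src)
    return adj


def exposure_paths(start, adj):
    """Breadth-first walk from one entity; returns {reached_id: path}."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def prioritize_findings(entities=ENTITIES, relationships=RELATIONSHIPS):
    """Rank checklist findings by how many sensitive stores they expose."""
    adj = build_adjacency(entities, relationships)
    ranked = []
    for eid, props in entities.items():
        if props.get("encrypted") is False or props.get("mfa") is False:
            paths = exposure_paths(eid, adj)
            exposed = [paths[p] for p in paths if entities[p].get("sensitive")]
            ranked.append((eid, len(exposed), exposed))
    return sorted(ranked, key=lambda r: -r[1])
```

With this graph the unencrypted laptop-1 ranks last because nothing it touches reaches sensitive data, while the vendor account without MFA ranks alongside laptop-2 because the jump host it can reach connects to the customer database.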

3D Security

Three-dimensional security is a graph, not a list. A graph that is built with entities and their metadata but prioritizes the relationships. A graph is a complete – or as close to complete as possible – representation of everything that matters in your digital operations. A graph adds depth and gives you context.

What's in the graph?

This graph must encompass not just one environment – e.g. an AWS account – but all environments and controls, including people, infrastructure, development, end-user systems, applications, security controls such as identity systems and vulnerability scanners, as well as records, findings, and written policies and procedures.

The graph must map out the relationships and dependencies among these entities and resources across system and account boundaries.

Watch CEO Erkang Zheng speak at BSidesSLC 2019 on adding a 3rd dimension to security operations.

Erkang Zheng

I envision a world where decisions are made on facts, not fear; teams are fulfilled, not frustrated; breaches are improbable, not inevitable. Security is a basic right.

I am a cybersecurity practitioner and founder with 20+ years across IAM, pen testing, IR, data, app, and cloud security. An engineer by trade, entrepreneur at heart, I am passionate about technology and solving real-world challenges. Former CISO, security leader at IBM and Fidelity Investments, I hold five patents and multiple industry certifications.

I am building a cloud-native software platform at JupiterOne to deliver knowledge, transparency and confidence to every digital operation in every organization, large or small.
