I am going to skip the small talk about the security landscape, how much it all sucks and how we are all doomed and get straight to the point.
Today's security operations approach fails because it is two-dimensional. That has to change. It badly needs the third dimension. No, I am not talking about fancy 3D visual effects like you see in the movies. You don't need special glasses. Here's what I mean.
The two-dimensional approach is checklist-driven security operations. The first dimension is an entity (or resource) that is part of an organization's infrastructure or operations, such as a server, a workstation, a firewall, a network, or a user account. The second dimension is the properties and configurations of that entity. For example, the disk encryption status of a system, the rules configured on a firewall, or the password policy applied to a user's account.
Most organizations' security operations default this way because the security frameworks they align with are fundamentally built on a two-dimensional approach. Compliance is made up of a list of entities and the secure configuration requirements for them. This is an attempt to bring the security posture of an organization to a certain standardized level. It is not a bad approach, but it has significant drawbacks.
Using the Graph
The configuration management of these entities and resources can be a time-consuming and daunting task. Not to mention the complex relationships among them.
We have seen small technology companies with less than 50 employees, a few AWS accounts and some git code repos, have a total of around 4000 digital entities and over 12,000 relationships in a connected property graph. A medium size enterprise with 500 employees can easily have upwards of 50,000 entities and 1,000,000 relationships connecting them.
Try keeping track of all that details and context in your head. It is humanly impossible, even for the best security analysts in the world.
Security teams operate with a checklist-drive approach simply because there is no other feasible way. It is not that they don't want to fully understand their environment, but rather, the entity relationship model that reflects the actual operational environment has become so complex to a point that it is beyond comprehension. They are doing everything they can and wishing for the best. Therein lies the problem:
Attackers think in graphs; defenders operate with lists. That's why attackers win.
This operational complexity is allowing attackers the advantage to zone in on a very focused subset of an organization environment to exploit. Meanwhile, security teams – the defenders – are busy with the broad strokes of everything in their environment. This is the reason why breaches continue to occur to organizations that are "certified and compliant".
Now imagine you have this graph with a fully automated, easily updatable and searchable implementation, you effectively have a north star, a GPS that guides your security operations.
Level the security playing field with attackers by moving your security operations from 2 dimensions to 3.
This answers the "what", but not the "so what".
For example, you noticed an employee's laptop did not have disk encryption turned on. Ok, so what? Is that of any significance? Does it pose a real and present operational threat? In the checklist approach, the answer is yes, because the compliance framework of the day requires full disk encryption on user devices. But what if the employee has no access at all to any sensitive or confidential data and no such data is ever stored on his/her laptop? Would you want to spend the limited time and resource to deal with this misconfiguration, that has little to no impact to your operations, or to prioritize something else? The answer is obvious when you have the context, but it is difficult for security teams to arrive at that answer accurately and timely.
Another example – you use a vendor to maintain the HVAC systems across your sites. The end user systems and accounts on the vendor lack strong security – no strong password, no MFA, no disk encryption, etc. But they don't have access to your production operations, so that's not a problem, right? Well, we all know how that turned out.
In today's cloud-first, software-defined digital environment, people and resources within your environment are so deeply connected, something that is seemingly inconsequential could have such a dramatic ripple effect across your entire environment.
The only way to know the extent of the ripple is to understand the interconnections. The relationships among the resources and entities. The third dimension.
Three-dimensional security is a graph, not a list. A graph that is built with entities and their metadata but prioritizes the relationships. A graph is a complete – or as close to complete as possible – representation of everything that matters in your digital operations. A graph adds depth and gives you context.
What's in the graph?
This graph must encompass not just one environment – e.g. an AWS account – but all environments and controls. Including people, infrastructure, development, end-user systems, applications, security controls such as identity systems and vulnerability scanners, as well as records, findings, and written policies and procedures.
The graph must map out the relationships and dependencies among these entities and resources across system and account boundaries.