Security would be so much easier if our networks were not so complicated! It’s a tempting illusion that we can just take out our checklists of best and worst practices, compare each component to the rules, make sure each configuration knob is set correctly, then put our feet up until the next audit.
But it never quite works like that, because networks are complicated – indeed, try an image search for “complexity”, and mostly what you get back are pictures of networks! Networks are the epitome of complexity.
So why should security people care – isn’t the network a problem for some other team? The answer to that is just two words: “lateral movement”.
Pretty much every attack scenario more advanced than the basic smash-and-grab approach of clickbait ransomware depends on gaining a toehold in one part of a network, then spreading laterally to another.
Even ransomware is evolving to rely on lateral movement now, because most organisations have learned that it’s not good to leave critical corporate data lying around on laptops.
Great, so as a defender, you need to broaden your search – it’s not enough to ask “is this asset weak?”, you also have to get into “now where else could you go, if you controlled this location?”
That doesn’t sound so bad, until you start to consider the scale of the problem: if you have N devices in your network, you must understand N^2 possible lateral jumps that an attacker could use to take you down.
When N is more than 10, it gets hard – when N is over 1,000, we are beyond human scale, and algorithms are the only choice for searching this vast space, looking for the juicy attack pathways that attackers can follow.
Of course, as a defender, this game is always stacked against you – the attacker only has to find one sequence of steps that lets them in, but you have to find every possible pathway, and block them all.
The sad truth is that humans are not good at figuring out complex interactions, such as the lateral movements that attackers use to turn their toehold on your network into a stranglehold.
How do I know? Because I’ve spent my career getting computers to reason about complex interactions, in fields as diverse as epidemics, networks and cyber security.
What these various kinds of “chess computers” always show is that machines are better than people when it comes to figuring out complicated, multi-stage attack pathways.
It’s not that people are dumb – human defenders are better than computers at, for example, thinking through the motivations and likely techniques of an opponent, or setting strategic policies that trade off business agility with solid defence.
But humans just don’t have the attention span to check millions or billions of lateral moves, or even worse, sequences of lateral moves that an attacker is likely to use.
The recipe to deal with this is straightforward. Defenders need to: build and keep an up-to-date inventory – all security starts here; then map out what is connected to what, so that, like a battlefield commander, you can see your position; finally, unleash automation to figure out where your defensive gaps are, prioritise them, then fix them using a risk-based approach.
Anything less, and you’re flying blind, using hope as a strategy.