Environmental drift is about unintended change and negative consequences. It’s about “stuff” that was working all of a sudden not working. Preventing, detecting and mitigating environmental drift is now a science with continuous security validation.
Like most people, I’ve been following the PyeongChang 2018 Olympic Winter Games in South Korea. I really enjoy the snowboarding competitions so it was great to see Red Gerard and Jamie Anderson (pictured above), both from the United States, take gold in the Men’s and Women’s Snowboard Slopestyle category.
Environmental Drift on the Slopes
Anyone that skis or snowboards knows that conditions can have a huge impact on performance. Things like temperature, wind, snow conditions, equipment, physical and mental state, and about a thousand other variables have to be considered. Seemingly small changes such as your edges not being sharp enough, ruts in the snow or a slight wrist injury incurred while doing a keg stand the evening before a race can be the difference between going for the gold and going home.
This is why coaches and athletes alike work to minimize risk across things they can control. They scrutinize videos, examining every twist and turn for themselves and their competition. They try new equipment, techniques, shakes, powders, and pills. They practice and practice and practice some more in diverse conditions across different mountains. They study the terrain for race day, knowing all that is good and bad about the mountain. These athletes are making sure that they maximize the knows and minimize the unknowns: they are mitigating environmental drift. Mitigating environmental drift is also a major concern for organizations combatting cyber threats.
Environmental Drift and Cybersecurity
From a cybersecurity perspective environmental drift is all too common. Unfortunately, most organizations are blind to the changes that cause environmental drift until it’s too late and they experience a compromise. If you know there is an issue you can fix it, validate the fix worked and then continuously validate to ensure it continues to work over time. The problem is, you don’t know, and small, $5 issues can result in multimillion-dollar problems. Consider the following:
- A proxy was added to the network and now your SIEM isn’t receiving logs from 25% of your security products because the proxy is blocking syslog.
- A tap or span was adjusted and now your network-based, antimalware solution is only seeing unidirectional traffic instead of bidirectional traffic thus causing it to stop analyzing and start being a really expensive paperweight.
- Your firewall was accidentally configured to allow unchecked ICMP outbound from the DMZ, thus allowing ICMP-based data exfiltration because the network team forgot to turn it back off after their “ping tests.”
- Your IPS signature you just configured isn’t firing because you added a space where there should have been a tab or other fat-finger fun.
- Your SIEM rule isn’t firing because you set the time window for the attack sequence too small and honestly the great percentage of SIEM rules never fire anyhow because validating them used to be too laborious.
- You thought the default configuration of your endpoint security control was set to block, but it was really just set to detect, and this happens all the time with all sorts of security products.
- You applied a patch to your WAF and now all your customized detections have stopped working as you think to yourself, “that’s what I get for going deep and customizing my controls.”
- You’ve just completed a broad network segmentation project and now networks that are supposed to be air gaped can communicate – “Hello PLC, this is the Internet.”
- The SIEM rules were built according to intrusion detection and prevention solutions that are no longer in your network…and then you find you don’t even have the SIEM password to get back in and fix it.
- Every time a change is made to a security control or supporting infrastructure you have no idea if it resulted in stopping something that was working, so you have adopted a special combination of assumptions, hopes, and prayers as part of your change management process.
Fortunately, mitigating environmental drift doesn’t have to be complex and it can be highly automated. The Verodin Security Instrumentation Platform (SIP) helps by:
- Validating that your security controls across network, endpoint, email, and cloud are working the way you want.
- Providing a mechanism for configuration assurance so that you can validate your changes have the desired impact.
- Assessing the state of your security effectiveness in an automated in continuous approach.
- Alerting you to changes such as – something that was blocking, detecting and correlating is no longer doing its job.
- Providing you with a platform to manage, measure and improve security effectiveness in a proactive way before an incident.
- Empowering you with evidence-based data to share with executives and other stakeholders about the state of security effectiveness and trends over time.
- Illustrating the value of security investments, details on possible product consolidation and retirement, and prioritization of future security spend based on empiric evidence.
- Allowing security decisions to be made more from a more informed position and more quickly, even by business stakeholders that are not tech- or security-savvy.
To learn more about Verodin SIP, how it addresses environmental drift and what the Office of the CISO from our partners at Optiv have to say about SIP’s impact on their customers, check out this webinar.