NONE OF US have yet woven the perfect security net. If one of us ever does, an hour later there will be a new attack, a new method, or a new end user who renders that moot. With that in mind, we should consider the thoughts of the Greek philosopher Heraclitus who said, “No man ever steps in the same river twice, for it’s not the same river and he’s not the same man.” How might we apply that principle to modern cyberdefenses?
If IT security is a river, then your stack must be just as fluid. Consider how long you have been delivering that same stack. How often do you review its components? How often do you review your own practices for deploying your tools? How have you kept up with all the changes in the threat landscape we now find ourselves navigating? And what do you see coming next?
The Only Constant Is Change
If we roll back the clock 10 years, most of our sites had very distinct perimeters, were largely premise-based, client-server networks, and remote access was by means of SSL VPN or an RD gateway. Then came the rise of portables, the advent of the cloud, and later more sophisticated environments such as virtual desktop infrastructure.
But with 2020 came the “100-year flood” of changes that was COVID, boiling the river, as well as adding the thrill of supporting “work from anywhere.” Suddenly we were facing the most highly distributed and least well-managed device fleets we had ever known. For those on premise, those “ship to shore” remote access methods became truly critical.
With all this change, if you are still on the “firewall, anti-virus, and done” plan, you are well behind the curve. Today we now routinely provide managed detection and response, DNS filtering, multifactor authentication, and engage with outsourced SOCs. And, of course, we defend our new M365 “endpoints” with anti-spam, anti-phishing and backup as well.
Currently, it is no longer enough to know where users are. We must now know where they place data, how they share that data, and how to protect those repositories. That includes finding a way to back up all that data, wherever it may reside. No matter how you slice it, the discovery, identification, and protection of that data has gotten much more difficult these past few years.
Changing the Dynamic
Most of us spend too much time in reactive mode, with our heads down, too busy chopping wood to sharpen our axes, much less buy a chainsaw. The asymmetric nature of cyber warfare—we must be nearly perfect while attackers need find just one weakness—only exacerbates this imbalance. It is time for us to change this dynamic and take back control.
Most of our clients will simply never see the world as we do. We see the dots, but they see the image those dots represent. And they sometimes avoid thinking carefully about our questions. I cannot remember how many times I have discovered potentially serious issues on networks we manage, simply because we finally got a different answer to the same question.
I take from this that we need to stop thinking about endpoints, firewalls, or Wi-Fi, and to start thinking about protecting processes, becoming ever more integral parts of our clients’ businesses. This gets us a much more commanding seat at the business table. But it also puts us in the less familiar role of strategists, not as the tacticians so many of us “grew up” being.
We need to find a way to better express the value we bring; of seeing every process through the lens of security, of finding the hidden risks and offering safer solutions. There was a time when this was as simple as closing firewall ports and going to VPNs, but that time is now long gone. Now we must see over the horizon to succeed. If we can only react, we will lose this battle.
Back to the River
As IT security practitioners, we like to quantify, analyze, and justify our findings. We also like to stick with what we know. But finding the right approach to solving our clients’ problems also requires flexibility. We must do far more than measure, and much more than react. We must think conceptually, stay current, and anticipate change.
Another challenge that we all face today is the decentralization of IT decision making, and the rise of “shadow IT,” which I like to call “no IT” as it better expresses the utter lack of planning that we so often see. As hard as it may be to hit the moving target that modern IT security challenges present, it is that much harder when you cannot see the target(s).
We must find a way to lead our clients to make better IT decisions, rather than find ourselves chasing after them. While we can pressure (or price) our clientele into decisions, it is always better to lead than to push. Staying ahead of our clients’ needs is the most effective way to suppress their more self-destructive shadow IT machinations.
No Man is An Island
No matter how prescient we may be, there will be limitations in our ability to visualize the threat landscape and see over the horizon. That is why it is so crucial to reach out to others and expand our world by attending industry events and joining peer groups. The attacks we defend against are not static and we must react in a fluid manner. Participating in these groups and events has brought concepts such as privileged access management, zero trust, and secure access secure edge (SASE) to the SMB market, even just since 2020.
It Is All About the Process(es)
This is about contemplating threats still on the horizon. Who has not heard about ChatGPT this year, and about all that it may promise (or threaten)? Have you considered what the threat of what I call “broad fakes” might bring? There will be convincing impersonation by means of text and voice this year, maybe even video as well.
New AI-driven attacks will be planned, coordinated, and executed by algorithms that will cull information from social media, email penetrations, resident malware; and our entire “digital vapor trail.” They will be managed by professionals and the occasional nation state. And they will get better quickly. And you thought quantum computing’s threat to encryption was scary?
Our tools will also improve, of course, but our methods must take the greatest leap forward. Make some time for deep thought and become more visionary in your security practice. Engage with your clients and move more deeply into their processes. And do not forget to emphasize the importance of “hardening” their staff by means of cyber training. Let’s win this fight.
JOSHUA LIBERMAN is president of Net Sciences, MSP 501 member and the best little MSP in New Mexico. A former mountaineer, martial artist, and lifelong photographer, Liberman is widely traveled and speaks several languages. He is an ASCII Group board member, writes and speaks publicly, and raises Siberian Huskies. His wife, Heidi, calls him the Most Interesting Geek in the World.
Image: iStock
