The myth of perimeter security
The rationale behind network firewalls was simple: build a moat around the castle to keep out the bad guys and allow only the people you trust, in over the moat. Essentially, protect your internal network from the big bad internet by selectively allowing or disallowing traffic between the two. Perimeter security relies on a set of firewalls that protect networks, devices, web applications and SIEM products to monitor activity on the network in real time. In theory this should work and it does work to a great extent in practice as well.
However the typical attack surface of an enterprise has grown and fragmented to such an extent that there are just too many weak points in the castle walls that can be exploited. On the other hand the hackers are always trying to find these weak points and how to exploit them. This has essentially scrambled the concept of a “perimeter”. Really, where does your perimeter begin and end if you are using AWS along with Cloudflare CDN in addition to a significant heterogenous on-premise mix of hardware and software. Traffic coming in over the moat (the drawbridge – typically secure https) has to be continuously monitored since hackers keep trying there as well. But more than ever, the bad guys are resorting to bypassing the moat altogether. And the number of tools and techniques available to the hackers is breathtaking and scary.
Speaking of the attack surface, there is the cloud, an entity owned and operated by a third party where you have little to no control over the moat and rely for the most part on the cloud vendor to build and maintain the walls and the moat. And for economic reasons you are now moving your crown jewel services to their new castles in the cloud.
Then there is BYOD which essentially lets supposedly trusted people bring in their own devices they want inside the castle. In the near future there will be a plethora of IoT and edge devices, finger print scanners, access control systems, video surveillance equipment to name a few, all connected to your networks, all vulnerable and all with the potential of rendering your moat useless.
Now it can be argued that in a layered defense approach, such devices will hardly be ever exposed to the internet directly thus putting them out of reach for a potential hack. That may be true, however, hackers almost always use more than one exploits chained together. For example a sophisticated reflected cross site scripting attack to get access to session tokens for a user coupled with a XML External Entity processing attack, followed by a remote code execution. And this is not just a mythical string of cyber attack profiles. A recent hack published by Wizcase details atleast two of such techniques used in tandem to hack into a NAS storage device.
The reality is that the moat-drawbridge approach to perimeter security is no longer effective. What is needed is monitoring of the entire attack surface in real time so weaknesses can be identified and addressed before hackers can exploit them. This needs active vulnerability intelligence that can identify new and emerging vulnerabilities as they are published as well as tracking them through their lifecycle as they evolve. Scanning a fragmented and bloated attack surface is also not practical. Once a weakness has been identified, its remediation has to be done promptly using as much automation as possible.
Relying on the outdated promise of traditional perimeter security is not an option anymore.