The demise of network security walls in the times of COVID-19

The Middle ages have a definite end date – 29 March 1453; the day the City of Byzantium’s famously mighty Theodosian Walls that had protected it for hundreds of years were laid low by Ottoman gunpowder. The Eastern Roman Empire, in decline for hundreds of years, was already on the point of collapse – but this moment is what we choose to remember. A change in the way wars were waged so profound it bookended a chapter of history.

As we find ourselves in a time when our own castle walls (enterprise boundaries) have come crumbling down, on-premises controls, like the castles they sought to replicate, are looking increasingly antiquated in a news cycle devoted to remote work. But just because the castle has fallen, it doesn’t mean we need to rebuild it. To forget the lessons of the past means we are doomed to repeat its mistakes. The game stays the same, but the way we play it has changed.

Cybersecurity is, at its heart, a game of asymmetries. The levers and tools we have at our disposal to defend our estates look completely different from how those who attack us perceive them. This fact may seem self-evident, but embracing it represents a paradigm shift in the way cybersecurity operations can be understood. Old ways of understanding and speaking about cybersecurity emphasised the now passé castle doctrine. Whilst the core idea of defense-in-depth is a good one – the lexicon that it sprang forth was insular; Firewalls, IDS, AV, SIEMs, VPNs or compliance such as PCI or ISO certifications. More technical controls, more architecture, more cost and more complexity. Focussing inwards, at the expense of looking outwards. Build higher walls, they said, and it will take a mightier army to besiege them. This is the sadly predictable downfall of many. And as we know, nobody builds castles anymore.

No military force ever looks exclusively at themselves when committing to a fight and military doctrine teaches us a lot about understanding the adversary before a single round is fired. Even a 15th century hussar would not sit back and wait to be attacked. A modern air force would not fly without knowing where the enemy surface to air missiles were located and understands the environment they operate within, so would probably take a look at the weather as well. Similarly, an army would characterise an opposing force to determine where an attack would deliver the most decisive effect, while also understanding the type of ground they need to move across.

Military forces have three fundamental modes; sense, fire and manoeuvre. Sitting still gets you outflanked while being unable to drive out attacks makes you defenceless. But you can’t defeat all attacks all the time against all perceivable adversaries. “If a battle cannot be won, do not fight it,” said Sun Tzu, so you need to concentrate your efforts in time and space (and probably budget too). Cybersecurity is the same. Don’t try to stop all the 1’s and 0’s. You won’t win, and you’ll probably end up annoying legitimate users. Extending your understanding of the information environment beyond your own “border”, knowing what adversary tradecraft looks like and if they are planning to attack you, puts you on the front foot. Modern warfare is highly asymmetric, and victory goes to the side that can influence decision making - not the one with the most tanks on the battlefield.

But back to siege mentality. Whilst we as an industry were busily building walls, the breaches kept coming – despite our sense of security. It’s not even a close contest; intruder dwell time is measured in months. One of the problems with castles is that they’re not attacked at their thickest point, and they are as weak as their thinnest. The intruders understood and exploited the asymmetries at play here for a long time and have a nasty tendency of avoiding playing to our strengths. It should come as no surprise that our controls don’t cause offensive security practitioners much concern, in much the same way as career criminals don’t lose sleep over speed cameras. Ask a pentester about the last time they were detected by a SIEM. Where you see a compliance checkmark, they see a jungle gym. The net result is overwhelmingly the same. All too often in the form of waking up to a series of notes explaining how to buy bitcoin to pay ransoms or a knock on the door from a government agency.

After they are finally discovered, we get on with the incredibly expensive process of Incident Response – evicting adversaries from a network and all it entails. Downtime, loss of face, loss of PII, loss of revenue, fines. Real tears from your IT staff pushed to the brink. A vague press release, or if you can get away with it, none at all. If the media does find out, or you must disclose - issue a mea culpa. We take security very seriously. Then wait for it to happen all over again.

As organisations dutifully sent their staff home, defense-in-depth suddenly got a lot shallower - entire userbases have rushed out past the enterprise walls. Abandoned with them were all the on-premises controls we spent the last 30 years deploying; corporate firewalls and proxies, AV servers. All temples to the old gods. The truth was that regardless if you liked it or not, the blinking lights in your datacenter were already steadily going out. Software was already eating the world, and COVID-19 simply accelerated it. Being a proponent of on-premises security controls in a post-COVID world will be an exercise in cognitive dissonance. Entire control planes and data sources are vanishing, and new ideas and techniques take their place.

Time will tell how we mark COVID-19 and its impacts on technology or cybersecurity, but it’s clear to us now that de-perimeterisation is here to stay. Traditional defense-in-depth strategies no longer hold water when you can’t control what your users’ home network looks like, and the VPN appliance is acknowledged as more risk than reward. Nobody builds castles anymore.

So, the game stays the same, but the way we play it must change.