サイバー・ハイジーン：サイバーレディネスへの第一歩

What is cyber readiness? It’s an information technology (IT) discipline that involves a Left of Bang approach to endpoint management, real-time threat detection, and rapid threat remediation. In combat operations, a left of bang approach involves designing operations to generate an advantage before an attack, the first shot, and explosion. This could involve conducting a convoy at the right time, selecting the right route, hunting for bad actors, or reacting to events in unpredictable ways that confuse the attacker. Left of bang involves hunting for threats, then rapidly assessing risk and impact to counter these threats. Connecting these ideas to endpoint management, real-time threat detection, and rapid threat remediation, visibility becomes the common denominator. Visibility is fundamental to hunting and is a foundational capability that enables cyber hygiene, threat detection, and assessments of counter threat actions.

In an earlier blog post, I offered this equation as a succinct way of explaining cyber readiness.

Cyber Hygiene + Threat Detection + Counter threat Actions = Cyber Readiness

Here’s a quick explanation of each of these elements:

• Cyber hygiene focuses on endpoints and networks, ensuring that all defense measures have been taken appropriately.
• Threat detection is, as the name suggests, prompt detection of threats ranging from ransomware attacks that shut down devices to business email compromise (BEC) attacks that trick employees into transferring funds to criminals. Detecting threats quickly and accurately gives security teams a chance to stop them from spreading across the organization and causing more damage.
• Counter threat actions involve taking action to stop attacks and even, on occasion, compromising the capabilities of attackers.

If an organization performs these practices well, it will significantly improve its cyber readiness, that is, its ability to avoid and withstand cyberattacks.

Cyber hygiene: maintaining optimal health of our IT environment

Let’s take a closer look at the first of these elements: cyber hygiene. Hygiene, essentially a medical term, refers to the practice of maintaining health and preventing disease through cleanliness. In cybersecurity, cyber hygiene prevents attacks by eliminating vulnerabilities, software defects, security flaws, or misconfigurations. These efforts are akin to handwashing to remove germs to prevent the spread of disease. Mark Rober demonstrated this in his YouTube video “How to See Germs Spread Experiment” that demonstrated how easily germs spread.

Cyber hygiene provides many parallels to medical hygiene in that we want to remove vulnerabilities or threats – ways an attacker can penetrate our network. We need to know what’s happening on every endpoint (that is, every laptop, desktop, server, IoT device, cloud application, etc.) regardless of where it is and over which network it’s connecting. In effect, we need continuous collection of cyber hygiene data for every endpoint we’re trying to secure. And we need treatments (think IT security policies or endpoint-hardening best practices) to help repel attackers and restore endpoints to full operational capacity. In technical terms, we need our technology environment to be fully operational and free from defects. A left of bang approach positions our IT operations and security environment in a continuous state of optimal health.

Let’s more deeply investigate the four cyber hygiene requirements.

Requirement #1: Comprehensive visibility

Our first requirement is comprehensive visibility — visibility into every endpoint handling the organization’s data or connecting to its networks.

Holistic visibility appears to be an obvious goal that can be achieved with a basic monitoring tool. In reality, endpoint visibility is a challenge for most IT organizations, even organizations that have invested heavily in cybersecurity. Organizations often have many tools that enumerate their endpoints, and the results from these different tools are consistently inconsistent. This inconsistency is a result of both inadequate endpoint coverage and a poor BZO of the environment. The tools are deployed but not fully operational, or the tool is simply not deployed at all. Detailed audits of enterprise networks reveal that most organizations overlook 10-20% of endpoints.

Why this gap in visibility? Many endpoint management products are limited to working with certain operating systems and certain types of devices, or their discovery algorithm works only with devices with endpoint management software already installed. In other words, these products can confirm they know about what you already know about, but they cannot discover anything you might have overlooked – the invisible germs in Mark Rober’s YouTube video. As a result, there’s a gap between the set of all the endpoints posing cybersecurity threats and the smaller set of endpoints the security team thinks it’s managing.

Unfortunately, an adversary such as a ransomware gang needs to breach only one endpoint to gain a foothold in an organization. Security teams can’t afford to overlook a single endpoint, let alone 10% or 20% of their endpoint estate.

Make sure you have a way of discovering and managing all the endpoints in your environment, including endpoints in home offices, remote workspaces and cloud environments. Then you’ll have met the first important requirement for cyber hygiene.

Requirement #2: Real-time visibility

Once you’ve established comprehensive visibility, you need to ensure you have continuous, real-time visibility into the health of all your endpoints, whether local or remote. Fundamental to a left of bang approach is a decision advantage; this advantage is fueled by endpoint data.

Make sure you can answer these questions:

• What type of endpoint is it?
• What software has been installed on it?
• What security tools are installed, configured, and healthy on the endpoint?
• What processes are running on the endpoint?
• If the endpoint was involved in risky activity, which other endpoints was it communicating with?

Security teams need to be able to answer these questions quickly by enriching and contextualizing events or risk with endpoint data. While business functions determine if an endpoint is part of Key-Cyber Terrain (KCT), real-time visibility enables data to contextualize risk and impact if an adversary seizes a KCT endpoint. If an attack is underway, consulting a compliance, change, or configuration report from last month will produce minimal insight when contrasted with real-time visibility. To respond quickly and effectively, you need to know what software is installed and active now, so you can understand software vulnerabilities and threats. You also need to be able to see what’s happening on any endpoint at any time. You need to be a hunter with a left of bang mindset. You need to detect those processes, activities, and behaviors that do not belong on the endpoint.

Real-time visibility is a key enabler to planning, decision-making, and threat detection. Therefore, it’s an essential element of cyber hygiene.

Requirement #3: In-depth software visibility – Software Bill of Materials (SBOM) insights

The Log4Shell (or Log4j) software vulnerability (CVE-2021-44228), first reported on 2021 年 12 月 9 日, forever changed the work of enterprise cybersecurity. Here was a widely used, open-source software component embedded in thousands of commercial applications — including applications from the most trusted names in the software industry — found to be vulnerable to attacks. In some scenarios, the vulnerability could give cybercriminals full control over process execution, enabling them to run whatever programs or shell commands the applications could access.

In most large organizations, the Log4Shell component was embedded not just in commercial applications but in internally developed applications as well, broadening the search considerably. A patch was available, assuming you could find all the places where Log4j was installed. But that discovery process was difficult and time-consuming work, in part because the scope was so vast and encompassed many applications, but also because the Log4Shell artifacts were packaged in archives of archives within JAVA applications.

Meanwhile, attackers were busy. Within 72 hours of the vulnerability being announced, cybercriminals launched more than 800,000 attacks leveraging the vulnerability.

Log4Shell raised the bar for cybersecurity hygiene. Before Log4Shell, security teams could practice good patch management by keeping track of applications and patch levels; after Log4Shell, security teams realized they needed a magnifying glass or infrared light (IR) for the germs that are invisible to the human eye – they needed visibility into all the components of every application and service running on their networks. In combat hunter terms, we want visibility during all hours of the day; we need night vision goggles so we can see into software to assess threats, vulnerabilities, hygiene, and readiness.

In other words, security teams now need real-time visibility into software bills of materials (SBOM). An SBOM is the list of all the components making up an application or service at any time. Only with this level of detailed analysis can security teams be ready to respond when the next software component vulnerability is announced. And given the extensive use of popular open-source libraries, the complexity of software, and the likelihood of design flaws, another announcement similar to Log4j is inevitable.

It is worth noting that a capability developed in 2007 was not designed for the SBOM Log4j problem. Modern capabilities are extensible, adaptable, and agile. Modern cyber capabilities are more like a computer language than a monolithic function within a program. This is where opportunity and work intersect in the story of cyber success. The ability to create custom content is a critical enabler to see tomorrow’s threats. Time and space are the LimFacs in this challenge; we may not need all the data, just the right data to drive the right decision to take the right action in a timely manner.

That’s why insights into SBOM are now an essential requirement for cyber hygiene.

Requirement #4: Configuration variance (patching operations & software management)

We’ve talked about finding all the endpoints and understanding their vulnerabilities and risks. Now we need a way of hardening them by ensuring each endpoint has the right configuration by installing patches, employing active software management, and properly configuring each endpoint. Making endpoints resilient to attacks involves predictability where the organization minimizes configuration variance. In essence, each endpoint is in the prescribed configuration.

To continue our hygiene metaphor, poor hygiene incurs risk factors; conversely good hygiene increases health and resilience by eliminating germs that can cause ailments. Now we’re going to apply a left of bang approach to improve the readiness of our environment by keeping our environment clean from vulnerabilities, misconfigurations, and old software.

Every organization has tools it uses to install patches and to deploy software; these tools are often point solutions that consume time and effort. The effect is that mediocre results are achieved through time and effort. Performance metrics are important, but the larger impact to cyber readiness lies in the variance of the configuration of all endpoints. The pace of patching and deploying software is important, but supporting multiple configurations increases complexity and results in a reactive approach driven by compliance, stale data, and historical reports. This could be a result of too many tools, resulting in a convoluted and disjointed configuration management processes, or the problem could be the wrong tool, tech-knowledge debt within the organization, and a “work harder, not smarter” approach to configuration management.

When you rely on five or ten different tools to scan devices, assess vulnerabilities, install patches, confirm that the patches are really installed (with many tools, reports of success can be greatly exaggerated), and generate reports for audits and compliance, the workflow itself becomes a new type of risk. Steps might be missed or delayed. Data and reporting formats might vary. Key details might be overlooked. Processes might be dangerously prolonged.

In contrast, effective patch management is capable of:

• Acting on the intelligence about patch status and SBOM gathered by other endpoint management tools and workflows
• Installing patches quickly and effectively without jeopardizing the performance of endpoints or the network
• Generating reports on the real-time status of endpoints
• Helping security teams find and fix problems quickly when new zero-day attacks are announced
• Integrating with other aspects of endpoint management for seamless handoffs between endpoint operations

By centralizing tools in a single platform, technology teams can eliminate patching delays while assuring authenticity of software introduced into their environment, resulting in one source of data that is authoritative, accurate, available, and actively managed. In truth, modern digital IT organizations have many teams, and each team needs a common site picture that expands hunting in a left of bang approach. Organizations attain the fourth requirement for cyber hygiene by raising all teams to the intersection of work and opportunity where collaboration can drive activities that minimize configuration variance and ensure the network is always in a known state.

Cyber hygiene: an essential part of cyber readiness

Addressing the four cyber hygiene requirements will allow organizations to know and understand the state of their environment. The result will be a higher level of cyber readiness that reduces attack surfaces, hardens endpoints, and positions the endpoint collective to be clean or free from vulnerabilities. When teams within the organization share a common sight picture informed by threats, an effective endpoint management solution enables organizations to shape their environment through teamwork, cyber hygiene, and insight into configuration variance of their endpoint estate. This level of awareness creates a decision advantage that enables agility, adaptability, and awareness of threats.

Now that we’ve explored what’s needed for effective cyber hygiene, let’s consider the next element of cyber readiness: threat detection. I will write about that important topic in my next blog post.

---

Meanwhile, learn more about the Tanium Converged Endpoint Management platform and its role in endpoint management, including patching and compliance.