Endpoint Security: What's Missing?
I'm going to start this chapter by saying that a toilet has a better control system built in to it than our networks do. We understand how toilets work, what happens when they don't, and most important, why they fail. I know it sounds strange, but there is a similarity here that can be exploited—we just need to understand the science behind it.
So, from the preceding two chapters, we know that something is clearly missing. We're spending like mad, have no way to predict success (much less failure), and we still have the day-to-day problem of being attacked constantly.
I think part of the problem has to do with the fact that many people honestly believe that the network is too complex to understand and that "security" is the purview of hackers and vendors. I've actually had security people tell me in meetings that their network is too large, too distributed, and too complex to identify all the endpoints on it! On another note, I've actually had a hacker sit across from me in meetings, pound the table, and scream—yes, scream at me—"I can own your network!" I told him, "Great, I'll need a weekly status report." He didn't seem to be a bit amused with my sarcasm, but using fear, uncertainty, and doubt to sell a service has never been a big hit with me.
I touched on the idea that we should use science to help solve our problems, and I really think that's where the answer lies. We need to understand not just how, but why our networks operate the way they do. We're being driven by the fire of the day, and we're letting it drive our solution space. This is not how engineers do things, and for all practical purposes, no matter how we got here, we are engineers.
In this chapter, we explore the notion that the network and the endpoints that populate it is a problem that can be expressed as a closed-loop process control problem. Like the system that controls the heat and power in your building, a closed-loop process control system establishes a "set-point," such as the temperature, and works the system's compressors, coolers, and heating elements to maintain the temperature within a few degrees of the set-point. I submit that our networks have no such control and that's why we're having the problems we have now.
The network folks have known about this kind of a solution for years. All critical systems, such as switches, routers, Uninterruptible Power Supplies (UPSs), file servers, and even things like network-enabled power strips, all talk to a central system called a network management system (NMS). Properly instrumented systems talk with the NMS using a standard protocol called the Simple Network Management Protocol (SNMP). Using SNMP, systems report on their status, throughput, and general health. Details such as the number of packets passed, packets dropped, types of packets, temperature of the system, voltage level, battery life, routing protocols in use ... well, you get the idea. All that information at their fingertips enables the good folks in the network operations center (NOC) to keep the network up and functional.
As things change, the information is reported to the NOC, where decisions can be made to set things right. Using the capability of an NMS-equipped network, administrators can make tactical decisions to address acute situations, or they can use the trending information for strategic purposes.
It wasn't all that easy, but after many years of development, the network management people have successfully closed the loop, and our networks have become a commodity resource because of it.
We have no such solution in the security world.
Précis
I start our journey through this chapter by discussing a new way to look at our network and the security systems that inhabit it. As discussed in the previous chapters, our present methods aren't working, so I discuss a new process that will help us understand how our network technology interacts with our security technology. Each system has a distinct role and a unique mode of operation. When we understand these control modes, we can begin to understand how they talk and who they talk to. Like the NMS systems, we need a way to leverage communications protocols in a way that gets us information quickly and reliably.
Now the hard part: We're going to have to map our business processes to our security model. I say "hard" because when I've seen security fail, a good many times the reason it happened was because the security process didn't mesh properly with the goals and objectives of the business. We already know that if it's a choice between better security and higher profits, security gets the axe.
At the end of the chapter, I cover one other issue: nomenclature and iconology. Every engineering discipline has its own language and way of expressing things pictorially. Security people have resorted to drawing pictures of walls to represent firewalls, and I think that it's time we begin to standardize on some schematic representations that enable us to convey the complexity of our environments in a concise manner.
When these really easy things are complete, we can begin to understand what is missing in our present network, build a better model of our network, and understand how we can use the endpoints to control the amount of risk introduced into the enterprise.