My Home Burglary and what it means for your enterprise

My house in DC was broken into. More specifically, my garage, which is behind my house, was broken into and a few things were stolen. Other than the asshole move of keying my car, nothing of great value was lost. All the same, the process got me thinking about my life as an InfoSec professional and the similarities between our homes and our enterprises. I will use my home as an allegory for how we handle our digital worlds and what I learned.

Threat Assessment:

I made a conscious decision to install our security system in the home first. I did this after evaluating the risk to the things most important in my life, which ended up being my beautiful girlfriend and my computer lab. I decided that the garage was “Secure Enough” despite not reviewing the crime maps to develop a true threat assessment. As I ordered the sensors for the home, I couldn’t bring myself to pay the extra 125 dollars for the garage.

Security Boundary:

Looking back, I was perfectly happy to park my sports car and racing motorcycle in there, but not to invest the money up front to protect them. Even though important assets were sitting out there, I failed to extend my security boundary to the edge. A single security product or posture is never adequate for protecting things. I should have realized that the value of the assets warranted a greater level of protection.

Continuous Monitoring:

After the break-in I went back, purchased the sensors, and installed them. By then I was in a new state of mind, and I realized that having an alarm sound and messages sent to the police might not be sufficient. After performing a more thorough threat assessment on http://crimemap.dc.gov/ I knew that the attacks in the area so far had been quick run-and-grabs. I needed some way to perform forensics on an attack after the fact. The police department would be capable of dusting for prints and looking at the type of break-in, but that is only half the dataset. I installed wireless cameras with motion alerts to ensure that in the event of another break-in I would be able to go back in time and see exactly what happened.

Off-site Storage and Audit Log Retention:

It might be that at this point I was paranoid, but I decided that storing the video and imagery from my cameras on the house server was not a good idea. What if they stole the server? A computer lab might not mean much to a non-geek, but it looks expensive, so I can imagine it being targeted. I decided it was time to ship the data off-site to my co-located server. This gave me the ability to preserve the data even if my storage was stolen or the house burned to the ground.

Lessons Learned:

  • Have you evaluated the threats adequately? As we learn from Sun Tzu, “Know your Enemy.” How often do we simply cut-n-paste the threat assessment from the last SSP/SSAA without actually considering all the angles?
  • Our security boundary includes any place we store something we care about. Are you storing your company's data somewhere and NOT protecting it because it's out of sight, out of mind? Often we lock down our corporate network and then happily provide our users laptops full of our data, VPN access from non-secured phones, and countless other niceties. The cost we pay later is almost always more than if we had done the right thing up front.
  • It took 6 months and half a million dollars, but your enterprise has a snazzy new SIEM. Are you actually watching it? Are the alerts and rulesets tuned for the enterprise or are they out of the box? Just because you spent time and money doesn’t mean the tool is useful. Did you assemble a Red Team to see if the tool was able to detect the type of threats you identified in your enterprise?
  • We install end-point security software, AV clients, firewalls, and tons of IDS sensors. What do we do with the data? Are we storing that data in a location that is just as vulnerable to the attack vector we are trying to stop?
  • A security posture is a living, breathing, and ever-changing thing. Today’s threat is not tomorrow’s, and if you are not going back every so often to see what else is out there, you are failing. Today I am protecting against simpleton thugs doing quick hit-and-runs, but what if 6 months from now the threat is more advanced? It will force me to change the way I protect my home, in the same way it should force us to change the way we protect our enterprise.
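The off-site storage point above, and the lesson about keeping sensor data somewhere the attacker cannot reach, come down to one design rule: ship each security event off the host the moment it is recorded, and make the record tamper-evident so a gap in the local copy is detectable. The following is an added example, not code from the original post; it models a camera or IDS host (`Sensor`) that writes every event to both a local store and a separate "co-located" store, chaining entries with SHA-256 so that deleting or editing a local entry breaks the chain while the remote copy still yields the full timeline. Both stores are in-memory lists constructed for the demo; in a real deployment the remote side would be a syslog/SIEM endpoint or write-once object storage that the sensor host has no permission to delete from.

```python
"""Off-host, tamper-evident retention of security event logs (added example)."""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # chain anchor for the first entry


def _entry_hash(prev_hash: str, event: dict) -> str:
    # Hash covers the previous entry's hash plus a canonical encoding of the
    # event, so reordering, editing or removing an entry breaks every later link.
    payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class LogStore:
    """Append-only list of (prev_hash, event, hash) tuples."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1][2] if self.entries else GENESIS
        h = _entry_hash(prev, event)
        self.entries.append((prev, event, h))
        return h

    def verify(self) -> tuple:
        """Walk the chain; return (ok, index of first bad entry or total length)."""
        prev = GENESIS
        for i, (stored_prev, event, h) in enumerate(self.entries):
            if stored_prev != prev or _entry_hash(prev, event) != h:
                return False, i
            prev = h
        return True, len(self.entries)


@dataclass
class Sensor:
    """A camera/IDS host with its own disk plus a remote store it cannot purge."""
    local: LogStore = field(default_factory=LogStore)
    remote: LogStore = field(default_factory=LogStore)

    def record(self, event: dict) -> None:
        # Ship first, then write locally: the off-site copy exists before an
        # intruder on this box has any chance to touch the local one.
        self.remote.append(event)
        self.local.append(event)


# Constructed sample events (hypothetical timestamps and camera names).
EVENTS = [
    {"ts": "2013-03-02T02:11:04Z", "cam": "garage", "type": "motion"},
    {"ts": "2013-03-02T02:11:09Z", "cam": "garage", "type": "door_open"},
    {"ts": "2013-03-02T02:13:40Z", "cam": "garage", "type": "motion"},
]


def run_scenario() -> dict:
    """Record events, simulate an intruder wiping local evidence, then audit both copies."""
    sensor = Sensor()
    for event in EVENTS:
        sensor.record(event)

    # Intruder deletes the incriminating middle entry from the local store.
    del sensor.local.entries[1]

    local_ok, local_first_bad = sensor.local.verify()
    remote_ok, remote_count = sensor.remote.verify()
    return {
        "local_ok": local_ok,                # False: chain broken at the gap
        "local_first_bad": local_first_bad,  # 1: index where the break is detected
        "remote_ok": remote_ok,              # True: off-site copy intact
        "remote_events": remote_count,       # 3: full record survives
        "timeline": [e["type"] for _, e, _ in sensor.remote.entries],
    }


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The order inside `record` is the part that matters: the remote append happens before the local one, so the window in which evidence exists only on the compromised host is as small as the network round trip. The hash chain does not prevent deletion, it only makes it visible; the protection against loss is the second copy in a place the attacker cannot reach.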

Updated: