The Real Reason for Breaches (and How to Avoid Them)

Security is a tough job – we invest so much effort, and yet the breaches keep on happening.  Why?  In a word, complexity. 

Author: Mike Lloyd, CTO, RedSeal

The digital world brings so many great efficiencies and innovations – the pressure to move fast and exploit opportunities is irresistible to every organization.  But crossing all these online frontiers brings the unavoidable frontier challenges – lawlessness, chaos, and rapid change.  Security is easiest in mature, well understood, and above all, in simple infrastructures.  Every added bit of complexity and change moves away from security, and towards chaos.  The security professional has a thankless task – we cannot simply demand that our employers be more orderly or cease changing.  Instead, we have to adapt constantly, and try to keep up with all the new territory that is constantly opening up, with new threats and new ways to get it all wrong.

When you analyze any of the major breaches in detail, you find they are always multi-component – there is never just one simple, single cause.  Attackers are stealthy, persistent, and they move from one foothold to another.  This means that when a breach happens, it’s a system-level failure, not just one component that could have been isolated and fixed.  Worse, even if you put all your effort into fixing as many components as possible, you’ll never get to 100% secure and impervious to attack.  The bad guys will search and search for anything you missed, then exploit it, gain a new foothold, and work outwards from there.

Clearly, the road to security doesn’t come from finding and fixing everything – it’s impossible to fix every issue in your network today, and even if you could, there will be new defects tomorrow, because the rate of change is so high.  Instead, we have to learn to thrive in a world with inherent vulnerability, just the way animals and people do in the biological world.  Biological systems are resilient rather than perfectly protected – they can adapt and bounce back from infection, since Mother Nature long ago learned that blocking every pathogen just wasn’t going to work.  Of course, this doesn’t mean you should give up and just accept every possible attack – biological systems still aim to be hard targets, they just actively maintain an immune system so they can detect, isolate, and remove the inevitable successful attacks.

So the way forward is to find what you have, in the cloud and across your physical sites, see how it’s all connected, and understand where you can block incoming attacks, as well as thwart lateral movement for attackers who do make it past your defenses.  The first goal is a complete inventory – in itself, that’s a hard challenge because of the diverse and changing fabric we use to get the work done.  The second goal is to harden any assets that are exposed.  The third goal is based on recognizing that perfect hardening at step two won’t happen, so instead, it’s essential to understand what is connected to what, so that you can stay ahead of attacks and block them before they get a chance to spread.  This is why RedSeal focuses on these three disciplines – gather and map the network in all its hybrid complexity, then harden the individual elements, then help our customers conduct war games where they can think at a system level, and prioritize their defensive efforts to become a resilient hard target.

For further details on how RedSeal tackles cloud security, check out our solution brief: “Redseal Ensures Your Critical Cloud Resources Aren’t Exposed To The Internet”

Mike Lloyd is CTO of RedSeal. You can read more RedSeal blogs here.

Return Home

1 Comment


    Dennis London:

    I’ll agree that complexity has something to do with it…but you’re also missing one of the main factors – lack of response. Look at all the major breaches over the last couple of years and you’ll find they all have SIEM, IDS/IPS, AI-integrated endpoint and network solutions, and all the other best of breed / nex-gen bells and whistles…yet they still got hit. Why? Alert fatigue led to a lack of response to the notifications, which led to the attacks. Or worse yet, the events which generated the alerts were added to exclusions. Most of the breached organizations found traces of the attackers going back months prior to the actual attacks, many even found the alerts or notifications which were never acted upon or were added to exclusions.

    Don’t get me wrong, RedSeal is excellent at what it does…but it doesn’t resolve the issue of responding to an alert. You’re phenomenal at helping reduce the vulnerabilities and understanding the network architecture. Absolutely no doubt about it. And with your SIEM integrations you have an incredibly deep understanding of any integrated environment. But none of that is going to actually stop the attacker if they’re already in the network and initiate their attack. None of those solutions are capable of doing that.

    My company offers an MDR/SOC service which actually responds to the events and isn’t just another alert or notification to get ignored. With an average 9 minute response time from the first alert, we detect and stop the attacker during their initial instance on a system or in the network. We’ve even been brought in and detected an attacker in the middle of their reconnaissance phase. Again, it’s the response which matters at that point.

    As you stated – “you’ll never get 100% secure” so everyone should have a response method in place.

Leave a Reply

Your email address will not be published. Required fields are marked *