For a few years, the term “assume breach” has been influential in corporate security expenditure and protective policy, but it might now be close to retirement.
When the overwhelming majority of spending on information protection centred on impermeable perimeter defences and reactive responses to evidence-based intrusion, it served as a useful rallying cry for companies to direct investment toward identifying insider attacks, implementing zero-trust network segmentation, and driving widespread adoption of multifactor authentication and conditional access.
The much older adage “a defender needs to be right all the time, while the attacker needs to be right just once” should have been overturned by substantial improvements in enterprise-wide visibility into something like “an attacker needs to be invisible all the time, while the defender only needs them to slip up once.” Unfortunately, security operations and threat-hunting teams have found that, instead of automation, developments in enterprise-wide visibility have at best added hundreds of routine notifications to the never-completed to-do lists of under-resourced defence teams (which are the majority).
As defence budgets have shifted, a higher proportion of spending has been dedicated to increasing visibility, on the presumption that further attacks can be preemptively detected, stopped, and mitigated.
Installing hundreds of surveillance cameras in and around your home with overlapping fields of view, and depending on them as the main alerting tool for preventing break-ins, is an apt analogy. The primary presumption is that all of those video streams can be constantly monitored, that the build-up and execution of the break-in will be identified, and that a response will be launched to deter the burglar.
The implications of such a policy are clear (continuing the analogy):
1. Because 24/7 monitoring is costly, it needs automatic detection. Automatic detection comes at the expense of high false-positive rates and baseline tuning: in home CCTV terms, ignoring the rodents, golf balls and delivery driver that cross a field of view while desensitising activity thresholds and setting up hot zones for alerting. Unfortunately, even occasional false positives such as lightning strikes during a tornado or the shadow of a passing aircraft are enough to fill an inbox or message tray and contribute to alert fatigue and lost investigation cycles. To tackle this risk, use at least two separate and distinct monitoring technologies to identify and validate the threat (e.g. CCTV motion zones and a break-glass sensor).
2. Automated detection without an automated response limits its usefulness to post-break-in clean-up and triage, not prevention. Automated responses will need to be reversible during the alarm-response window because of possible false positives. If both the CCTV motion zone and the break-glass sensor are triggered, perhaps an automated request for a patrol-car visit is launched; in the meantime, if it was obviously a false positive (e.g. the neighbour’s kids kicked a ball over the fence and smashed a window), the original alert recipient replays the video and cancels the callout.
3. The balance between detection and prevention is important and can evolve over time. 24/7 CCTV surveillance can serve as a key detection feature, but locking all external doors with deadbolts should not be overlooked. Deadbolted doors will not, however, deter the possibility of a $50 miniature drone flying down the chimney and retrieving the spare front-door key left on the kitchen table. Investments in preventive security appear to be reactive to known risks, whereas new monitoring systems seem to be more accurate at detecting behavioural abnormalities.
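The two-sensor corroboration from point 1 and the reversible automated callout from point 2 can be sketched as a small correlator; this is an added example, not code from the original article. The sensor names, the two-minute corroboration window and the five-minute cancellation hold are assumptions chosen for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

WINDOW = timedelta(minutes=2)  # assumed: two distinct sensor types must agree within this span
HOLD = timedelta(minutes=5)    # assumed: an automated callout stays cancellable for this long

@dataclass
class Event:
    ts: datetime
    sensor: str  # hypothetical sensor types: "cctv_motion", "break_glass"
    zone: str

@dataclass
class Response:
    zone: str
    created: datetime
    status: str = "pending"  # pending -> dispatched | cancelled

class Correlator:
    """Escalate only when two different sensor types agree on one zone."""
    def __init__(self) -> None:
        self.recent: List[Event] = []
        self.responses: List[Response] = []

    def ingest(self, ev: Event) -> Optional[Response]:
        # drop anything older than the corroboration window, then add the new event
        self.recent = [e for e in self.recent if ev.ts - e.ts <= WINDOW] + [ev]
        kinds = {e.sensor for e in self.recent if e.zone == ev.zone}
        open_resp = any(r.zone == ev.zone and r.status == "pending" for r in self.responses)
        if len(kinds) < 2 or open_resp:  # a lone motion hit (rodent, golf ball) never escalates
            return None
        resp = Response(ev.zone, ev.ts)
        self.responses.append(resp)
        return resp

    def cancel(self, resp: Response, now: datetime) -> bool:
        """Reversal after video review succeeds only inside the hold period."""
        if resp.status == "pending" and now - resp.created <= HOLD:
            resp.status = "cancelled"
            return True
        return False

    def tick(self, now: datetime) -> List[Response]:
        """Dispatch every pending callout whose hold period has elapsed."""
        for r in self.responses:
            if r.status == "pending" and now - r.created > HOLD:
                r.status = "dispatched"
        return [r for r in self.responses if r.status == "dispatched"]
```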
‘Assume breach’ served its purpose in shifting how organisations think about and invest in their security systems (and operating programmes). As with many well-intentioned measures, the security pendulum may have swung a bit too far and now needs a rational correction.
Although I assume that cloud SIEM and the advanced artificial-intelligence systems married to it will finally fulfil the 24/7 visibility and monitoring needs of most organisations, SecOps teams will have to struggle against both alert fatigue and posture fatigue. The term I would like to see the industry focus on for the next five years is “automatically mitigated”.