What Is Post-Security and How Does It Impact You?

Post-security is an abstract concept which refers to the move from traditional preventative security to meta-security: security as a strategy. The move takes you from focusing only on preventing an attack to considering the attack itself, its fallout, its purpose, and everything in between. You focus on the game rather than the individual moves in the game. How the opponent plays, or even might play, affects how you perform as well.

In the traditional model of security, you would have a layered defense on the exterior, but much less on the interior to create a walled garden (ideally with some interior measures of defense). The outer layers would provide protection for layers inside. The problem is, the attackers might get in, and then what do you do? With modern security, we need to treat it as a matter of when rather than if.

Post-security emphasizes overall response rather than prevention and covers what you should do after an attack has occurred. One of the defining characteristics of post-security is that the failure it is concerned with is a business or organizational failure, not merely a technical one. Prevention is still the cheapest overall, but you can’t expect to avoid every threat every time.

An attack is part of the normal landscape of business. The failure manifests when the attack impacts the business and causes actual harm, loss of a critical business function, or the loss of sensitive information.

Remediation and Containment Over Absolute Protection

You can’t stop the onslaught but you can contain it. Every site can and will be breached with enough time, but how you handle the breach is as important as how you prevent it. Post-security doesn’t mean we give up on security, but we accept that it can and will fail (but still hope it never does).

You can only reduce the attack surface so much without impacting the people actually using the technology. Instead of trying to shrink an attack surface that can’t be shrunk, you have to reduce what an impacted attack surface can do to the site you’re securing. You’re only as strong as your weakest link, and a public application server can only be so locked down.

If the juice isn’t worth the squeeze, you (probably) won’t get hit. Make breaching security cost enough and you reduce the drive-bys. Make it hard enough to move around and exfiltrate data and you can make the cost of an attack more than what they can take before you respond. Hacking has grown from curiosity to an industry, so take away the business aspect and you take away the motive for most attacks.

Prepare for disaster recovery and have a plan to make sure your site is down for as little time as possible. A lot of hacks treat an attack like a siege meant to force a surrender; have your victory garden ready and your plan readier.

An attack is only successful if it causes damage (e.g. ransoms, downtime) or removes an advantage (e.g. exfiltrated data, reputation, business efficiency). A hack which pulls useless data, or little of value, is just a waste of effort for the hackers. Each hack is an attack in a war, and if the enemy wastes their resources, you win the game of attrition.

How Security Has Changed

Security is a big business, for both security companies and for threat actors. Today’s threats involve multiple levels of infiltration to get in, persist, and get the most bang for their buck. The goal is to make the attack profitable, not to test limits. Today’s threats also attack at the human level; they can be disguised as customers or employees, or they can use a multitude of other social engineering techniques.

Antivirus and other traditional solutions aren’t nearly enough to stop the new generation of threats. You have continuous attacks against your network, against your cloud, against your infrastructure, and against each device inside. Every single layer, level, and avenue is tested at every moment. Also, your users have to face social engineering tests and other things which traditional security can’t even begin to address adequately.

You need to focus on preventing attacks, but also on preventing the damage from a successful attack. How do you stop an attacker’s efforts from infecting your network, and how do you prevent the damage, direct or indirect? Previously, the goal was to stop an infection from getting in; now you need to accept that it’s endemic.

Post-Security Stacks

It used to be more than enough to just have an antivirus solution, a firewall, and a little knowhow. Now, you need a true Endpoint Detection and Response (EDR) solution, a smart firewall, a complex network, backups and disaster recovery, etc. The technical requirements have gone up, as has the requisite knowledge to employ a competent security strategy. You can count with sticks or with a modern computer; which one you reach for depends on how much you understand and know.

Antivirus has evolved from heuristics to modern machine learning. You need more than just antivirus though. If a threat gets in, what is your defense going to do? The original Trojan horse only contained a few soldiers but it ended a war. Modern attacks are brutal.

A threat is a sequence of events that may compromise the integrity and confidentiality of protected information at the network or host level. Threats may be of a malicious nature or may be a result of misuse of a device, or even a system failure. A natural disaster can be as destructive as a war.

Many devices contain vulnerabilities which can be exploited by an attacker to gain access privileges, e.g. to gain system access, read sensitive information, or perform destructive acts. In order to properly protect a device from unwanted activities, it is necessary to identify all potentially vulnerable components and the conditions under which they can be exploited. Such a process is referred to as threat modeling.

Conclusion

The ship has already sailed for traditional security approaches. You can’t just rely on what used to work: you need to think like a hacker or threat actor rather than merely adopting an adversarial mindset.

If you want to employ a post-security strategy, you need to determine how a potential threat would target your network or business. What can take you down and what do you need to stay afloat? What does it cost you to be down for a few minutes or days depending on the remediation?

Post-security encapsulates (among others) traditional security, networking, detection, remediation, and disaster recovery. It requires a layered security approach to reduce risk and impact at every level. There is no perfect security, and you get diminishing returns without becoming more restrictive. Even then, a layered approach means that a more invasive, more secure security posture can feel less impactful to users.

Post-security is a strategy and a mindset. Approach it the right way and you can create a more holistic solution which feels less invasive and which is more secure from threats external, internal, and even acts of god.

Post-Security Definitions to Remember

Post-Security: Post-security is the paradigm shift from treating security as a prevention-only method to a strategy to protect business assets or similar. It’s not a matter of if but when a threat gets in so you need to be prepared. Post-security is about a holistic system to prevent, remediate, and reduce damage in the event of a breach.

Threat Actor: These are the hackers and people trying to break into your site or system. These are the people you need to stop from a security perspective.

Threat Modeling: The process of identifying security requirements (e.g. what needs to be protected and why?), determining security threats and vulnerabilities (e.g. what devices, products, or solutions are in use and what weaknesses do they have?), quantifying the impact of threats (e.g. if a service is breached, what damage can be done?), and prioritizing remediation (e.g. what needs to be restored to get you back to work sooner?).
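The threat modeling definition above lists four steps, and the conclusion asks what it costs to be down for minutes or days. The following is an added example, not code from the original article, that walks a constructed asset inventory through those steps: each asset records why it is protected, its known weaknesses, what downtime costs, an estimated yearly likelihood of compromise, and how long it takes to restore. The asset names, costs and likelihoods are all made up for illustration.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    why_protected: str              # step 1: the security requirement
    weaknesses: list                # step 2: known weaknesses of what is in use
    downtime_cost_per_hour: float   # step 3: what being down costs the business
    likelihood: float               # step 3: estimated chance of compromise per year (0..1)
    restore_hours: float            # step 4: time to rebuild from backup
    needed_to_operate: bool         # step 4: can the business run without it?


def outage_cost(asset: Asset, hours: float) -> float:
    """Cost of this asset being down for the given number of hours."""
    return asset.downtime_cost_per_hour * hours


def expected_loss(asset: Asset, outage_hours: float) -> float:
    """Annualized expected loss: likelihood of compromise times the outage cost."""
    return asset.likelihood * outage_cost(asset, outage_hours)


def prioritize(assets):
    """Remediation order: assets the business cannot operate without come first,
    then everything is ranked by expected loss over its own restore time."""
    return sorted(
        assets,
        key=lambda a: (not a.needed_to_operate, -expected_loss(a, a.restore_hours)),
    )


# Constructed sample inventory (hypothetical values, not from any real site).
SAMPLE_ASSETS = [
    Asset("order-processing-db", "holds customer orders and payment references",
          ["unpatched database engine", "shared admin password"],
          downtime_cost_per_hour=2000.0, likelihood=0.2, restore_hours=8.0,
          needed_to_operate=True),
    Asset("marketing-site", "public reputation",
          ["outdated CMS plugins"],
          downtime_cost_per_hour=100.0, likelihood=0.5, restore_hours=2.0,
          needed_to_operate=False),
    Asset("email", "staff communication and customer contact",
          ["phishing exposure"],
          downtime_cost_per_hour=500.0, likelihood=0.4, restore_hours=4.0,
          needed_to_operate=True),
    Asset("file-share", "internal documents",
          ["open SMB share", "no versioned backups"],
          downtime_cost_per_hour=300.0, likelihood=0.3, restore_hours=6.0,
          needed_to_operate=False),
]


def remediation_order(assets=SAMPLE_ASSETS):
    """Names of the assets in the order they should be restored or fixed."""
    return [a.name for a in prioritize(assets)]


if __name__ == "__main__":
    db = SAMPLE_ASSETS[0]
    print("cost of 6 minutes down:", outage_cost(db, 0.1))
    print("cost of a day down:", outage_cost(db, 24.0))
    for a in prioritize(SAMPLE_ASSETS):
        print(f"{a.name:22} needed={a.needed_to_operate} "
              f"expected_loss={expected_loss(a, a.restore_hours):.0f}")
```

The ordering deliberately puts "can we operate without it?" ahead of the numbers: a cheap-to-lose asset that the business cannot run without still gets restored before an expensive one it can live without for a while, which is the "what do you need to stay afloat" question from the conclusion.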

EDR: This stands for Endpoint Detection and Response. Traditional antivirus focuses on prevention only, but an EDR will combine the security of a traditional antivirus with modern methods such as machine learning and detection and remediation tools. A modern EDR might lock down the networking on an agent if a threat appears so that even if it gets through, the overall network is secure.

Smart Firewall: A smart firewall refers to a layer 7 firewall or an application firewall. In short, this allows a firewall to “determine intent” and have nuance rather than just working on simple rules.

DRaaS: This stands for Disaster Recovery as a Service. More and more backup solutions have moved towards having at least some components as a service. This may be your entire backup solution or just the offsite, cold backups for your BDR (Backup and Disaster Recovery) strategy.

Endpoint Defense: Endpoint defense leverages multiple technologies or solutions (usually) in order to create a more cohesive strategy to protect endpoints. It’s not just enough to protect the operating system, you need to protect the network, have a way to roll back changes, etc. Endpoint Defense is about going from prevention to prevention and remediation.

Layered Security: A single security solution might provide 95% protection, but two equivalent 90% solutions will offer more protection. Layered security is just a strategy to use less invasive security solutions to make a more comprehensive security solution, or to use strong security solutions to create an even more protected environment without getting too invasive.
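The claim that two 90% layers beat one 95% layer only holds when the layers miss different things. The following added example (not from the original article) computes the combined protection two ways: analytically, assuming each layer's misses are independent, and empirically over a constructed set of ten equally likely threat classes, where each layer is modelled simply as the set of classes it stops. The threat class names and which layer stops what are assumptions made up for illustration.

```python
def independent_miss_rate(catch_rates):
    """Combined miss rate if every layer's misses are independent of the others."""
    miss = 1.0
    for rate in catch_rates:
        miss *= (1.0 - rate)
    return miss


def layered_protection(catch_rates):
    """Protection under the independence assumption: 1 - product of miss rates."""
    return 1.0 - independent_miss_rate(catch_rates)


# Constructed threat population: ten classes, treated as equally likely.
THREATS = [
    "macro-doc", "phish-link", "drive-by", "cred-stuffing", "lateral-rdp",
    "ransomware", "usb-drop", "insider-copy", "supply-chain", "dns-tunnel",
]

# Each layer is described by the classes it stops. All three are "90%" layers;
# the first two share the same blind spot, the third has a different one.
AV_LAYER = set(THREATS) - {"dns-tunnel"}    # hypothetical antivirus coverage
EDR_LAYER = set(THREATS) - {"dns-tunnel"}   # hypothetical EDR with the same gap
FW_LAYER = set(THREATS) - {"usb-drop"}      # hypothetical firewall, different gap


def empirical_protection(layers, threats=THREATS):
    """Fraction of the threat population stopped by at least one layer."""
    stopped = set().union(*layers)
    return len(stopped & set(threats)) / len(threats)


def single_layer_rate(layer, threats=THREATS):
    """Catch rate of one layer on its own."""
    return empirical_protection([layer], threats)


if __name__ == "__main__":
    print("one 95% layer:", layered_protection([0.95]))
    print("two 90% layers, independent:", layered_protection([0.9, 0.9]))
    print("AV alone:", single_layer_rate(AV_LAYER))
    print("AV + EDR (same blind spot):", empirical_protection([AV_LAYER, EDR_LAYER]))
    print("AV + firewall (different blind spots):",
          empirical_protection([AV_LAYER, FW_LAYER]))
```

The independent calculation gives 0.99 for two 90% layers, but stacking two layers that miss the same class gives exactly 0.9, no better than either alone. The practical check when choosing layers is therefore not the vendor's headline percentage but whether the new layer covers something the existing ones do not.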

Zero Trust Architecture: Never trust, always verify. Zero Trust Architecture is a strategy to reduce the impact of an attack by not implicitly trusting any resource even if it’s passed a specific “checkpoint” in your security system (unless you have to). See this article for more.

Supply Chain Attacks: These are attacks where a threat actor is able to break in via a backdoor in the supply chain. This may be hacking a vendor which is known to work at a specific target’s site, or a coding library a company uses in production code. See this article for more about supply chain attacks.

Image by Shreyas Ganapule from Pixabay