“What I told you was true, from a certain point of view. […] You’re going to find that many of the truths we cling to depend greatly on our own point of view.” – Obi-Wan Kenobi, Return of the Jedi
On a recent assessment, we started off with what we thought was a clear understanding of the environment: which tools were in use, which initiatives were underway, and which flows were present on the network.
But we were wrong.
Oh, so wrong.
It isn’t what we believe to be on the network that leads us astray. The real damage comes from the lack of alignment between the products, the processes, and the people currently defending the system.
We regularly rely on our technologies to tell us our next move.
But what happens when they’re out of focus?
What if they’re misaligned, or worse, misleading?
It happens to everyone. After staring at outputs, reports, and alerts for enough hours in the day, things start to look like furniture. Objects hide in plain sight. Systems left in their default configuration, a clear and present danger, come to be seen as features of a robust architecture. It’s only when everything is visible together, in a single seamless composite view, that we recognize the issues are more widespread than previously thought.
Moreover, the compliance posture that was assumed, and trumpeted industry-wide, turns out to be up for debate.
Back to our assessment.
For the first time, the organization was seeing its segmentation data stitched together with logs, NetFlow, vulnerability management (VMS) risk ratings, and telemetry from its latest EDR acquisition.
For the first time, massive heatmaps of the entire network sprang into view.
For the first time, they were looking at the network, not as they perceived it, but rather as it actually was.
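To make the stitching concrete, here is a small, self-contained reconciliation written for this page (it is an added example, not the tooling used on the assessment). It joins constructed NetFlow records with a VMS risk export, a segmentation model, and an asset inventory, builds the segment-to-segment byte heatmap, and then lists the hosts that are visibly talking on the wire but carry no risk rating and no inventory entry. All addresses, segment names, and ratings are invented for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data (not from any real environment).
# NetFlow-style records: (src, dst, dst_port, bytes)
FLOWS = [
    ("10.1.1.10", "10.2.1.5", 443, 120_000),
    ("10.1.1.11", "10.2.1.5", 443, 80_000),
    ("10.1.1.10", "10.9.0.7", 8443, 5_000_000),  # 10.9.0.7 appears in no other source
    ("10.9.0.7", "10.2.1.5", 1433, 2_000_000),   # ...and it talks to the database segment
    ("10.9.0.8", "10.1.1.10", 22, 900),
    ("10.2.1.5", "10.1.1.11", 49152, 30_000),
]

# VMS export: host -> risk rating (the "purple" in the heatmap). Hypothetical values.
VMS_RISK = {"10.1.1.10": 7.5, "10.1.1.11": 3.2, "10.2.1.5": 9.1}

# Segmentation model: network -> segment name. Hypothetical.
SEGMENTS = {
    ip_network("10.1.1.0/24"): "user-lan",
    ip_network("10.2.1.0/24"): "db",
    ip_network("10.9.0.0/24"): "vendor-site",
}

# Asset inventory / EDR coverage: the hosts the team believes it manages.
INVENTORY = {"10.1.1.10", "10.1.1.11", "10.2.1.5"}


def segment_of(ip: str) -> str:
    """Map an address onto the segmentation model; 'unknown' if nothing matches."""
    addr = ip_address(ip)
    for net, name in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def build_composite(flows, vms_risk, inventory):
    """Stitch flow, VMS and inventory data into one record per host seen on the wire."""
    hosts = {}
    for src, dst, port, nbytes in flows:
        for ip in (src, dst):
            rec = hosts.setdefault(
                ip, {"segment": segment_of(ip), "bytes": 0, "peers": set(), "ports": set()}
            )
            rec["bytes"] += nbytes
        hosts[src]["peers"].add(dst)
        hosts[dst]["peers"].add(src)
        hosts[dst]["ports"].add(port)  # services the host is answering on
    for ip, rec in hosts.items():
        rec["risk"] = vms_risk.get(ip)          # None = "no colour" on the heatmap
        rec["inventoried"] = ip in inventory
    return hosts


def blind_spots(composite):
    """Hosts observed in traffic that have neither a risk rating nor an inventory entry."""
    return sorted(ip for ip, r in composite.items()
                  if r["risk"] is None and not r["inventoried"])


def exposed_paths(composite, sensitive_segment):
    """(blind-spot host, peer) pairs where the peer sits in a sensitive segment."""
    pairs = []
    for ip in blind_spots(composite):
        for peer in sorted(composite[ip]["peers"]):
            if composite[peer]["segment"] == sensitive_segment:
                pairs.append((ip, peer))
    return pairs


def segment_heatmap(flows):
    """Bytes exchanged between segments: the 'heatmap' cells."""
    cells = defaultdict(int)
    for src, dst, _, nbytes in flows:
        cells[(segment_of(src), segment_of(dst))] += nbytes
    return dict(cells)


if __name__ == "__main__":
    comp = build_composite(FLOWS, VMS_RISK, INVENTORY)
    for (s, d), b in sorted(segment_heatmap(FLOWS).items()):
        print(f"{s:>12} -> {d:<12} {b:>10,} bytes")
    for ip in blind_spots(comp):
        r = comp[ip]
        print(f"blind spot {ip} ({r['segment']}): {r['bytes']:,} bytes, "
              f"ports {sorted(r['ports'])}, peers {sorted(r['peers'])}")
    print("unmanaged hosts reaching db:", exposed_paths(comp, "db"))
```

The uncoloured nodes in the heatmap are exactly what `blind_spots` returns: the join is an outer join on the flow data, so a host that is missing from the VMS export and the inventory still appears, with its traffic volume and the sensitive segments it reaches. Running the inventory or VMS data as the left side of the join is how those hosts stay invisible.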
Here’s how it usually plays out, the moment the same realization dawns that many others have had themselves:
Analyst: “What do the purple colors represent?”
Us: “Oh, those are the risk ratings generated by your VMS solution.”
The SOC: “What about the group of nodes that have no colors?”
Us: “Yes, that’s a group of devices that are present but have no risk information.”
CISO, unamused: “Wait, you’re telling me that they are devices discovered, just now, that have been visible, but are not being monitored or inventoried by our team?”
Us, delicately: “Yes – this would be a blind spot that has been transmitting information for some time.”
CISO, concerned: “Architect, did you know about this?”
Architect: “Of course, it’s a third-party site, and we don’t have responsibility or permission to manage it.”
CISO: “How long have we known about this?”
Analyst: “Since I started.”
Architect: “It was built by the vendor. We’ve never touched it.”
SOC: “First time I’ve heard of it.”
Each has a different vantage point.
Each understands their craft and how it ties to the mission, but only once the sources and their impacts were finally aligned, brought into clarity even, did the blind spot become apparent to everyone.
Harnessing the fullest possible understanding of the complete dataset is what makes this possible.
The difference between knowledge and wisdom.
It’s the truth – from a certain point of view.