Security Snapshots vs Real-Time World

Rafal Los
4 min read · Apr 21, 2023

A photograph is a snapshot of a point in time. It tells us where we were, what we looked like, and gives us some insights into how we felt. I love to take photographs, I think they’re tremendously powerful.

While snapshots of our lives are a wonderful thing for memories, they’re not so good for security. A snapshot — whether you’re doing compliance, vulnerability management, attack surface management, or anything else security-related — is a bad thing. In fact, the usefulness of a snapshot can be measured in seconds, minutes, hours, or even days in some companies.

On one end of the spectrum are fairly static infrastructure companies that don’t have as much IT change — those snapshots are likely valid for weeks or even months. On the other end of that spectrum are many of the ultra-modern cloud-born start-ups that operate on an infrastructure-as-code mentality and change in seconds. On this end of the spectrum, snapshots have a useful shelf life of seconds, maybe minutes.

So what?

So why do I bring this up? Because security, as much as we try and assure ourselves otherwise, is a snapshot-based practice. Your software security, third party risk management, vulnerability management, identity and access management, and compliance programs (to name just the obvious ones) are all based on snapshots. Maybe that’s OK for your organization because you’re static and don’t change rapidly. But maybe you’re the type of organization where a snapshot of the assets on network is valid for hours or minutes.

But that’s how we’ve operated since inception. Why is this a problem I’m identifying now, you may be asking yourself. Let me tell you.

I believe that of all the metrics we’re reporting to boards and what-not that try to tell a story of “how good our security program is”, few metrics are as relevant as the distance between your last snapshot and right now. I don’t have a snappy name for it, but this window of time is one of your largest sources of risk, in my opinion.

Photo by Pawel Czerwinski on Unsplash

Risk, you say?

I’ve always been suspicious of people who claim that they have no unknown things on their network, mainly because I think they’re lying. Either to me, themselves, or both. Sometimes the pull to self-delude is powerful when we need to hold up some proof of progress.

What I think is interesting about the snapshot window (terrible name for it, feel free to suggest a better one) is that I currently don’t know of a way to get the window to zero. In fact, I don’t have a reusable methodology for getting the snapshot window to zero across any of the top-line security program items. Vulnerability management? Nope. Compliance? We wish. Attack Surface Management? Close, but no.

I know many of you out there reading this are working with pretty small windows, in a lot of cases. But in some areas, you’re probably pretty miserable. How do I know? Because every time a major vulnerability comes out everyone scrambles to find a scanner, run scans, and find those vulnerable assets rather than dive right into the fix. That’s how. I’ve seen claims of continuous compliance but those platforms depend on process and system input that is not, in fact, real-time. So that’s a no too.

This is a risk. In fact, I think it’s a risk that we’re not thinking about enough.

Think about it this way. If your organization runs security scans continuously across your environment, how long is it between the time the scanner hits an asset and the next time that asset is reached again? That’s your snapshot window. There are many ways you can apply technology to decrease that window length, but eventually you have to ask whether the effort is worth the risk reduction — and there we agree. There is a point of diminishing returns. The problem is, I am fairly confident most of you aren’t anywhere near it.
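The snapshot window described above is easy to measure once you have a record of when the scanner last reached each asset. The following is an added example, not code from the original post or from the author: it takes a constructed scan log (hypothetical asset names and times, not real data), computes each asset’s widest historical gap between consecutive scans and the blind spot open right now, lists the assets whose current blind spot exceeds a tolerance you choose, and summarizes the fleet. An asset seen only once, such as a freshly created host, has no historical gap but still has a current blind spot, which is why the two numbers are kept separate.

```python
from datetime import datetime, timezone
from statistics import median

# Constructed sample scan log (hypothetical assets and times, not real data):
# one record per time the scanner reached an asset.
SCAN_LOG = [
    ("web-01",   "2023-04-20T08:00:00Z"),
    ("web-01",   "2023-04-20T14:00:00Z"),
    ("web-01",   "2023-04-20T20:00:00Z"),
    ("db-01",    "2023-04-18T02:00:00Z"),
    ("db-01",    "2023-04-20T02:00:00Z"),
    ("build-07", "2023-04-20T09:30:00Z"),   # seen once: a freshly created host
]

# The "right now" against which staleness is measured (also constructed).
NOW = datetime(2023, 4, 21, 0, 0, 0, tzinfo=timezone.utc)


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def observations_by_asset(log):
    """Group scan times per asset, sorted oldest first."""
    seen = {}
    for asset, ts in log:
        seen.setdefault(asset, []).append(parse_ts(ts))
    return {asset: sorted(times) for asset, times in seen.items()}


def snapshot_windows(log, now):
    """Return {asset: (max_gap_s, staleness_s)}.

    max_gap_s:   longest interval in seconds between two consecutive scans of
                 the asset, i.e. the widest historical blind spot; None if the
                 asset has only ever been seen once.
    staleness_s: seconds from the latest scan to `now`, i.e. the blind spot
                 that is open at this moment.
    """
    result = {}
    for asset, times in observations_by_asset(log).items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        max_gap = max(gaps) if gaps else None
        staleness = int((now - times[-1]).total_seconds())
        result[asset] = (max_gap, staleness)
    return result


def stale_assets(log, now, tolerance_s):
    """Assets whose current blind spot exceeds the tolerance, worst first."""
    windows = snapshot_windows(log, now)
    over = [(asset, stale) for asset, (_, stale) in windows.items() if stale > tolerance_s]
    return [asset for asset, _ in sorted(over, key=lambda x: x[1], reverse=True)]


def fleet_summary(log, now):
    """Median and worst-case current staleness across the fleet, in seconds."""
    stalenesses = [stale for _, stale in snapshot_windows(log, now).values()]
    return {"median_staleness_s": int(median(stalenesses)),
            "worst_staleness_s": max(stalenesses)}


if __name__ == "__main__":
    for asset, (gap, stale) in sorted(snapshot_windows(SCAN_LOG, NOW).items()):
        print(f"{asset:10s} widest gap: {gap} s  open blind spot: {stale} s")
    print("over 12h tolerance:", stale_assets(SCAN_LOG, NOW, 12 * 3600))
    print(fleet_summary(SCAN_LOG, NOW))
```

The worst-case staleness is the number to report upward: it is the longest any asset in the fleet has currently gone unobserved, and it is usually dominated by the assets a scheduled scan never quite gets back to rather than by the ones scanned every few hours.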

TL;DR:

So why should you care? Because I believe that as security programs mature, technology improves at protecting and detecting malicious activity, and we automate more of our security stack — we need to think about this window. We need to start thinking about how to decrease our blind spots, and this specific metric is, to me, crucial as security organizations collectively seek to improve themselves.

Let me know what you think — I’m interested in hearing what this triggers in someone else’s brain!

Rafal Los

I’m Rafal, and I’m a 20+ year veteran of the Cyber Security and technology space. I tend to think with a wide-angle lens, and am unapologetically no-bullsh*t.