Have you ever had to deal with an ant infestation around your home? We've recently moved into a rental home, and our first major headache has been dealing with ants. It's apparently a seasonal thing (beginning and end of Summer), but it was still quite annoying, not to mention a bit gross. The first incursion occurred on move-in day. After having several guys help out, we grilled, and from around the door to the deck I noted a steady stream of ants that followed the trail of crumbs all the way to the nearby kitchen sink. Suffice it to say, cleaning has become a much higher priority since then.
Dealing with this matter has gotten me thinking about parallels with security. These ants are external attackers (which, thanks to Verizon's report, we now know to be our primary concern), and they seem to be very motivated to get through the perimeter. Once past the perimeter, they're much harder to contain. Also, how you defend against them varies depending on your goals.
A Porous Perimeter
In hunting down the source of our ant infestation, I noticed a steady stream emanating from under the front door. When I looked at where the foundation joined, sure enough, there were the ants, clearly coming through what must be a crack in the foundation. I sprayed the heck out of it with a strong neurotoxin, and that helped somewhat, but it was at best a quick fix. When the owner's handyman came by, I asked him about it.
"Say, I've been dealing with ants, which seem to have found a crack near the step by the front door. Is it possible to seal it?"
"Sure, you can seal it, but they'll just find another place to come in. Your foundation is full of cracks, and there's simply no way to patch them all."
This scenario is very similar to the modern enterprise network. With all the internet services in use today, network perimeters are very porous, and it's simply not adequate to try to plug all the holes. In fact, for business reasons, you don't want all the holes plugged!
It's thus very important to move to a risk resiliency mindset. You cannot eliminate the risk, so your only alternative is to become more resilient to it. A balance of corrective, detective, and preventative measures will provide the depth of protection necessary to create a survivable exposure.
Short-Term vs Long-Term Protection
In tackling the ant problem, there are a couple of key approaches. In the short term, Raid was my friend, quickly killing the initial incursion and offering "up to 4 weeks" of protection. However, when I moved to the next incursion by the front door, it quickly became evident that Raid was not going to solve the problem completely.
My next step was a trip to Home Depot to find longer-lasting solutions. I quickly homed in on the Ortho Home Defense and MAX Defense product lines. Both claimed "up to 12 months" of protection, which sounded a lot better than 4 weeks. I started by spreading the Home Defense granules around the external perimeter of the house (look - more perimeter defense!). This solution didn't seem to have much effect, to be quite honest, and I'm sure the heavy rains this Spring made it worse.
Next, I moved to indoor perimeter defense using the Home Defense spray. This spray is essentially a neurotoxin, and it was very effective at killing ants as they tried their frontal assault. However, it didn't address the root problem. For that, there are two key approaches: the Ortho MAX Defense lawn treatment, and the Ortho Ant-B-Gone treatment. I have a bag of the MAX Defense waiting for application, but the handyman recommended Ant-B-Gone, and that seems to have been useful.
This approach corresponds well to incident response, and particularly correction. If you have an active breach, you're going to want to address it quickly and concisely. You may need to collect data around the breach to support a legal investigation, or for postmortem debriefings. However, beyond that, you really want to plug the immediate hole ASAP.
However, once that hole is plugged (in my case, spraying the dickens out of the stream under the front door), you need to move into a more strategic approach that addresses the larger problem. In my case, this is where the Ant-B-Gone came into play. Ant-B-Gone is a fine powder that sticks to the ants without killing them right away. They then track it back to the nest, where it works to kill the larvae in addition to the workers themselves.
In IT, this may mean changing patch management practices, adding better logging and monitoring, or even migrating an application to an entirely different platform or access method. From a business perspective, it means providing a long-term outlook on risk and working jointly to understand the tolerance for given degrees of risk, translating this tolerance into actionable and budgeted approaches for effectively managing the risk. Again, the goal is resiliency that will lead to survivability.
Triage and Root Cause Analysis
In applying the Ant-B-Gone treatment, you don't just carpet-bomb the entire yard (in contrast to the MAX Defense solution, which is a whole-yard treatment). Instead, you have to look for concentrations of ants and then sprinkle a bit of the powder over them and the path, all the way back to the apparent source (nest). I tried this yesterday, in fact, powdering a long line to where they disappeared under a timber around the front of the house. One day later, that stream of ants is gone, and there doesn't seem to be new motion elsewhere.
Within security, we must do the same thing. In an incident response situation, your first step is to perform triage (much like in the ER) to determine where the problem exists, formulating a plan for immediate response. After the immediate response, you then move on to root cause analysis. Why did the incident occur? Or, what is the source of the vulnerability?
As noted under the last point, your goal is to identify strategic (or possibly tactical) improvements that will lead to an overall improvement in the resiliency of the organization. The goal is not just to address the specific issue, but to find ways to effectively address an entire class of risks, if at all possible.
Root cause analysis is an excellent approach to ferreting out these problems. It's akin to pulling a thread on a sweater in order to see where it unravels. However, in this case your goal is to track an issue back as far as possible to identify the practices that were deficient and led to the specific issue.
Correction vs Prevention, and the Importance of Detection
My last observation on the ant issue relates to the difference in approach between correction and prevention. When I first detected an ant incursion, I immediately worked to correct the problem through use of Raid, and I also sought to take preventative actions in keeping a cleaner home. However, no matter how clean the house was, the ants still kept coming through the front door. Simple prevention alone was not adequate.
This led to the need for a proactive prevention method that was almost corrective in nature. Taking this more forward approach has proven to be far more effective in keeping the ants out. None of this is to understate the importance of detection. If you don't move around with your eyes open, you're going to miss things. If you don't run regular tests on your environment, you're going to have weaknesses just waiting to be exploited.
And this, I think, is the most important lesson from the whole situation. No matter what corrective and preventive actions I took, it was still important to vigilantly monitor for new incursions. The ants are still out there, wanting to come inside, much as hackers want to compromise your data or systems. Logging and monitoring, with an active capability to actually review those logs on a regular basis, is an extremely important component of the risk resilient enterprise. After all, how can you correct something you don't know about, and how limited will your preventative measures be if you don't constantly evolve them? Detection is knowledge, and knowledge is power.
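To make the "review the logs" point concrete, here is a small added example (my own illustration, not code from the original post) of the kind of regular review the paragraph above calls for. It reads SSH authentication events, spots a "steady stream" of failures from one source, and then checks whether that stream ever made it through the door (an accepted login from the same source), which is the incursion that needs correction first. The log format, the hypothetical source addresses and the sample lines are all constructed for the example; thresholds are assumptions you would tune to your own environment.

```python
"""Added example: trace a stream of failed logins back to its source and
check whether it got in. Sample log lines below are constructed, not real."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style auth lines (hypothetical addresses from the
# documentation ranges; not real traffic).
SAMPLE_LOG = """\
2012-06-01T08:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2012-06-01T08:00:02 sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 51023 ssh2
2012-06-01T08:00:04 sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
2012-06-01T08:00:05 sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
2012-06-01T08:00:07 sshd[1201]: Failed password for invalid user guest from 203.0.113.7 port 51026 ssh2
2012-06-01T08:00:09 sshd[1201]: Failed password for root from 203.0.113.7 port 51027 ssh2
2012-06-01T08:00:12 sshd[1201]: Accepted password for root from 203.0.113.7 port 51028 ssh2
2012-06-01T08:15:30 sshd[1350]: Failed password for alice from 198.51.100.20 port 40112 ssh2
2012-06-01T08:15:41 sshd[1350]: Accepted password for alice from 198.51.100.20 port 40112 ssh2
2012-06-01T09:02:10 sshd[1402]: Accepted publickey for deploy from 192.0.2.9 port 39000 ssh2
"""

# One pattern covers both outcomes; "invalid user" is optional so unknown
# and known account names are captured the same way.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that are not auth results are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "failed": m.group("result") == "Failed",
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def find_streams(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failures per source address.

    Returns {src: (failures_in_window, sorted user names tried)} for every
    source that reaches `threshold` failures inside any `window`.  The
    threshold and window are assumed values for the example."""
    recent = defaultdict(deque)
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["failed"]:
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            hits[ev["src"]] = (len(q), sorted({e["user"] for e in q}))
    return hits


def streams_that_got_in(events, hits):
    """Of the flagged sources, which later show an Accepted login?  These are
    the incursions past the perimeter: correct them before the strategic fix."""
    got_in = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] in hits and not ev["failed"]:
            got_in[ev["src"]] = ev["user"]
    return got_in


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    streams = find_streams(evs)
    for src, (count, users) in streams.items():
        print(f"stream from {src}: {count} failures, users tried: {users}")
    for src, user in streams_that_got_in(evs, streams).items():
        print(f"ALERT: {src} got in as {user} after the failure stream")
```

The single failure from 198.51.100.20 followed by a success is a user mistyping a password and is not flagged; the guessing stream from 203.0.113.7 is, and the later accepted root login from it is the finding you would triage first. Running something like this on a schedule, rather than only when someone notices a problem, is the difference between having logs and actually reviewing them.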