Let’s consider security controls and defenses as falling into one of two categories, classified by source and data flow: outside-in and inside-out. Many organizations invest considerable resources in the former, working to prevent adversaries from gaining a foothold in the environment. Perimeter defenses are structured to allow only certain traffic in and out, and endpoint defenses are configured to detect even the slightest execution of malicious code. Conversely, organizations appear to spend less time on internal defenses. Lateral network movement is seldom captured, and many organizations operate on the belief that if an account has access to something, it is trusted. Unfortunately, “trust” of that kind introduces blind spots: activity that is assumed to be legitimate is rarely monitored, and those gaps are precisely where visibility is needed.
As we have seen repeatedly, however, these approaches fail to completely secure our enterprises. Adversaries and malicious documents continue to find a way in, attacks like ransomware have never been more successful, and sensitive data still leaves the environment. Perhaps it is time to ask ourselves the proverbial “Is this thing still working?” Do we need to focus our efforts elsewhere? Is our data truly secure, or have we simply avoided an attack thus far? We must also consider the obvious: when an attacker does gain access to an environment, whether in a ransomware or an espionage attack, how do we protect our most valuable assets from theft or extortion?