{"id":29026,"date":"2024-06-06T15:56:08","date_gmt":"2024-06-06T19:56:08","guid":{"rendered":"https:\/\/netfoundry.io\/?p=29026"},"modified":"2024-09-17T22:08:23","modified_gmt":"2024-09-18T02:08:23","slug":"the-metrics-manifesto-attack-surface-visibility-vs-invisibility","status":"publish","type":"post","link":"https:\/\/netfoundry.io\/zero-trust\/the-metrics-manifesto-attack-surface-visibility-vs-invisibility\/","title":{"rendered":"The Metrics Manifesto: Attack Surface Visibility vs \u2018Invisibility\u2019"},"content":{"rendered":"\n

In today\u2019s digital landscape, where cybersecurity threats are ever-evolving and becoming more sophisticated, organizations face significant challenges in protecting their sensitive data and infrastructure. The ultimate goal is to reduce the visible attack surface. In fact, the holy grail of security on the internet is invisibility<\/a>.<\/p>\n\n\n\n

Two approaches gaining traction in reducing attack surface visibility are the Metrics Manifesto, a framework proposed by Richard Seiersen, and the implementation of zero trust networking (ZTN). Not all ZTN is born equal, so we will specifically focus on ZTN, which allows us to make our attack surface \u2018Invisible\u2019 to the internet, including no inbound firewall ports. Using the Metrics Manifesto\u2019s principles and Invisible ZTN, we will see how to reduce the attack surface massively and breach risk while increasing business value.<\/p>\n\n\n\n


Understanding the Metrics Manifesto & Frameworks<\/strong><\/p>\n\n\n\n

The Metrics Manifesto (MM), devised by Richard Seiersen, outlines principles to improve an organization\u2019s security posture by leveraging metrics and data-driven decision-making. The manifesto emphasizes the importance of quantifying security risks and implementing actionable metrics to gain insights into an organization\u2019s security posture \u2013 it makes me think of Six Sigma (6\u03c3) for Security (6\u03c3 as an application of engineering principles to improve business processes by reducing defects and errors, minimizing variation, and increasing quality and efficiency). By adopting this approach, organizations can better understand and address vulnerabilities, allocate resources effectively, and continually improve security defenses. To understand more, I recommend watching his 2019 RSA presentation, The Metrics Manifesto<\/a>.<\/p>\n\n\n\n

The MM incorporates frameworks, including the NIST Cybersecurity Framework (CSF)<\/a>, to map the \u2018Control State\u2019 and \u2018Exposure State\u2019. In the YouTube video, Richard discusses applying zero trust controls to \u2018Protect\u2019 as part of the \u2018Control State\u2019 (see diagram) but not making the Attack Surface \u2018Invisible\u2019.
<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"NetFoundry<\/a><\/figure>\n\n\n\n
<\/div>\n\n\n\n

Earlier in the presentation, Richard does set out the key observations and beliefs of the Metrics Manifesto, including:<\/p>\n\n\n\n

\u201cWe believe shrinking the attack surface, while not slowing value exposure, is the new job #1 for security\u201d<\/p>\n\n\n\n

This is part of Richard\u2019s observation: \u201cMost metrics count, the best ones confront\u201d. The metric I believe is most important, which confronts our whole view of cyber security, is:<\/p>\n\n\n\n

\u201cHow many open inbound firewall ports do you have\u201d?<\/p>\n\n\n\n

What\u2019s wrong with holes in our firewall?<\/p>\n\n\n\n

A firewall is a fire-resistant barrier used to prevent the spread of fire. We took the idea of firewalls (FW) and applied them to computing in the 1980s. We place them between two networks and monitor incoming and outgoing traffic based on predetermined security rules. To do this, we \u2018punch holes\u2019 through them, and large enterprises have thousands to 100s of thousands of firewall rules.  For example, to the left is a diagram from a security vendor with recommended open FW holes (red circles). While these open inbound ports allow users and systems to connect, attackers can see them too. Tools like Shodan<\/a> and Censys<\/a> scan the internet to provide a \u2018Search Engine of Everything for Internet-connected devices\u2019. This allows attackers to see bugs, misconfigurations, business logic gaps, and similar vulnerabilities. While FWs try to differentiate between legitimate use and attackers and terminate unauthorized connections, this is too late. The 2023 IBM Security X-Force Threat Intelligence Index<\/a> identified the back door systems access these firewall holes provide as ransomware\u2019s #1 attack vector (i.e., exploiting outbound FW ports). The #2 attack vector is exploiting public-facing apps (i.e., using inbound FW ports). We suffer trillions of dollars of cyberattack damage yearly, as it\u2019s impossible to win a race against the entire Internet. <\/p>\n\n\n\n

What if, instead of having open FW ports, we could make everything \u2018Invisible\u2019 to the internet? Threat actors can\u2019t attack what they can\u2019t see, so having no inbound FW ports would be a metric that confronts. This requires a new approach called \u2018Zero Trust\u2019.<\/p>\n\n\n\n\n\n\n

Zero Trust Networking: An Introduction<\/h3>\n\n\n\n

The term \u2018zero trust\u2019 was born in 2010 when John Kindervag popularized it while working for Forrester Research when he presented the idea that an organization should not extend trust to anything inside or outside its perimeters. I was first introduced to Zero Trust ideas when I joined NetFoundry. In my first year, massively improved my knowledge of Zero Trust when I read Zero Trust Networks, O\u2019Reilly<\/a>, which included the idea that:<\/p>\n\n\n\n

\u201call<\/em> hosts be treated<\/em> as if they\u2019re internet-facing. The networks<\/em> they reside in must be considered compromised and hostile<\/em>.\u201d<\/p>\n\n\n\n

This idea was also incorporated into NIST 800-207<\/a>, the Special Publication on Zero Trust Architecture. We can see this maps nicely to the Metrics Manifesto. If our resources are publicly facing, they are more exposed. If we do not introduce extra controls, our attack surface and risk of breach increases. The naughty little secret is that many control systems (VPNs, Firewalls, Zero Trust solutions, etc.) have inbound ports that listen for internet connections. They can be (and are frequently) compromised through vulnerability or misconfiguration. At the same time, these extra controls to increase security reduce agility and value to the business \u2013 it\u2019s an age-old security balancing act<\/a>.<\/p>\n\n\n\n

What if we could close all inbound ports and effectively change \u2018Public Proximity\u2019 from public to private? This would massively reduce our attack surface and breach risk. No inbound ports would mean no access to any applications unless on a private, physical network\u2026 this would slow value exposure and business opportunities.<\/p>\n\n\n\n\n\n\n

Magical Zero Trust Networking: Ziti Invisibility<\/h3>\n\n\n\n

Returning to the questions, What is your attack surface visibility\u201d and \u201cHow many open inbound firewall ports do you have?\u201d, we must understand that not all Zero Trust Networking solutions are equal. Some allow us to close all inbound ports on our firewall while using the public internet \u2013 i..e, making it Invisible and invisible to external malicious actors. This utilizes the concept of Software-Defined-Perimeters<\/a>, popularised by the Cloud Security Alliance<\/a>, specifically ABC, Authenticate\/Authorise-Before-Connect, using cryptographic identity and outbound-only connections. I wrote a blog last year exploring this by comparing zero trust networking solutions using analogies from Harry Potter<\/a> (hint, it\u2019s like making your app magical with an \u2018invisibility cloak\u2019 and a \u2018port key\u2019).<\/p>\n\n\n\n

Even better, ZTN with ABC is available as an open-source solution called OpenZiti. NetFoundry, the company I work for, maintains OpenZiti and provides a SaaS version called NetFoundry Cloud. You can try it out for free today<\/a>.<\/p>\n\n\n\n

Ziti also introduces a radical possibility called embedded zero-trust networking with ABC. This makes your application \u2018Invisible\u2019 to all hostile and compromised networks, including WAN, LAN, and host OS. It is the logical conclusion of zero trust, assuming all networks are compromised and hostile. It is for all these reasons that many have said:<\/p>\n\n\n\n

\u201cZiti provides the best NIST 800-207 adherence across all architectures<\/em>\u201d. <\/p>\n\n\n\n

The Metrics Manifesto & Ziti:<\/strong><\/p>\n\n\n\n

By utilizing Ziti and ZTN with ABC, we make our attack surface Invisible and massively reduce our risk of breach. Further, as we are replacing bolt-on security and networking solutions with built-in, using software and APIs, we can increase business velocity and innovation to drive more business opportunities. We have created a high-level (an area for more quantified research) overview of these reductions in risk according to deployment type:<\/p>\n\n\n\n