This has been a year that calls for breaking with complacency and taking steps to define and protect the assets that are most critical to our organizations.
To say that 2020 has been a year of change would be an understatement. The sudden shift to remote work on a massive scale has forced many organizations to make decisions much faster than they would have liked.
At the same time, we need to acknowledge that we are witnessing a process that has been underway for some time now, albeit at a slower pace and by a smaller “first mover” segment of the total industry.
From the perspective of cybersecurity professionals, the rapid pace of change facing the industry at this time has compelled us to think more critically about which assets are truly critical to our organizations and figure out how to best protect these “crown jewels”.
Constant Change is Inevitable
In the previous era, organizations basically kept all of their assets on their servers, which were guarded behind the walls of their perimeter. While far from being a perfect solution, it was fairly straightforward to manage.
Instead, what we are seeing is the rise of identity as the new perimeter to meet the needs of the SaaS-based ecosystem that has come to dominate the workspace. We have replaced the high walls with intelligent investigators who assess whether you really are who you say you are and whether you should have access to a given resource.
We have seen the rise of approaches like Zero Trust, which assume that everyone is suspect and continually verify that you are who you say you are, as well as multi-factor authentication and single sign-on, which make logging on to your apps both easier and more secure. These are important tools for dealing with the current environment, but they need to come as part of a strategy for directing resources at your organization’s most valuable assets.
Using Threat Models to Protect the Crown Jewels
The term “crown jewels” refers to the assets that are most vital to your organization, and therefore in need of the highest level of protection.
To be clear, any sort of breach or leak is still bad, but let’s be honest in saying that there are degrees of terrible. It is much worse if someone forgets to secure the S3 bucket with plain text customer payment details than another bucket with something far less consequential.
This is where threat modeling can come in handy. Crown Jewels Analysis (CJA) is a threat modeling process that seeks to understand which assets are the most valuable. It takes into account the impact of them being compromised and factors in how hard an adversary would have to work to reach them. Let’s look at a similar system for assessing risk as an example.
The Common Vulnerability Scoring System (CVSS) is a model for assessing the severity of software vulnerabilities, rating them on a 1 to 10 scale. It looks at factors like the potential impact of the vulnerability and how difficult it is for an attacker to exploit when determining the score. Security teams use CVSS ratings to prioritize their work, and as we can see, prioritization is just as essential when it comes to defining our crown jewel assets. A classic example of a CVSS 10 would be a vulnerability that gives the attacker remote code execution, allowing them to roam freely within our system without physical access to the device.
Threat modeling, and CJA in this case, is important because organizations have to balance the resources they can allocate against the need for security. If we think about a military base, guards are placed at key strategic points like the front gate, an armoury, and specific vantage points where they can provide the most value. You can’t have all of your soldiers constantly patrolling the base because you would exhaust them and get nothing else done. It’s also a great recipe for a mutiny.
There is also a usability versus security trade off to consider. If you lock down all of your assets in your organization too tightly, then it will become impossible to get work done effectively because there is simply too much friction involved in accessing them.
We also run into challenges stemming from the shared responsibility model of the cloud environment. On the positive side, we are able to leverage the expertise and resources of an Amazon, Microsoft, Salesforce or Google platform that our organization is unlikely to have on hand. On the other, we lose visibility and control as our data is sitting on “someone else’s computer”. This makes it harder to properly monitor, and even more difficult to protect the data.
While the exact percentage of the overall data varies by organization, the most valuable bits of data that most would define as the crown jewels comprise a relatively small amount of the overall data that they hold. We should keep in mind that as organizations collect increasingly larger quantities of data, it can become more challenging to define which bits are in most need of protection.
The 5 Steps of Crown Jewels Analysis
I have compiled here below a brief explanation of the steps for how to do a successful CJA.
The first step in strategizing our protection plan is to define which data fall into the crown jewel category. Classic crown jewel-type assets can be your IP, trade secrets, customer payment data, and other data that can cause an outsized harm to your organization.
The next step is to map out and understand which parts of our organization, or in some cases our product, would be affected if key assets are compromised. The good folks over at MITRE offer us this dependency map visualization to illustrate the point.
We can see here below the potential impact of a single cyber asset being compromised and affecting multiple parts of our assets, tasks, and eventually our mission objective.
Therefore, it is incumbent upon us to understand not only which assets we have in play, but also what they are connected to and can impact if they are compromised.
As much of our workspace is now comprised of 3rd party SaaS applications, we need to be sure to include them in our discovery process.
After our discovery phase, we need to assess what our current controls are and pinpoint the gaps in our security so that we can close them.
With our road map in hand, we need to implement our solutions for securing our systems and business processes.
This stage can involve both technical and human solutions about how to ensure better security moving forward. Take advantage of the opportunity to not only improve your crown jewels’ security, but that of the organization overall.
Returning to our discussion of rethinking where our perimeter lies: when it comes to SaaS applications, identity is our new perimeter. We need to ensure that we are enacting the right controls to provision identities to our people, confirm that they are who they say they are, and allow them to do only what is needed for their job. Otherwise we are doing a poor job of protecting our crown jewels.
Lewis Carroll was famous for saying that “If you don’t know where you are going, any road will get you there.” Just like every other process in your organization, you should set metrics for securing your crown jewels and constantly monitor it to make sure that it is working the way you want it to.
If you’re doing it right, then you will hopefully learn from the process that you have in place and make adjustments to it that will make it more effective over the long haul. Take into account that your crown jewels will also change over time as some assets become less important and others take their place.
This is hard work that will require attention and focus, and the results are completely dependent on your willingness to constantly improve and repeat the process.
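The dependency mapping and impact-versus-effort weighting from the steps above, as an added Python example that is not part of the original post: assets support tasks, tasks support mission objectives, and each asset is scored by the mission impact it can take down divided by the effort an adversary needs to reach it. The asset, task and mission names, the impact and effort scales, and the scoring formula are all constructed assumptions for illustration, not MITRE's method.

```python
from collections import defaultdict

# Constructed dependency map (hypothetical names): each key depends on the
# nodes in its list. Mission objectives depend on tasks, tasks on cyber assets.
DEPENDS_ON = {
    "mission:take-payments": ["task:checkout", "task:fraud-review"],
    "mission:fulfil-orders": ["task:checkout", "task:warehouse-pick"],
    "task:checkout": ["asset:payments-db", "asset:sso-idp"],
    "task:fraud-review": ["asset:payments-db", "asset:analytics-saas"],
    "task:warehouse-pick": ["asset:wms-saas", "asset:sso-idp"],
}

# Assumed scales: mission impact if lost (1-10); attacker effort to reach an
# asset (1 = trivially reachable, like an open bucket; 5 = well guarded).
MISSION_IMPACT = {"mission:take-payments": 10, "mission:fulfil-orders": 7}
ATTACK_EFFORT = {"asset:payments-db": 4, "asset:sso-idp": 3,
                 "asset:analytics-saas": 1, "asset:wms-saas": 2}


def supported_by(graph):
    """Invert the map: node -> nodes that break if this node is compromised."""
    inv = defaultdict(list)
    for node, deps in graph.items():
        for dep in deps:
            inv[dep].append(node)
    return inv


def blast_radius(graph, asset):
    """Every task and mission transitively affected by compromising `asset`."""
    inv = supported_by(graph)
    seen, stack = set(), [asset]
    while stack:
        for parent in inv.get(stack.pop(), []):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def cja_ranking(graph, mission_impact, attack_effort):
    """Rank assets by (impact of missions they can take down) / (effort to reach);
    higher score = more urgent crown jewel candidate."""
    rows = []
    for asset, effort in attack_effort.items():
        hit = blast_radius(graph, asset)
        impact = sum(w for m, w in mission_impact.items() if m in hit)
        rows.append((asset, impact, round(impact / effort, 2)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for asset, impact, score in cja_ranking(DEPENDS_ON, MISSION_IMPACT, ATTACK_EFFORT):
        print(f"{asset:22} mission impact={impact:2}  score={score}")
```

Note that the easily reachable analytics SaaS outranks the better-guarded payments database even though it supports fewer missions, which is exactly the effort dimension that a pure impact list would miss.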
“Instant gratification takes too long.” —Carrie Fisher
Think in Terms of Mitigation
As our assets traverse beyond the perimeter and onto other organizations’ servers in the cloud, our thinking about securing them has to move with them. This means changing our assumptions about who is responsible for securing our assets when they are stored on different servers and how we verify that the right people are gaining access to the right resources.
This change also involves evolving our concept of security. Security is not binary. Security is a relative term in the sense that an asset can be considered to be more or less secure. It is never simply secure because a determined hacker, especially in the age of APTs running rampant, can often (though not always) find a way to reach an asset if they decide that the juice is worth the squeeze.
Without being fatalistic, we are running a game of economics in security where we are playing our resources against that of our adversaries. Ideally we will allocate resources smartly to make compromising our crown jewels expensive to the point of not being worthwhile for the attacker.
Hopefully the vultures will decide that we are too hard a target and will move on to easier prey.