The Death of the Perimeter
Almost every organization today uses firewalls and other network/security devices to enforce perimeter security. The perimeter, that public-facing layer designed to keep attackers outside, was designed at a time when attacks were still uncommon (or rather, they remained undiscovered for a long time) and security was an afterthought.
That perimeter is no longer relevant today. When that perimeter is breached - and it always is - an attacker has almost unrestricted access to the organization’s internal network and systems. Factor in the increased use of BYOD (bring your own device) and a landscape that is going mobile and using cloud technologies with a combination of local and remote work, and the perimeter is becoming increasingly difficult to enforce and irrelevant.
One of Google's latest projects, BeyondCorp, focuses on just this. Google understood the lack of perimeter relevance and got rid of it, creating a unique security model in which network perimeter controls are no longer the main protection. The focus is instead on individual devices and users, allowing employees to work more securely from any location and forgoing traditional and cumbersome VPN setups.
While not all organizations are ready for this approach, BeyondCorp really gives us a glimpse of where security is going: responsibility is shifted to single users and a layered security paradigm is enforced, creating a more dynamic model. Networks are no longer the source of trust, and access controls are dictated by each individual case.
For organizations that are still implementing a more traditional model, the next best thing is Red Teaming. An internal assessment of their networks, systems and endpoints, coupled with a realistic view of what an attacker can do inside (either as an insider or after having breached the perimeter), can bring security to the next level. Having the Advanced Capabilities Group study, assess, execute an attack and engage with your security or IT teams, providing an in-depth assessment of the current state of affairs inside your perimeter, will ultimately make your security program, and your organization as a whole, more resilient to attacks.
Understanding that the perimeter is no longer the main source of truth in terms of defense, and that the focus should be inward, toward the trusted networks, testing the capabilities of the security controls and adding new, more resilient ones, will bring you one step further towards security fluidity and resiliency.