In today’s digital landscape, where cybersecurity threats are ever-evolving and becoming more sophisticated, organizations face significant challenges in protecting their sensitive data and infrastructure. The ultimate goal is to reduce the visible attack surface. In fact, the holy grail of security on the internet is invisibility.
Two approaches gaining traction in reducing attack surface visibility are the Metrics Manifesto, a framework proposed by Richard Seiersen, and the implementation of zero trust networking (ZTN). Not all ZTN is born equal, so we will specifically focus on ZTN, which allows us to make our attack surface ‘Invisible’ to the internet, including no inbound firewall ports. Using the Metrics Manifesto’s principles and Invisible ZTN, we will see how to reduce the attack surface massively and breach risk while increasing business value.
Understanding the Metrics Manifesto & Frameworks
The Metrics Manifesto (MM), devised by Richard Seiersen, outlines principles to improve an organization’s security posture by leveraging metrics and data-driven decision-making. The manifesto emphasizes the importance of quantifying security risks and implementing actionable metrics to gain insights into an organization’s security posture – it makes me think of Six Sigma (6σ) for Security (6σ as an application of engineering principles to improve business processes by reducing defects and errors, minimizing variation, and increasing quality and efficiency). By adopting this approach, organizations can better understand and address vulnerabilities, allocate resources effectively, and continually improve security defenses. To understand more, I recommend watching his 2019 RSA presentation, The Metrics Manifesto.
The MM incorporates frameworks, including the NIST Cybersecurity Framework (CSF), to map the ‘Control State’ and ‘Exposure State’. In the YouTube video, Richard discusses applying zero trust controls to ‘Protect’ as part of the ‘Control State’ (see diagram) but not making the Attack Surface ‘Invisible’.
Earlier in the presentation, Richard does set out the key observations and beliefs of the Metrics Manifesto, including:
“We believe shrinking the attack surface, while not slowing value exposure, is the new job #1 for security”
This is part of Richard’s observation: “Most metrics count, the best ones confront”. The metric I believe is most important, which confronts our whole view of cyber security, is:
“How many open inbound firewall ports do you have”?
What’s wrong with holes in our firewall?
A firewall is a fire-resistant barrier used to prevent the spread of fire. We took the idea of firewalls (FW) and applied them to computing in the 1980s. We place them between two networks and monitor incoming and outgoing traffic based on predetermined security rules. To do this, we ‘punch holes’ through them, and large enterprises have thousands to 100s of thousands of firewall rules. For example, to the left is a diagram from a security vendor with recommended open FW holes (red circles). While these open inbound ports allow users and systems to connect, attackers can see them too. Tools like Shodan and Censys scan the internet to provide a ‘Search Engine of Everything for Internet-connected devices’. This allows attackers to see bugs, misconfigurations, business logic gaps, and similar vulnerabilities. While FWs try to differentiate between legitimate use and attackers and terminate unauthorized connections, this is too late. The 2023 IBM Security X-Force Threat Intelligence Index identified the back door systems access these firewall holes provide as ransomware’s #1 attack vector (i.e., exploiting outbound FW ports). The #2 attack vector is exploiting public-facing apps (i.e., using inbound FW ports). We suffer trillions of dollars of cyberattack damage yearly, as it’s impossible to win a race against the entire Internet.
What if, instead of having open FW ports, we could make everything ‘Invisible’ to the internet? Threat actors can’t attack what they can’t see, so having no inbound FW ports would be a metric that confronts. This requires a new approach called ‘Zero Trust’.
Zero Trust Networking: An Introduction
The term ‘zero trust’ was born in 2010 when John Kindervag popularized it while working for Forrester Research when he presented the idea that an organization should not extend trust to anything inside or outside its perimeters. I was first introduced to Zero Trust ideas when I joined NetFoundry. In my first year, massively improved my knowledge of Zero Trust when I read Zero Trust Networks, O’Reilly, which included the idea that:
“all hosts be treated as if they’re internet-facing. The networks they reside in must be considered compromised and hostile.”
This idea was also incorporated into NIST 800-207, the Special Publication on Zero Trust Architecture. We can see this maps nicely to the Metrics Manifesto. If our resources are publicly facing, they are more exposed. If we do not introduce extra controls, our attack surface and risk of breach increases. The naughty little secret is that many control systems (VPNs, Firewalls, Zero Trust solutions, etc.) have inbound ports that listen for internet connections. They can be (and are frequently) compromised through vulnerability or misconfiguration. At the same time, these extra controls to increase security reduce agility and value to the business – it’s an age-old security balancing act.
What if we could close all inbound ports and effectively change ‘Public Proximity’ from public to private? This would massively reduce our attack surface and breach risk. No inbound ports would mean no access to any applications unless on a private, physical network… this would slow value exposure and business opportunities.
Magical Zero Trust Networking: Ziti Invisibility
Returning to the questions, What is your attack surface visibility” and “How many open inbound firewall ports do you have?”, we must understand that not all Zero Trust Networking solutions are equal. Some allow us to close all inbound ports on our firewall while using the public internet – i..e, making it Invisible and invisible to external malicious actors. This utilizes the concept of Software-Defined-Perimeters, popularised by the Cloud Security Alliance, specifically ABC, Authenticate/Authorise-Before-Connect, using cryptographic identity and outbound-only connections. I wrote a blog last year exploring this by comparing zero trust networking solutions using analogies from Harry Potter (hint, it’s like making your app magical with an ‘invisibility cloak’ and a ‘port key’).
Even better, ZTN with ABC is available as an open-source solution called OpenZiti. NetFoundry, the company I work for, maintains OpenZiti and provides a SaaS version called NetFoundry Cloud. You can try it out for free today.
Ziti also introduces a radical possibility called embedded zero-trust networking with ABC. This makes your application ‘Invisible’ to all hostile and compromised networks, including WAN, LAN, and host OS. It is the logical conclusion of zero trust, assuming all networks are compromised and hostile. It is for all these reasons that many have said:
“Ziti provides the best NIST 800-207 adherence across all architectures”.
The Metrics Manifesto & Ziti:
By utilizing Ziti and ZTN with ABC, we make our attack surface Invisible and massively reduce our risk of breach. Further, as we are replacing bolt-on security and networking solutions with built-in, using software and APIs, we can increase business velocity and innovation to drive more business opportunities. We have created a high-level (an area for more quantified research) overview of these reductions in risk according to deployment type:
- ZTN with ABC at the Network Level (ZTNA):
- Close all inbound FW ports – this will stop all external network attacks, including brute force, CVE, port scans, DDoS, etc. – for a massive reduction in the attack surface.
- Optionally close all outbound ports, except to ZTN – stopping connections to C&C or data exfiltration – for another order of magnitude reduction risk by breaking the breach chain.
- ZTN with ABC at the Host Level (ZTHA): This extends zero trust to the host. Even if the network is compromised, the hosts cannot be for another order of magnitude reduction in attack surface.
- ZTN with ABC at the App Level (ZTAA): Extends zero trust to the app. Even malicious SW on a host cannot easily break into the app and its ZTN for another order of magnitude reduction in the attack surface.
The Holy Grail of Security: Zero Trust Invisibility
The Metrics Manifesto and zero trust networking with authenticate-before-connect present compelling strategies for shrinking the attack surface while not slowing value exposure. By implementing Ziti or comparable technology, organizations can close all inbound firewall ports and potentially more to deliver the best adherence to NIST 800-207 and treat all networks as compromised and hostile.
MM and ZTN with ABC help us reduce breach risk by orders of magnitude and drive greater business opportunities. In the spirit of Richard and his wonderful metrics-based approach, we need to develop a more quantified analysis of how much ZTN with ABC can reduce risk, with careful analysis of different implementations across ZTNA, ZTHA, and ZTAA.
Organizations that embrace the Metrics Manifesto and adopt ZTN with ABC gain a comprehensive security approach beyond traditional perimeter-based defenses. By leveraging data-driven decision-making and ‘magical zero trust’, organizations can proactively protect their valuable assets, safeguard sensitive data, and stay one step ahead of the ever-evolving threat landscape.