Cyber attacks are typically executed in multiple stages, and threat actors employ a range of tools, combined with different techniques at each stage, to achieve their overall aim. There is therefore an increasingly pertinent need to adhere to some form of cyber security regime as a standardised countermeasure. Many organisations do this either willingly or because a regulation requires it: for example PCI DSS where payment card data is handled, the SWIFT Customer Security Programme for finance and banking, and the NIST frameworks or the CIS Critical Security Controls (formerly the SANS Top 20) as best-practice baselines, among others.
The overall aim of all of these is to make sure that sensitive information does not fall into the wrong hands. Since the end goal is to protect data by securing the systems that hold that data, most of these endeavours can be broken down into four core statements:
- Know what you have
- Know what they do
- Prioritise them
- Protect them
These steps, in the order they appear, are the fundamentals that underpin most compliance and best-practice regimes, and under each one different tools and technologies can be used.
Unfortunately, in most cases the main focus for cyber defenders becomes the "Protect them" part of the four principles, with nowhere near enough attention paid to the first three, which are what make the last one possible. The result is a whole raft of technologies deployed to fix problems that have never been properly diagnosed or prioritised. The question then becomes:
"How do we re-align for better insight and better protection?"
The pursuit of the answer leads to the concept of the label tool.
Importance of the Label Tool
Consider a supermarket or grocery shop, where the physical label-maker is used extensively to label and group items. If most shops did without it, as a lot of corporate networks do, shopping would be harder and there would be far more room for chaos in the aisles.
A shop without labels would be cumbersome to navigate and very nearly impossible to protect against shoplifters: it would be difficult to prevent, or even detect, the theft of an item. Once correct labelling and grouping is applied, order appears in the once chaotic environment, and order makes it easier to detect anomalies, hence the phrase "out of order".
Just as the shop relies on the physical label-maker, cyber defenders have available an often overlooked, nondescript but powerful tool, referred to here as the Cyber Label Tool.
The Cyber Label Tool
This tool separates the security of a system from the network on which that system relies for core functions such as data transfer and speed. The idea is not new, nor is the value it represents. In network routing and switching, for example, MPLS uses a similar concept and is defined by Wikipedia as "a routing technique that directs data from one node to the next based on short path labels rather than long network addresses." The concept is all around us, but in cyber security it is not as widely deployed as it should be, which is why it remains a secret cyber tool. Nonetheless it is available for cyber defenders to add to their arsenal, in the simplest yet most effective of implementations.
A specific type of cyber label tool, known as R.A.E.L., can be used in a modern zero trust architecture. Firstly, it provides the ability to logically organise workloads so that it becomes easy to:
- Know what you have
This is then combined with the other capabilities of the ASP architecture it belongs to, such as workload context and telemetry, to map out communications and dependencies, so that for these workloads it becomes simple to:
- Know what they do
Answering that question in turn provides the capability to accurately and logically:
- Prioritise them
This is done using a consistent, meaningful grouping regime that applies irrespective of the network the workloads sit in or where they are physically located, leaving the network to do what it does best. It removes the over-reliance on IP addresses, subnets, zones and VLANs as segregation and containment strategies, along with their associated complexity.
Once these first three principles have been executed correctly, in the right order, cyber defenders can confidently assess the implications of any policy applied to workloads on the basis of their natural-language labels. This crucial, yet far from universal, capability allows the required controls to be applied efficiently to those workloads in order to:
- Protect them
Protection becomes easy to implement once you have a clear vision of what is to be protected and why.
Having discussed the importance of the Cyber Label Tool, the next logical question is this: "so what is a practical example of, and an actual use case for, such a Cyber Label Tool?"
Welcome to the R.A.E.L. World
R.A.E.L. works in much the same way as the addressing systems used around the world: a few named fields which, read together, identify an item unambiguously.
Four main labels are employed:
- Role – Web Server, Database Server
- Application – CRM, e-Commerce
- Environment – Prod, Dev, Test
- Location – Accra, London, New York
To further elaborate on what R.A.E.L is and what it can do, consider the following organisation profile and subsequent scenarios related to the profile:
Company Name: AB Comp Group
Verticals: Services, Manufacturing, e-Commerce
Number of Workloads: 150 - 200 workloads (hybrid deployment)
Workload Locations: California, New York, London, Sydney, Azure, AWS
Critical Applications: Payment, HRM, IoT
Teams: Infrastructure, Security, Application
Without R.A.E.L., trying to map out the communication flows between AB Comp Group's workloads will likely result in a messy view of connections similar to the one shown below.
The small squares in the figure below are the workloads and the coloured lines are the communication flows between them. The lack of any meaningful context is a by-product of the workloads and their communication mapping having no intelligent grouping.
Once R.A.E.L. is applied to the same list of workloads, whether on-premise, in the cloud or in a hybrid environment, the result is a clean, ordered list presented in natural language. This information is immediately useful to multiple teams within the organisation, from Security to Infrastructure to Application teams.
Further immediate value comes from visualising what used to be hidden in a mess of connections: the hidden patterns are illuminated and a clear, logical order becomes visible. This is the key to the architectural shift R.A.E.L. represents, decoupling security from the network. For example, the locations of AB Comp Group's workloads and application groups are now clearly visible in the image below.
R.A.E.L. then makes it possible to build application dependency maps based on these labels rather than on traditional IP address and subnet information. Each bubble in the image below represents an application group, such as a PCI application or a manufacturing control application. Drilling down into a particular location reveals the specific application groups and the individual workloads within them.
The small squares represent the workloads that serve that particular application, each performing a specific role such as Web, App or Database in a typical three-tier application. The lines represent communication flows between these workloads, which can be probed further to show ports, protocols, services and flows. The power of organisation and order is thus clearly apparent.
Any traffic flow that deviates from this order stands out clearly and can be picked up for further action. The architecture also has the capability to enforce security natively on the workloads, completing the full cycle.
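To make the R.A.E.L. label model and the label-based dependency map concrete, here is an added worked example in Python. It is not the page's own code and not any vendor's implementation. The AB Comp Group inventory, the IP addresses, the two rules, the "scope" semantics (both ends of a rule must share the same Application and Environment labels) and the flow records are all constructed for illustration. The code labels the workloads (know what you have), collapses raw IP-level flows into label-pair edges (know what they do), evaluates a label-only ring-fence around the Payment application (protect them), and flags the flows that are out of order, including one from an address that is not in the inventory at all. Re-addressing a workload does not change the verdict, which is the decoupling from the network that the article describes.

```python
from collections import Counter
from dataclasses import dataclass, replace
from ipaddress import ip_address


@dataclass(frozen=True)
class Workload:
    """A workload and its four R.A.E.L. labels; the IP address is incidental."""
    name: str
    ip: str
    role: str   # Web, App, DB
    app: str    # Payment, HRM, IoT
    env: str    # Prod, Dev, Test
    loc: str    # London, New York, AWS

    def labels(self):
        return {"role": self.role, "app": self.app, "env": self.env, "loc": self.loc}

# Constructed inventory ("know what you have"). The two Payment web servers
# sit in different locations and address ranges but carry the same labels.
INVENTORY = [
    Workload("pay-web-lon-1", "10.1.0.10", "Web", "Payment", "Prod", "London"),
    Workload("pay-web-aws-1", "172.16.5.21", "Web", "Payment", "Prod", "AWS"),
    Workload("pay-app-lon-1", "10.1.1.10", "App", "Payment", "Prod", "London"),
    Workload("pay-db-lon-1", "10.1.2.10", "DB", "Payment", "Prod", "London"),
    Workload("pay-db-dev-1", "10.9.2.10", "DB", "Payment", "Dev", "London"),
    Workload("hrm-app-nyc-1", "10.2.1.10", "App", "HRM", "Prod", "New York"),
]

@dataclass(frozen=True)
class Rule:
    """Allow src selector -> dst selector on a port. Selectors are label subsets;
    both ends must also agree on every label named in 'scope' (assumed semantics)."""
    src: dict
    dst: dict
    port: int
    scope: tuple = ("app", "env")

# Constructed ring-fence for the Payment application: three-tier traffic only,
# and only between workloads of the same application and environment.
RULES = [
    Rule({"role": "Web", "app": "Payment"}, {"role": "App", "app": "Payment"}, 8443),
    Rule({"role": "App", "app": "Payment"}, {"role": "DB", "app": "Payment"}, 5432),
]

def matches(selector, workload):
    return all(workload.labels().get(k) == v for k, v in selector.items())

def allowed(src, dst, port, rules=RULES):
    """Policy decision made purely on labels: no IP, subnet, zone or VLAN involved."""
    for r in rules:
        if r.port != port or not (matches(r.src, src) and matches(r.dst, dst)):
            continue
        if all(src.labels()[k] == dst.labels()[k] for k in r.scope):
            return True
    return False

# Constructed flow records (src_ip, dst_ip, dst_port) as a collector would export
# them: addresses only, with no context of their own.
FLOWS = [
    ("10.1.0.10", "10.1.1.10", 8443),
    ("172.16.5.21", "10.1.1.10", 8443),
    ("10.1.1.10", "10.1.2.10", 5432),
    ("10.1.1.10", "10.1.2.10", 5432),
    ("10.1.1.10", "10.9.2.10", 5432),   # Prod app reaching a Dev database
    ("10.2.1.10", "10.1.2.10", 5432),   # HRM app reaching the Payment database
    ("203.0.113.7", "10.1.0.10", 443),  # source address not in the inventory
]

def by_ip(inventory):
    return {ip_address(w.ip): w for w in inventory}

def label_key(w):
    return "unlabelled" if w is None else f"{w.app}/{w.env}/{w.role}"

def dependency_map(inventory, flows):
    """Collapse raw flows into label-pair edges ("know what they do")."""
    lookup = by_ip(inventory)
    edges = Counter()
    for s, d, port in flows:
        src, dst = lookup.get(ip_address(s)), lookup.get(ip_address(d))
        edges[(label_key(src), label_key(dst), port)] += 1
    return edges

def out_of_order(inventory, flows, rules=RULES):
    """Flows no label rule permits, or that touch an endpoint with no labels."""
    lookup = by_ip(inventory)
    flagged = []
    for s, d, port in flows:
        src, dst = lookup.get(ip_address(s)), lookup.get(ip_address(d))
        if src is None or dst is None or not allowed(src, dst, port, rules):
            flagged.append((s, d, port))
    return flagged

def decision_survives_readdress(src, dst, port, new_ip):
    """Move the source to a new address (new subnet, new cloud): same verdict."""
    return allowed(replace(src, ip=new_ip), dst, port) == allowed(src, dst, port)
```

Note that the London and AWS web servers collapse into a single edge in the dependency map because they share Role, Application and Environment labels, and that the unlabelled 203.0.113.7 source is a finding in its own right: a gap in "know what you have" that needs closing before it can even become a policy question. The Prod-to-Dev database flow and the HRM-to-Payment flow are flagged with no reference to which subnet either side lives in.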
Three Two One Zero Trust
Using the right cyber tools, the journey to a successful implementation of zero trust through micro-segmentation becomes much easier. Zero Trust is a philosophy that advocates, among its key tenets, proper segmentation, and this is all the more pertinent in the era of "assume breach" and planning accordingly. Using labels that decouple security from the network (IP addresses and subnets), it is possible to define policy that is adaptive and as close as possible to the assets being protected, rather than tied to a network that is by its nature less dynamic than the applications it exists to serve. This is the cyber label tool that is the secret weapon in the arsenal of cyber defenders.