Having the big picture
Infrastructure diagram - knowing what you’re securing is the first step to secure it efficiently.
Having the big picture – It’s essential.
“If you really want to protect your network, you really have to know your network” Rob Joyce, Chief, Tailored Access Operations, National Security Agency (2015)
Current information systems’ infrastructure is extremely complex with tens, hundreds or even thousands of entities, connected to each other in a complicated mesh. Some contain sensitive data, some contain PII, some are internet-facing and some have only internal interfaces. This is regardless of whether your infrastructure is in the cloud, on-premise or hybrid. As a security expert, you need to have a way to know what you have, what exactly you are securing, where it is located and what measures you have in place to protect it. This is why you must have a Detailed Infrastructure Diagram. It’s the first step to secure your organization effectively.
One of the first things I did when I joined monday.com was to map our infrastructure. I mapped all the EC2s, S3 buckets, DBs, VPCs, Security Solutions, CDNs and more and put them in a Detailed Infrastructure Diagram.
How did I do it?
I began by interviewing all relevant stakeholders. Since no one had the big picture, collecting information from different people and teams revealed a lot of overlapping information on the one hand, but also revealed information that was known to a limited number of employees and sometimes to only one person.
I used well-recognized icons in the diagram in order to make it more readable and easy to understand. With this information, I created a draft diagram of our infrastructure. How did it look at the beginning? Like a big mess!
Then I ran a few iterations in order to review the diagram and make it more accurate. The outcome was an eye-opener! Unfortunately, I cannot share it, for an understandable reason. For the first time, we had a diagram that showed the R&D, the infrastructure team and of course the security team what assets we have in our infrastructure, what information these assets hold, where we have PII and more.
Now that I had the diagram, what could I do with it?
First of all, all stakeholders could understand what the connections are between the different assets. We could follow data flows and see where our data resides.
Moreover, we could identify our weakest links, the ones that pose the greatest risks to our infrastructure.
Additionally, when you encounter an incident, the diagram will assist you in finding the origin of the problem and in better understanding what exactly happened and how it happened.
As quoted at the beginning of this post, attackers learn your infrastructure before they launch an attack. As it was said, they want to know it better than you do. So, one of the best ways to reduce the risk of a cyber-attack, and to reduce its severity if it happens, is to know your infrastructure better than the attackers do.
Advantages of having a Detailed Infrastructure Diagram
- For me, it was a great opportunity to get to know our infrastructure. As I see it, the first survey should be manual in order for the security team to know the infrastructure better. The next iterations will be detailed later.
- A common language between the DevOps / Infrastructure team and the Security team. When we all refer to the same diagram with our common knowledge, we have better communication that helps secure the infrastructure better.
- A better understanding of an attack in case you are under one. Having an up-to-date infrastructure diagram helps you identify more quickly the origin of an attack and its lateral movement inside your infrastructure.
Measuring the effectiveness of an infrastructure diagram
monday.com is a data-driven company that measures the effectiveness of all initiatives. As part of this, we want to measure the effectiveness of having a detailed infrastructure diagram. For myself, I don’t have a clear picture, since this was one of my earliest tasks when I joined monday.com. Actually, I never acted without this diagram. If you would like to measure the effectiveness of your detailed infrastructure diagram, I would measure the time it takes to understand an incident before you had it and after. I would also measure the effectiveness of having a common language with your DevOps / Infrastructure / IT team.
What is the next step?
The next step will be having an automated tool. Such a tool will keep the diagram always up to date. The cloud hosting providers have such tools, and you can also purchase them from a third party.
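As an added illustration (not part of the original post and not monday.com’s tooling), the script below shows what such a tool does once it has an asset inventory: it renders the assets (EC2s, S3 buckets, DBs, CDN, VPCs) as a Graphviz diagram with PII-holding and internet-facing assets marked, and it computes the shortest path from any internet-facing asset to each PII store, i.e. the weakest links mentioned earlier. The inventory is a constructed sample; a real tool would fill it from the provider’s APIs.

```python
from collections import deque
from dataclasses import dataclass, field
@dataclass
class Asset:
    name: str
    kind: str                 # EC2, S3, DB, CDN, ELB ...
    vpc: str = "no-vpc"       # S3 buckets and CDNs live outside any VPC
    internet_facing: bool = False
    holds_pii: bool = False
    talks_to: list = field(default_factory=list)   # outbound connections

# Constructed sample inventory; it is NOT monday.com's real infrastructure.
INVENTORY = [
    Asset("cdn-edge", "CDN", internet_facing=True, talks_to=["web-alb"]),
    Asset("web-alb", "ELB", vpc="vpc-prod", internet_facing=True, talks_to=["web-01"]),
    Asset("web-01", "EC2", vpc="vpc-prod", talks_to=["users-db", "uploads-bucket"]),
    Asset("users-db", "DB", vpc="vpc-prod", holds_pii=True),
    Asset("uploads-bucket", "S3", internet_facing=True, holds_pii=True),
    Asset("bastion", "EC2", vpc="vpc-mgmt", internet_facing=True, talks_to=["users-db"]),
]

def to_dot(assets):
    """Render the inventory as Graphviz DOT: one cluster per VPC, PII nodes filled."""
    by_vpc = {v: [a for a in assets if a.vpc == v] for v in dict.fromkeys(a.vpc for a in assets)}
    lines = ["digraph infra {", "  rankdir=LR;"]
    for vpc, members in by_vpc.items():
        lines.append(f'  subgraph "cluster_{vpc}" {{ label="{vpc}";')
        for a in members:
            shape = "doubleoctagon" if a.internet_facing else "box"   # exposed to the internet
            style = "filled" if a.holds_pii else "solid"              # holds PII
            lines.append(f'    "{a.name}" [label="{a.kind}\\n{a.name}" shape={shape} style={style}];')
        lines.append("  }")
    for a in assets:
        for dst in a.talks_to:
            lines.append(f'  "{a.name}" -> "{dst}";')
    lines.append("}")
    return "\n".join(lines)

def pii_exposure(assets):
    """Shortest path from any internet-facing asset to each PII asset ([] if none)."""
    graph = {a.name: a.talks_to for a in assets}
    paths = {a.name: [a.name] for a in assets if a.internet_facing}  # multi-source BFS
    queue = deque(paths)
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, []):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return {a.name: paths.get(a.name, []) for a in assets if a.holds_pii}
```

Piping `to_dot(INVENTORY)` into `dot -Tpng` draws the diagram; `pii_exposure(INVENTORY)` reports that the uploads bucket is itself internet-facing and that the users database is one hop behind the bastion host, which is where a review should start.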
Once a quarter, review your infrastructure diagram. We do this as part of the Security Week. This will keep your diagram always up to date and aligned with the current status. It will also keep the security team always informed of the current infrastructure.