Build a walled garden

Joining an organisation as its new CISO is a big deal – because you’re faced with an immense web of unknowns. And it’s your job to untangle every delicate thread and create an infrastructure to support it.

At Black Hat MEA 2022, Caleb Sima (CSO at Robinhood) shared his strategy for assessing and securing an organisation. And it starts from the outside in.

“Most of my career has been focused on being an entrepreneur,” Sima said, “and then about halfway through my career I switched it up, and decided that I’m going to become a defender of an organisation. To really sit in the hot seat.”

This means that he’s both been the builder of products, and he’s worked to protect companies that build products. So his perspective on security is based on what he understands to be most important to whatever organisation he’s working with.

Assume breach

Sima calls his model Assume Breach. But how do you take an ‘assume breach’ mentality and transform it into a practical guide for a CISO to solve the problem of walking into a new organisation, with limited resources and perhaps limited time, and quickly developing a system for security?

When you walk into an organisation, you think “Oh my gosh, there’s so much to do, so much attack surface, thousands of endpoints, hundreds of services. And you basically say, where do I start?”

Common strategies include:

• Threat modelling – but if you just do this, you end up with 30 or 40 different threat models. “You end up back in the same spot,” Sima pointed out – wondering where to start.
• Frameworks – you take a framework, audit it in the environment, and raise the maturity of that framework over time. But this doesn’t happen quickly – and while you’re doing it, you still have too many other things to manage.
• Pen-test/bug bounty – with this approach you focus on the attacks. And whatever attacks you find, you fix the associated models. But again, this takes a long time – “and by the time you’ve finished you don’t know what bugs haven’t been found.”

Instead, Sima adopts an approach that he calls Walled Garden.

What is the Walled Garden strategy?

“Look at your parameters from the beginning, and harden from the outside in. Then what you’re left with is a soft, mushy, gooey centre.”

The question any CISO would ask then, of course, is this:

What about the attackers that are on the inside; in the soft, mushy bit?

“When you think about an attacker,” Sima said, “they’re going to want to steal something, destroy something, hold ransom for something, or actually cause chaos.”

“But chaos is very rare — when they just want to create havoc. So an attacker has intent; and when an attacker has intent, this is the advantage we’ve got. If we know what the attacker is going to go after, what they want to do, we have visibility over this.”

When an attacker is on the inside of that hard outer wall, we should know the location of all the things they might want to steal or destroy.

Sima calls those things the crown jewels – and this is where the assume breach model really comes into play. “The attacker has to stumble around trying to figure out where to go.” But you, with detailed knowledge of your organisation, already know where they’re headed. And that’s where you start placing your controls.

So the first step is to identify your crown jewels. And doing this doesn’t mean setting up a security process or a technology that tells you what you should focus on. The best way to do it is to ask your organisation.

“I say: hey, across the company, our mission is to identify and protect our crown jewels. I ask the organisation, what do you think the crown jewels are and where do you think they’re stored?”

“They will absolutely come forward and start listing all of the systems and locations that contain all the critical data. And now what you’ve got is this index or inventory of crown jewels across your organisation, that you then have to prioritise.”

What’s happened, then, is that you’ve narrowed down your focus. Instead of flailing around in the dark trying to gain control over a huge attack surface, you’ve identified what might actually be at risk – and then you can work to monitor those crown jewels, minimise the attack surface surrounding them, and harden that highly focused attack surface.

So when an attacker is inside – in your soft, vulnerable inner network – they’ll come up against critical assets that are hard, comprehensively monitored, and have a minimal attack surface.