You Can Only Protect What You Can See
There's an old joke about a drunk guy looking for his keys under a streetlight. He’s not looking for the keys under the light because that’s where he dropped them … he is only searching there because that's where the light is shining.
Security teams do the same thing. We defend the things we can see and avoid the darkness, the things we can’t see.
However, more visibility doesn’t always mean better security. A CISO can buy new monitoring tools and still miss the context (relationship) between the assets. And that's where attackers live.
In 2017, a North American casino was breached via the fish tank in the lobby. Inside the tank was an IoT sensor that controlled the water temperature, salt level, feeding schedule for the fish … not something people usually see as a "real" IT asset. Nobody at the casino worried about the fish tank. It basically ran itself.
But that fish tank was also connected to the network, unsegmented, and it was used as a pivot point into core systems, creating a side door into the casino.
Every organization has a fish tank: something connected to the network, forgotten and unseen. Everyone knows where their crown jewels are. But very few people fully understand the web of systems surrounding those crown jewels, the ones that make them vulnerable and the ones that don't seem important.
The growth of technology is making this harder. The IT footprint is bigger than ever; it's hard to map and even harder to monitor.
Consider this … The question isn't whether you have visibility. It's whether you're looking in the right places.