As I usually say: 'attackers are lazy'. In other words, they always follow the path of least resistance. As defenders catch up with their tactics, techniques, and procedures, the asymmetric gap between offensive and defensive capability shrinks, pushing attackers to shift their battlefield strategy, perpetuating a game that repeats over and over again.
Take, for example, endpoint protection. For the last few years, endpoint protection, detection, and response have been the centerpiece of security strategies. As modern endpoint security products get better at anticipating threats based on AI-based engines, providing richer visibility and more contextual detection capabilities, attackers are pivoting away from them, looking for 'blind spots' in your architecture, leveraging vulnerabilities and misconfigurations in network devices, supply chains, and even firmware embedded deep within devices, areas where security visibility is limited. This trend is particularly significant due to the frequent discovery and exploitation of critical vulnerabilities in software used in public-facing systems. These vulnerabilities allow attackers to perform remote code execution and unauthorized access, opening doors for further attacks, such as ransomware or lateral movement within the network.
The 2024 Verizon Data Breach Investigations Report (DBIR) confirms the tides are turning.
While the primary vector for initial access in 2024 was phishing, accounting for 36% of breaches, it was followed very closely by vulnerability exploitation (21%) and the use of stolen credentials (20%). This reflects an increase in the exploitation of vulnerabilities as an entry point, which grew by 180% from the previous year. At the same time, the exploitation of vulnerabilities on Internet-facing devices as an initial access point nearly tripled from the previous year, now accounting for 14% of all breaches.
What does this new shift mean to us? We, all-around defenders, need to think beyond individual systems and endpoints, taking a holistic view of the attack surface. This is where a defensible security architecture based on zero trust principles shines, a truly effective approach to cybersecurity infrastructure that is designed to be resilient, adaptive, and aligned with modern threat landscapes.
Think Red, Act Blue: Turning Attack Chains into Defensive Chains
Thinking in terms of defensive chains is a fundamental step in designing and building a defensible security architecture. We're all familiar with the concept of attack chains—the step-by-step methodologies adversaries use to achieve their objectives. But what if we flipped that concept around? Using the knowledge of how attackers break in (or thinking 'red'), we can design defensive chains—layered defenses that block, detect, and respond at every step of the chain (that is, acting 'blue').
Think about it as an evolution of the traditional 'defense in-depth' philosophy, one that has expanded beyond 'protection' to include other key capabilities:
- Visibility in Depth: Knowing what's happening across your entire environment, in real-time. This includes endpoints, network traffic, cloud workloads, understanding how data flows across your environment, and who has access to what.
- Detection in Depth: Using advanced threat detection tools, powered by AI and machine learning, to identify anomalies that might otherwise go unnoticed.
- Response in Depth: Building robust incident response plans that are agile and adaptive, ensuring rapid containment and recovery from any incident.
Designing and building defensive chains that incorporate defense (or protection), visibility, detection, and response in depth ensures that no matter where an attacker strikes—whether at the perimeter, in the cloud, or within the supply chain—there's a layer of defense ready to counteract. This approach not only limits the attacker's ability to maneuver, but also extends the defender's ability to respond effectively, transforming isolated defenses into a cohesive, interlinked system. A truly Defensible Security Architecture.
The Role of Zero Trust Principles, in Action
Zero Trust has become a buzzword in security, but its principles are far from superficial. At its core, Zero Trust is about eliminating implicit trust—trust that can be exploited by attackers. Instead, it enforces continuous verification, no matter the source of the request.
This philosophy aligns perfectly with defensible architecture. A truly defensible system doesn't assume anything is safe—it verifies every user, every device, and every action.
But Zero Trust isn't just a philosophy; it's a practical approach that can be implemented in multiple ways. Here are some key applications:
- Zero Trust Network Access (ZTNA): This replaces traditional VPNs with secure, identity-based access to applications and resources. ZTNA ensures that users can only access what they need, reducing lateral movement risks.
- Hardening Existing Devices: Many attacks exploit poorly configured or unpatched devices. Zero Trust emphasizes continuous hardening—regularly reviewing configurations, applying patches, and enforcing strict access controls.
- Knowing What's in Your Products: In today's interconnected world, every device, application, or service you introduce into your network becomes a potential entry point for attackers. Zero Trust means knowing what's inside—understanding the software bill of materials (SBOM) for every critical product that can give access to your crown jewels, to ensure no hidden vulnerabilities or backdoors are leveraged by skilled attackers.
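As an added illustration of the "knowing what's in your products" point (not code from the original post or the SANS course), the script below reviews a constructed CycloneDX-style SBOM: it flags components with no declared supplier, components with no version (which cannot be checked at all), and components whose version is below a fixed version in a constructed, hypothetical advisory list. The SBOM content, package names and fixed versions are all made up for the example.

```python
import json

# Constructed CycloneDX 1.5 SBOM fragment (not a real product's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7",
     "supplier": {"name": "OpenSSL Project"}, "purl": "pkg:generic/openssl@3.0.7"},
    {"type": "library", "name": "libexample", "version": "1.2.0"},
    {"type": "library", "name": "vendor-agent", "supplier": {"name": "ACME"}}
  ]
}"""

# Constructed advisory feed: package -> first fixed version (hypothetical, not real CVEs).
ADVISORIES = {"openssl": "3.0.8", "libexample": "1.3.0"}

def parse_version(v):
    """Turn '3.0.7' into (3, 0, 7) for ordering; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def review_sbom(sbom_json, advisories):
    """Return a list of (component name, finding) for anything needing attention."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp.get("name", "<unnamed>"), comp.get("version")
        if not comp.get("supplier"):
            findings.append((name, "unknown supplier: provenance cannot be verified"))
        if version is None:
            findings.append((name, "missing version: cannot check against advisories"))
            continue
        fixed = advisories.get(name)
        if fixed and parse_version(version) < parse_version(fixed):
            findings.append((name, f"{version} is below fixed version {fixed}"))
    return findings

if __name__ == "__main__":
    for name, finding in review_sbom(SBOM_JSON, ADVISORIES):
        print(f"{name}: {finding}")
```

In practice the advisory dictionary would be replaced by a feed keyed on the component's package URL (purl), and the review would run on every SBOM delivered with a product that touches your crown jewels.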
Designing for the Future
Security architects and engineers, as 'all-around defenders', need to design and build for the future. This requires a paradigm shift toward a defensible security architecture that embraces zero-trust principles. By understanding the evolving threat landscape, transforming attack chains into holistic and cohesive defensive strategies that combine protection, visibility, detection, and response in-depth, and rigorously applying Zero Trust practices, organizations can strengthen their defenses against emerging threats.
The good news is that every year, over 1,000 students from all over the world learn how to master these concepts through my SANS course, Security 530: Defensible Security Architecture and Engineering, Implementing Zero Trust for the Hybrid Enterprise. This class provides a different and unique perspective from that offered by security vendors and industry analysts, emphasizing the need to understand the foundational technology behind security products, their strengths and limitations, and the critical role of people and processes—often overlooked components in building a truly defensible architecture. This course equips security professionals not only to implement the right tools, in the right way, but also to align organizational workflows and human factors for a comprehensive defense strategy.
The course also prepares students for the GDSA certification, which has quickly become a must-have credential in the cybersecurity industry. Earning the GDSA demonstrates your expertise as a defender, architect, and engineer, making you a recognized leader in your organization and a valuable asset in the fight against modern cyber threats.
If you're ready to advance your career and elevate your skills, visit sans.org to explore the course schedule, take a demo, and get started on your journey. Whether you attend in person or take the course on demand, you'll gain practical knowledge that is immediately applicable to your organization. To learn with me in real time, join me in SEC530 at SANS CDI 2024 in Washington, DC on December 13.
The future of defensible security starts here.
Further reading:
- Security 530 – Free Course Preview
- Zero Trust Blog Series - Blog 1: Adopting a Zero Trust Mindset
- Zero Trust Blog Series - Blog 2: Architecting for Zero Trust
- Zero Trust Blog Series - Blog 3: Instrumenting for Zero Trust
- Zero Trust Blog Series - Blog 4: Operating for Zero Trust
About the Author: Ismael Valenzuela is the author of the Cyber Defense and Blue Team Operations course, SANS SEC530: Defensible Security Architecture and Engineering, and co-author of the Offensive Operations course SANS SEC568: Product Security Penetration Testing - Safeguarding Supply Chains and Managing Third-Party Risk. Ismael is an international cybersecurity industry expert with over 24 years of experience and frequently advises governments, critical infrastructure operators/owners, and corporations around the world on how to combat cybercrime and other motivated threat actors. He is also one of the few people in the world holding the highly regarded GIAC Security Expert (GSE) certification. Prior to his current role of Vice President of Threat Research & Intelligence at BlackBerry Cylance, Ismael was responsible for leading offensive and defensive security roles for Foundstone, Intel, and McAfee, among others, and founded one of the first IT security consultancies in Spain. Ismael has also served as an advisor to large government and private sector organizations, including the EU, U.S. government agencies, and critical infrastructure operators in New York. Ismael is regularly featured in cybersecurity publications and top security conferences, including Black Hat, RSA, and SANS Cyber Security Summits.
Ismael Valenzuela — SANS Author and Senior Instructor