Security Immutability: The Importance of Change

A few years ago, I wrote about the importance of security immutability. More specifically, I discussed how important it is that your environment be unchangeable in order to ensure that it remains secure. As I looked back on the article, I found it rather amusing that the article was published 4 years ago, but that feels like a lifetime ago. In the last few years, we really have seen just how volatile the world can be.

Interestingly, while the world around us has changed in ways that we never imagined over the past few years, our technology has been doing that for decades. That’s why there’s a plethora of tools, from free ones like Sysinternals’ DiskMon, and Process Monitor, to enterprise offerings like Tripwire File Integrity Monitoring, that are designed to monitor and track changes to our systems. That’s also why the word “change” appears in 831 cells in the MITRE ATT&CK 13.1 spreadsheet, and “monitor” appears 2333 times. We need to be ever-vigilant in our quest to detect changes and monitor systems.

We have to accept that our systems will never be immutable, but we can limit their mutability and increase our awareness to the changes that are occurring. Then, however, we need to know if a change is a good change or a bad change. There are plenty of qualifiers to define a change as good or bad. Did you authorize the change? Did you plan the change? Did you expect the change? These are just some of the questions that you need to ask to qualify if a change is good or bad.

The past few years have brought about a lot of change all around us. There have been good changes – more delivery options for takeout and groceries – and there have been bad changes – some small restaurants went out of business. One very noticeable change that may or may not be controversial, depending on who you are, is the change to where we work. For the past decade, I’ve worked from home. My commute for more than 10 years has been fewer than 10 footsteps away. For others, this change happened due to the pandemic. For many IT and IS teams, this was not a change that they authorized, planned, or expected, but it is a change that they are still working to understand and secure.

For some organizations, it was as trivial as flipping a switch. They were prepared for an event like this and experienced only minor hiccups. For others, this created a nightmare. I’m sure that for many individuals responsible for organizational security, those three letters – WFH – Work From Home – are as scary as any movie monster.

Think about it. You spend years making your environment as immutable as possible. You lock down everything, you limit traffic, you monitor file systems, and you have worked to create a  zero-trust environment. Suddenly, someone flipped the script. It is no longer “your environment.” It is a series of connected systems that are on your VPN today but off the VPN tomorrow. Systems that are on wired home connections on Monday but connected to the local Starbucks Wi-Fi on Tuesday and plugged into a Holiday Inn on Friday (because who doesn’t want to start their weekend travel earlier than expected). How many admins are screaming into a pillow right now?

These new stresses can seem difficult to deal with. We just have to stick with the things that we know we’re doing right. If we’ve secured our environments and locked down our systems, that’s all that we can do. That’s why vulnerability management, security configuration management, and file integrity monitoring are all as critical today as they were before employees started working from home. So many aspects of known security benchmarks, compliance policies, and known attacker techniques and tactics rely on change. While we can’t avoid mutability, we can always work to increase immutability, and that should help us sleep a little better at night.