As I’ve been shifting my focus towards information security, I’ve been thinking a lot about all of the different facets of securing a given network. There are a lot of moving parts even in relatively simple networks. While the defender has to secure something on the order of 10,000 or sometimes many more items, an attacker usually only has to compromise a handful to be successful. The percentages certainly don’t skew well in favor of the defenders. It’s enough to make you want to give up, except giving up usually doesn’t pay well and regret isn’t all that nutritious.
While we can’t build completely impenetrable networks, there’s a lot that can be done to detect and slow down would-be attackers that manage to get through. While security vendors would have you believe their product is the One Thing that will cure all of your ills, the truth is that some of the most productive things are free, at least from a purchasing perspective.
All throughout my life I’ve loved real-time strategy games and dungeon crawlers, especially the ones that start you in a very small corner of the map where you see a smidgen of the world and the rest is dark. I loved the challenge of carefully expanding that view; learning to never overreach but to keep pushing the boundaries until I filled all of the map. Looking back over 18 years of IT, I’m surprised it took me until about 10 years ago to start playing that game in my work life, but since then I’ve been able to make incredible leaps forward in broadening my understanding and skills.
All of it stems from this simple premise: If you can’t draw it, you don’t understand it. If you don’t understand it, you cannot defend it. Both of them seem like common sense and I would have sneered at them before, but I realized I never pushed those agendas as hard as I should have. I had my little corner of the world and I’d make diagrams of that, but the rest of it was someone else’s job or was off limits. They got mad if I asked so I didn’t. Then I was lucky to work with a group that turned that upside down, where the mindset was “it’s yours to defend, if you don’t understand it then ask.”
And so in between making everything work, keeping the business running, and soothing bruised egos and all of the other expectations of the IT life, I started making maps. I ran into sections where I didn’t know how things worked, and some of the conversations went really well. Some of them went like this from my side:
Yes I realize this is very hard to explain.
Yes, I understand you’re on fire right now.
Well then when do you expect to not be on fire?
And then what usually followed was a bunch of colorful four-letter words and comments about my parentage. What I learned from those was to lead with what I knew already, and then ask very specific questions. So rather than saying “I don’t understand anything about how this app works, can you explain it?” I’d say “I know this app runs on WebSphere, and I know eventually it pulls the data from Oracle. Which server is it on and where’s the config file for which database it hits?” and I’d get my answers and keep filling in the map, and they’d be happy I was out of their (burning) hair.
I realized I would have to make at least two types of maps, physical and logical. The physical maps showed all the places where certain hardware or virtual servers were located and where the links were. The logical maps showed the flow of information from a given use case into the environment from the start to the end of the given transaction. And then I’d make hybrid maps that showed the use case and what physical nodes were touched along the way.
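The two map types above are really two data sets, and the hybrid map is what you get by joining them. As an added illustration (not code from the original post), here is a small Python model of that join: a physical map of hosts, sites and links, a logical map of use cases as ordered hops, and a few checks that show where the map still has dark corners. All hosts, use cases and config-file names are constructed sample data, not anything from the post.

```python
# Added example: modelling physical and logical maps and deriving the hybrid map.
# Every host, link, use case and config hint here is constructed sample data.

# Physical map: where things live and what they are directly linked to.
# host -> (site, list of directly linked hosts)
PHYSICAL = {
    "lb01":     ("dc1", ["web01", "web02"]),
    "web01":    ("dc1", ["lb01", "app01"]),
    "web02":    ("dc1", ["lb01", "app01"]),
    "app01":    ("dc1", ["web01", "web02", "db01"]),
    "db01":     ("dc2", ["app01"]),
    "backup01": ("dc2", ["db01"]),   # on the physical map, in no known flow
}

# Logical map: the path one transaction takes from start to end, as ordered
# hops of (component, where its relevant config lives).
LOGICAL = {
    "customer-lookup": [
        ("lb01",  "haproxy.cfg"),
        ("web01", "httpd.conf"),
        ("app01", "WEB-INF/datasource.xml"),
        ("db01",  "tnsnames.ora"),
    ],
    "nightly-report": [
        ("sched01", "crontab"),      # nobody has placed this host physically yet
        ("app01",   "report.properties"),
        ("db01",    "tnsnames.ora"),
    ],
}


def hybrid_map(physical, logical):
    """For each use case, the physical nodes and sites touched along the way."""
    out = {}
    for use_case, hops in logical.items():
        nodes = [host for host, _ in hops]
        sites = sorted({physical[h][0] for h in nodes if h in physical})
        out[use_case] = {"nodes": nodes, "sites": sites}
    return out


def unmapped_components(physical, logical):
    """Components a flow depends on that are missing from the physical map.
    These are the dark corners where the next specific question gets asked."""
    return sorted({host for hops in logical.values() for host, _ in hops
                   if host not in physical})


def unused_hosts(physical, logical):
    """Hosts on the physical map that no known use case touches. Either a flow
    is still undocumented (web02 is probably a second web node behind lb01)
    or the host needs an owner and a reason to exist."""
    used = {host for hops in logical.values() for host, _ in hops}
    return sorted(h for h in physical if h not in used)


def physically_connected(physical, hops):
    """True when every consecutive pair of hops is directly linked on the
    physical map. A flow that 'jumps' means a link or a host was never drawn."""
    hosts = [h for h, _ in hops]
    return all(b in physical.get(a, ("", []))[1]
               for a, b in zip(hosts, hosts[1:]))


if __name__ == "__main__":
    for name, info in hybrid_map(PHYSICAL, LOGICAL).items():
        ok = physically_connected(PHYSICAL, LOGICAL[name])
        print(f"{name}: {' -> '.join(info['nodes'])} "
              f"(sites: {', '.join(info['sites'])}; fully drawn: {ok})")
    print("not on physical map:", unmapped_components(PHYSICAL, LOGICAL))
    print("on physical map, in no flow:", unused_hosts(PHYSICAL, LOGICAL))
```

Run on the sample data, the customer-lookup flow is fully drawn across dc1 and dc2, while the nightly-report flow fails the connectivity check because sched01 was never placed on the physical map; web02 and backup01 come back as hosts with no documented flow. Those two lists are exactly the “which server is it on” questions to take to the next conversation.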
Somewhere along the way, the maps became a necessity for more than just me. The people who’d contributed to them, who’d then looked them over and said, “yes, this is how it works, I don’t know why you chose to draw out all of this other stuff that I don’t care about, but my part is right at least,” were now coming back to me and saying “hey, I need that map you drew for an upcoming change meeting.” They were glad for the previously irrelevant stuff. The hybrid maps became essential for audits, for discussing upgrades, and so on. We started sewing the maps together. I learned that big-picture knowledge is infectious and it comes with a side of gratitude.
A neat bonus was that the types of decisions that we made had fundamentally changed as the maps got better. We stopped talking about specific niche solutions and products that seemed cool, and started talking about physical and logical needs across environments. And the overall feel was that none of this mapping exercise was rocket science, but with the greater understanding of our environment we could probably do rocket sciencey stuff. It was incredibly empowering and in retrospect we should have done it much sooner.
And so you’ve read about 900 words of me saying “ask questions and make maps” and you’re probably thinking to yourself “seriously Jason, tell me more about how the sky is blue and water is wet!” In sitting down to write this, I realized that what I’m saying isn’t profound, it’s mundane. Mundane’s OK; it’s Latin for the ground or the earth. If you don’t have maps of your environment that everyone contributes to, you’ve got very little common ground to stand on.
And so my goal of writing this is to reignite that drive to know every inch of your network, at both a physical and logical level. With that knowledge, you’ll pick better tools and make better decisions. The tools you pick will work better because you’ll implement them based on that knowledge, and you’ll have a better understanding of what you need and what you don’t. You’ll set your tripwires where they’ll do the most good, and when the battle comes to you, at least you’ll have home field advantage.
N.B. It’s good to be proud of your work, and when you make maps there’s sometimes an urge to print and hang them on walls for everyone to see. Combine that with someone standing next to it and having their picture taken, throw in a little social media, add a dash of high-megapixel cameraphones making that text possible to read, and you’ve got a really bad hack-me kit. Be careful where you hang your maps.