If Infosec Was a Supermarket Business

EclecticIQ
EclecticIQ Blog
Published in
13 min readFeb 28, 2023

--

eiq-endpoint-response

By Jordan Durham

I was recently reading an article which made a brief analogy between cybersecurity and a retail store. This got me thinking — could there be a deeper analogy made for cybersecurity and a supermarket, especially detection and response programs?

I strongly believe that awareness is one of the, if not most, valuable commodities in the ongoing struggle that is cybersecurity. The more awareness people have of the dangers and things to look out for, the less likely a threat actor has of a campaign succeeding.

With supermarkets being commonplace, an analogy for detection and response thinking utilizing related concepts should have a good chance of resonating with a wide audience, regardless of their technical knowledge.

The core of our analogy will be comparing supermarket stock to a business’s data.

Our Topology

er-blog-supermarket-diagram

Figure 1: Parties involved in the supermarket’s architecture.

Our imaginary supermarket architecture consists of:

  • A main supermarket store.
  • A 24-hour convenience store.
  • A distribution center.
  • External suppliers.

The Supermarket

The supermarket store is the main face of our enterprise, it is what people recognize, it’s where people interact with us, it’s where most of our money is made, and where our reputation is built. As with all enterprises, on the surface, the supermarket serves one or two key purposes, whereas when you peel back the layers there is much more going on.

So, let’s consider a supermarket as if it were a well-known and respected enterprise with information technology (IT) capabilities and a cybersecurity program, what does the supermarket look like then?

Stock

Food, drinks, toiletries, DIY, pet supplies, the list goes on for what a typical supermarket stocks to sell. Whilst on paper, all stock is just something that sits on a shelf waiting to be picked up and bought, when you delve a bit deeper you realize it’s a lot more than that.

General Stock

It comes and it goes, bought & sold, delivered & stored. It’s also tracked, itemized, tested, produced, copyrighted & trademarked, researched, and protected. All of these apply to every single piece of stock on sale in a supermarket, from a top-of-the-range TV to a loaf of bread. Whilst the end customer only sees the product as it sits on the shelf, for the sake of our analogy we need to be aware of what goes on before that stock ends up on that shelf because, in our analogy, stock is data.

Data is produced, it’s tracked, it’s collected, it’s trademarked, it’s used to produce other pieces of data and it can contain highly sensitive information.

Let’s break this down a bit further by grouping some common product sets together.

Alcohol

Alcohol is typically the most protected product group within any supermarket, this being due to its legal licensing and its higher pricing compared to other product types.

In our analogy, alcohol is our most sensitive data. But as with data, not all alcohol is equal — this is also reflected in a supermarket.

The most protected alcohol in a supermarket is the most expensive, high-strength spirits. Typically, each bottle has a protective tag, which both prevents opening but also triggers alarms if removed from the store.

If spirits were data, they would be the company’s critical datasets. Their intellectual property, customer & staff PII, business-critical data, etc. Data should have heavy access controls, tracking and reporting, monitoring and classification as if this data is leaked or stolen it will have a drastic impact on the business.

Let’s consider that you have a bottle of expensive whisky in your store, but it has been mislabelled and has been placed in another area of the store, which isn’t as protected.

  • Is this a problem?
  • How would you know if it was taken from the store without going through the proper checks and procedures?
  • What if this was to be picked up by the wrong people (i.e. underage drinkers) and word spread that you had this product available without protection?

Now think about if this was a critical piece of data, say plans to your new industry-changing product — would the same answers still apply?

Fresh fruit & vegetables

Fruit and vegetables are one of the most populous products you will see in a typical supermarket and when you compare these to alcohol, they have nowhere near the same level of protection or importance.

These products are available to everyone, you don’t need to prove you’re old enough to buy a piece of fruit and you won’t see anyone losing sleep over a stolen apple. Sure, if someone was caught stealing an apple there would be some level of reaction, but you wouldn’t be actively hunting for people with one extra apple.

So, if we apply this to our analogy, we could class this data as low risk. Data that is open to a lot of people and doesn’t have any inherent value to itself alone. However, as the volume mounts up, then it becomes more important. If you were to have your entire internal wiki lost or stolen, you would certainly care as this would affect your business operations and your reputation.

Tinned Food

The long-life products of a supermarket are produced and stored in a way that allows them to be used months and maybe years after they were placed into their containers. It’s not the fanciest product in the supermarket but if you ran out of fresh food, tinned, and dried food would be one of your only options left to rely on.

Think of tinned food as the cold data you store, be this as part of your compliance needs or for the sake of it. Data is typically most important when it’s “fresh”. This is especially true within the cybersecurity realm, and when it’s no longer fresh its added to cold storage for if, and when its needed.

This cold data is still required by lots of people but it’s not easily accessible, you’ll need the ability to access and open the data (you need a tin opener to open a piece of tinned food).

Key Considerations — Stock

As we’ve covered, there are many types of stock and data (many more types than discussed here, in fact), each serving its own purpose to the company and its end users. Whilst all require protection and monitoring, would you apply the same levels of identification, protection, and response across them all?

It is only natural to expect the highest level of response when your critical data is affected: from shutting down all levels of access, calling law enforcement and undertaking legal action. However, would you react the same way if a single piece of low-risk data is affected (i.e. a quick start guide for customers)?

Think of any downstream effects of treating all data as critical, it is all fine and well defining a concise response program and process but if this is triggered too frequently it will quickly overrun your ability to react.

Access

Supermarkets typically have a large entrance, maybe multiple, to allow their customers access to the store and the stock for sale. There are many doors other to your typical supermarket aside from the main entrance(s), and they’re not just used by your potential customers. As with all businesses, there is an inherent need to provide different levels of access to staff, customers and third parties. The aim of this section is to shine a light on typical supermarket access and the considerations needed around them that you may not immediately think of.

Main Entrance

Your customers will use the main entrance, but so will your staff. Both are essential to the success of your business and without them, you have no transactions to make money or staff to keep the business running.

You’re allowing people access to your supermarket and letting them freely walk among your fully stocked aisles. This is a business-critical process, if you were to disrupt this process it is likely to have negative consequences. Consider how your local supermarket may solve these questions below whilst keeping any impact to the customers entering, browsing, and leaving your store to a minimum.

  • Do you need to validate who is entering?
  • Are you going to monitor every step and action they take in your store?
  • How do you differentiate customers to your staff?
  • Have your staff only carried out tasks that are relevant to their role?
  • Do you know if they have paid for exactly what goods they’re taking out?
  • Have your staff taken any business equipment home?

Delivery Doors

Allowing products into your store via deliveries to sell is equally as important to the success of the business as the customer experience, as with nothing to sell there is no turnover. Deliveries arrive at the delivery doors from trusted suppliers and from distribution hubs owned by the supermarket brand. These doors are locked to everyone other than those permitted to enter. Opening these doors requires identity validation and a corporate agreement in place between the two companies (deliverer and receiver).

Some questions to ponder:

  • How do you validate the items being delivered?
  • Are you only sending what you should be via the delivery mechanisms?
  • Who is approved to send & receive?
  • What happens to your operations if your delivery doors are overloaded?
  • What’s stopping anyone from the shop floor from accessing the delivery system?

In our analogy, the delivery doors can be seen as data connections between other company locations (datacenter, corporate headquarters, etc.) and 3rd party vendors (VPN to cloud provider, service provider, etc.). Rather than physical goods that are being delivered and returned, it is data. Does that change how you think about the comings and goings through your delivery doors?

Key Considerations — Access

Think about both sets of questions as if you were running a bank’s or a defence manufacturer’s cybersecurity program. How would you go about answering the same set of questions above, whilst maintaining efficient business-critical operations?

Some items to consider:

  • A bank issues you with an account number and asks for verification when you want to make a transaction, but this process can’t take so long that it slows down other customer waiting in line.
  • A defence manufacturer will not allow public access to their facilities, meaning anyone accessing will need full identity validation and proof of their reason to be there. Accuracy is key here, but again you can’t take too much time, if you have thousands of employees trying to access at the start of their shift you don’t want each verification to take 10 minutes as your productivity is heavily affected.

Customers & Staff

A supermarket, or any company, can’t succeed without both customers and staff to provide the services and products that customers purchase.

As a supermarket you must be open to the public to operate, but do you have any level of restrictions in place for who can enter your store? Or do you have a completely open-door policy?

Have you ever been entering a supermarket and heard someone be denied entry? How did the supermarket know to deny that person access? Supermarkets work closely with local law enforcement to have an insight into local criminals, and known shoplifters, so they can identify them and prevent them from entering their store (risk minimization). This is applied intelligence to protect the stock of the store, the staff, their customers, and their reputation.

If supermarkets can apply this type of thinking and control, how does this align with infosec & cybersecurity?

Apply the same thinking as the supermarket when thinking about the below questions:

  • Do you care about who has access to your store?
  • If you knew about criminals operating in your area, would you still allow them to enter your store?
  • Would you impose a blanket ban of anyone on local law enforcement lists or would you apply tighter monitoring (CCTV etc) for those only suspected of being criminals?

Key Considerations — Customers and Staff

As well as the data and systems you need to protect, you must also protect your staff and customers (and their data). To protect, you must be able to monitor and identify. This is why we have so many different usernames and passwords for all sorts of businesses and services. They need this information to ensure you’re protected but also that you have the appropriate level of access.

You wouldn’t expect a public user of an e-commerce website to be able to access the financial controls for the company on the website, this would be heavily restricted and limited to key personnel only. Likewise, you wouldn’t expect a public customer to be able to walk into the administration office and open a safe in a supermarket with nothing stopping them.

Store Front & Building

The design and upkeep of your supermarket building are of paramount importance if you are to attract and retain customers. Your brand image is reflected in the buildings that you operate out of, ensuring they fit with your brand and are maintained to your business standards is key.

One commonly overlooked piece of cybersecurity is brand protection. If your brand is defaced, then your income will suffer as much as, if not more so, the result of a data loss breach.

Think about the following, comparing a supermarket store with an online e-commerce store:

24 Hour Convenience Store

All the discussed items above take place in a 24-hour store, but at a much smaller scale. This doesn’t mean that it is any less important to you as a business. You still have the same legal responsibilities on age-restricted products (alcohol), the need to track your stock levels, validate deliveries and maintain the store itself. You have direct connections to external vendors and to your company distribution centre.

Some may see these smaller stores as an easier target to steal stock because they’re going to have less staff to monitor the store and likely have fewer physical controls on sensitive products.

All these points can be attributed to smaller branch offices for the modern enterprise. The transactions made in these smaller branches are still critical to the overall success of the business.

Some points to think about:

  • Do I need the same level of protection for expensive alcohol in these smaller stores?
  • Should this type of alcohol even be kept/sold in these stores?
  • Do I need a direct link between these stores and my headquarters or to external vendors?
  • If we have a distribution hub, shouldn’t we use this for everything?

Key Considerations — 24 Hour Convenience Store

Think of the convenience store as a branch office, it still provides the core functions of your overall business but at a reduced size. Carrying out these functions requires the same level of access as any other corporate location, meaning it carries the same risks to the business. Applying the same level of visibility, identification, and protection to these locations is key to the overall success of a functioning cybersecurity program.

This isn’t without complications however, given the often-remote nature of branch offices you might have limited resources to be able to collect and transfer the data required for your monitoring purposes without interfering with the critical business functions at the branch. It is a well-traveled balancing act of collecting the minimal viable data to provide the most visibility.

Distribution Hub

A hidden aspect of the supermarket infrastructure but critical to its operational success, it provides the means for stock to get from producer to store shelves. The big differences between a distribution hub and a store are the size of the building and that the hubs are not open to the public.

A distribution hub is a warehouse, storing products in bulk before being transported to stores when needed. Most products being sold in a store will come via a distribution centre, with the rest being supplied by external suppliers. The products that do come from a distribution hub are stored in bulk, to be split up into smaller volumes when shipped to store. We must consider the storage, identification and protection of various products stored in concentrated locations differently to when stored in a store. Key

Considerations — Distribution Hub

As a bad actor with aim of collecting all your transaction data, what would make more sense: to locate and breach each of your branch locations that carry out transactions or to focus on breaching the core storage database at your data centre containing all transactions carried out across your business?

Similarly, if I wanted to steal a large volume of high-strength spirits, I would target a central location where they’re stored rather than going to steal one or two bottles from multiple locations.

This doesn’t mean monitoring and protecting these central locations requires a completely different program to those protecting your supermarket and convenience locations, it means you must be aware of the different risk factors and incorporate them into your full program.

Wrapping Up

The aim of this analogy was to highlight the considerations that must be made when running a cybersecurity program and to give an insight into the mindset required to make it successful.

If I was to give a key takeaway from this analogy it would be that to respond to anything, you must have the mechanisms in place and validated to detect them first. Identifying what tools you have and where they are is a critical first step that should never be overlooked.

You might also be interested in:

Compliance Does Not Equal Cybersecurity

Data Philosophy and Technology Combine for Better Endpoint Security

Comparing Sysmon and EclecticIQ Endpoint Response — Event Filters

About Endpoint Security Solution Assessment

The assessment should cover all aspects of our traditional People, Process, and Technology Framework. Check out the whitepaper on “5 Questions to Ask About Your EDR” to help you make an informed decision.

About EclecticIQ Endpoint Response

EclecticIQ Endpoint Response solution offers unapparelled visibility into endpoint telemetry — by using the proven open-source telemetry tool osquery as a foundation and adding our own custom extensions on top, achieving in a single agent what would otherwise require multiple tools running in unison. Interested to learn more, feel free to contact us.

About EclecticIQ Endpoint Response Community Edition

The EclecticIQ Community Edition platform is a sophisticated and flexible endpoint monitoring and response platform, based on the osquery agent. It provides endpoint monitoring and visibility, threat detection, and incident response for Security Operating Centers (SOCs). Download it on Github.

--

--

EclecticIQ
EclecticIQ Blog

EclecticIQ is a global provider of threat intelligence technology and services. Our clients are some of the most targeted organizations, globally.