In a recent post, I talked about the security value of IT management disciplines such as configuration and change control. I pointed to evidence we had gathered here at EMA that support the security and IT risk management values of taking a strong approach to defining change management objectives, actually implementing them in practice, monitoring the environment for deviations from those objectives, and responding when issues are detected.
What I didn’t discuss was the role of “pre-emptive” control in change management discipline. If change control yields all those benefits, why not deploy controls that would defend the enterprise against unauthorized change before it happens, rather than responding to unauthorized change after the fact?
Behind this question is a new reality of security management faced by businesses everywhere – or I should say, a reality new to many organizations, but certainly not new to attackers who continue to hone their ability to get past legacy defenses.
In the past, the focus of security management was too often on keeping threats outside the door. Today, attacks are much more sophisticated – and often silent when it comes to detection. More organizations than ever before (or at least that I can recall) recognize not only that threats are penetrating successfully, but that their information resources may already be compromised, and they just don’t know it yet. While recognizing this reality may be beneficial to security management within the enterprise, it may be critical, for example, to warfighters operating under conditions of active attack.
This calls for a new approach to management that depends less on preventing specific threats only after they become known (the “blacklist” approach), and building an environment more resilient in the face of more aggressive exploit.
In EMA’s view, such an approach must revolve around four key principles, which I abbreviate as HCIA, as much to suggest “hardier CIA” (i.e., a hardier approach to the traditional information security values of “CIA”: resource confidentiality, integrity and availability) as for the acronym it represents:
Hardening and containment speak to building a more resilient IT environment. Examples include:
Hardening goes beyond traditional concepts of stripped-down functionality on sensitive resources. Pre-emptive prevention of unauthorized IT change such as whitelisting and more finely grained privilege control offer greater resistance to unauthorized change, regardless whether change is being attempted by malware or legitimate users attempting unauthorized actions. Code authentication provides a way to validate applications before they execute, or during runtime if ongoing validation of running code can be supported. Desktop virtualization offers another example of hardening, when the desktop environment executes under the control of the data center rather than locally on the user’s endpoint. (I’ve written about the security values of desktop virtualization for years).
Containment: Virtualization also offers a way to contain threats within the virtual environment (a technique long employed in threat analysis). Sandboxing delivers similar containment, while network segmentation provides isolation of activity within network zones, where a measure of control may be leveraged at points of ingress and egress.
Note that technologies such as desktop virtualization offer both values – hardening and containment. Note also that hardening and containment are both features of more modern endpoint environments such as some smartphone OSes, where application isolation and code validation are integral to architectural concepts. We’ll see this again in other areas, where some technologies yield benefits in multiple aspects of an HCIA approach.
Intelligence and action speak to the need to mount a more effective response in the face of a dynamic environment. Today, these realms are being extended in entirely new ways:
Intelligence: Visibility throughout the internal environment as well as external intelligence regarding the landscape of vulnerabilities, security exposures and threats remain central to security management, as do event monitoring and operational insight enabled by flexible tools such as search applied to event data or other management information. Today, intelligence is being integrated more directly into the tactics of defense, to give defenders more accurate and timely insight into threat activity that can be leveraged directly by countermeasures. (And if you think there would be synergy between security and risk intelligence and business intelligence, you’d be right…more about this provocative topic soon!)
Action: From ongoing investigation of emerging issues to incident response, maintaining an active approach to insight into the risk posture remains vital to success. As noted in a previous post, evidence of events leading up to a data breach was available to the victim organization prior to actual compromise in 82% of cases studied in Verizon’s 2008 Data Breach Investigations Report, but was either not noticed or not acted on. Monitoring must be coupled with action to be truly effective – but action goes well beyond event or incident response alone.
For example, consider the role of what I think of as “proactive forensics” in security strategy. Where a proactive approach to forensic investigation plays a significant role in security management, the organization will be well prepared for forensic analysis well ahead of the need. One of the banes of forensic investigation is the sheer volume of information that must be analyzed in order to fully understand an incident. Tactics such as developing an inventory of recognized and accepted software can better prepare forensic investigators with a baseline against which unauthorized change or potential malware stands out more clearly. Tools such as whitelisting support the development of such an inventory. They also provide a means for deploying unauthorized change prevention when the need arises. Here again, an example of a technology that supports multiple aspects of HCIA.
Action also means that enterprises must recognize that security is essentially gamesmanship. Changed tactics will likely produce a response from the adversary, who will adapt their tactics to meet changes in defense. If the target shifts from one aspect of strategy to another, expect the adversary’s sights to be drawn on the techniques that anchor a new approach. But this is hardly an excuse to become passive in the face of threats that have become more refined and successful, while many IT organizations remain stuck in the past.
Some technologies of defense are evolving to respond to new realities in new ways. Tools for hardening that may have been considered prohibitive in the past are reducing the friction of their adoption in new and creative ways. Strategists would do well to consider how these changes may make such techniques more accessible and realistic, as they weigh their options for responding to the realities of security management as they are today.