A New Security Paradigm: HCIA
(Ed. Note: I’ve updated this post to incorporate some great feedback I’ve gotten on it already. I may well do so again to keep it fresh, as I expect to refer to this concept a lot…)
In a recent post, I talked about the security value of IT management disciplines such as configuration and change control. I pointed to evidence we had gathered here at EMA that supports the security and IT risk management value of a strong approach to change management: defining change management objectives, actually implementing them in practice, monitoring the environment for deviations from those objectives, and responding when issues are detected.
What I didn’t discuss was the role of “pre-emptive” control in change management discipline. If change control yields all those benefits, why not deploy controls that would defend the enterprise against unauthorized change before it happens, rather than responding to unauthorized change after the fact?
Behind this question is a new reality of security management faced by businesses everywhere – or I should say, a reality new to many organizations, but certainly not new to attackers who continue to hone their ability to get past legacy defenses.
In the past, the focus of security management was too often on keeping threats outside the door. Today, attacks are much more sophisticated – and often silent when it comes to detection. More organizations than ever before (or at least that I can recall) recognize not only that threats are penetrating successfully, but that their information resources may already be compromised, and they just don’t know it yet. While recognizing this reality may be beneficial to security management within the enterprise, it may be critical, for example, to warfighters operating under conditions of active attack.
This calls for a new approach to management that depends less on preventing specific threats only after they become known (the “blacklist” approach), and more on building an environment that stays resilient in the face of more aggressive exploitation.
In EMA’s view, such an approach must revolve around four key principles, which I abbreviate as HCIA, as much to suggest “hardier CIA” (i.e., a hardier approach to the traditional information security values of “CIA”: resource confidentiality, integrity and availability) as for the acronym it represents:
Hardening and containment speak to building a more resilient IT environment.
Hardening goes beyond traditional concepts of stripped-down functionality on sensitive resources. Examples include pre-emptive prevention of unauthorized IT change, such as whitelisting and more finely grained privilege control, that offers greater resistance to unauthorized change regardless of whether the change is attempted by malware or by legitimate users attempting unauthorized actions. Code authentication provides a way to validate applications before they execute, or during runtime if ongoing validation of running code can be supported. Desktop virtualization offers another example of hardening, when the desktop environment executes under the control of the data center rather than locally on the user’s endpoint. (I’ve written about the security values of desktop virtualization for years.) Hardening also appears in processes, as with the integration of secure development into the software development lifecycle (SDLC).
Note in particular the aspects of authorization and privilege in the above. These speak directly to the need for a more granular approach to identity. Privilege management helps to refine the scope of resource access to limit risk exposure – a chronic bane of endpoint security, for example, when “ordinary” user accounts are commonly linked to administrative privilege. Identity today, however, can – and should – go much farther. Too many application systems stop at authentication at the front end of an application stack, without considering the risks of failing to integrate authentication and authorization into the many moving parts of modern applications behind the “front door” – to cite just one example. Today’s emerging identity concepts can help to integrate a more finely grained linkage of identity with resource access and use, as well as improving processes for user lifecycle management that limit the risks of poorly controlled privilege. Identity also factors into intelligence and action, when a proactive approach to forensic insight can help keep organizations aware of when identity and authorized privileges are used in unauthorized or malicious ways. (You can expect to see more on these topics in future posts.)
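As an added example that is not part of the original post, the following Python sketches what carrying identity past the “front door” looks like in code: the front end authenticates the user and mints a short-lived, HMAC-signed assertion naming the principal and its granted scopes, and each internal operation re-verifies the signature and expiry and checks the scope it requires, rather than trusting that anything reaching it has already been authorized. The signing key, principals, scopes and the payroll_export operation are illustrative assumptions, not the design of any product named here.

```python
"""Added example: carrying an authenticated identity past the "front door".

The front end authenticates the user and mints a short-lived, HMAC-signed
assertion naming the principal and the scopes it was granted. Each internal
operation re-verifies that assertion and checks the scope it requires, rather
than trusting that anything reaching it has already been authorized.
The key, principals, scopes and operation names are illustrative assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Assumption: in practice the verification key is distributed to internal
# services out of band (or an asymmetric signature is used); hard-coded here
# only so the example runs stand-alone.
SIGNING_KEY = b"example-key-not-for-production"
TOKEN_TTL_SECONDS = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(principal: str, scopes: List[str], now: Optional[float] = None) -> str:
    """Front end: after authenticating the user, issue 'payload.signature'."""
    now = time.time() if now is None else now
    claims = {"sub": principal, "scopes": sorted(scopes), "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_assertion(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Internal service: return the claims only if signature and expiry hold."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token: str, required_scope: str, now: Optional[float] = None) -> bool:
    """Per-operation check made inside the service, not only at the front door."""
    claims = verify_assertion(token, now)
    return claims is not None and required_scope in claims.get("scopes", [])


def payroll_export(token: str, now: Optional[float] = None) -> str:
    """A back-end operation that enforces its own scope requirement."""
    if not authorize(token, "payroll:export", now):
        return "denied"
    return "exported"


if __name__ == "__main__":
    t0 = 1_700_000_000
    clerk = mint_assertion("clerk@example.org", ["payroll:read"], now=t0)
    admin = mint_assertion("payroll-admin@example.org",
                           ["payroll:read", "payroll:export"], now=t0)
    print(payroll_export(clerk, now=t0))          # denied: authenticated, not authorized
    print(payroll_export(admin, now=t0))          # exported
    print(payroll_export(admin, now=t0 + 301))    # denied: assertion expired
    # Splicing the admin claims onto another signature fails the integrity check.
    forged = admin.split(".")[0] + "." + clerk.split(".")[1]
    print(payroll_export(forged, now=t0))         # denied
```

The point the example makes is the distinction the paragraph draws: the clerk is fully authenticated yet still refused by the back-end operation, because authorization is evaluated where the resource is used rather than only at the front end.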
Note also the emphasis on hardened infrastructure. What about cases where the organization has limited control over infrastructure-level security – as in some cloud computing models, for example – or where information “travels” beyond the boundaries of enterprise IT? This speaks to the need to “harden” information itself, as suggested in concepts such as those advanced by the Jericho Forum. Here again, the role of identity stands out. (Likely more to come on this subject as well.)
Containment: Virtualization also offers a way to contain threats within the virtual environment (a technique long employed in threat analysis). Sandboxing delivers similar containment, while network segmentation provides isolation of activity within network zones, where a measure of control may be leveraged at points of ingress and egress. Containment may also be in response to a threat, as when isolation or remediation tactics are engaged to limit the impact of a detected compromise.
Note that technologies such as desktop virtualization offer both values – hardening and containment. Note also that hardening and containment are both features of more modern endpoint environments such as some smartphone OSes, where application isolation and code validation are integral to architectural concepts. We’ll see this again in other areas, where some technologies yield benefits in multiple aspects of an HCIA approach.
Intelligence and action speak to the need to mount a more effective response in the face of a dynamic environment. Today, these realms are being extended in entirely new ways:
Intelligence: Visibility throughout the internal environment as well as external intelligence regarding the landscape of vulnerabilities, security exposures and threats remain central to security management, as do event monitoring and operational insight enabled by flexible tools such as search applied to event data or other management information. An approach to outcome-based management, meanwhile, can leverage a growing body of information such as breach data that indicates where strategies fail. Today, intelligence can go even farther. Forensic tools, for example, are often used to diagnose the nature of an incident after the fact. Proactive forensics, however, can reveal the detail and context of a security weakness beyond penetration testing in advance of an actual incident. Intelligence is also being integrated more directly into the tactics of defense, to give defenders more accurate and timely insight into threat activity that can be leveraged directly by more flexible countermeasures. (And if you think there would be synergy between security and risk intelligence and business intelligence, you’d be right…more about this provocative topic soon!)
Action: Proactive forensic investigation also speaks to action that remains vital to success. As noted in a previous post, evidence of events leading up to a data breach was available to the victim organization prior to actual compromise in 82% of cases studied in Verizon’s 2008 Data Breach Investigations Report, but was either not noticed or not acted on. Sadly, this figure actually increased to 86% in the 2010 Verizon report. Clearly, monitoring must be coupled with action to be truly effective – but action goes well beyond event or incident response alone.
For example, when a proactive approach to forensic investigation plays a significant role in security management, the organization will be well prepared for forensic analysis well ahead of the need. One of the banes of forensic investigation is the sheer volume of information that must be analyzed in order to fully understand an incident. Tactics such as developing an inventory of recognized and accepted software give forensic investigators a baseline against which unauthorized change or potential malware stands out more clearly. Tools such as whitelisting and configuration monitoring support the development of such an inventory. They also provide a means for deploying unauthorized change prevention when the need arises. Here again is an example of a technology that supports multiple aspects of HCIA.
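As an added example that is not part of the original post, the following Python shows how a single inventory of approved files serves both the hardening tactic described earlier (whitelisting: refuse to run anything whose hash is unknown or has changed) and the forensic baseline described here (diff the current state against the inventory so that unauthorized change stands out). The directory layout, file contents and the simulated “dropper” are constructed for the example and are not from any product the post mentions.

```python
"""Added example: one hash inventory of approved files used two ways.

As a hardening control it is an execution allowlist: a file may run only if
it is in the inventory and its current hash still matches. As a forensic
baseline it is what current state is diffed against, so added, removed and
altered files stand out without sifting the whole filesystem.
Directory layout, file contents and the simulated dropper are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Set


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(root: str) -> Dict[str, str]:
    """Record relative path -> SHA-256 for every regular file under root."""
    inventory: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):        # do not follow links out of the tree
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            inventory[rel] = sha256_file(full)
    return inventory


def is_allowed(root: str, rel_path: str, approved: Dict[str, str]) -> bool:
    """Allowlist decision: unknown or altered files are refused, whoever asks."""
    expected = approved.get(rel_path)
    if expected is None:
        return False
    full = os.path.join(root, *rel_path.split("/"))
    return os.path.isfile(full) and sha256_file(full) == expected


def diff_inventory(approved: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Forensic baseline comparison: what changed since the approved state?"""
    both = set(approved) & set(current)
    return {
        "added": set(current) - set(approved),
        "removed": set(approved) - set(current),
        "modified": {p for p in both if approved[p] != current[p]},
    }


def demo() -> dict:
    """Build a baseline, then simulate a dropped script and a tampered config."""
    root = tempfile.mkdtemp(prefix="hcia-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "approved.sh"), "w") as f:
            f.write("#!/bin/sh\necho approved\n")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("[svc]\nmode=strict\n")
        approved = build_inventory(root)

        # Constructed unauthorized change: a new file plus an edit to an approved one.
        with open(os.path.join(root, "bin", "dropper.sh"), "w") as f:
            f.write("#!/bin/sh\necho not approved\n")
        with open(os.path.join(root, "config.ini"), "a") as f:
            f.write("mode=permissive\n")

        return {
            "diff": diff_inventory(approved, build_inventory(root)),
            "approved_runs": is_allowed(root, "bin/approved.sh", approved),
            "dropper_runs": is_allowed(root, "bin/dropper.sh", approved),
            "config_intact": is_allowed(root, "config.ini", approved),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same inventory answers two different questions: before execution, “is this exact file approved?” (the dropper and the altered config are refused), and after the fact, “what differs from the approved state?” (only the added and modified paths are reported, which is what narrows an investigation).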
Action also means that enterprises must recognize that security is essentially gamesmanship. Changed tactics will likely produce a response from the adversary, who will adapt their tactics to meet changes in defense. If the target shifts from one aspect of strategy to another, expect the adversary’s sights to be drawn to the techniques that anchor the new approach. But this is hardly an excuse to become passive and stuck in the past in the face of threats that have become more refined and successful. On the contrary, it means that organizations must be prepared to be more agile in response. For organizations seeking to expand their ability to act, security services (expertise and managed services as well as hosted security technology) offer a variety of ways to embrace greater agility. Unlike most of its customers, the security service provider treats security as a profit center, and is highly motivated to offer agility as a benefit when security is the primary focus of its business.
If the techniques of the adversary have become more sophisticated, defense must evolve to respond to new realities. Today, tools for hardening that may have been considered prohibitive in the past are reducing the friction of their adoption in new and creative ways, while intelligence is becoming increasingly available for better informing response at both the tactical and strategic levels. Strategists would do well to consider how these changes may make the techniques of defense more accessible and realistic, as they weigh their options for responding to the realities of security management as they are today.
- NSA Switches to Assuming Security Has Always Been Compromised (DailyTech.com)